WordPress is the platform that powers around one-third of the Internet’s websites. That popularity makes it a bullseye: attackers continuously scan the web for WordPress installations with known security loopholes, and they automate the attack once they find one.


Not every WordPress website is actively maintained. A site running an old version of WordPress, or of a theme or plugin, with a publicly known flaw is an easy target, because the scanners are looking for exactly those sites.

Unlocking the Power of .htaccess

On Apache-based hosting, the .htaccess file lets you drop server directives into your site’s own directory without touching the main server configuration, and that is what we will use to harden WordPress. Two caveats: it is Apache-specific (Nginx ignores it entirely), and even on Apache it only takes effect where the server’s AllowOverride setting permits it. Almost every shared host allows it; if a snippet below produces a “500 Internal Server Error”, the override is probably restricted and you should ask your host.

If you’re curious about how .htaccess works with WordPress, you can dive deeper into the details here.

Let’s harden the site by adding a few snippets to the .htaccess file in your WordPress installation folder. Before you edit it, download a copy: a single typo in this file takes the whole site down with a 500 error, and restoring the backup is the fastest way back. Also put your additions outside the section between “# BEGIN WordPress” and “# END WordPress”, because WordPress rewrites that section every time the permalink settings are saved and anything inside it is lost.

Open your .htaccess file for editing.

  1. Log in to your web hosting control panel.
  2. Open the file manager. Alternatively, use the FTP access provided by your host (prefer SFTP if it is offered, since plain FTP sends your password in clear text).
  3. In the directory where WordPress is installed, look for the file named “.htaccess”. It starts with a dot, so most file managers hide it by default.
  4. If hidden files are not shown, switch them on in the file manager. In cPanel:
  • Open the File Manager from the cPanel dashboard.
  • Click the settings option (usually a gear icon) at the top-right corner.
  • Tick the box that says “Show Hidden Files (dotfiles)” and save.

Now add the five snippets below to make your WordPress site safer using .htaccess.

1. Don’t Allow Directory Access

How do you stop visitors from browsing your WordPress folders and files directly? When a directory has no index file, Apache may answer a request for that folder with a listing of everything in it, which hands an attacker your plugin and theme inventory, upload names and any stray backup files. One line in .htaccess turns those listings off. Note that it only affects listings: files whose names are already known can still be requested directly, which is what the remaining snippets deal with.

# Disable directory browsing (listings for folders without an index file)
# If this line causes a 500 error, the host does not allow "Options" in .htaccess
Options -Indexes

2. Redirect from HTTP to HTTPS

How do you redirect your WordPress website from HTTP to HTTPS via the .htaccess file? If you have an SSL/TLS certificate installed, serve the whole site over “https” and redirect every plain “http” request to it, so that neither visitors nor search engines keep using the unencrypted version.

Before adding the rule, switch WordPress itself to https; otherwise it keeps generating http links that bounce through the redirect on every page load. Go to Settings › General, change both “WordPress Address (URL)” and “Site Address (URL)” so they start with “https”, and save. You will be logged out, because WordPress derives its login cookie names from the site URL; log in again with your existing credentials. From now on the URLs WordPress generates use the “https” version.

# Redirect HTTP to HTTPS
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^speckygeek\.com [NC]
# Test the scheme rather than the port number, so the rule still works
# if Apache listens for plain HTTP on a port other than 80
RewriteCond %{HTTPS} off
# R=301 makes the redirect permanent; L stops processing further rules
RewriteRule ^(.*)$ https://speckygeek.com/$1 [R=301,L]
</IfModule>
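One situation the rule above does not handle is a site behind a load balancer or CDN that terminates TLS: the request then reaches Apache as plain HTTP with an X-Forwarded-Proto header, and a redirect keyed on HTTPS alone would loop forever. The following variant, an added example that is not part of the original post, checks that header as well, and adds an HSTS header so browsers stop trying plain http for future visits. The hostname speckygeek.com is kept from the snippet above; the one-year max-age is an assumed starting value.

```apache
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^speckygeek\.com [NC]
# Plain HTTP reaching Apache directly ...
RewriteCond %{HTTPS} off
# ... unless a TLS-terminating proxy or CDN in front already handled HTTPS
RewriteCond %{HTTP:X-Forwarded-Proto} !https
# The original query string is carried over automatically
RewriteRule ^(.*)$ https://speckygeek.com/$1 [R=301,L]
</IfModule>

# Strict-Transport-Security: browsers that have seen this header refuse to
# load the site over plain http until max-age expires. Only enable it once
# every page and every sub-domain is served over HTTPS, because it cannot
# be switched off quickly in visitors' browsers.
# env=HTTPS limits the header to TLS responses (mod_ssl sets that variable);
# behind a TLS-terminating proxy, set the header on the proxy instead.
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
</IfModule>
```

To check the result, request the http version of a page with a browser or a command-line client and look for a 301 to the https URL, then request the https version and confirm the Strict-Transport-Security header is present in the response.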

3. Keep WP-Includes Folder Safe

How do you keep the wp-includes folder safe via .htaccess? The files in wp-includes are WordPress core libraries that are only meant to be loaded by WordPress itself, never requested by a browser. The rules below (they come from the official “Hardening WordPress” guide) return a 403 for any direct request to a PHP file in that folder, so a bug in one of those files cannot be triggered by simply calling it. Be clear about the scope: this blocks direct web requests only, and does nothing against code that is already running on the server. Do not use it on a Multisite installation, where the rule for wp-includes/*.php also blocks ms-files.php and breaks uploaded images.

# Block direct requests to wp-includes (from the "Hardening WordPress" guide)
# Not for Multisite: the wp-includes/*.php rule also blocks ms-files.php
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# The admin include library must never be served directly
RewriteRule ^wp-admin/includes/ - [F,L]
# For any path outside wp-includes, skip the next three rules
RewriteRule !^wp-includes/ - [S=3]
# Forbid direct requests to PHP files inside wp-includes
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

4. Prevent Access to WP Config File

How do you keep the WordPress config file safe? The wp-config.php file in the root of your WordPress installation holds the database credentials and the authentication keys and salts. Normally PHP executes it and returns nothing to the browser, but if the PHP handler is ever misconfigured, or an editor or backup tool leaves a copy such as wp-config.php.bak or wp-config.php~ that Apache serves as plain text, the contents are exposed, and with them an attacker gets your database and the means to forge login cookies. This is why the file is a favourite target. The snippet below refuses direct web requests for it; WordPress still reads the file from disk with a PHP include, which is unaffected. The Order/Deny directives are Apache 2.2 syntax; Apache 2.4 still accepts them as long as the mod_access_compat module is loaded, which is the case on most hosts.

# Deny access to wp-config.php file
# (Order/Deny is Apache 2.2 syntax; Apache 2.4 needs mod_access_compat for it)
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>

5. Keep Htaccess File Safe

How do you keep the .htaccess file itself safe? Since .htaccess controls access to other files and folders, it is just as important that nobody can read it over the web: it would tell an attacker exactly which rules are in place and which names you consider sensitive. Apache’s default configuration already refuses files whose names begin with “.ht”, but shared hosts do not always keep that default, so add the rule yourself. The pattern below matches any file name starting with .ht, which also covers .htpasswd and .htdigest if you use HTTP authentication.

# Deny access to .htaccess and the other Apache control files (.htpasswd, .htdigest, ...)
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy all
</FilesMatch>
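Putting sections 1, 4 and 5 together, here is how the finished file should look around the block that WordPress manages, written with the Apache 2.4 “Require” syntax and a 2.2 fallback so it works on either version. This is an added example, not code from the original post: the wp-config.php pattern is widened to catch leftover copies next to it (the suffixes named in the comment are assumptions about what editors and backup jobs typically leave behind), and the “# BEGIN WordPress” block shown is the standard one WordPress writes for a single-site install with pretty permalinks. Note that Apache does not allow comments on the same line as a directive, which is why every comment sits on its own line.

```apache
# ---- Custom hardening: keep everything ABOVE the block WordPress manages ----

# (1) No directory listings. A 500 error after adding this means the host
#     forbids overriding Options in .htaccess; remove the line and ask them
#     to turn off Indexes on the server side instead.
Options -Indexes

# (4) wp-config.php plus any leftover copy a text editor or backup job may
#     create beside it (assumed examples: wp-config.php.bak, wp-config.php~,
#     wp-config.php.orig). Apache would serve such copies as plain text.
<FilesMatch "^wp-config\.">
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>

# (5) Every Apache control file: .htaccess, .htpasswd, .htdigest, .htgroup
<FilesMatch "^\.ht">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>

# ---- WordPress regenerates everything between the two markers below each
# ---- time the permalink settings are saved; custom rules inside are lost.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
```

After saving, request /wp-config.php and /.htaccess on your site in a browser: both should answer 403 Forbidden, and a folder without an index file (for example /wp-content/uploads/) should no longer show a file listing. If the front page still loads normally, the rewrite block survived intact.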

Stay Updated & Secure

Beyond the .htaccess snippets, a few habits close most of the remaining easy ways into a WordPress site.

  1. Keep updated: apply WordPress core, theme and plugin updates promptly. Most compromised sites are running a component with a publicly known, already patched vulnerability.
  2. Unsafe files: stick to reputable themes and plugins, and avoid “nulled” (pirated) versions, which frequently carry hidden backdoors.
  3. Plugin prudence: keep the number of plugins to a minimum and delete the ones you no longer use. Every plugin runs with the full privileges of WordPress itself, so each one you install is code you are trusting completely. Install only from WordPress.org or other reputable sources.
  4. Strong password: use a long, unique password for every account, above all the administrator accounts, and never reuse one from another site.

None of this makes a site impenetrable, but together these steps take away the easy openings that automated attacks depend on and significantly reduce the risk of a breach. Stay vigilant.