How to Protect WordPress Website by htaccess File in 10 ways, websiteslearn, websitelearn, habibcoder, wordpress developer

How to Protect WordPress Website by htaccess File in 10 Ways?

WordPress is a popular content management system, and millions of websites around the world use it. While it is known for its ease of use and customization options, it is also important to make sure that your WordPress website is secure. One way to do this is by using the .htaccess file, a per-directory server configuration file that allows you to control access to your website. In this article, we will discuss 10 ways to protect a WordPress website using the .htaccess file.

1. Block Access to wp-config.php:

The wp-config.php file contains important information about your WordPress installation, including your database credentials. You should block access to this file to prevent unauthorized access to your website. To do this, add the following code to your .htaccess file:

# WP-CONFIG BLOCK
<Files wp-config.php>
order allow,deny
deny from all
</Files>

2. Block Access to wp-includes Directory:

The wp-includes directory contains important WordPress files that should not be accessible directly from the web. To block access to this directory, add the following code to your .htaccess file:

# Block access to wp-includes directory

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

3. Limit Login Attempts:

Brute force attacks are a common way that hackers try to gain access to your website. To prevent these attacks, you can limit the number of login attempts that a user can make. To do this, add the following code to your .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# Set the number of allowed login attempts
RewriteCond %{REQUEST_URI} ^/wp-login\.php$ [NC]
RewriteCond %{REMOTE_ADDR} ^(.+)$
RewriteCond %{HTTP_USER_AGENT} ^(.+)$
RewriteCond %{ENV:BAD_LOGINS} ^(.*)$
RewriteRule ^.*$ - [E=BAD_LOGINS:%1:%2]

# Limit the number of login attempts
RewriteCond %{ENV:BAD_LOGINS} ^(.*?)\|\d+\|(\d+)$
RewriteRule ^.*$ - [E=BAD_LOGINS:%1|%{TIME}|%2+1]
RewriteCond %{ENV:BAD_LOGINS} ^(.*?)\|\d+\|([5-9]+)$
RewriteRule ^.*$ - [F,L]

# Limit the frequency of login attempts
RewriteCond %{ENV:BAD_LOGINS} ^(.*?)\|(\d+)\|\d+$
RewriteCond %{TIME} >%1+120
RewriteRule ^.*$ - [E=BAD_LOGINS:%{REMOTE_ADDR}|%{TIME}|1]
</IfModule>

This code is intended to allow 5 login attempts and to reset the counter after 2 minutes (120 seconds). You can adjust these values as you like.

The intent is to use Apache's mod_rewrite module to track the number and frequency of login attempts for each IP address and user agent, and to answer a client that exceeds the limit within the time window with a 403 Forbidden error instead of serving the login page. Be aware of a limitation, however: an environment variable set with the E= flag exists only for the request that set it, so every new request starts with BAD_LOGINS empty, and RewriteCond compares strings rather than doing arithmetic (%2+1 and >%1+120 are literal text). This rule set therefore cannot count attempts across requests on its own. Limiting login attempts needs state that outlives a single request, such as a login-limiting plugin, a server-side tool like fail2ban that reads the access log, or Basic authentication in front of wp-login.php (see section 9).

4. Protect .htaccess file:

You can protect your .htaccess file from unauthorized access by adding the following code to it:

# Protect .HTACCESS

<Files .htaccess>
order allow,deny
deny from all
satisfy all
</Files>

By adding this code to your .htaccess file, you can prevent unauthorized access to it, which can help protect your website from malicious attacks. However, note that this protection only works when the .htaccess file is used on Apache-based servers. On Apache 2.4 the order, deny and satisfy directives are provided by mod_access_compat; the native 2.4 equivalent is Require all denied.

5. Block Browsing Directories:

Block directory listings on your website by adding the following code to your .htaccess file:

# directory browsing block
Options All -Indexes

By adding this code to your .htaccess file, you can prevent unauthorized access to your website’s directories, which can help to protect sensitive information and files from being viewed or downloaded by unauthorized users.

Note: Before making changes to your .htaccess file, make sure to back up the file in case you need to revert your changes. Additionally, be careful when making changes to your .htaccess file as incorrect code can cause your website to become inaccessible.

6. Block WordPress xmlrpc.php Requests:

Block XML-RPC requests to the xmlrpc.php file in WordPress by adding the following code to your .htaccess file:

# Disable XMLRPC.PHP
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

This code uses the ‘Files’ directive to specify that the ‘xmlrpc.php’ file should not be accessible. The ‘order deny,allow’ directive specifies that the allow/deny rules should be processed in the specified order, and the ‘deny from all’ directive denies access to the file from all IP addresses.

By adding this code to your .htaccess file, you can prevent XML-RPC requests to the ‘xmlrpc.php’ file, which can help to protect your website from potential security threats such as DDoS attacks.

7. Disable Scanners in WP Website:

You can disable scanners in a WordPress website by adding the following code to your .htaccess file:

# BEGIN block author scans
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]

This code uses mod_rewrite to return a 403 Forbidden error for any request whose query string contains author=<number>, for example /?author=1. WordPress normally answers such a request with a redirect to the author's archive, whose URL contains the author's slug (usually the login name), so scanners walk through author IDs to collect usernames before attempting a brute force login; with this rule in place they get nothing back.

By adding this code to your .htaccess file, you can help protect your WordPress website from being scanned and potentially exploited by attackers.
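The rules in sections 3 and 7 are about attempts that repeat across many requests, and a web server can only enforce a limit when something keeps state between those requests. The usual place for that state is the access log. The following is an added example, not code from the article or its author: it parses a few constructed Apache combined-format log lines and applies the two checks from those sections, a sliding-window count of failed wp-login.php POSTs per client IP (5 attempts in 120 seconds, the article's values) and a list of IPs that probed ?author=<n>. The assumption that a failed WordPress login is logged with status 200 (the form is re-rendered) while a successful one is a 302 redirect is mine, not the article's.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Set

# Constructed sample access log in Apache "combined" format; these lines are
# made up for the example and do not come from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:31 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:14:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:14:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Oct/2023:14:01:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "python-requests/2.31"
192.0.2.99 - - [10/Oct/2023:14:01:01 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "python-requests/2.31"
192.0.2.99 - - [10/Oct/2023:14:01:02 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
AUTHOR_RE = re.compile(r"[?&]author=(\d+)", re.IGNORECASE)


def parse_log(text: str) -> List[dict]:
    """Turn combined-format lines into event dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "target": m["target"],
            "status": int(m["status"]),
        })
    return events


def failed_login_offenders(events: List[dict], max_attempts: int = 5,
                           window_seconds: int = 120) -> Dict[str, int]:
    """Sliding-window count of failed wp-login.php POSTs per client IP.
    Assumption (not stated in the article): a failed login is logged as 200
    because WordPress re-renders the form; a successful login is a 302."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    offenders: Dict[str, int] = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["method"] != "POST" or ev["status"] != 200:
            continue
        if ev["target"].split("?", 1)[0] != "/wp-login.php":
            continue
        window = recent[ev["ip"]]
        window.append(ev["time"])
        while (ev["time"] - window[0]).total_seconds() > window_seconds:
            window.popleft()          # drop attempts older than the window
        if len(window) >= max_attempts:
            offenders[ev["ip"]] = max(offenders.get(ev["ip"], 0), len(window))
    return offenders


def author_enumeration(events: List[dict]) -> Dict[str, Set[int]]:
    """Client IPs that requested ?author=<n>, with the IDs they probed."""
    probes: Dict[str, Set[int]] = defaultdict(set)
    for ev in events:
        m = AUTHOR_RE.search(ev["target"])
        if m:
            probes[ev["ip"]].add(int(m.group(1)))
    return dict(probes)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("login brute force:", failed_login_offenders(evs))
    print("author enumeration:", author_enumeration(evs))
```

In the sample, 203.0.113.7 makes five failed POSTs within 43 seconds and is flagged, while 198.51.100.4's two failures ten minutes apart fall outside the window and are not. The flagged addresses are what you would feed into a deny list like the one in section 8, or into a tool such as fail2ban that adds firewall rules for you.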

8. Block Suspicious IP:

Block access to your website from specific IP addresses by adding the following code to your .htaccess file:

<Limit GET POST>
order allow,deny
deny from xxx.xxx.xxx.xxx
allow from all
</Limit>

Replace ‘xxx.xxx.xxx.xxx’ with the IP address you want to block. You can also block multiple IP addresses by adding multiple ‘deny from’ lines.

Note: The <Limit GET POST> wrapper applies the deny rule only to GET and POST requests; other HTTP methods (HEAD, OPTIONS, PUT and so on) are not covered by it. To block an IP address for every method, leave out the <Limit> wrapper and put the order, deny and allow lines directly in the .htaccess file. If you really want to restrict only specific methods, list just those methods inside <Limit> (e.g., GET to cover only GET requests).
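Apache's deny from accepts more than a single full address: it also takes a partial IPv4 address of one to three leading octets, a CIDR prefix, or a network/netmask pair. The following added example, which is mine and not code from the article, models those forms so you can check what a given deny list actually covers before deploying it; the addresses in its constructed deny list are documentation ranges, not real offenders.

```python
import ipaddress
from typing import Iterable


def deny_rule_matches(rule: str, client_ip: str) -> bool:
    """Does one 'deny from <rule>' entry cover client_ip?
    Forms modelled, as Apache documents them: 'all', a full address, a partial
    IPv4 address of 1 to 3 leading octets, a CIDR prefix, or network/netmask."""
    if rule == "all":
        return True
    ip = ipaddress.ip_address(client_ip)
    if "/" in rule:
        # ip_network accepts both a.b.c.d/n and a.b.c.d/m.m.m.m; strict=False
        # tolerates host bits set in the rule. A v4/v6 mismatch simply fails.
        return ip in ipaddress.ip_network(rule, strict=False)
    octets = rule.split(".")
    if ip.version == 4 and 1 <= len(octets) <= 3:
        # Partial addresses match on whole octets, so '10.1' covers 10.1.x.x
        # but not 10.10.x.x (a plain string-prefix test would get this wrong).
        return client_ip.split(".")[: len(octets)] == octets
    try:
        return ip == ipaddress.ip_address(rule)
    except ValueError:
        return False                  # rule is not a parseable full address


def is_blocked(client_ip: str, deny_rules: Iterable[str]) -> bool:
    """Outcome of the article's block: 'order allow,deny' with 'allow from all'
    and one or more 'deny from' lines. Under allow,deny a matching deny wins,
    so the client is blocked exactly when some deny rule covers it."""
    return any(deny_rule_matches(r, client_ip) for r in deny_rules)


# Constructed example deny list (documentation ranges, not real offenders).
DENY_LIST = ["203.0.113.7", "198.51.100.0/24", "192.0.2.0/255.255.255.128",
             "10.1", "2001:db8::/32"]

if __name__ == "__main__":
    for probe in ["203.0.113.7", "198.51.100.77", "192.0.2.9", "192.0.2.200",
                  "10.1.4.4", "10.10.4.4", "2001:db8::1"]:
        print(f"{probe:>16}  {'blocked' if is_blocked(probe, DENY_LIST) else 'allowed'}")
```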

9. Individual File Protection:

You can protect individual files on your website using .htaccess by adding the following code:

<Files "filename.ext">
AuthName "Protected Area"
AuthType Basic
AuthUserFile /path/to/.htpasswd
Require valid-user
</Files>

Replace “filename.ext” with the actual name of the file you want to protect and “/path/to/.htpasswd” with the actual file path to the .htpasswd file that contains the username and password information.

The AuthName directive sets the message displayed to users when they are prompted for authentication. The AuthType directive sets the type of authentication to be used, in this case Basic authentication. The AuthUserFile directive sets the file path to the .htpasswd file. The Require valid-user directive requires that a valid username and password be supplied by the user.

It is important to note that .htaccess files can only be used on servers that run the Apache web server software and have the AllowOverride directive set to All in the server configuration.

10. WP-Content Access Prevention:

Prevent direct access to the wp-content folder and its files in a WordPress website, by adding the following code to the .htaccess file in the root directory of the website:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-content/uploads/.*\.(png|jpg|jpeg|gif|svg|css|js)$ - [NC,F,L]
</IfModule>

This code uses the Apache mod_rewrite module to answer any request for a file with one of the listed extensions (‘.png’, ‘.jpg’, ‘.jpeg’, ‘.gif’, ‘.svg’, ‘.css’, or ‘.js’) in the ‘wp-content/uploads’ folder with a 403 Forbidden error.

Note: This code is meant to be a simple solution to prevent direct access to files in the ‘wp-content’ folder. It may not be sufficient to secure your website in all cases. Keep in mind that browsers load a page's images, stylesheets and scripts by requesting those files directly, so this rule also blocks the site's own media in ‘wp-content/uploads’ from displaying, while a PHP file placed in that folder is not covered by the extension list at all. If you need to add more security to your website, it’s recommended to use a plugin or consult a security expert.
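Because a RewriteRule chain is evaluated top to bottom with flags that stop or skip processing, it is easy to misjudge which paths a set of rules really blocks. The following is an added example, my own code rather than anything from the article or its author: it reproduces the rule chains from section 2 (the wp-includes rules, including the ! negation and the [S=3] skip) and section 10 (the uploads extension rule) as Python regexes and walks a list of constructed request paths through them the way mod_rewrite would, reporting the status each path would get. The F, L, S and NC flags are the only ones modelled, since those are the only ones the article's rules use.

```python
import re
from typing import Dict, List, Tuple

# A rule is (pattern, negated, flags). Only the flags the article's rules use are
# modelled: F (answer 403; F implies L), S=n (skip the next n rules on a match)
# and NC (case-insensitive match).
Rule = Tuple[str, bool, Dict[str, object]]

# Section 2 of the article: the wp-includes rule chain, in the same order.
WP_INCLUDES_RULES: List[Rule] = [
    (r"^wp-admin/includes/", False, {"F": True}),
    (r"^wp-includes/", True, {"S": 3}),          # the '!' prefix in the original
    (r"^wp-includes/[^/]+\.php$", False, {"F": True}),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, {"F": True}),
    (r"^wp-includes/theme-compat/", False, {"F": True}),
]

# Section 10 of the article: the wp-content/uploads extension rule.
UPLOADS_RULES: List[Rule] = [
    (r"^wp-content/uploads/.*\.(png|jpg|jpeg|gif|svg|css|js)$", False,
     {"F": True, "NC": True}),
]


def evaluate(path: str, rules: List[Rule]) -> int:
    """Return the HTTP status the chain produces for a directory-relative path
    (no leading slash, which is how .htaccess rules with RewriteBase / see it)."""
    i = 0
    while i < len(rules):
        pattern, negated, flags = rules[i]
        re_flags = re.IGNORECASE if flags.get("NC") else 0
        matched = re.search(pattern, path, re_flags) is not None
        if negated:
            matched = not matched
        i += 1
        if matched:
            if flags.get("F"):
                return 403                # F stops processing, like L
            i += int(flags.get("S", 0))   # skip the next n rules
    return 200                            # nothing forbade the request


def audit(paths: List[str], rules: List[Rule]) -> Dict[str, int]:
    """Status for every path in a list, e.g. to review a rule set before deploying it."""
    return {p: evaluate(p, rules) for p in paths}


# Constructed sample request paths, not taken from any real server.
SAMPLE_PATHS = [
    "index.php",
    "wp-admin/includes/file.php",
    "wp-includes/wp-db.php",
    "wp-includes/js/jquery/jquery.js",
    "wp-includes/js/tinymce/langs/wp-langs.php",
    "wp-includes/theme-compat/comments.php",
    "wp-content/uploads/2023/10/photo.JPG",
    "wp-content/uploads/2023/10/backdoor.php",
]

if __name__ == "__main__":
    for p, status in audit(SAMPLE_PATHS, WP_INCLUDES_RULES + UPLOADS_RULES).items():
        print(f"{status}  {p}")
```

Two things the output makes visible: the [S=3] skip is only a shortcut, since the three rules it skips all begin with ^wp-includes/ and could not match a path outside that folder anyway; and the section 10 rule forbids the site's own photo.JPG (the NC flag makes the match case-insensitive) while letting a backdoor.php in the same folder through, because .php is not in its extension list.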

By adding all of this code to your .htaccess file, you can protect your website from brute force attacks and from other common attacks against it.

If you need a WordPress expert or a professional WP developer to protect your WordPress website from hacking or brute force attacks, you can contact us. We are an expert team of WordPress developers and web designers, and we can build and manage any type of website.
