With 70 million WordPress sites and counting, and no shortage of attackers probing them, it is worthwhile to look at a few options for securing the WordPress admin files on your website. After scouring the web for months I came across many different ways to block WordPress hackers with .htaccess. This is not the safest route for new programmers or for users who install WordPress plugins often, but if you are confident enough to try, or you have a good developer, you will likely appreciate the options listed here for protecting your WordPress website from malicious attempts to access its files and directories. As usual I have cut out the fluff and given you the quick and dirty steps for securing WordPress admin files. All of these steps could be taken together, but treat them as a menu: pick whatever suits your particular setup best.
Let’s start with what a typical WordPress .htaccess file looks like and go from there.
Typical WordPress .htaccess file
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
First of all, let me suggest that any additions to the .htaccess file be placed after # END WordPress. Also, if you are going to make changes to your .htaccess file, save a copy of the original first and keep it somewhere safe.
Wp-config.php Protection
<Files wp-config.php>
order allow,deny
deny from all
</Files>
This blocks every HTTP request for wp-config.php. The web server itself can still read the file, so WordPress keeps working; only visitors are kept out.
Control IP access
order deny,allow
# replace 201.090.21.0 with your own IP address
allow from 201.090.21.0
deny from all
Allow access for selected users only: this snippet denies access to anyone who is not coming from your IP address. Put it in the .htaccess of the directory you want to restrict (for example wp-admin); in the site root it would lock out every visitor, not just the admin area.
Stop directory Browsing
# directory browsing
Options All -Indexes
Too many programmers know the WordPress layout and can find a way into your site through its plugins or other content, and a directory listing hands them the exact file names. Stop them from browsing your directory listings with this code.
Deny access to Wp-content
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>
This code needs its own .htaccess file placed in the wp-content folder. It lets visitors load images, CSS, JavaScript and XML but blocks direct requests for PHP files, and for any other extension not in the list (web fonts, for instance), so extend the list if your theme or plugins need more.
Protect Files
# Protect the .htaccess
<Files .htaccess>
order allow,deny
deny from all
</Files>
Use this pattern to protect a single file rather than a whole folder of your site.
.htaccess Protection
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
This block denies access to any file whose extension begins with .hta (matched case-insensitively), such as .htaccess itself.
Ban Bad Users
order allow,deny
deny from 202.090.21.1
deny from 204.090.21.2
allow from all
If you have noticed bad users abusing your site, identify them by IP address and block them with this block.
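The Control IP access and Ban Bad Users snippets above use opposite Order lines, and getting that line wrong silently inverts the result. The following is an added example, not code from the original post: it models how Apache 2.2 evaluates Order, Allow from and Deny from, then runs that evaluator over blocks mirroring the post's snippets. The IP addresses are constructed documentation-range values, and the evaluator assumes full IP addresses or CIDR ranges only (not Apache's partial-IP or hostname forms).

```python
import ipaddress

def _matches(rule, client):
    """True if an Allow/Deny argument ('all', an IP, or a CIDR) covers the client IP.
    Assumption: partial-IP and hostname forms that Apache also accepts are not handled."""
    if rule.lower() == "all":
        return True
    return client in ipaddress.ip_network(rule, strict=False)

def parse_access_block(text):
    """Collect Order, 'Allow from' and 'Deny from' arguments; other lines are ignored."""
    order, allows, denies = "deny,allow", [], []  # Apache's default Order is deny,allow
    for raw in text.splitlines():
        words = raw.strip().split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "order" and len(words) > 1:
            order = words[1].lower()
        elif key in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allows if key == "allow" else denies).extend(words[2:])
    return order, allows, denies

def is_allowed(text, client_ip):
    """Apply Apache 2.2 access-control semantics for one client address."""
    order, allows, denies = parse_access_block(text)
    client = ipaddress.ip_address(client_ip)
    allowed = any(_matches(r, client) for r in allows)
    denied = any(_matches(r, client) for r in denies)
    if order == "allow,deny":
        # Allow lines are checked first, Deny lines last; unmatched clients are denied.
        return allowed and not denied
    # deny,allow: Deny lines first, an Allow match overrides; unmatched clients are allowed.
    return allowed or not denied

# Constructed sample blocks (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
ADMIN_LOCKDOWN = "order deny,allow\nallow from 203.0.113.10\ndeny from all"
BAN_LIST = "order allow,deny\ndeny from 203.0.113.50\ndeny from 203.0.113.51\nallow from all"
# Same intent as ADMIN_LOCKDOWN but with the Order reversed: the Deny wins, so nobody gets in.
WRONG_ORDER = "order allow,deny\nallow from 203.0.113.10\ndeny from all"

if __name__ == "__main__":
    for name, block in [("ADMIN_LOCKDOWN", ADMIN_LOCKDOWN), ("BAN_LIST", BAN_LIST), ("WRONG_ORDER", WRONG_ORDER)]:
        for ip in ("203.0.113.10", "203.0.113.50", "198.51.100.7"):
            print(f"{name:15} {ip:15} -> {'allowed' if is_allowed(block, ip) else 'denied'}")
```

On Apache 2.4 these directives are served by mod_access_compat; the native equivalents are Require ip and Require all denied, which do not have the Order pitfall.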