The .htaccess file can be used to restrict access to directories or files on your web site. By restricting access to certain files and directories you can reduce the possibility of your site be compromised.
Remember, the best way to stop your site being compromised or hacked is to keep your content management system (WordPress) up to date. As the developers of WordPress find security issues, they are fixed and included in the next release. By keeping WordPress up to date you are including the latest fixes and security patches.
This also applied to plugins. Only install 3rd party plugins that you trust and are being kept up to date.
The .htaccess files on this page are suggestions to help you secure your WordPress site but are no guarantee to stop hacking of your site.
The wp-config.php contains your database password as well as other pieces of information and should never read by anyone on the Internet.
Copy the following lines into an .htaccess file in the root of your web site:
<files wp-config.php>
order deny,allow
deny from all
</files>
<files wp-login.php>
order deny,allow
deny from all
</files>
A common attack on a WordPress site is trying to guess or brute force the password for the WordPress Admin page. If you have a static (fixed) IP address at your home or office you can restrict access to the WordPress Admin pages to your IP address only.
If you do not have a static IP address you can restrict all access to the WordPress Admin pages. If you need to make a change to your site, you can remove the restriction by using your FTP access and editing the .htaccess file and then reinstating the restrictions afterwards.
To restrict access to the WordPress Admin page place an .htaccess file in your wp-admin directory with the following lines. Replace x.x.x.x with your fixed IP address or remove the line to restrict all access and replace http://yourwebsite.co.nz with your own URL.
Order deny,allow
Deny from all
Allow from x.x.x.x
ErrorDocument 403 http://yourwebsite.co.nz
Another common attack to a WordPress site is to load Trojan files into the wp-content directory where temporary files can be placed during the normal operation of WordPress.
Place an .htaccess file in the wp-content directory with the following lines. This will restrict any files which can be loaded into the directory to be xml, ccs or images.
Order deny,allow
Deny from all
<Files ~ ".(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>
We also often see that the xmlrpc.php gets hammered by brute force attempts. Most of the time these don’t actually get anywhere, but it can seriously impact on the performance of the server. If you don’t need xmlrpc (and most people don’t), then restrict access to it. As above, if you don’t have a fixed IP address, just remove the allow from x.x.x.x line to restrict from everywhere.
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from x.x.x.x
</Files>