A .htaccess (hypertext access) file is the common name of a directory-level configuration file that allows decentralised management of web server configuration. It is usually placed in the site's root directory, but it can go in any directory, where it applies to that directory and everything below it (tip 5 below relies on this). It can override many settings of the server's global configuration, including the content type and character set.
A .htaccess file can be used for many hacks that secure WordPress blogs and websites and improve their functionality. Below is a list of the top 10 htaccess tips and tricks that improve WordPress sites and protect them from attackers. Some block specific IP addresses from visiting the site, some redirect visitors to a maintenance page while a site is being redesigned or modified, some prevent IP addresses from logging in to the WordPress admin section, and more. The snippets use the Apache 2.2 access-control syntax (Order, Allow, Deny); on Apache 2.4 the equivalent directives are Require all denied, Require all granted and Require ip unless mod_access_compat is loaded.
1. Blacklist the IP addresses of undesired users and bots
# The addresses below are placeholders. Replace them with real dotted-quad
# addresses (each octet 0-255); Apache silently never matches an invalid one.
<Limit GET POST PUT>
order allow,deny
allow from all
deny from 123.456.789
deny from 93.121.788
deny from 223.956.789
deny from 128.456.780
</Limit>
Note that <Limit GET POST PUT> restricts only the listed methods (HEAD is treated as GET); any other method stays open to the banned addresses, so for a complete block drop the <Limit> wrapper and keep the order, allow and deny lines.
2. Redirect visitors to a maintenance page
Requires mod_rewrite; maintenance.html must exist in the site root.
RewriteEngine on
# Do not redirect the maintenance page itself, or the redirect loops
RewriteCond %{REQUEST_URI} !/maintenance.html$
# Let your own address (placeholder) through so you can keep working on the site
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule $ /maintenance.html [R=302,L]
The pattern $ matches every request, so stylesheets and images used by the maintenance page are redirected too; add a RewriteCond excluding those paths if the page needs them.
3. Redirect www to non-www or vice versa
Use one of the two blocks, never both, or the two redirects will loop. Replace yourblogname.com with your domain.
To redirect www to non-www:
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^www\.yourblogname\.com$ [NC]
RewriteRule ^(.*)$ http://yourblogname.com/$1 [L,R=301]
To redirect non-www to www:
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^yourblogname\.com$ [NC]
RewriteRule ^(.*)$ http://www.yourblogname.com/$1 [L,R=301]
4. Force caching with htaccess
The following htaccess code won't help the initial page load, but it will significantly help subsequent page loads by sending 304 responses when the requested elements haven't been modified.
# ETag built from modification time and size (not the inode, which differs across servers)
FileETag MTime Size
# Requires mod_expires; replace x with the number of seconds a browser may cache a response
ExpiresActive on
ExpiresDefault "access plus x seconds"
5. Allow only your IP address on the wp-admin directory
Place this .htaccess in the wp-admin directory and replace xx.xx.xx.xx in allow from xx.xx.xx.xx with your own IP address; only that address will then be able to reach wp-admin.
# Without a Require directive the Auth* lines are inert; the IP rule below does the work
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Wordpress Admin Access Control"
AuthType Basic
order deny,allow
deny from all
# Placeholder: replace with your own address
allow from xx.xx.xx.xx
Do not wrap these rules in <Limit GET>: that restricts only GET and HEAD, and POST requests to wp-admin (which is how forms and admin actions are submitted) would still go through. Also note that admin-ajax.php lives in wp-admin and is called by many themes and plugins for logged-out visitors, so test the site after adding this.
6. The easiest way to ban a WordPress spammer
To block a certain IP address from accessing your blog, add the following code to the .htaccess file and replace the example IP address with the one you want to ban.
## USER IP BANNING
<Limit GET POST>
order allow,deny
# Example address from the article; replace with the address to ban
deny from 200.49.176.139
allow from all
</Limit>
As in tip 1, the <Limit GET POST> wrapper leaves other methods open; drop it to ban the address for every request.
7. Deny access to your wp-config.php file
# protect wp-config.php (it holds the database credentials and salts)
<files wp-config.php>
order allow,deny
deny from all
</files>
8. Limit the file upload size to 10MB
# limit request bodies (and therefore uploads) to 10240000 bytes, roughly 10 MB
LimitRequestBody 10240000
PHP's own upload_max_filesize and post_max_size also cap uploads; the smallest of the limits wins.
9. Password protected directories
A simple way to password-protect blog directories. Create the password file with the htpasswd tool and point AuthUserFile at it; the path must be absolute, and the file should live outside the document root so it can never be served.
AuthType Basic
AuthName "restricted area"
AuthUserFile /usr/local/var/www/html/.htpasses
require valid-user
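Tips 1, 5, 6 and 9 share pitfalls that are easy to miss when snippets are pasted: addresses that are not valid IPv4 (Apache silently never matches them), <Limit> wrappers that leave methods unrestricted, and Auth* lines with no Require directive. The following checker, written for this article and not part of it, flags those patterns in a .htaccess text; the sample block and the audit_htaccess name are constructed for the example.

```python
import re

# Constructed sample: the wp-admin restriction from tip 5, with a placeholder
# address left in and the <Limit> wrapper still present.
SAMPLE = """AuthUserFile /dev/null
AuthName "Wordpress Admin Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
allow from 123.456.789
</LIMIT>
"""


def bad_ipv4(addr):
    """True for a dotted address Apache cannot match: an octet above 255 or
    more than four octets. Partial addresses such as 10.1 are valid prefixes."""
    parts = addr.split("/")[0].split(".")
    if not all(p.isdigit() for p in parts):
        return False  # hostname or something else; not checked here
    return len(parts) > 4 or any(int(p) > 255 for p in parts)


def audit_htaccess(text):
    """Return findings for the Apache 2.2 access-control patterns used in the
    tips: unmatchable addresses, <Limit>-scoped denies, inert Auth lines."""
    findings = []
    for m in re.finditer(r"^\s*(allow|deny)\s+from\s+(\S+)", text, re.I | re.M):
        addr = m.group(2)
        if addr.lower() != "all" and bad_ipv4(addr):
            findings.append(f"'{m.group(0).strip()}': {addr} is not a valid IPv4 "
                            "address, so this line never matches")
    for m in re.finditer(r"<Limit\s+([^>]+)>(.*?)</Limit>", text, re.I | re.S):
        methods = m.group(1).strip()
        if re.search(r"\bdeny\s+from\b", m.group(2), re.I):
            findings.append(f"<Limit {methods}>: only {methods} is restricted; other "
                            "methods stay open, drop the wrapper or use <LimitExcept>")
    has_auth = re.search(r"^\s*AuthType\b", text, re.I | re.M)
    has_require = re.search(r"^\s*Require\b", text, re.I | re.M)
    if has_auth and not has_require:
        findings.append("AuthType set without a Require directive: the password "
                        "prompt is never enforced")
    return findings


if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE):
        print("-", finding)
```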
10. Quickly secure plugin files
WordPress plugin files might have a loophole that lets hackers into your website. To prevent others from directly requesting plugin files, place a .htaccess with the following code in the wp-content/plugins directory.
# Deny direct requests to everything in the plugins directory ...
order allow,deny
deny from all
# ... then re-allow the stylesheets and scripts that browsers must still fetch.
# The inner order/allow lines are required: a <Files> section replaces, rather
# than inherits, the directory's access rules.
<Files ~ "\.(js|css)$">
order allow,deny
allow from all
</Files>
This also blocks images, fonts and any PHP files a plugin serves directly, so check the site afterwards and add further <Files> exceptions where a plugin needs them.
Using these htaccess hacks has proven useful in protecting our blog from spammers and third-party automated software trying to get in. They not only protect your website from hackers but also improve the speed and functionality of your blog or website. Do leave a comment if you have come across hacks like these.