Ozkan Oner

Simple Security Measures for WordPress with htaccess

by · 12 October 2020

WordPress is a content management system that many people like and use around the world. That’s why it’s interesting for hackers. Having so many users means plenty of material for hackers. Of course, I don’t think we can make any system 100% secure, but with a few tweaks here, you can take the entry-level security situation to the next level. At least you can get rid of every incoming entry 🙂

Blocking Access from IP Addresses
With the code below, we can block access from the IP addresses we specify. This code can be used to block known spammers and other suspicious or malicious sources of access.

<Limit GET POST>
    order allow,deny
    deny from IP_ADDRESS_1
    deny from IP_ADDRESS_2
    allow from all
</Limit>

Setting Access Permission to Certain Files in wp-content
One of the most commonly used hacking methods is to upload the file it has produced to the site and run it on the server. WordPress uses the wp-content folder as the upload location. To avoid this situation, we can use the following code. You can allow or block the extensions you want by changing the extensions in parentheses.

Order deny,allow
Deny from all
<Files ~ ".(xml|css|js|jpe?g|png|gif|pdf|docx|rtf|odf|zip|rar)$">
    Allow from all
</Files>

Identifying IP Addresses That Can Access the wp-admin Folder
If you have a static IP address, you can prevent others from accessing wp-admin, that is, the admin panel, by simply typing your own IP address. You can give access to more than one IP address by duplicating the line where you write IP.

<Limit GET POST PUT>
    order deny,allow
    deny from all
    allow from IP_ADDRESS_1
    allow from IP_ADDRESS_2
</Limit>

Blocking All Access to wp-config.php and .htaccess
I think there is no need to explain the importance of wp-config.php and .htaccess files. You can close all access to these files with the help of the codes below.

<files wp-config.php>
    order allow,deny
    deny from all
</files>

<files ~ "^.*\.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
</files>

Turning Off Directory Listing
And finally, turn off directory listing. Linux lists the files in the directory by default if you don’t have index.html index.php etc files in the directory. You may have sensitive files here that you don’t want others to see. It is possible to prevent this with a single line of code. If you do not have an index file, you can create an access block warning with the code below.

Options All -Indexes

Tags:

You may also like...