For details on what an .htaccess file does and how to create one, see the htaccess file knowledge base. Millions of WordPress users rely on the .htaccess file to protect their sites from spammers, attackers and other known threats, and to improve site performance. Below are some useful .htaccess rules for WordPress security and performance. All of them are Apache directives: they only take effect if your site runs on Apache (or a compatible server such as LiteSpeed) with AllowOverride enabled for the directory, and a single syntax error in an .htaccess file makes Apache answer every request below it with a 500 error, so keep a backup of the file before you edit it and test the site right after each change.
1. The Default WordPress Rewrite Rules

Most hosting control panels can install WordPress with a few clicks. Once WordPress is installed and you switch the permalink settings from the default https://domain.powerhoster.com/?p=123 to a search-engine-friendly structure such as https://domain.powerhoster.com/sample-post/, WordPress writes an .htaccess file into the site root (provided the directory is writable) that looks like this:
# BEGIN WordPress
RewriteEngine On
RewriteBase /
# Serve index.php itself without further rewriting
RewriteRule ^index\.php$ - [L]
# Any request that is not an existing file or directory is handed to index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
If no .htaccess file exists in your root directory, create one with the content above and upload it; if WordPress cannot write to the directory, the Permalinks settings page shows the same rules for you to copy. These rules make every post reachable at a readable URL, which is an important part of search engine optimization. Keep in mind that WordPress rewrites everything between the # BEGIN WordPress and # END WordPress markers whenever the permalink settings are saved, so put your own rules outside those markers or they will be lost.
2. Protect Your WordPress Admin Area
A common first step is to hide the admin login behind a non-default URL, for example with the iThemes Security plugin, so that automated scanners do not find your admin area. This is only obscurity: anyone who learns the new URL is back where they started, so you should also restrict the admin area by IP address with an .htaccess file placed inside the wp-admin directory:
# The Auth* lines declare HTTP Basic authentication, but with /dev/null as the
# user file and no "Require" directive Apache never challenges anyone; the
# real access control here comes from the deny/allow rules below.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
# Deny everyone first, then let the listed addresses override (Apache 2.2 syntax)
order deny,allow
deny from all
# whitelist your own IP address
allow from xx.xx.xx.xx
# whitelist your partner's IP address
allow from xx.xx.xx.xxx
Replace xx.xx.xx.xx with your own public IP address and xx.xx.xx.xxx with your partner's; you can add as many allow from lines as you need. Two caveats. First, the whitelist only works if your address is static: a home or mobile connection whose address changes will lock you out, and you will have to remove the file over FTP or the hosting file manager to get back in. Second, the rule covers only the wp-admin directory; wp-login.php lives in the site root, so brute-force attempts against the login form itself are not stopped by this file. The order, deny and allow directives are Apache 2.2 syntax, which Apache 2.4 accepts only while the mod_access_compat module is loaded. For more ways to secure your admin area, see here.
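The same whitelist written so that it works on both Apache 2.2 and 2.4 (2.4 replaced Order/Deny/Allow with Require and keeps the old form only through mod_access_compat), plus an exception for admin-ajax.php, which themes and plugins call from the public front end on behalf of every visitor and which a blanket deny on wp-admin would break. This is an added example, not part of the original article; 203.0.113.10 and 198.51.100.0/24 are documentation addresses standing in for your own.

```apache
# wp-admin/.htaccess (added example; replace the addresses with your own)

# Apache 2.4: mod_authz_core provides the Require directive
<IfModule mod_authz_core.c>
    <RequireAny>
        # your own static address
        Require ip 203.0.113.10
        # your partner's office network (CIDR ranges are accepted)
        Require ip 198.51.100.0/24
    </RequireAny>
    # admin-ajax.php is requested by anonymous visitors (front-end AJAX from
    # themes and plugins), so it must stay reachable from any address.
    <Files admin-ajax.php>
        Require all granted
    </Files>
</IfModule>

# Apache 2.2: the Order/Deny/Allow form of the same policy
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 198.51.100.0/24
    <Files admin-ajax.php>
        Order allow,deny
        Allow from all
        Satisfy any
    </Files>
</IfModule>
```

Apache does not allow a comment after a directive on the same line, which is why every comment above sits on its own line. After uploading the file, load the admin area from a whitelisted address and from a phone on mobile data: the first should work, the second should return 403, and the public site should still function (a broken front end usually means a plugin is calling something other than admin-ajax.php inside wp-admin).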
3. Ban Suspicious IP Addresses
If your access logs show suspicious IP addresses (repeated failed logins, scanner requests for files that do not exist, comment spam), you can block them in the .htaccess file in your root directory:
order allow,deny
deny from xxx.xxx.xx.x
allow from all
Replace xxx.xxx.xx.x with the address you want to block, one deny from line per address; a CIDR range such as 198.51.100.0/24 blocks a whole network. The order matters: with order allow,deny Apache evaluates the allow directives first and then lets deny override them, so the result is "everyone except the listed addresses". If you reverse it to order deny,allow, allow from all wins and the ban silently does nothing. Also note that if your site sits behind a CDN or reverse proxy, Apache sees the proxy's address, not the visitor's, and these rules will not match until the server administrator configures mod_remoteip (RemoteIPHeader cannot be set from .htaccess).
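The same blocklist in a form that works on both Apache 2.2 and 2.4. On 2.4 the pattern is a RequireAll container that grants everyone and then subtracts the banned addresses with Require not ip. This is an added example rather than the article's own rules; 192.0.2.15 and 198.51.100.0/24 are documentation addresses used as placeholders.

```apache
# .htaccess in the site root (added example; addresses are placeholders)

# Apache 2.4: allow everyone, then carve out the banned addresses.
# Every "Require not ip" inside RequireAll must hold for access to be granted.
<IfModule mod_authz_core.c>
    <RequireAll>
        Require all granted
        # a single host
        Require not ip 192.0.2.15
        # a whole network in CIDR notation
        Require not ip 198.51.100.0/24
    </RequireAll>
</IfModule>

# Apache 2.2 form of the same list
<IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
    Deny from 192.0.2.15
    Deny from 198.51.100.0/24
</IfModule>
```

Because this file sits in the site root, the ban applies to every URL on the site, including images and the admin area. Blocked visitors receive a 403 response; if you want to be sure a rule fired, look for the address in the Apache error log, which records "client denied by server configuration" for each refused request.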
4. Protect .htaccess From Unauthorized Access
The .htaccess file is powerful: within its directory it carries the same weight as the server's main Apache configuration file. An attacker who can read it learns your access rules, and one who can write to it can redirect your visitors, inject rules of their own or turn your site into a phishing or malware host, which is a common reason for a hosting provider to suspend an account. Apache's default configuration already refuses to serve any file whose name begins with .ht, but not every host keeps that default, so add the following to your .htaccess file as well:
# Any file whose name contains ".hta" in any letter case, e.g. .htaccess or .htaccess.bak
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
5. Protect your wp-config.php
wp-config.php is the most sensitive file in your WordPress installation: it holds the database credentials and the authentication keys and salts. Anyone who can read it can connect to your database (if it is reachable from outside) and forge login cookies, and anyone who controls the database controls the whole site. Add the following to the .htaccess file in your root directory to refuse direct HTTP requests for the file:
<files wp-config.php>
order allow,deny
deny from all
</files>
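The rule above only matches the exact name wp-config.php, and the .htaccess rule in the previous section only matches names containing ".hta", so neither catches the backup copies editors and FTP clients leave behind (wp-config.php.bak, wp-config.php~, .htpasswd, .htaccess.old). Apache will happily serve wp-config.php.bak as plain text, credentials included. The following replaces both rules with one pattern and works on Apache 2.2 and 2.4; it is an added example, not part of the original article.

```apache
# .htaccess in the site root (added example)
# Matches every file whose name starts with ".ht" (.htaccess, .htpasswd,
# .htaccess.bak) or with "wp-config.php" (the live file and any backup
# copy such as wp-config.php.bak or wp-config.php~).
<IfModule mod_authz_core.c>
    <FilesMatch "^(\.ht|wp-config\.php)">
        Require all denied
    </FilesMatch>
</IfModule>
<IfModule !mod_authz_core.c>
    <FilesMatch "^(\.ht|wp-config\.php)">
        Order allow,deny
        Deny from all
        Satisfy All
    </FilesMatch>
</IfModule>
```

This only blocks HTTP requests; PHP still reads wp-config.php normally, because includes never go through the web server's access control. For a stronger separation, WordPress also supports keeping wp-config.php one directory above the document root, where no URL can reach it at all.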
6. Protect Your wp-content Directory
The wp-content directory holds your themes, plugins and uploads, and it is where most compromises end up: a vulnerable upload form or plugin lets an attacker drop a PHP file there and then run it simply by requesting its URL. The rules below, placed in an .htaccess file inside wp-content, refuse every request for that directory except the static file types listed:
Order deny,allow
Deny from all
# Allow only these static file types; (?i) makes the match case-insensitive so photo.PNG is served too
<Files ~ "(?i)\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>

Be aware of what this does not serve: web fonts (woff, woff2), SVG, WebP and ICO images, PDFs, audio and video, and any PHP file that a plugin legitimately exposes under wp-content, all of which will start returning 403. Test the site thoroughly after adding it, and extend the list as needed.
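A narrower rule that many sites use instead is to forbid PHP execution only in wp-content/uploads, the one place where files arrive from users, while leaving themes and plugins alone. This is an added example, not from the original article. The (\.|$) at the end of the pattern is deliberate: with PHP wired into Apache through AddHandler, a name like shell.php.jpg is still executed as PHP, so the pattern refuses any name that contains a PHP extension anywhere after a dot, not only at the end.

```apache
# wp-content/uploads/.htaccess (added example)
# Refuse direct requests for any name a PHP handler might execute.
# Files are still stored normally; they simply cannot be run via a URL.
# "(\.|$)" also catches double extensions such as shell.php.jpg.
<IfModule mod_authz_core.c>
    <FilesMatch "\.(php[0-9]?|phtml|phps)(\.|$)">
        Require all denied
    </FilesMatch>
</IfModule>
<IfModule !mod_authz_core.c>
    <FilesMatch "\.(php[0-9]?|phtml|phps)(\.|$)">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>
```

To check it, upload a harmless test file named test.php containing only a comment and request it in the browser: you should see a 403 page, not a blank page (a blank page means the file executed). Remove the test file afterwards. Note that this stops direct requests only; it does not protect against PHP code that another script includes from the uploads directory.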
7. Block Include-Only Files From Being Accessed by Others
The files under wp-includes and wp-admin/includes are PHP libraries that WordPress loads internally; no browser or other site should ever request them directly. At best a direct request produces PHP errors that leak file paths, at worst it reaches code that was never meant to run on its own. The rules below, which are the ones given in the WordPress hardening guide, return 403 Forbidden for such requests. Put them in the .htaccess file in your root directory, outside the # BEGIN WordPress and # END WordPress markers so WordPress does not overwrite them:
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Nothing under wp-admin/includes/ is meant to be requested directly
RewriteRule ^wp-admin/includes/ - [F,L]
# If the request is not under wp-includes/, skip the next three rules
RewriteRule !^wp-includes/ - [S=3]
# PHP files directly inside wp-includes/, TinyMCE language files and theme-compat
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

The [F] flag makes Apache answer 403 Forbidden and [L] stops processing further rules. The [S=3] rule is a shortcut that skips the three wp-includes rules for every request that is not under wp-includes, so they cost nothing for normal page loads. Do not use this block on a Multisite installation: the rule for ^wp-includes/[^/]+\.php$ blocks ms-files.php, which Multisite uses to serve uploaded images.
8. Enable Browser Caching
Caching plugins such as WP Super Cache and W3 Total Cache generate static copies of your pages on the server. Independently of that, you can tell visitors' browsers how long to keep static files (images, stylesheets, scripts) so that repeat visits do not download them again, using the mod_expires module in your .htaccess file:
# Setup browser caching
# Only if mod_expires is loaded; without the guard Apache returns a 500 error on hosts that lack it
<IfModule mod_expires.c>
ExpiresActive On
# Apache sends .jpg files as image/jpeg; "image/jpg" is not a real type and never matches
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType image/x-icon "access 1 year"
ExpiresByType text/css "access 1 month"
# Scripts are served as application/javascript (newer Apache releases: text/javascript); text/x-javascript never matches
ExpiresByType application/javascript "access 1 month"
ExpiresByType text/javascript "access 1 month"
ExpiresByType application/pdf "access 1 month"
# Flash is obsolete; the line is harmless but can be removed
ExpiresByType application/x-shockwave-flash "access 1 month"
# Applies to every other type, including text/html pages that carry no Expires header of their own
ExpiresDefault "access 2 days"
</IfModule>

Two things to keep in mind. Long lifetimes mean a browser may keep using an old stylesheet or script after you update a theme or plugin; WordPress appends a ?ver= query string to the assets it enqueues, which changes the URL and sidesteps the cache, but files you link by hand need a new name after each change. And ExpiresDefault applies to HTML too: mod_expires leaves responses alone only when they already carry an Expires header (WordPress sends one for logged-in users and admin pages), so with the value above an anonymous visitor's browser may show a two-day-old copy of a page and miss new posts and comments.
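A tighter version of the same policy, added here as an example rather than taken from the original article: it uses the MIME types Apache actually sends, adds the modern image and font types, and sets the lifetime of HTML and JSON responses to zero so that dynamic pages are always revalidated while static files stay cached for a long time. The "plus" keyword is optional in mod_expires syntax; it is written out here for readability.

```apache
# .htaccess in the site root (added example)
<IfModule mod_expires.c>
    ExpiresActive On

    # Long-lived static assets. Safe only because their URLs change when the
    # content does (WordPress's ?ver= query string, or a new file name).
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType image/x-icon "access plus 1 year"
    ExpiresByType font/woff2 "access plus 1 year"
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType text/javascript "access plus 1 month"
    ExpiresByType application/pdf "access plus 1 month"

    # Dynamic responses: expire immediately so the browser always revalidates.
    ExpiresByType text/html "access plus 0 seconds"
    ExpiresByType application/json "access plus 0 seconds"
    # Anything not listed above gets no caching rather than a surprise lifetime.
    ExpiresDefault "access plus 0 seconds"
</IfModule>
```

A type that your server never sends is simply ignored, so an unmatched line does no harm; a line that matches the wrong type does. To see what a file really returns, run curl -I against one of your own static files and check the Content-Type, Expires and Cache-Control headers in the response.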