Web and designers | Complete resource platform for web designers and developers – 20 htaccess hacks to prevent your WordPress site from hacking

A .htaccess (hypertext access) file is the common name of a directory-level configuration file which allows decentralised management of web server configuration. A .htaccess file is always added to the root directory, it can override many other configuration settings which includes server’s global configuration, content type and character set.

A .htaccess file can be used for lots of hacks that will secure and improve functionality for WordPress blogs and websites. Below are lists of top 20 htaccess hacks which will improve and prevent WordPress sites and blog from hacking. Some will allow to block specific IP addresses to visit the site, redirect visitors to maintenance page when particular site is redesigned or modified, prevent IP addresses to login into the wordpress admin section and many more.

1. Blacklist undesired users and bots ip address

Apache can be used to ban undesirable people and bots from your website. This code allows people to visit the blog except the person with the IP addresses

1<Limit GET POST PUT>
2order allow,deny
3allow from all
4deny from 123.456.789
5deny from 93.121.788
6deny from 223.956.789
7deny from 128.456.780
8</LIMIT>

Article link

2. Redirect Day and name permalinks to /%postname%/

The first thing to do is to login to your WordPress admin, go to Settings → Permalinks and select custom. Fill out the field with /%postname%/.

Your permalinks will now look like the ones on this blog:

`1`	`http://www.yourblog.com/name-of-the-post`

Now we got to redirect all backlinks using the old permalinks structure to the new permalink structure. To do so, you’ll have to edit the .htaccess file, located in WordPress root directory.
Be careful while editing .htaccess: Always create a backup before!

Paste the following line in your .htaccess:

`1`	`RedirectMatch 301 /([0-9]+)/([0-9]+)/([0-9]+)/(.*)$ http://www.domain.com/$4`

Article link

3. Redirect visitors to a maintenance page

1RewriteEngine on
2RewriteCond %{REQUEST_URI} !/maintenance.html$
3RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123
4RewriteRule $ /maintenance.html [R=302,L]

Article link

4. Redirect www to non www or vice versa

1RewriteEngine On
2RewriteBase /
3RewriteCond %{HTTP_HOST} ^www.yourblogname.com [NC]
4RewriteRule ^(.*)$ http://yourblogname.com/$1 [L,R=301]

1RewriteEngine On
2RewriteBase /
3RewriteCond %{HTTP_HOST} ^yourblogname.com [NC]
4RewriteRule ^(.*)$ http://www.yourblogname.com/$1 [L,R=301]

5. Setting canonical url manually using .htaccess

1# Set the canonical url
2RewriteEngine On
3RewriteCond %{HTTP_HOST} ^yourblogname\.com$ [NC]
4RewriteRule ^(.*)$ http://www.yourblogname.com/$1 [R=301,L]

6. Redirect WordPress Feeds to FeedBurner

This nice hack redirects http://www.yoursite.com/feed to http://feeds.feedburner.com/yoursite.

1# temp redirect wordpress content feeds to feedburner
2<IfModule mod_rewrite.c>
3 RewriteEngine on
4 RewriteCond %{HTTP_USER_AGENT} !FeedBurner    [NC]
5 RewriteCond %{HTTP_USER_AGENT} !FeedValidator [NC]
6 RewriteRule ^feed/?([_0-9a-z-]+)?/?$ http://feeds.feedburner.com/webanddesigners [R=302,NC,L]
7</IfModule>

Article link

7. Redirect WordPress Comment Feeds to FeedBurner

1# temp redirect wordpress comment feeds to feedburner
2<IfModule mod_rewrite.c>
3 RewriteEngine on
4 RewriteCond %{HTTP_USER_AGENT} !FeedBurner    [NC]
5 RewriteCond %{HTTP_USER_AGENT} !FeedValidator [NC]
6 RewriteRule ^comments/feed/?([_0-9a-z-]+)?/?$ http://feeds.feedburner.com/webanddesigners [R=302,NC,L]
7</IfModule>

Article link

8. SEO Friendly 301 Redirects

Use the following code to: Redirect to specific page without showing old fashion error page.

`1`	`#SEO Friendly 301 Redirects`

`2`	`Redirect 301 /abc/file.html http://www.yourblogname.com/def/file.html`

9. Force Caching with htaccess

The following htaccess code won’t help the initial pageload, but it will significantly help subsequent pageloads by sending 304 statuses when requested elements haven’t been modified.

1FileETag MTime Size
2ExpiresActive on
3ExpiresDefault "access plus x seconds"

10. Allow only your IP adress on the wp-admin directory

Replace your IP with allow from xx.xx.xx.xx which will only allow your IP to access wp-admin directory.

1AuthUserFile /dev/null
2AuthGroupFile /dev/null
3AuthName "Wordpress Admin Access Control"
4AuthType Basic
5<LIMIT GET>
6order deny,allow
7deny from all
8allow from xx.xx.xx.xx
9</LIMIT>

11. How to: Deny comment posting to no referrer requests

Simple hack to prevent spammers posting on your blog.

1RewriteEngine On
2RewriteCond %{REQUEST_METHOD} POST
3RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
4RewriteCond %{HTTP_REFERER} !.*yourblog.com.* [OR]
5RewriteCond %{HTTP_USER_AGENT} ^$
6RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]

Article link

12. The easiest way to ban a WordPress spammer

To block certain IP address from accessing your blog enter the following code into .htaccess file and replace example IP address with the one you want to ban.

1## USER IP BANNING
2<Limit GET POST>
3order allow,deny
4deny from 200.49.176.139
5allow from all
6</Limit>

13. Redirect visitors to a maintenance page

1RewriteEngine on
2RewriteCond %{REQUEST_URI} !/maintenance.html$
3RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123
4RewriteRule $ /maintenance.html [R=302,L]

Article link

14. Deny access to your wp-config.php file.

wp-config.php file in WordPress includes all important information like database name,

1# protect wpconfig.php
2<files wp-config.php>
3order allow,deny
4deny from all
5</files>

Article link

15. Limit the File upload size to 20MB

To limit file upload size in wordpress to 20MB use the following code.

`1`	`# limit file uploads to 10mb`

`2`	`LimitRequestBody 10240000`

16. Customized HTTP 404 error page

If you’d like to redirect your visitors every time they catch into an HTTP 404 error, use this code:

1# custom error pages
2ErrorDocument 401 /err/401.php
3ErrorDocument 403 /err/403.php
4ErrorDocument 404 /err/404.php
5ErrorDocument 500 /err/500.php

Article link

17. Add Trailing Slash to URL

To add slash at the end of your URL add the following code to .htaccess file.

1#trailing slash enforcement
2RewriteBase /
3RewriteCond %{REQUEST_FILENAME} !-f
4RewriteCond %{REQUEST_URI} !#
5RewriteCond %{REQUEST_URI} !(.*)/$
6RewriteRule ^(.*)$ http://domain.com/$1/ [L,R=301]

18. Password protected directories

A simple way to password protect blog directories

1AuthType Basic
2AuthName "restricted area"
3AuthUserFile /usr/local/var/www/html/.htpasses
4require valid-user

19. CheckSpelling directive

This directive can be useful to auto-correct simple spelling errors in the URL

1<IfModule mod_speling.c>
2CheckSpelling On
3</IfModule>

Article link

20. Quickly secure plugin files

WordPress plugin files might have a loop hole and may allow hackers to get into your website. To prevent others to have direct access to plugin files use following code.

1<Files ~ "\.(js|css)$">
2  order allow,deny
3  allow from all
4</Files>

Using these htaccess hacks have proven to be useful for our blog from spammers and third party automated software trying to enter our blog. These hacks not only prevents your website from hackers but also improve speed and functionality of your blog/website. Do leave your comment if you have come across hacks like these.