The .htaccess file ("Hypertext Access") in your WordPress directory is a configuration file that lets you override your Apache web server's settings for that directory and its subfolders. (Only Apache and compatible servers read it; Nginx ignores it.)
With the right directives, you can enable or disable features to protect your website from spammers, attackers and other threats.
These directives cover redirects, blocking access to specific files, and more advanced functions such as password protection or preventing image hotlinking.
In this tutorial we will look at some simple changes you can make to your .htaccess file to make your blog more secure.
But first, if you have never installed WordPress, see How to install a WordPress blog in 7 steps and How to search, install and activate a WordPress theme on your blog.
Now let's get to why we are here.
Changing the .htaccess file
When you activate permalinks on WordPress, an .htaccess file is automatically created at the root of your website.
When WordPress writes to .htaccess, it always places its rules between the following comment markers:
# BEGIN WordPress
# END WordPress
The # character marks a comment line, so these markers do not affect your configuration. WordPress rewrites everything between them whenever it regenerates its rewrite rules (for example when you change the permalink structure), so put your own directives outside the markers, or they will be lost.
These files are powerful, and the slightest syntax error, such as a missing "<", can make your whole website unavailable (a 500 Internal Server Error). It is therefore important to back up your .htaccess file before making any changes.
Also read our guide on Some htaccess tricks you probably do not know
Some operating systems (Windows Explorer, for instance) do not let you create a file whose name starts with a dot. The easiest workaround is:
- Using Notepad or a similar text editor, write your directives in the editor
- Save the file as a .txt file
- Upload the file to your website
- Once uploaded, rename the file to ".htaccess"
Reload your blog immediately to check that everything still works. If it does not, restore the previous .htaccess file.
How to protect your wp-config.php file
One of the most important files in your WordPress installation is wp-config.php.
It is located at the root of your WordPress installation and contains your blog's core configuration, such as the WordPress security keys and the database connection details. This information is of course sensitive: anyone who can read it can take over your database and your blog.
Discover also our 10 WordPress plugins to protect the content of a website
You can protect wp-config.php by adding the following to the .htaccess file at the root of the installation (the <Files> wrapper is essential; without it the two directives would deny access to the entire site):
<Files wp-config.php>
order allow,deny
deny from all
</Files>
You will of course still be able to access the file via FTP or cPanel; only HTTP requests for it are refused.
How to prevent browsing in WordPress folders
Disabling directory browsing is security through obscurity: it stops visitors from listing the contents of folders that have no index file (for example wp-content/uploads or wp-content/plugins), which would otherwise reveal which files and plugins you have. It does not block requests for files whose names are already known.
It is still good practice, and it works well alongside the other protections listed in this article.
To disable listings, add this line to your .htaccess file:
Options -Indexes
If your host does not allow Options in .htaccess (AllowOverride without Options), this line causes a 500 error; remove it and ask your host to disable indexes for you.
How to prevent Hotlinking your blog
Hotlinking is when another website embeds your images directly from your server. It drains your bandwidth: if 10,000 people view the image on that other site, the bandwidth is billed to you, not to the site using your image.
You can add the following to your .htaccess file to prevent hotlinking on your blog:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomainname/.*$ [NC]
# Never rewrite the replacement image itself, otherwise the rule would redirect it in a loop
RewriteCond %{REQUEST_URI} !/hotlink\.gif$
RewriteRule \.(gif|jpg)$ http://yourdomainname/hotlink.gif [R,L]
Remember to change yourdomainname to your domain name and hotlink.gif to an image stating that hotlinking is disabled on your blog. The first condition lets requests with an empty referer through (direct visits, or browsers and proxies that strip the header), and the condition on REQUEST_URI is required because hotlink.gif itself matches the rule.
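As an added example (not part of the original tutorial), the rule above generalised: it accepts https as well as http, the www and non-www forms of the domain, covers more image formats, and answers with 403 Forbidden instead of redirecting to an image, which removes any possibility of a redirect loop. The domain example.com is a placeholder for your own.

```apache
# Added example: hotlink protection that returns 403 instead of a replacement image.
# Assumption: the site is served as example.com (replace with your own domain).
<IfModule mod_rewrite.c>
RewriteEngine On
# Allow requests with no referer (direct visits, browsers or proxies that strip the header)
RewriteCond %{HTTP_REFERER} !^$
# Allow any page of our own site, over http or https, with or without www.
# "(/|$)" stops example.com.attacker.net from passing as example.com
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/|$) [NC]
# Anything else requesting an image gets 403 Forbidden; [F] implies [L]
RewriteRule \.(gif|jpe?g|png|webp|svg)$ - [F,NC]
</IfModule>
```

Place this above the "# BEGIN WordPress" block. To check it, request an image with a foreign referer, `curl -I -e https://other.example/ https://example.com/wp-content/uploads/photo.jpg`, and expect 403; the same request without `-e` should return 200. If you want image search engines to keep indexing your pictures, add a further RewriteCond that excludes their referers before the RewriteRule.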
Restrict access to your dashboard
There are several ways to protect access to your dashboard. The simplest is to allow only certain IP addresses (practical if you always access your blog from the same place with a fixed IP). To do this, create a new .htaccess file containing the following directives:
order deny,allow
allow from yourip
deny from all
Replace yourip with your IP address. To find it, go to the following website: My-IP. Once you have added your IP and saved the .htaccess file, upload it to the /wp-admin folder (not the root of the installation).
See also our guide on How to customize the WordPress dashboard for a client
After this, you will be the only one able to access your dashboard. To add further IP addresses (for new administrators, for example), edit the .htaccess file in the /wp-admin folder and add the extra addresses to the allow line, separated by spaces:
allow from yourip admin_ip_1 admin_ip_2 admin_ip_3
where admin_ip_1, admin_ip_2 and admin_ip_3 are replaced by the administrators' actual IP addresses. Note that this rule only covers /wp-admin: the login form, wp-login.php, sits at the root of the installation and is not affected by it.
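Added example, not from the original tutorial: the wp-admin restriction written so that it works on both Apache 2.2 and 2.4 (the order/allow/deny syntax above is the 2.2 form and fails with a 500 error on 2.4 unless mod_access_compat is loaded), with an exception for admin-ajax.php, which themes and plugins call for anonymous visitors, and a matching rule for wp-login.php in the root .htaccess. The addresses 203.0.113.10, 198.51.100.0/24 and 2001:db8::/32 are documentation placeholders.

```apache
# --- File 1: /wp-admin/.htaccess (added example; IP addresses are placeholders) ---
# Only the listed addresses may reach the dashboard. admin-ajax.php stays open because
# front-end features of themes and plugins call it for logged-out visitors.
<IfModule mod_authz_core.c>
  # Apache 2.4 and later
  <RequireAny>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
    Require ip 2001:db8::/32
  </RequireAny>
  <Files admin-ajax.php>
    Require all granted
  </Files>
</IfModule>
<IfModule !mod_authz_core.c>
  # Apache 2.2
  Order deny,allow
  Deny from all
  Allow from 203.0.113.10 198.51.100.0/24 2001:db8::/32
  <Files admin-ajax.php>
    Order allow,deny
    Allow from all
  </Files>
</IfModule>

# --- File 2: addition to the root .htaccess, above the "# BEGIN WordPress" block ---
# wp-login.php lives in the site root, so the wp-admin rule alone leaves the login form
# open to password guessing.
<Files wp-login.php>
  <IfModule mod_authz_core.c>
    Require ip 203.0.113.10 198.51.100.0/24 2001:db8::/32
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10 198.51.100.0/24 2001:db8::/32
  </IfModule>
</Files>
```

Two caveats before relying on this: if your IP changes you will lock yourself out and must remove the file over FTP, and if the site sits behind a CDN or reverse proxy, Apache sees the proxy's address for every visitor, so the rule either blocks everyone or nobody until mod_remoteip is configured in the server configuration.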
Protect your ".htaccess" file
You will never be safe if the very foundation of your security is itself exposed, so the .htaccess file must be protected too. Once the rule below is in place, any visitor who requests .htaccess over HTTP gets a 403 Forbidden error page from the server.
To protect your .htaccess file, add this code:
<Files .htaccess>
order allow,deny
deny from all
</Files>
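As an added example (not the tutorial's own code), the wp-config.php, directory-listing and .htaccess rules from this article combined into one root .htaccess that shows where custom directives belong relative to the WordPress block, written in the form that works on both Apache 2.2 and 2.4. The FilesMatch pattern also covers .htpasswd and editor or backup copies of wp-config.php (wp-config.php.bak, wp-config.php~ and so on), a common way for the real file's contents to leak. The WordPress block shown is the standard one WordPress generates for permalinks.

```apache
# Root .htaccess (added example). Assumes Apache with AllowOverride permitting
# AuthConfig, Limit, Options and FileInfo; ask your host if you get a 500 error.

# 1. Block HTTP access to wp-config.php (and backup/editor copies of it),
#    .htaccess and .htpasswd. FilesMatch tests the file name only.
<FilesMatch "^(wp-config\.php.*|\.ht(access|passwd))$">
  <IfModule mod_authz_core.c>
    # Apache 2.4 and later
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>

# 2. No directory listings for folders without an index file
Options -Indexes

# 3. The block WordPress manages itself. Keep custom rules above it: WordPress
#    rewrites everything between the markers when permalinks are saved.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
```

Verify from outside with `curl -I https://example.com/wp-config.php` and `curl -I https://example.com/.htaccess`: both should answer 403, and `curl -I https://example.com/wp-content/uploads/` should no longer return a listing. A 403 still confirms that the file exists, which is acceptable; what matters is that its contents are never served.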
In short
Editing your .htaccess file, or creating a new one for subfolders, can greatly increase the security of your blog. Use these tips to strengthen your blog's security alongside the other measures you have learned on the web or here on blogpascher.
Discover also some themes and premium WordPress plugins
You can use other WordPress plugins to give your blog or website a modern look and make it easier to manage.
Here are some premium WordPress plugins that will help you do that.
1. Facebook Comments for WordPress and WooCommerce
WP Facebook Comments is a premium WordPress plugin that lets visitors comment on your blog content using their Facebook accounts.
Users can also choose to share their comments with their friends (and friends of their friends) on Facebook.
Read our article on How content marketing affects the SEO of your blog
This plugin comes with built-in moderation tools and social ranking of comments.
2. Zxeion
Zxeion is a premium WordPress plugin dedicated to improving the security of your website. It bundles a collection of protection and security tools intended to protect your website against attacks.
Its real-time protection system is designed to identify threats to your website and block them without any action on your part.
See also: 10 WordPress Themes to Create an Event Website
Its main features are: real-time protection, an IP address blocker, a modern and professional interface, regular updates, good documentation and dedicated customer support, among others.
3. WP Membership
The premium WordPress plugin WP Membership has the advantage of being multilingual and currently ships with nearly 11 languages. Like the other WordPress plugins in this list, it will help you protect your content.
Its main features include support for several payment gateways (PayPal, Stripe), several pricing table layouts, 2 page templates dedicated to registration and 5 profile section layouts.
Its real strength, however, is that you will hardly need to configure or customise it: install it and start protecting your content.
Recommended Resources
Find out about other recommended resources to help you build and manage your website.
- 9 WordPress plugins to restrict access to your content
- 9 WordPress plugins to customize your homepage
- 6 WordPress plugins to ensure GDPR compliance of a blog
- 5 WordPress plugins to create responsive tables
Conclusion
And that's it for this tutorial. We hope it helps you improve the security of your WordPress blog. Feel free to share it with your friends on your favourite social networks.
If you need more material for your website projects, you can also consult our resources, starting with our guide on WordPress blog creation.
And if you have any suggestions or remarks, leave them in our Comments section.
...
Hello,
Thanks for the info. I've had some blogs where IDs like admin/admin were injected into the database before; they then log into your blog and do whatever they want there.
With an extra .htaccess, they can't reach the login page. Here's what I did:
Installed the .htaccess file in the root of the server (not the site):
ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
AuthName "Authorized Only"
AuthType Basic
# path depends on your host
AuthUserFile /home/…/.motdepasse
Require valid-user
And a .motdepasse file containing your login and encrypted password, generated at this address: http://www.htaccesstools.com/htpasswd-generator/
That means two logins to get through when working on your WordPress, but I prefer that to waking up with a hacked blog!
Patrick
Hello Patrick,
Yes, this is a good tip, thanks for sharing. That said, I would say it is more for intermediate bloggers.
Thierry
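Following on from Patrick's comment, an added example (not Patrick's configuration, nor the tutorial's) that applies the same Basic authentication only to the login script rather than to the whole server, so the public pages and the front-end admin-ajax.php endpoint keep working without a second password prompt. The path /var/www/private/.htpasswd is a placeholder; the password file should live outside the web root and be created locally with the htpasswd tool rather than pasted from a web generator.

```apache
# Added example: HTTP Basic authentication in front of the WordPress login only.
# Placeholder path: /var/www/private/.htpasswd, created outside the web root with
#   htpasswd -B -c /var/www/private/.htpasswd admin_user    (first user, bcrypt; -B needs Apache 2.4 tools)
#   htpasswd -B /var/www/private/.htpasswd second_user      (further users, no -c)
# Put this in the root .htaccess, above the "# BEGIN WordPress" block.
<Files wp-login.php>
  AuthType Basic
  AuthName "Authorized Only"
  AuthUserFile /var/www/private/.htpasswd
  # valid-user works unchanged on Apache 2.2 and 2.4
  Require valid-user
</Files>

# Generic messages so the responses reveal nothing about the setup
ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
```

Without the Basic credentials, wp-login.php answers 401 and the WordPress form is never served, so automated password guessing against it stops at the web server. Bear in mind that xmlrpc.php offers a separate authentication path that this rule does not cover, and that Basic credentials travel in every request, so the site must be served over HTTPS.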