Full WordPress htaccess tutorial
In this article, we are trying to answer the question, “What is htaccess?” Let’s check together. We will review how to create an htaccess file in WordPress and how to find the location of the htaccess file in WordPress together, and finally we will teach how to add new commands in htaccess.
Although security is not 100%, in WordPress you can solve security flaws to a great extent by managing and using htaccess file codes. Especially if you are a beginner in this field and have installed many security plugins on your site, the htaccess file can be a solution to problems.
htaccess file in your WordPress is a powerful configuration file that you can use to make settings on your web server to improve the security and performance of your site. In fact, this term is an abbreviation of “Hypertext Access” which will have special commands, its commands are not written like many programming languages and it has its own form and structure, you can easily edit the file and with the right commands, you can change the functions and features. Enable or disable extras to protect your site from spam, hackers and other threats.
htaccess file can control the elements of your website. If you are afraid of being hacked, if you want your WordPress site to be the most secure. Currently, by editing this file, 99% of the defects can be removed.
Some of these features include changing basic paths, locking external access to certain files, or more advanced functions such as password protecting content or preventing quick image connections; So let’s take a deep look at how to manipulate your htaccess file to increase your security. Be careful that editing this file without expertise in this field will not help you, it may cause your site to fail. After running any code on this section, you need to check your site. htaccess file should be used according to SEO, safety, etc. standards.
What is the htaccess file and why is it created?
htaccess file is located at the root of your site. A configuration file for managing data and transferring or receiving files. A dot in front of a filename means that a file is hidden and you won’t be able to see it when browsing your files unless you set all hidden files on your computer to public view. This also applies to web servers, Direct Admin, cPanel and Plesk. So if your site is on a shared host, the htaccess file is hidden.
In WordPress, the file is used to facilitate permalinks, and with this option enabled, you can automatically have it. However, there is much more you can do with htaccess, such as adding 301 redirects or including rules to block unauthorized visitors who are trying to sabotage your site.
First step: To start working with the htaccess file, take a backup!
htaccess file can destroy your entire website. Of course, this is if you have not learned how to work with it well. As mentioned, if you enter the commands carefully. There is no problem. In the worst case, you can delete this file and recreate it.
Backing up your site before making any changes can act as a fail-safe method so you can quickly restore your files and operate as if the code wasn’t running on your site’s host and server. Well, let’s learn how to display it in the cPanel control panel.
The least you should do is download a copy of your .htaccess file to your computer so you can replace it if something goes wrong. You can make a copy of the htaccess file after logging in by going to Files > File Manager. Upload yourself to cPanel. If prompted, select the Show Hidden Files check box, then click Go.
Alternatively, you can click Settings at the top right of File Manager and click the Show hidden files box, then click the Save button. You should now be able to go to the root of your site and find the htaccess file. Click it once in the list, then click the Download button in the navigation. Save it to your computer. If you need to restore it, you can click the upload button at the top of the page.
Check the Overwrite existing files box, then click the Select File button to backup the htaccess file. Search for yourself and run on the screen.
Once you’ve opened the file, it should be uploaded and you can click the Go Back link at the bottom of the page to return to your File Manager. After doing this, it means that the file htaccess. You have been restored.
Creating an htaccess file on the cPanel host
Depending on your installation type, the htaccess file may. don’t have, so you may need to create one before you can even think about editing it. You can use your favorite text editor to create one or do it directly in cPanel.
Create and upload a new file and name it htaccess. put.
If your server doesn’t allow you to do this, create a file called htaccess.txt instead, then rename the file to htaccess. change it.
Since all WordPress installations have nice permalinks set by default since version 4.2, it’s best to use the caution error instead of creating an empty file and use the code for .htaccess files. Enter by default in newer versions of WordPress.
Here is the default code you need to enter for a single WordPress installation:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
For multi-site networks installed with sub-directory version 3.5 or higher, use the following code instead:
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ – [L]
# add a trailing slash to /wp-admin
RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ – [L]
RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
RewriteRule ^(.*\.php)$ $1 [L]
RewriteRule . index.php [L]
When you create a new htaccess file, it is essential to set the file permission to 644 to protect it from possible attacks. In this case, the created htaccess file will not be exposed to all users and only those who have an admin account can check it. Note that an important part of your site’s safety is related to this file and you should protect it well against hackers.
Add new code in htaccess file
One of the things you need to know about using and creating an htaccess file is that everything depends on the structure of the code and the type of code you use.
When you’re editing your file, note that lines starting with hashtags are comments, and in the form of general htaccess commands. are not included. When you add rules, it’s very important to include them above or below the default WordPress rule described above. You should not add or edit anything between the # BEGIN WordPress and # END WordPress lines. For multi-site networks, the same principle is usually used and there is no difference in this field.
If you want to make changes, it will probably be overwritten, so it’s best to save previous changes to a text file on your system so that if something goes wrong, you can at least revert to the previous code. In general, adding rules below the default WordPress lines keeps things more organized and provides more clarity as to what your edits are as opposed to WordPress code. It is also possible to further organize the htaccess file. Add your own comments to each add-on.
The best htaccess file editor
There are many methods and ways you can choose to edit your htaccess file and one of them is to do it directly in cPanel. Currently, this method is the most common and usual thing that is used in training.
No matter which method you choose, you may notice that refreshing your site after saving the edit to a file allows you to check if your edits are causing problems or causing your site to fail to load. If you do, you can immediately restore the file and try again. If everything works as it should, then no changes need to be made and you can continue with the tutorial.
Once logged into cPanel, go to Files > File Manager and choose to show hidden files as described earlier. Go to the root of your site and click once on your .htaccess file listed. Click Edit in the top navigation to apply your changes.
Security tips related to htaccess file
Now that you’ve learned how to create and use this file in general, it’s important to learn some security tips about it.
Protect important files
One of the best edits you can make is to protect your .htaccess file along with error logs, wp-config.php and php.ini files. After making the following change, attempts to access these files will be rejected.
<FilesMatch “^.*(error_log|wp-config\.php|php.ini|\.[hH][tT][aApP].*)$”>
Order deny,allow
Deny from all
</FilesMatch>
Be sure to check your files and see if you have one called php.ini because you might not. Instead, you might have one called php5.ini. If so, replace php.ini with php5.ini in the above rule.
How to limit access to WordPress site admin
If you use a static IP address, you can restrict access to the admin dashboard and login page by adding the following rules:
ErrorDocument 401 /path-to-your-site/index.php?error=404
ErrorDocument 403 /path-to-your-site/index.php?error=404
<IfModule mod_rewrite.c>
RewriteEngine is
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^IP Address One$
RewriteCond %{REMOTE_ADDR} !^IP Address Two$
RewriteCond %{REMOTE_ADDR} !^IP Address Three$
RewriteRule ^(.*)$ – [R=403,L]
</IfModule>
The first two lines redirect unauthorized IP addresses to your 404 error page. This will also help you resolve redirect loops so your site doesn’t look broken. Just make sure to edit both /path-to-your-site/ instances to the actual path to your site.
Also, replace IP address one, IP address two, and IP address three with the actual IP addresses you want to access these pages. If you want to add just one address, delete lines 9 and 10. You can also repeat line 10 as many times as you want, replacing each one. You can also repeat line 10 as many times as you want, replacing each of the three IP addresses with the actual IP address you want to whitelist.
If you or any of your other users have a dynamic IP address, a multisite network, or multiple users on your network that need to be logged in, you can use the following rule instead:
ErrorDocument 401 /path-to-your-site/index.php?error=404
ErrorDocument 403 /path-to-your-site/index.php?error=404
<IfModule mod_rewrite.c>
RewriteEngine is
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^http://(.*)?your-site.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ – [F]
</IfModule>
Don’t forget to change /path-to-your-site/ on lines one and two in the htaccess file to your actual site path, and also replace your-site.com with your actual domain.
Many hackers use bots to try and gain access to the admin dashboard or login. By adding this to your htaccess file, you only allow people who manually type your site into their browser’s address bar to access these pages. While it doesn’t stop hackers trying to manually guess user login details, in most cases it still makes a big difference and significantly reduces the amount of brute force attacks you get.
Prevent directory browsing
If visitors enter your domain, it’s possible for visitors to see a list of your site’s directories on the front end, and then a list in their browser’s address bar. Since WordPress has a collection file structure, there is currently nothing stopping you from visiting your-site.com/wp-content-uploads/ and seeing a list of your folders and files. This is definitely not what you want; Because hacking an important file on your site is much easier for a hacker if he can literally see the desired file in the directory and doesn’t have to guess where the file is located.
It’s the equivalent of hiding a spare key to your place in a super-clever, secret location, but then posting a note right on your door letting anyone who visits know where your spare key is hidden. .
Options All -Indexes
Add this line to the htaccess file. It prevents directory browsing, so it’s harder for hackers to identify you.
Restrict access to PHP files
Similarly, providing direct access to your PHP files is a big problem. The harder you make it for hackers to find your important files, the better, and since PHP files can be used to inject malicious code to further infect your site, it’s important to protect your PHP files.
You can add the following lines from a standard structure to block unauthorized users from directly accessing your plugin and theme PHP files:
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ – [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ – [R=404,L]
Restrict PHP file execution
We list another way to secure the site, also in this file you can prevent the unauthorized execution of PHP files so that if your site is hacked, hackers cannot upload their PHP file with malicious code and have it. It actually works
This means you can prevent backdoor exploits from working. While you still have to find and remove the file, the more obstacles you create for a hacker, the less likely it is that your site will become unrepairable.
Since most hackers upload backends to your /wp-content/uploads/ folder, blocking any PHP files from running there can be a big help.
Add the following code to restrict the execution of PHP files added to the upload folder:
<Directory “/var/www/wp-content/uploads/”>
<Files “*.php”>
Order Deny,Allow
Deny from All
</Files>
</Directory>
Protect your site from running scripts
You’re in serious business right now, so why not prevent malicious code from being injected into your PHP files as well? WP Recipes released a way to prevent script injection.
Many hackers try to modify WordPress GLOBALS and _REQUEST variables in an attempt to inject malicious code. To prevent this change from being accepted, you can add the following to your .htaccess file. Add your own:
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
Prevent Image Hot Linking in WordPress
When a URL visitor grabs one of your images and uploads it to their site instead of uploading the image to their server, it steals your bandwidth. It is also called image hotlink.
To prevent this from happening, add this to the htaccess file. Add your own:
RewriteEngine On RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{HTTP_REFERER}
!^http://(www\.)?your-site.com/.*$ [NC] RewriteRule \.(gif|jpg)$
http://www.your-site.com/hotlink.gif [R,L]
Don’t forget to replace your-site.com with your original domain in line two and replace http://www.your-site.com/hotlink.gif in line three with the original URL of the image you want to protect.
Securing the wp-includes directory
Your wp-includes directory is home to many of your important files. By blocking all unauthorized access to it, you can protect all important files from hackers.
WP Explorer has a great plugin to prevent hackers from accessing your wp-includes folder:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ – [F,L]
RewriteRule !^wp-includes/ – [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ – [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php – [F,L]
RewriteRule ^wp-includes/theme-compat/ – [F,L]
</IfModule>
Avoid username hashing
When a visitor enters your-site.com/?author=1 in their address bar, they are redirected to the author page, which has a user ID of 1. The author page contains the actual username associated with the user ID.
The visitor can easily get the username of all the users of your site if they have posts related to their account. This process is called hashing and verifying the username. If a hacker can easily obtain your username, it’s one less thing for them to guess. In fact, the only other detail they have to guess is your password.
While knowing the username associated with an account doesn’t add much value to a hacker if the user uses a strong password, it can still be useful for preventing username counting, because the more obstacles you create for a hacker, the less likely it is. . This is where they can actually hack into your site.
Here we learn how to prevent username counting by adding the following to the htaccess file.
RewriteCond %{QUERY_STRING} author=d
RewriteRule ^ /? [L,R=301]
SSL check in htaccess file
Note that SSL protocols are an inseparable part of websites these days and must be present.
Use the following code to force the use of an SSL certificate unless the fully qualified domain name (FQDN) listed on line three is entered:
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq “www.you-site.com”
ErrorDocument 403 https://www.your-site.com
Just don’t forget to replace www.your-site.com in lines three and four with your actual domain name.
the final conclusion
htaccess file is one of the most important and key files in security development as well as website optimization. Using different methods, you can easily create, review, manage or edit the htaccess file. Likewise, improve your website security with the steps outlined in this article on Web Hosting. htaccess file can save your site from big risks and make nothing extra available to users and hackers. After that, its safety is of particular importance, and you should update and secure it frequently as needed.