Almost Perfect htaccess File for WordPress Blogs
If you manage and edit your own website or run a blog with its own domain, then you are probably aware of a type of file called the .htaccess file. You may or may not know what this file actually does, or how to create and edit one, but fret not, I’m here to help.
Josiah Cole dot com runs a slightly out of date WordPress 2.1 install (the horror, I know), and a fairly standard one at that, with a couple of select plugins like Akismet and wp-cache to help me possibly survive another Digging. The one item that is not lacking is a complete and robust .htaccess file that sufficiently protects and aids my site in handling traffic and visitors.
This quick tutorial will provide you with an htaccess file that does the following:
1. Protects itself (security)
2. Turns the digital signature off (security)
3. Limits upload size (security)
4. Protects wp-config.php (security)
5. Gives access permission to all visitors with exceptions (security, usability)
6. Specifies custom error documents (usability)
7. Disables directory browsing (security)
8. Redirects old pages to new (optional)
9. Disables image hotlinking (bandwidth)
10. Enables PHP compression (bandwidth)
11. Sets the canonical or “standard” url for your site (seo, usability)

1. Step 1, create a blank .htaccess file. This can be done in Notepad or a comparable simple text editor of your choice (no, MS Word does not count, although it’s possible). Open Notepad and click Save, naming this file htaccess.txt. If you’re using Windows XP the OS won’t allow you to name a file .htaccess, but don’t worry, you can rename it once it’s been uploaded to your server (no idea how Linux, Vista or OSX handle this).
2. Add content to htaccess.txt. Now that you have htaccess.txt saved, you can start to edit the file and use it to better manage your site without relying on complex PHP or bloated JavaScript code.
The example htaccess file below is one that can be used for a website like this one (running WordPress and nothing else). Simply un-comment the sections you’d like to use by removing the # at the beginning of the line, and copy+paste the contents into your own .htaccess file.
# protect the htaccess file
<files .htaccess>
order allow,deny
deny from all
</files>
# disable the server signature
ServerSignature Off
# limit file uploads to 10mb (the value is in bytes)
LimitRequestBody 10240000
# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
# who has access, who doesn't (un-comment the deny line and fill in an address to block it)
order allow,deny
#deny from 000.000.000.000
allow from all
# custom error docs
ErrorDocument 404 /notfound.php
ErrorDocument 403 /forbidden.php
ErrorDocument 500 /error.php
# disable directory browsing
# (if this produces a 500 error, your host does not allow Options in .htaccess; remove the line)
Options All -Indexes
# redirect old to new
Redirect 301 /old.php http://www.yourdomain.com/new.php
# block referring domains
RewriteEngine on
RewriteCond %{HTTP_REFERER} digg\.com [NC]
RewriteRule .* - [F]
# disable hotlinking of images with forbidden or custom image option
# (an empty referer is let through on purpose so feed readers and direct visits still get images)
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
# un-comment the next line as well if you use the custom image option, or the redirect loops on itself
#RewriteCond %{REQUEST_URI} !stealingisbad\.gif
#RewriteRule \.(gif|jpg)$ - [F]
#RewriteRule \.(gif|jpg)$ http://www.yourdomain.com/stealingisbad.gif [R,L]
# php compression - use with caution
<ifmodule mod_php4.c>
php_value zlib.output_compression 16386
</ifmodule>
# set the canonical url (send yourdomain.com to www.yourdomain.com)
RewriteEngine On
RewriteCond %{HTTP_HOST} ^yourdomain\.com$ [NC]
RewriteRule ^(.*)$ http://www.yourdomain.com/$1 [R=301,L]
# protect from spam comments: a POST to wp-comments-post.php that does not come from
# this site, or that has an empty user agent, is bounced back to the sender's own address
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
RewriteCond %{HTTP_REFERER} !.*yourdomain\.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]
3. Upload htaccess.txt. Once you’ve created your masterpiece of an .htaccess file, upload the htaccess.txt file to your web server via FTP (in ASCII mode) and rename the file to .htaccess. Once it’s been renamed, change the file permissions of the .htaccess file to 644 to further protect it from malicious hacker types.
4. Test, Test, Test. Go to your site, is it still up? Good, now check to see if you can access files you protected, or try and see a directory listing. Not all variables are testable but do your best to make sure your file is working.
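To work out what the rewrite sections of the file above will decide for a given request before you start testing, here is an added Python model of the hotlink, canonical-url and spam-comment rules; it is not part of the original article. It assumes the article’s placeholder host yourdomain.com, and relies on Python’s re module agreeing with Apache’s regex engine on these particular patterns (it does).

```python
import re

# Added model of three rewrite sections from the .htaccess above (not the
# article's own code). "yourdomain.com" is the article's placeholder host.
OWN_SITE = re.compile(r"^http://(www\.)?yourdomain\.com/.*$", re.I)  # dot escaped: literal "."
IMAGE = re.compile(r"\.(gif|jpg)$")                                   # only these types are covered
BARE_HOST = re.compile(r"^yourdomain\.com$", re.I)
SITE_ANYWHERE = re.compile(r"yourdomain\.com")


def hotlink_blocked(path, referer):
    """Hotlink section: True when the image request would be refused (or sent
    to the custom image). An empty referer passes (RewriteCond !^$), so feed
    readers and direct visits keep getting images."""
    if referer == "":
        return False
    if OWN_SITE.search(referer):  # one of our own pages, with or without www
        return False
    return IMAGE.search(path) is not None


def canonical_redirect(host, path):
    """Canonical url section: the 301 target for a bare-domain request, else None."""
    if BARE_HOST.match(host):
        return "http://www.yourdomain.com" + path
    return None


def comment_post_blocked(method, uri, referer, user_agent):
    """Spam comment section: a POST to wp-comments-post.php is bounced when the
    referer is not from this site (the [OR] branch) or the User-Agent is empty."""
    if method != "POST" or "wp-comments-post.php" not in uri:
        return False
    foreign_referer = SITE_ANYWHERE.search(referer) is None  # also true when no referer at all
    return foreign_referer or user_agent == ""


if __name__ == "__main__":
    # constructed requests of the kind step 4 ("test, test, test") should try by hand
    print(hotlink_blocked("/images/logo.gif", "http://digg.com/story"))              # True
    print(hotlink_blocked("/images/logo.gif", ""))                                   # False
    print(canonical_redirect("yourdomain.com", "/2007/07/post/"))                    # http://www.yourdomain.com/2007/07/post/
    print(comment_post_blocked("POST", "/wp-comments-post.php", "", "Mozilla/5.0"))  # True
```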
Lastly, Josiah Cole dot com is now running a variation of the htaccess file above with no hotlink protection (I only host a couple of images) and no redirects or custom error docs (yet). No problems *yet*, but I’m still running tests to make sure there are none. Maybe my visitors can help me do this by commenting? If I like it I’ll add your suggestion to the article and give you some URL lovin’.
Note: If you are already using a custom permalink structure to format page names, you’ll need to keep that code in the htaccess file in order for that to continue functioning. To see your htaccess file in WordPress click Manage>Files>.htaccess (for rewrite rules).
[...] posted a clean and concise htaccess file example for websites running WordPress Blogs. This htaccess file tutorial covers 11 techniques to increase security, decrease bandwidth and control user access all [...]
[...] Cole dot com about htaccess file creation specifically for sites running WordPress blogs. The htaccess file tutorial covers twelve main items that increase security and give you complete control over your [...]
[...] Link to Article linux Almost Perfect htaccess File for WordPress Blogs » Posted at Josiah Cole [...]
Nice clean and helpful article Josiah.. There are a couple code examples in particular that I think would help you over on my blog.. Check out the Ultimate htaccess tutorial.. I especially like the “For Webmasters” chapter.
Here’s code you could use to deny access only when it’s 4pm
# If the hour is 16 (4 PM) Then deny all access
RewriteCond %{TIME_HOUR} ^16$
RewriteRule ^.*$ - [F,L]
[...] July 17, 2007: Josiah Cole gives a detailed explanation of how to create a .htaccess file that will help you secure your site, and aid the site in handling traffic and visitors. His [...]
Hi! I just wanted to thank you for your clear and thorough explanation about the “perfect” .htaccess.
I would also like to add that if you run into trouble (403 errors while trying to post or edit pages), you can add the following to the .htaccess file
SecFilterInheritance Off
It drove me crazy for several days. I hope it helps somebody….
Iván
[...] doing a bit of research, I ran across this posting by Josiah [...]
[...] perfect .htaccess for WordPress [eng] www.josiahcole.com/2007/07/11/almost-perfect-htaccess-file-f… by beku76 a few seconds ago [...]
[...] learn more about utilizing your .htaccess for wordpress, check Josiah Cole’s post about having an almost perfect htaccess file for WordPress. He lists over 10 directives that you [...]
[...] Josiah Cole has written a nice .htaccess guide on hardening wordpress here. [...]
[...] Almost Perfect htaccess File for WordPress Blogs [...]
[...] Protect with .htaccess: You can use .htaccess to password-protect certain parts of your site, block access from certain IP addresses, block hot-linking of images and much more. Read more here, and a WordPress-specific .htaccess guide can be found here. [...]
[...] this article saved my day added by mpty at 09:23 pm to notes – [...]
[...] is another useful .htaccess reference for WordPress [...]
[...] terminal on OSX, or a programme like Putty on Windows]. You’ll also need to confirm that your .htaccess file rules and permalinks structure are replicated in the new install. Likely too, you’ll [...]
Thanks for the code. How can I use this for a sub folder, i.e. mysite.com/blog?
Mike
[...] Almost Perfect htaccess File for WordPress Blogs | Josiah Cole dot com [...]
[...] Josiah Cole Dot Com – Published 7-11-07 [...]
[...] Almost Perfect htaccess File for WordPress Blogs | Josiah Cole dot com (tags: htaccess wordpress apache) [...]
[...] indicate that the attack failed. I follow WordPress security best practices, and have a well-hardened .htaccess policy file. This kind of thing is [...]
[...] a. Almost Perfect htaccess File for WordPress Blogs [...]
[...] Almost Perfect htaccess File for WordPress Blogs (tags: wordpress security blog .htaccess howto webdev via:ohskylab) [...]
[...] Source – Josiah Cole [...]
[...] access to your directory structure. If you know .htaccess, check out this introduction to protecting WordPress as well as possible with .htaccess. Also check this [...]
[...] after super heros or cartoon characters, get used to it). Last night I was fooling around with some WordPress htaccess hacks, and apparently the Apache webserver did not enjoy what I was doing. This morning [...]
[...] Source: Josiahcole [...]
[...] Source – Josiah Cole [...]
[...] Source [...]
[...] that could help you understand more about what .htaccess does, and how do you tweak your settings (learn more). Some of the stuff you can learn in the article is: This quick tutorial will provide you with an [...]
[...] http://www.josiahcole.com/2007/07/11/almost-perfect-htaccess-file-for-wordpress-blogs/ [...]
[...] http://www.josiahcole.com/2007/07/11/almost-perfect-htaccess-file-for-wordpress-blogs/ , where the author goes over htaccess with a fine-tooth comb to increase protection and, [...]
[...] Almost Perfect HTAccess File for WordPress Blogs – Used this as a reference for constructing my htaccess file. [...]
[...] you get over that problem. More security steps that can be done through htaccess file, here are some 11 more steps that you can use. Jeff Starr has created wonderful instructions for securing servers via htaccess [...]
[...] in creating a more robust .htaccess file for your site (and know more about coding than I do), this guy has a tutorial. Otherwise, hope you’re not too [...]
[...] The almost perfect htaccess for wordpress by Josiah Cole. [...]
[...] The Almost Perfect htaccess File for WordPress Blogs by Josiah Cole [...]
[...] nice web host with the best support imaginable, it mattered. Check out Josiah Cole's 'almost-perfect .htaccess file' for WordPress and change all the yourdomainhere.com elements to, well, your domain name before [...]
[...] Protect content with .htaccess: You can use “.htaccess” files to password protect one or more parts of your site, block certain IP addresses, block “hot-linking” of images and lots more. Read more here. A WordPress-specific .htaccess guide can be found here. [...]
[...] – Hardening WordPress JosiahCole.com – Almost Perfect htaccess File for WordPress Blogs [...]
[...] Remember!! Replace yourdomain.com with your own domain. stealingisbad.gif can be replaced with whatever image you upload to the root directory. The last line of code points to the image stealingisbad.gif, which is the image shown when another blog tries to take your images. Another way to do this is through cPanel. If you are on hosting with cPanel this is much easier, because your cPanel has an option called Hotlink Protection. Note the Hotlink Protection settings as in the image below: Remember that you must allow your feed, otherwise your feed readers will not see the images. Source: Josiahcole [...]
[...] and sources not previously cited: Reuben Yau Josiah Cole WP [...]
[...] Yau Josiah Cole WP [...]
[...] If you don’t understand, you can read this other article for detailed instructions. http://www.josiahcole.com/2007/07/11/almost-perfect-htaccess-file-for-wordpress-blogs/ [...]