Almost Perfect htaccess File for WordPress Blogs

Posted by on Jul 11, 2007 in Privacy & Security, Web Development, WordPress | 4 comments

Here There!

If you like this article (and we know you will!), check out the post we published covering even more WordPress Security best practices.

If you manage and edit your own website or run a blog with it’s own domain then you are probably aware of a type of file called the .htaccess file. You may or may not know what this file actually does, or how to create and edit one but fret not, I’m here to help.


This quick tutorial will provide you with an htaccess file that does the following:

1. Protects itself (security)
2. Turns the digital signature off (security)
3. Limits upload size (security)
4. Protects wp-config.php (security)
5. Gives access permission to all visitors with exceptions (security, usability)
6. Specifies custom error documents (usability)
7. Disables directory browsing (security)
8. Redirect old pages to new (optional)
9. Disables image hotlinking (bandwidth)
10. Enables PHP compression (bandwidth)
11. Sets the canonical or “standard” url for your site (seo, usability)

htaccess file creation screenshot in Notepad on Windows XP

1. Step 1, create a blank .htaccess file. This can be done in Notepad or a comparable simple text editor of your choice (no MS Word does not count although it’s possible). Open Notepad and Click Save, name this file htaccess.txt. If you’re using Windows XP the OS won’t allow you to name a file e .htaccess but don’t worry, you can rename it once it’s been uploaded to your server (no idea how Linux, Vista or OSX handle this).

2. Add content to htaccess.txt. Now that you have htaccess.txt saved, you can start to edit the file and use it to better manage your site without relying on complex PHP or bloated JavaScript code.

The example htaccess file below is one that can be used for a website like this one (running WordPress and nothing else), simply un-comment the sections you’d like to use by removing the # at the beginning of the line and copy+paste the contents into your own .htaccess file.

 

# protect the htaccess file
<files .htaccess>
order allow,deny
deny from all
</files>

# disable the server signature
ServerSignature Off

# limit file uploads to 10mb
LimitRequestBody 10240000

# protect wpconfig.php
<files wp-config.php>
order allow,deny
deny from all
</files>

#who has access who doesnt
order allow,deny
#deny from 000.000.000.000
allow from all

#custom error docs
ErrorDocument 404 /notfound.php
ErrorDocument 403 /forbidden.php
ErrorDocument 500 /error.php

# disable directory browsing
Options All -Indexes

#redirect old to new
Redirect 301 /old.php http://www.yourdomain.com/new.php

#block referring domains
RewriteEngine on
RewriteCond %{HTTP_REFERER} digg\.com [NC]
RewriteRule .* – [F]

#disable hotlinking of images with forbidden or custom image option
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain.com/.*$ [NC]
#RewriteRule \.(gif|jpg)$ – [F]
#RewriteRule \.(gif|jpg)$ http://www.yourdomain.com/stealingisbad.gif [R,L]

# php compression – use with caution
<ifmodule mod_php4.c>
php_value zlib.output_compression 16386
</ifmodule>

# set the canonical url
RewriteEngine On
RewriteCond %{HTTP_HOST} ^yourdomain\.com$ [NC]
RewriteRule ^(.*)$ http://www.yourdomain.com/$1 [R=301,L]

# protect from spam comments
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*yourdomain.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]

 

3. Upload htaccess.txt. Once you’ve created your master piece of an .htaccess file upload the htaccess.txt file to your web server via ftp (in ASCII mode) and rename the file to .htaccess. Once it’s been renamed change the file permissions of the .htaccess file to 644 to further protect it from malicious hacker types.


4. Test, Test, Test. Go to your site, is it still up? Good, now check to see if you can access files you protected, or try and see a directory listing. Not all variables are testable but do your best to make sure your file is working.

Lastly Josiah Cole dot com is now running a variation of the htaccess file above with no hotlink protection (I only host a couple images) and no redirects or custom errors docs (yet). No problems *yet* but I’m still running tests to make sure there are no problems. Maybe my visitors can help me do this by commenting? If I like it I’ll add your suggestion to the article and give you some URL lovin’.

Note: If you are already using a custom permalink structure to format page names, you’ll need to keep that code in the htaccess file in order for that to continue functioning. To see your htaccess file in WordPress click Manage>Files>.htaccess (for rewrite rules).

 Hey There!  If you like this article (and we know you will!), check out the post we published covering even more <a href="http://www.josiahcole.com/2012/03/04/wordpress-security-best-practices/">WordPress Security best practices</a>.
468 ad

4 Responses to “Almost Perfect htaccess File for WordPress Blogs”

Newer Comments
  1. askapache says:
    July 11, 2007 at 9:12 pm

    Nice clean and helpful article Josiah.. There are a couple code examples in particular that I think would help you over on my blog.. Check out theUltimate htaccess tutorial.. I especially like the “For Webmasters” chapter.

    Here’s code you could use to deny access only when it’s 4pm

    # If the hour is 16 (4 PM) Then deny all access
    RewriteCond %{TIME_HOUR} ^16$
    RewriteRule ^.*$ - [F,L]

  2. imelgrat says:
    July 18, 2007 at 5:43 pm

    Hi! I just wanted to thank you for your clear and thorough explanation about the “perfect” .htaccess.
    I would also like to add that if you run into trouble (403 errors while trying to post or edit pages), you can add the following to the .htaccess file

    SecFilterInheritance Off

    It drove me crazy during several days. I hope it helps somebody….

    Iván

  3. mike2098 says:
    January 25, 2009 at 1:13 pm

    Thanks for the code how can I use this for a sub folder ie mysite.com/blog

    Mike

  4. stocksduniya says:
    October 13, 2010 at 6:30 am

    When I’m add this code in my .htaccess:
    =========================
    #who has access who doesnt
    order allow,deny
    #deny from 000.000.000.000
    allow from all

    I GOT THIS ERROR:
    ========================
    403 Forbidden
    ————

    Forbidden

    You don’t have permission to access / on this server.

    Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

    ________________________________________
    Please guide me soon as possible time. Why I’m getting this error? Why I don’t able to add that code in my .htaccess file.

    Thank you!
    Regards,
    Mr.CK

Trackbacks/Pingbacks

  1. Oomny » htaccess File Tutorial for WordPress Blogs - [...] posted a clean and concise htaccess file example for website’s running Wordpress Blogs. This htaccess file tutorial covers 11 ...
  2. josefresco » Blog Archive » Almost Perfect htaccess File with WordPress controls - [...] Cole dot com about htaccess file creation specifically for sites running WordPress blogs. The htaccess file tutorial covers twelve ...
  3. University Update - Linux - Almost Perfect htaccess File for WordPress Blogs - [...] ...
  4. How to protect your WordPress site » wordpressgarage.com - [...] July 17, 2007: Josiah Cole gives a detailed explanation of how to create a .htaccess file that will help ...
  5. Nice .htaccess for Wordpress Blogs : Musings of a Wired Pig 2.0 - [...] doing a bit of research, I ran across this posting by Josiah [...]
  6. perfecto .htaccess para Wordpress [eng] // menéame - [...] perfecto .htaccess para Wordpress [eng]www.josiahcole.com/2007/07/11/almost-perfect-htaccess-file-f... por beku76 hace pocos segundos [...]
  7.   How to deny access to your wp-config.php file under WordPress installation by Tdot-Blog - [...] learn more about utilizing you .haccess for wordpress, check Josiah Cole’s post about have an almost perfect htaccess file ...
  8. Complete Guide to Protect Your Wordpress Blog! | Earnbux Online - [...] Josaiah Cole has written a nice .htaccess guide on harderning wordpress here. [...]
  9. Best Wordpress Beginner Articles and Worthy Plugins - Roundup - [...] Almost Perfect htaccess File for WordPress Blogs [...]
  10. Sdan undgr du at din side bliver hacket | Gigahost Blog - [...] Beskyt med .htaccess: Du kan bruge .htaccess til at password-beskytte visse dele af din side, blokere adgang fra visse ...
  11. this article saved my day @ mpty - a dirty little scrapbook - [...] this article saved my day added by mpty at 09:23 pm to notes - [...]
  12. GUYA.NET » Blog Archive » My blog has been hacked - [...] Almost Perfect htaccess File for WordPress Blogs [...]
  13. WordPress Security Notes » 70 Tricks - [...] is another useful .htaccess reference for WordPress [...]
  14. Hummingbird Mentality : Wordpress Hack Attack - [...] terminal on OSX, or a programme like Putty on Windows]. You’ll also need to confirm that your .htaccess file ...
  15. My web notables… | Folks Pants: Tailor Made Internet - [...] Almost Perfect htaccess File for WordPress Blogs | Josiah Cole dot com [...]
  16. Securing your WP-Config.php | Web Design Workplace - [...] Josiah Cole Dot Com - Published 7-11-07 [...]
  17. adoption curve dot net » Blog Archive » links for 2009-03-05 - [...] Almost Perfect htaccess File for WordPress Blogs | Josiah Cole dot com (tags: htaccess wordpress apache) [...]
  18. Best of Wordpress Beginner Articles and Plugins « the gypsy - [...] Almost Perfect htaccess File for WordPress Blogs [...]
  19. Interesting SQL Injection Attack | Tim's Words - [...] indicate that the attack failed. I follow Wordpress security best practices, and have a well-hardened .htaccess policy file.  This ...
  20. BizFractals » Blog Archive » 5 Different Ways of Hacking / Safeguarding your Wordpress blog using .htaccess - [...] a. Almost Perfect htaccess File for WordPress Blogs [...]
  21. james holloway’s blog - links for 2009-04-30 - [...] Almost Perfect htaccess File for WordPress Blogs (tags: wordpress security blog .htaccess howto webdev via:ohskylab) [...]
  22. A to Z of WordPress .htaccess Hacks | Nometech.com - [...] Source - Josiah Cole [...]
  23. Viidar.net » Hjelp! WordPress-databasen min er hacket! - [...] tilgang til mappestrukturen din. Hvis du kjenner til .htaccess, sjekk ut denne innføringen i hvordan beskytte WordPress best mulig ...
  24. A to Z of WordPress .htaccess Hacks | WPShout.com - [...] Source – Josiah Cole [...]
  25. Waking Up To Problems : Thoughtless Banter - [...] after super heros or cartoon characters, get used to it). Last night I was fooling around with some Wordpress ...
  26. 18 Useful Tricks To Speed Up WordPress & Boost Performance - [...] Source: Josiahcole [...]
  27. 18 Useful Tricks To Speed Up WordPress & Boost Performance | Minhyeong Magazine - [...] Source: Josiahcole [...]
  28. Wordpress 的 .htaccess 规则 - 左岸读书_blog - [...] 来源 – Josiah Cole [...]
  29. 10 Ways to Use .htaccess to Speed Up WordPress | WPShout.com - [...] Source [...]
  30. Protecting your .htaccess file - a tutorial « Make Money from Blogs - [...] that could help you understand more about what .htaccess does, and how do you tweak your settings (learn more). ...
  31. 18 Useful Tricks To Speed Up WordPress & Boost Performance « Dreamcatcher Creative Studio - [...] Source: Josiahcole [...]
  32. Best of Wordpress Beginner Articles and Worthy Plugins – Roundup | Design Trip Blog - [...] Almost Perfect htaccess File for WordPress Blogs [...]
  33. Wordpress Install « Project ESXi's Blog - [...] http://www.josiahcole.com/2007/07/11/almost-perfect-htaccess-file-for-wordpress-blogs/ [...]
  34. Segurança no WordPress - [...] http://www.josiahcole.com/2007/07/11/almost-perfect-htaccess-file-for-wordpress-blogs/ , que o autor passa o pente fino no htaccess para incrementar a proteção e, [...]
  35. How To Move Your WordPress Blog to Linode | Ray Wenderlich - [...] Almost Perfect HTAccess File for Wordpress Blogs - Used this as a reference for constructing my htaccess file. ...
  36. Sun Country's Weblog » Post Topic » ‘Design Flaw’ Led To Wave Of Attacks On Hundreds Of WordPress Blogs - [...] http://www.josiahcole.com/2007/07/11/almost-perfect-htaccess-file-for-wordpress-blogs/ « « Previous Post: Oracle freshens its VirtualBox Next Post: Mozilla Developer Preview (Number ...
  37. 26个用于Wordpress的 .htaccess 规则 - 候鸟博客 - [...] 来源 – Josiah Cole [...]
  38. Webmasters! For heaven’s sake start using Mac or Linux! | Blog Design Studio - [...] you get over that problem.More security steps that can be done through htaccess file, here are some 11 more ...
  39. Hjelp! WordPress-databasen min er hacket! | viidar.net - [...] tilgang til mappestrukturen din. Hvis du kjenner til .htaccess, sjekk ut denne innføringen i hvordan beskytte WordPress best mulig ...
  40. What the heck is a .htaccess file (and why is my blog messed up?) « Web Tools For The Digital World - [...] in creating a more robust .htaccess file for your site (and know more about coding than I do), this ...
  41. Webdesigner freelancer – Paris – Ile de France – jeveuxmonsiteweb.fr » Blog Archive » Htacces et Wordpress - [...] The almost perfect htacces for wordpress by Josiah Cole. [...]
  42. How to secure your WordPress blog? - [...] The Almost Perfect htaccess File for WordPress Blogs by Josiah Cole [...]
  43. .htaccess File for WordPress Blogs « c1p1 - [...] permalink -6.304632 106.826999 [...]
  44. 10 undeniable, unspoken truths about blogging | Dave Thackeray - [...] nice web host with the best support imaginable, it mattered. Check out Josiah Cole's 'almost-perfect .htaccess file' for WordPress ...
  45. Gigahost Blog » How to avoid being hacked - [...] Protect content with .htaccess: You can use “.htaccess” files to password protect one or more parts of your site, ...
  46. Basic WordPress Security | Throwing a Brick - [...] – Hardening WordPress JosiahCole.com – Almost Perfect htaccess File for WordPress Blogs This entry was posted in ...
  47. 11 Trik Untuk Meningkatkan Kinerja Wordpress - Part 1 | Blog Muria - [...] Ingat !! Ganti yourdomain.com dengan domain Anda. Sedangkan stealigisbad.gif dapat Anda ganti sesuai gambar yang Anda upload ke root ...
  48. 13 Steps To A Better Wordpress Install — BlogTempo - [...] and sources not previously cited: Reuben Yau Josiah Cole WP [...]
  49. 13 Steps To A Better Wordpress Install | Testing the Waters - [...] Yau Josiah Cole WP [...]
  50. 13 Dead-Simple Wordpress Security Tips And Plugins – Hack-proof Your Blog - [...] If you don’t understand, you can read this other article for detailed instructions. http://www.josiahcole.com/2007/07/11/almost-perfect-htaccess-file-for-wordpress-blogs/ [...]

Leave a Reply