The .htaccess file is a very powerful file used to implement a number of features on Apache and LiteSpeed web servers. Most of the settings below can also be applied with plugins such as BulletProof Security or Wordfence. The Order, Allow and Deny directives used here are Apache 2.2 access-control syntax; on Apache 2.4 they only work when mod_access_compat is loaded.
1. Protect against external attacks
As the .htaccess file is a powerful file, it should be protected from external access. To do so, add the code below to your .htaccess file:
# PROTECT HTACCESS
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>
2. Disable directory browsing
When a directory on your site has no index.html or index.php file, the web server lists all of the files in it when that directory is requested. To protect against this, add the following to your .htaccess file:
# DISABLE DIRECTORY LISTING
Options -Indexes
3. Protect the wp-config.php file
This file contains a lot of sensitive data about your WordPress site, so it needs to be protected. The first thing you can do is give it minimal file permissions, such as 0400. Then add the directives below to your .htaccess file:
# PROTECT WP-CONFIG FILE
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>
4. Limit access to the wp-content directory
This folder contains a lot of data, and visitors should only be able to fetch specific file types from it. To do this, create a new .htaccess file inside the wp-content folder (not the document root) and add the code below. Test the site afterwards: any file type not in the allow list (for example fonts, SVG images or a PHP file that a plugin loads directly) will return 403.
Order Deny,Allow
Deny from all
<Files ~ "\.(xml|css|jpeg|png|gif|js)$">
Allow from all
</Files>
5. Secure the wp-admin folder
The wp-admin folder should only be reachable by the users who write posts or administer the site. If you connect from a static network IP address (one that does not keep changing), you can lock the folder down by putting the code below in a .htaccess file inside the wp-admin folder. Bear in mind that this also blocks wp-admin/admin-ajax.php, which some themes and plugins call from the public site, so check that your front end still works after adding it.
# RESTRICT WP-ADMIN ACCESS
# 12.34.56.78 is a placeholder: replace it with your static IP
Order Deny,Allow
Allow from 12.34.56.78
Deny from all
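The access rules in sections 1, 3, 4 and 5 all depend on how Apache combines the Order line with the Allow and Deny directives, which is easy to get backwards. The following Python model is an added example, not code from the article or from WordPress: it reproduces the Apache 2.2 evaluation rules for Order Allow,Deny and Order Deny,Allow and applies them to each section's rule set, so you can check who gets in without a running server. The client addresses and file names in it are constructed sample data, and 12.34.56.78 is the article's placeholder admin IP.

```python
"""Added example (not from the article): models Apache 2.2-style Order/Allow/Deny
evaluation so the access rules in sections 1, 3, 4 and 5 can be checked for a given
client IP and file name without a web server. Client IPs and file names used here are
constructed sample data; 12.34.56.78 is the article's placeholder admin IP."""
import re

ALL = "all"
ADMIN_IP = "12.34.56.78"  # placeholder from the article, not a real address
# Same pattern as the <Files ~ ...> match in section 4 (with the dot escaped)
STATIC_FILE_RE = re.compile(r"\.(xml|css|jpeg|png|gif|js)$")


def _host_matches(rule_host, client_ip):
    """'Allow/Deny from' argument: only 'all' and exact IPs are modelled, as in the article."""
    return rule_host == ALL or rule_host == client_ip


def access_decision(order, allow, deny, client_ip):
    """Return True if the client is permitted.

    order  - "allow,deny" or "deny,allow" (case- and space-insensitive)
    allow  - hosts from Allow from ... directives
    deny   - hosts from Deny from ... directives

    Order Allow,Deny: Allow rules first, then Deny; default is deny.
        A client needs a matching Allow and no matching Deny (Deny wins).
    Order Deny,Allow: Deny rules first, then Allow; default is allow.
        A client is refused only if a Deny matches and no Allow does (Allow wins).
    """
    allowed = any(_host_matches(h, client_ip) for h in allow)
    denied = any(_host_matches(h, client_ip) for h in deny)
    key = order.lower().replace(" ", "")
    if key == "allow,deny":
        return allowed and not denied
    if key == "deny,allow":
        return allowed or not denied
    raise ValueError(f"unknown Order value: {order!r}")


def htaccess_file_allowed(client_ip):
    """Sections 1 and 3: Order Allow,Deny + Deny from all -> nobody gets the file."""
    return access_decision("Allow,Deny", [], [ALL], client_ip)


def wp_content_allowed(filename, client_ip):
    """Section 4: directory-level Deny from all, with Allow from all merged in
    from the <Files ~ ...> block only for the listed static extensions."""
    allow = [ALL] if STATIC_FILE_RE.search(filename) else []
    return access_decision("Deny,Allow", allow, [ALL], client_ip)


def wp_admin_allowed(client_ip):
    """Section 5: Allow from the static IP overrides Deny from all under Order Deny,Allow."""
    return access_decision("Deny,Allow", [ADMIN_IP], [ALL], client_ip)


def wp_admin_wrong_order(client_ip):
    """The same two rules under Order Allow,Deny: Deny from all now wins, so even
    the admin IP is locked out. This is the mistake the Order line guards against."""
    return access_decision("Allow,Deny", [ADMIN_IP], [ALL], client_ip)


if __name__ == "__main__":
    visitor = "198.51.100.9"  # constructed sample client address
    print("section 1, .htaccess from visitor:        ", htaccess_file_allowed(visitor))
    print("section 4, style.css from visitor:        ", wp_content_allowed("style.css", visitor))
    print("section 4, uploads/x.php from visitor:    ", wp_content_allowed("uploads/x.php", visitor))
    print("section 5, wp-admin from admin IP:        ", wp_admin_allowed(ADMIN_IP))
    print("section 5, wp-admin from visitor:         ", wp_admin_allowed(visitor))
    print("section 5 with Order Allow,Deny, admin IP:", wp_admin_wrong_order(ADMIN_IP))
```

The last function shows why the Order line in section 5 must read Deny,Allow: under Allow,Deny the Deny from all directive takes precedence and the administrator's own address is refused along with everyone else.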
6. Prevent script injection
Script injection is one of the most common ways WordPress sites are attacked. To protect against this, add the following to your .htaccess file:
# PROTECT AGAINST SCRIPT INJECTION
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
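To see what the three RewriteCond patterns above actually match, the Python below ports them to the re module and runs them over a few constructed query strings. This is an added example, not code from the article; it assumes, as Apache does, that %{QUERY_STRING} is tested in its raw, still URL-encoded form, which is why each pattern lists both the literal character and its percent-encoded form. Note that only the first pattern carries the [NC] flag, so only it is case-insensitive.

```python
"""Added example (not from the article): the three RewriteCond patterns from the
script-injection section ported to Python so their effect on sample query strings can
be seen. The query strings in SAMPLES are constructed for this example."""
import re

# Pattern 1 has the [NC] flag in the .htaccess rule, so it is case-insensitive;
# patterns 2 and 3 have no [NC] and therefore match case-sensitively.
RULES = [
    ("script tag", re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)),
    ("GLOBALS override", re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_REQUEST override", re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
]


def matched_rule(query_string):
    """Name of the first RewriteCond that matches the raw query string, or None.

    The conditions are chained with [OR], so the first hit is enough for the
    RewriteRule to fire; the request is then answered with 403 ([F] flag)."""
    for name, pattern in RULES:
        if pattern.search(query_string):
            return name
    return None


def would_block(query_string):
    """True where the RewriteRule would return 403 for this query string."""
    return matched_rule(query_string) is not None


# Constructed sample query strings (raw, as Apache sees them before decoding)
SAMPLES = [
    "p=123",                                      # ordinary post lookup: passes
    "s=%3Cscript%3Ealert(1)%3C/script%3E",        # encoded script tag: blocked
    "s=<SCRIPT>x</SCRIPT>",                       # upper case, caught via [NC]
    "GLOBALS[foo]=bar",                           # register-globals style override
    "x=1&_REQUEST=1",                             # superglobal override attempt
    "q=<b>script</b>",                            # harmless text, still blocked (false positive)
]


if __name__ == "__main__":
    for qs in SAMPLES:
        print(f"{qs:45} -> {matched_rule(qs) or 'pass'}")
```

The last sample is worth noting: the first pattern blocks any query that contains an angle bracket, the word "script" and a later angle bracket in that order, so ordinary search terms can trip it. Treat these rules as a coarse screen in front of WordPress, not as a substitute for input validation in the application.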