Pedrera Blog

The Simple Guide to WordPress Security: Htaccess - Part 3

March 24, 2016 by Matt Vona

(Part 1) (Part 2)

The file system, at your root level is the vault that holds your most of the pieces of your site. It is the foundation that your site is built upon. Keep your foundation secure in engineering is a key part of keeping the building stable, and protecting it from natural events such as weather. Architecture is closely related to a web page, and that your foundation needs to be securely in place to protect it from falling. In this part, the third and final part of the series, I will go into some detail about how you can protect your core files that make up your site, which applies to not only just WordPress but all of the sites you create.


The .htaccess file is one of the most important files in your Apache web directory. You will have this file that is created and managed in the installation process of WordPress. Sometimes FTP programs and operating systems hide these types of configuration files. Usually FTP programs have file filters that allow you to control what you can see. Set .htaccess file to be viewed using the filter options. The .htaccess file allows you to configure certain files and manage your website. You can route traffic, prevent access to users, block certain IPs, and so much more. Since this happens in whichever folder you have an .htaccess file in, you are allowed to have many over many folders, allowing you to better manage your site. All of the examples I am showing here will be added to the htaccess file, but I will be placing a few in different WordPress directories. Since each directory is different, they each need their own configuration that will help keep your content secure.

Disable Directory Browsing

sw3_1_directyDirectory browsing is a feature in Apache that allows users to view the files of the website. Allowing attackers to see the contents of your website easily can be very dangerous. Would you want to walk around with a t-shirt that shows how much money is in your wallet for everyone to see? It's the same idea. Some server configurations have this "feature" set to on by default, and luckily we can edit this using our trusty .htaccess file. The .htaccess file we want to edit is the main on in the root folder of you WordPress installation. You will see wp-config.php, the directories wp-admin, wp-content, and wp-includes. sw3_2_root This htaccess file controls the entire WordPress installation, and I will refer to this file as the root .htaccess file in this article. We want to edit this to change our settings so users of our site can not view the files in our folders. To do this, open up the .htaccess file and on line 1, above # BEGIN WordPress, you want to add this code:
# Disable directory browsing
Options All -Indexes
  This code will prevent users from browsing the directories and their files.

Protect the wp-config.php file

Your wp-config.php file is the most important file of them all in your WordPress site. This file holds key data for signing in, database credentials, and much more that makes your site work the way it does. If this were accessible outside of using sFTP you are allowing attackers to gain access to your database, which could lead to infecting and stealing information from your users and clients across many sites, depending on the number of sites you have in the database (This is why it is a good idea to separate your sites across many, databases instead of just one). We can protect this file by preventing it from ever being served by the server in any way, shape, or form, except by sFTP (or FTP and SSH). While you are in the root .htaccess file, add the following line outside of the WordPress configurations:
# Deny access to wp-config.php file
<files wp-config.php>
order allow,deny
deny from all
This prevents the wp-config.php file from being served and will secure your site a little more than normal.

Password Protecting The Admin Area and Login Page

A huge part of "hacking" is guessing the users' passwords by brute force. This is the equivalent to constantly bashing your door in until it breaks. The idea is to run a script that constantly tries to guess your password. If it doesn't, move on to the next attempt. Attackers build robots that do all of this hard work and guessing for them. Preventing your log in page from being accessible by adding another username and password makes this process even more difficult, as it adds another layer of security that most robots might skip over.

Making the Htpasswd file

First, in order to password protect your wp-login file and the admin area, you need to tell the server these specific users are allowed to connect. You need to tell the server which usernames and password are okay. This is what the .htpasswd file is, a file that contains the credentials of users that can access the site. Head on over to the htpasswd generator which allows you to create the htpasswd file contents for your site. You need to encrypt your password, and this is what this site does. You will be left with text that looks like this: pedrera:$apr1$ce5bn7aA$6F0Xvfe1TdbntcCAjcJmN/ Create a file in your root web directory called .htpasswd, and place the contents of the generator inside of this file. Remember your password as it will not be in plain text! This is your credentials to access the site when you use htaccess as a security layer.

Adding Security to the wp-login.php file

sw3_authUse this if you want to prevent users from gaining access to the log in page. Place this in the root .htaccess file of your WordPress site:
# protect wp-login.php
<files wp-login.php>
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /var/www/vhosts/folderpath/.htpasswd
require valid-user
This layer of security will prevent unwanted users from gaining access to the log in page, where they can attempt to brute force your username and password.

Adding Security on the Admin Area

To Add the same kind of security to the wp-admin area, you need to create a new .htaccess file in your /wp-admin directory of your WordPress site. Then paste this inside of that htaccess file:
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /var/www/vhosts/folderpath/.htpasswd
require valid-user

# Allows for admin ajax calls
<Files admin-ajax.php>
 Order allow,deny
 Allow from all
 Satisfy any
You do need to do some work here, though. You need to change after where it says AuthUserFile to the location of where your .htpasswd file is. Remember this is the server path, and depending on what you are using to host your site this could be different. Usually, on a Linux production server it will be in the var/www/ folder, but could be different in your case. This will prevent unauthenticated users from accessing your page, and will allow the admin-ajax to still function correctly.

Secure the Includes Directory

The includes directory holds all of the logic to WordPress. It is best to secure this as well. You can add this code to the root .htaccess file:
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

Keeping Your WordPress Site Secure

Keeping your site secure is important for you and your client, and adding extra layers of security will help prevent attacks to your site. If anything, keep everything updated and backed up, just in case something goes wrong, you will have a fallback plan. I hope you gained some knowledge and information that will help you keep your websites secure. Feel free to comment with questions.

Learn More

To learn more about Pedrera and how we might help with your project, please contact us.