WordPress Security Hardening Using .htaccess

  • By on May 2, 2010 | 7 Comments

    It is not hard to strengthen your WordPress security using URL-rewrite hardening in .htaccess. We have researched the protection features of the Apache .htaccess file and come up with the configuration below.

    The .htaccess file, located in the root of your WordPress installation folder, contains only a basic setting and no security configuration at all.

    It is no surprise that the .htaccess file is one of the best tools you can configure to maximize WordPress security.

    Apache .htaccess File Security Configuration

    # Security hardening configuration

    # Disable the server signature (the Apache version/hostname line on error pages)
    ServerSignature Off

    # Protect the .htaccess file
    # (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied")
    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>

    # Protect the wp-config.php file
    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>

    # Protect from spam comments: replace xyz.com with your own domain.
    # A POST to wp-comments-post.php whose referer is not this site, or whose
    # user agent is empty, is redirected back to the client's own address.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} wp-comments-post\.php
    RewriteCond %{HTTP_REFERER} !xyz\.com [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
    </IfModule>

    # Disable hotlinking of images with forbidden message: replace xyz.com with
    # your own domain. An empty referer (a direct request) is still allowed.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://www\.xyz\.com/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www\.xyz\.com$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://xyz\.com/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://xyz\.com$ [NC]
    RewriteCond %{HTTP_REFERER} !google\. [NC]
    RewriteCond %{HTTP_REFERER} !msn\. [NC]
    RewriteCond %{HTTP_REFERER} !live\. [NC]
    RewriteCond %{HTTP_REFERER} !yahoo\. [NC]
    RewriteCond %{HTTP_REFERER} !gravatar\. [NC]
    RewriteCond %{HTTP_REFERER} !search\?q=cache [NC]
    RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ - [F,NC]
    </IfModule>

    The ServerSignature appears at the bottom of pages generated by Apache, such as 404 pages and directory listings, and reveals the server version; turning it off removes that line.

    The ‘order allow,deny’ and ‘deny from all’ settings deny everyone HTTP access to wp-config.php and .htaccess (the web server itself can still read the files from disk).

    The protect-from-spam-comments section protects wp-comments-post.php, the file a user's browser posts a comment to.

    A spammer usually requests wp-comments-post.php directly, so the request carries no referral value in HTTP_REFERER. You can use this piece of code to block such spam comments via .htaccess. Bear in mind that the Referer and User-Agent headers are set by the client, so this stops unsophisticated bots rather than anyone who forges headers.

    The final section, disable hotlinking of images with forbidden message, blocks any other domain from displaying the images from your blog or site.

    Hotlinking is enabled by default, and many hosts offer a feature to disable it via cPanel. Alternatively, you can add the code from the final section to your .htaccess file.

    The hotlinking configuration only allows images to be displayed from your own domain, Google, Yahoo, Live, MSN and Gravatar. Any other domain will see the Forbidden error message.

    The reason is that search engines have an Image Search feature that displays images from your site. You should allow that because Image Search can bring traffic to your blog or site.
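The block/allow decisions of the two rewrite sections above are easy to get wrong (condition chaining with [OR], negation, case-insensitive matching, an empty header being the empty string). The following is an added example, not code from the original post: a small Python model of the subset of mod_rewrite semantics those sections use, run against constructed requests so the rules can be checked offline before they go into a live .htaccess. It assumes the page's placeholder domain xyz.com, models only RewriteCond on a %{VAR} with optional `!` negation and [NC]/[OR] flags followed by one RewriteRule, and matches the RewriteRule pattern against the request path as a per-directory (.htaccess) context sees it, without the leading slash. The hotlink rule set is trimmed to the referers the sample requests exercise.

```python
"""Offline model of the mod_rewrite condition logic used by the spam-comment
and hotlink blocks (added example; not the original post's code)."""
import re

# Spam-comment block from the page (substitution written as a plain URL).
SPAM_RULES = r"""
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
RewriteCond %{HTTP_REFERER} !xyz\.com [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
"""

# Hotlink block from the page, trimmed to the referers the samples use.
HOTLINK_RULES = r"""
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://www\.xyz\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.xyz\.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://xyz\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://xyz\.com$ [NC]
RewriteCond %{HTTP_REFERER} !google\. [NC]
RewriteCond %{HTTP_REFERER} !search\?q=cache [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ - [F,NC]
"""

COND_RE = re.compile(r"^RewriteCond\s+%\{(\w+)\}\s+(\S+)(?:\s+\[([^\]]+)\])?$")
RULE_RE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]+)\])?$")


def _flags(text):
    return [f.strip().upper() for f in (text or "").split(",") if f.strip()]


def parse_rules(text):
    """Return (conditions, rule); a condition is (var, regex, negated, flags)."""
    conds, rule = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = COND_RE.match(line)
        if m:
            var, pattern, flags = m.groups()
            conds.append((var, pattern.lstrip("!"), pattern.startswith("!"), _flags(flags)))
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported directive: " + line)
        pattern, substitution, flags = m.groups()
        rule = (pattern, substitution, _flags(flags))
    return conds, rule


def _cond_true(cond, request):
    var, pattern, negated, flags = cond
    value = request.get(var, "")  # an absent header is the empty string in Apache
    opts = re.IGNORECASE if "NC" in flags else 0
    return (re.search(pattern, value, opts) is not None) != negated


def _conds_true(conds, request):
    """Conditions AND together, except that a run of [OR]-flagged conditions
    plus the unflagged one that follows them forms a single OR group."""
    i = 0
    while i < len(conds):
        ok = _cond_true(conds[i], request)
        if "OR" in conds[i][3]:
            if ok:  # group satisfied: skip the rest of the chain and its last member
                while i < len(conds) and "OR" in conds[i][3]:
                    i += 1
            i += 1
            continue
        if not ok:
            return False
        i += 1
    return True


def evaluate(rules_text, request):
    """Return the RewriteRule's flags if it fires for this request, else None.
    Apache tests the RewriteRule pattern first, then the RewriteConds."""
    conds, (pattern, _subst, flags) = parse_rules(rules_text)
    path = request["REQUEST_URI"].lstrip("/")  # per-directory context strips the prefix
    opts = re.IGNORECASE if "NC" in flags else 0
    if re.search(pattern, path, opts) is None:
        return None
    return flags if _conds_true(conds, request) else None


def sample_requests():
    """Constructed requests (not real traffic) covering the cases in the text."""
    post = {"REQUEST_METHOD": "POST", "REQUEST_URI": "/wp-comments-post.php"}
    img = {"REQUEST_METHOD": "GET", "REQUEST_URI": "/wp-content/uploads/photo.jpg"}
    return {
        "legit_comment": dict(post, HTTP_REFERER="http://xyz.com/2010/05/post/", HTTP_USER_AGENT="Mozilla/5.0"),
        "direct_spam": dict(post, HTTP_USER_AGENT="Mozilla/5.0"),  # no Referer header at all
        "blank_agent": dict(post, HTTP_REFERER="http://xyz.com/2010/05/post/", HTTP_USER_AGENT=""),
        "own_image": dict(img, HTTP_REFERER="http://www.xyz.com/2010/05/post/"),
        "hotlinked_image": dict(img, HTTP_REFERER="http://other.example/gallery.html"),
        "image_search": dict(img, HTTP_REFERER="http://images.google.com/imgres?imgurl=http://xyz.com/photo.jpg"),
        "hotlinked_css": {"REQUEST_METHOD": "GET", "REQUEST_URI": "/wp-content/themes/t/style.css",
                          "HTTP_REFERER": "http://other.example/gallery.html"},
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        rules = SPAM_RULES if "wp-comments-post" in req["REQUEST_URI"] else HOTLINK_RULES
        print(f"{name:16} -> {evaluate(rules, req)}")
```

Running it shows the legitimate comment and the site's own image requests pass (None), the direct POST with no referer and the empty-user-agent POST hit the 301 redirect, the image requested from a third-party page gets [F,NC], and the Google Image Search referer and a non-image hotlink are left alone.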

  #1 Salman
    October 29, 2010 2:29 pm

    Hi,

    Is there a way to stop the comment-spamming software? I have Akismet installed, but the server is still taking too much load; CPU usage is going very high.

    Any Ideas?

  #2 Lucian
    February 3, 2011 6:50 pm

    Thanks, great post!

  #3 Jun Hyong
    June 30, 2011 2:44 am

    You may want to add this in .htaccess to block spambots agent as well.

    # Block spambots by User-Agent. Each continued line must end with the
    # backslash as its very last character (no trailing spaces), or Apache
    # reads the next line as a separate, broken directive.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP:User-Agent} (?:Alexibot|Art-Online|asterias|BackDoorbot|Black.Hole|\
    BlackWidow|BlowFish|botALot|BuiltbotTough|Bullseye|BunnySlippers|Cegbfeieh|Cheesebot|\
    CherryPicker|ChinaClaw|CopyRightCheck|cosmos|Crescent|Custo|DISCo|DittoSpyder|DownloadsDemon|\
    eCatch|EirGrabber|EmailCollector|EmailSiphon|EmailWolf|EroCrawler|ExpresssWebPictures|ExtractorPro|\
    EyeNetIE|FlashGet|Foobot|FrontPage|GetRight|GetWeb!|Go-Ahead-Got-It|Go!Zilla|GrabNet|Grafula|\
    Harvest|hloader|HMView|httplib|HTTrack|humanlinks|ImagesStripper|ImagesSucker|IndysLibrary|\
    InfonaviRobot|InterGET|Internet\sNinja|Jennybot|JetCar|JOC\sWeb\sSpider|Kenjin.Spider|Keyword.Density|\
    larbin|LeechFTP|Lexibot|libWeb/clsHTTP|LinkextractorPro|LinkScan/8.1a.Unix|LinkWalker|lwp-trivial|\
    Mass\sDownloader|Mata.Hari|Microsoft.URL|MIDown\stool|MIIxpc|Mister.PiX|Mister\sPiX|moget|\
    Mozilla/3.Mozilla/2.01|Mozilla.*NEWT|Navroad|NearSite|NetAnts|NetMechanic|NetSpider|Net\sVampire|\
    NetZIP|NICErsPRO|NPbot|Octopus|Offline.Explorer|Offline\sExplorer|Offline\sNavigator|Openfind|\
    Pagerabber|Papa\sFoto|pavuk|pcBrowser|Program\sShareware\s1|ProPowerbot/2.14|ProWebWalker|\
    psbot/0.1|QueryN.Metasearch|ReGet|RepoMonkey|RMA|SiteSnagger|SlySearch|SmartDownload|Spankbot|spanner|\
    Superbot|SuperHTTP|Surfbot|suzuran|Szukacz/1.4|tAkeOut|Teleport|Teleport\sPro|Telesoft|The.Intraformant|\
    TheNomad|TightTwatbot|Titan|toCrawl/UrlDispatcher|True_Robot|turingos|\
    Turnitinbot/1.5|URLy.Warning|VCI|VoidEYE|WebAuto|WebBandit|WebCopier|WebEMailExtrac.*|WebEnhancer|\
    WebFetch|WebGo\sIS|Web.Image.Collector|Web\sImage\sCollector|WebLeacher|WebmasterWorldForumbot|\
    WebReaper|WebSauger|Website\seXtractor|Website.Quester|Website\sQuester|Webster.Pro|WebStripper|\
    Web\sSucker|WebWhacker|WebZip|Wget|Widow|[Ww]eb[Bb]andit|WWW-Collector-E|WWWOFFLE|\
    Xaldon\sWebSpider|Xenu's|Zeus) [NC]
    # Plain ASCII hyphen as the substitution ("no change"); F returns 403 Forbidden
    RewriteRule .? - [F]
    </IfModule>

  #4 Jon Zobrist
    August 25, 2011 12:01 am

    Jun, I pasted your htaccess file and even tried just removing the \ and merging into 2 lines, one for the RewriteCond and one for the RewriteRule. I get an error when loading some files (images mostly). I will come through it at a later date, but was hoping you had some formatting already done and working as it looks like a well done chunk of code. Any help is appreciated, thanks.
    Jon.

  #5 David Bradley
    January 17, 2012 2:27 am

    What if your WordPress installation is in a sub-folder, how do you ensure the code works to block “no referer” comments?

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} wp-comments-post\.php
    RewriteCond %{HTTP_REFERER} !mydomain\.com [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    # The substitution is a literal URL, not a regex, so no trailing $
    RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]

    Where do I put mysubfolder if my blog is http://www.mydomain.com/mysubfolder?

  #6 Bryan
    February 29, 2012 1:28 am

    The code is the same for a subfolder installation of WordPress. All you have to do is paste that code into an .htaccess file that’s in the WordPress install folder, mysubfolder.

  #7 Delight Designs
    March 13, 2013 6:51 am

    Hello.

    Is there a limit on 301 redirections in an .htaccess file? I have a website with 400 static HTML pages (my HTML file names are not good) and I would like to rename the HTML files according to their keywords. Can I use a single .htaccess file?

    Thank you
