
19 Tips for configuring .HTACCESS file to prevent your WordPress site from hacking


Do you know the WordPress .htaccess file? The .htaccess file is a directory-level configuration file that allows decentralized management of the web server configuration. A .htaccess file is always present in the root directory, and with it many WordPress configuration parameters can be modified.

With the .htaccess file you can override parts of the server configuration for that directory tree, such as the content type and the character set. Because of these properties, the .htaccess file is the key to guaranteeing and improving the functionality of web pages and blogs that run on a WordPress installation.


SEO and .htaccess

The .htaccess file is vital to do a good job of positioning in search engines. As an SEO consultant, when it comes to positioning a page or blog in search engines like Google, I use it for:

  • Create redirects: for example for a domain change, where it is necessary to keep the visits of the previous domain.
  • Improve loading speed by enabling compression with .htaccess: a feature that very few web pages use and that gives very good results.
  • Link rewriting (URL)
  • Solutions to duplicate content: for example, capturing access to certain contents so that they are no longer duplicated.
  • Moderate comments

When you install WordPress, a .htaccess file is always created, which WordPress uses by default. This file can be improved using the following tips, but be careful when implementing them and always keep a backup before changing anything, in case you have to go back.

Tips for configuring the .htaccess file

Here are the 19 .htaccess tips to prevent your WordPress site from being hacked: how to configure and optimize .htaccess so that it greatly hinders and blocks intrusion attempts against your website or blog in WordPress. Some of these tips are for:

  • Block specific IP addresses
  • Reroute visits to the maintenance page when designing a particular website or blog
  • Restrict IP addresses so that no one can access your WordPress admin panel
  • Other different tricks or tips for configuring and optimizing the .htaccess file in WordPress.

This article will help you configure .htaccess to avoid “Hacking”, but if you really want to deepen and configure your .htaccess file correctly you should read the .htaccess reference guide.


#1 Block IPs from unwanted users or bots

Apache can be used to block unwanted users or bots from our website or blog. The following code lets anyone visit the website or blog except the listed IP addresses (replace them with the addresses you want to block):

# Placeholder addresses from the RFC 5737 documentation ranges: replace them
# with the IPv4 addresses you actually want to block (four octets, each 0-255).
# Note that <Limit GET POST PUT> restricts only those methods; other methods
# (HEAD, OPTIONS, ...) stay unrestricted. Drop the <Limit> wrapper to block
# every method.
<Limit GET POST PUT>
order allow,deny
allow from all
deny from 203.0.113.10
deny from 203.0.113.11
deny from 198.51.100.20
deny from 192.0.2.30
</Limit>

#2 Redirect day-and-name permalinks to /%postname%/

The first thing you need to do is access your WordPress admin panel, go to Settings → Permalinks and select “customize”. Fill in the field with /%postname%/.

Now we have to redirect all backlinks using the old permanent link structure (permalinks) to the new permanent link structure. To do this, you will have to edit the .htaccess file and insert the following lines of code:

# Old /year/month/day/post-name/ links go to /post-name/ on the new structure
RedirectMatch 301 ^/([0-9]+)/([0-9]+)/([0-9]+)/(.*)$ http://www.yoursite.com/$4

If you want to configure more optimal permanent links, I advise you to change /%postname%/ to /%category%/%postname%/.

#3 Reroute visits to a maintenance page

RewriteEngine on
# Send every visitor to the maintenance page except your own address
# (135.135.135.135 is a placeholder); the page itself is excluded so the
# redirect cannot loop.
RewriteCond %{REQUEST_URI} !/maintenance.html$
RewriteCond %{REMOTE_ADDR} !^135\.135\.135\.135$
RewriteRule ^.*$ /maintenance.html [R=302,L]

#4 Redirect to www or without www with .htaccess

# Redirect the bare domain to www
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^yourblogname\.com [NC]
RewriteRule ^(.*)$ http://www.yourblogname.com/$1 [L,R=301]

# Or the other way round: redirect www to the bare domain
# (tu_dominio.com is the placeholder for your domain)
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^www\.tu_dominio\.com [NC]
RewriteRule ^(.*)$ http://tu_dominio.com/$1 [L,R=301]

#5 Configure canonical URLs with .htaccess

# Set the canonical URL (the www form)
RewriteEngine On
RewriteCond %{HTTP_HOST} ^your_domain\.com$ [NC]
RewriteRule ^(.*)$ http://www.your_domain.com/$1 [R=301,L]

#6 Redirect your feed to FeedBurner

This trick redirects http://www.tupaginaweboblog.com/feed to your FeedBurner feed (replace the placeholder URL in the rule with your own FeedBurner address).

# temp redirect wordpress content feeds to feedburner
# (replace http://feeds.feedburner.com/YOUR-FEED-NAME with your FeedBurner URL;
# FeedBurner itself and the feed validator are let through so they can still
# read the source feed)
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} !FeedBurner [NC]
RewriteCond %{HTTP_USER_AGENT} !FeedValidator [NC]
RewriteRule ^feed/?([_0-9a-z-]+)?/?$ http://feeds.feedburner.com/YOUR-FEED-NAME [R=302,NC,L]
</IfModule>

#7 Redirect your comment feed to FeedBurner

# temp redirect wordpress comment feeds to feedburner
# (replace http://feeds.feedburner.com/YOUR-COMMENTS-FEED-NAME with your
# FeedBurner comments feed URL)
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} !FeedBurner [NC]
RewriteCond %{HTTP_USER_AGENT} !FeedValidator [NC]
RewriteRule ^comments/feed/?([_0-9a-z-]+)?/?$ http://feeds.feedburner.com/YOUR-COMMENTS-FEED-NAME [R=302,NC,L]
</IfModule>

#8 Redirections 301 for SEO with .htaccess

Use the following code to redirect to a specific page without displaying the old error page.

# SEO friendly 301 redirects
Redirect 301 /abc/file.html http://www.tu_dominio.com/def/file.html


#9 Forcing the cache from .htaccess

This .htaccess code does not help with the first load of the web page or blog, but it helps significantly on later loads: the server answers with 304 Not Modified when the requested elements have not changed, so the browser reuses its cached copy.

# ETag built from modification time and size, plus an Expires header.
# Replace x with the lifetime in seconds (requires mod_expires).
FileETag MTime Size
<IfModule mod_expires.c>
ExpiresActive on
ExpiresDefault "access plus x seconds"
</IfModule>

#10 Allow only your IP to access the WordPress administration panel

Replace the IP in the “allow from xx.xx.xx.xx” line with yours so that only your IP can access the WordPress wp-admin administration panel.

# Place this in wp-admin/.htaccess, not in the site root.
# Note: <Limit GET> restricts GET only; POST requests (used for every admin
# action) still pass. Remove the <Limit> wrapper to cover all methods, and
# keep admin-ajax.php reachable if front-end plugins need it.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
<Limit GET>
order deny,allow
deny from all
allow from xx.xx.xx.xx
</Limit>

#11 Block comments to unreferenced requests (Spam)

Simple trick to prevent spammers from publishing or attacking your website or blog.

RewriteEngine On
# A comment POST must carry a Referer from our own domain and a User-Agent;
# anything else is bounced back to the client's own address.
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*your_domain\.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]
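The following is an added example written by the editor, not code from the original article: a tighter form of the same comment-spam check. It assumes the site is served as http(s)://your_domain.com or www.your_domain.com (the article's placeholder); the directives, variables and flags are standard mod_rewrite.

```apache
# Added example (not from the original article): hardened version of the
# wp-comments-post.php referer check. your_domain.com is a placeholder.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
# Anchor the Referer to our own origin. An unanchored "!.*your_domain.com.*"
# matches the string anywhere in the header, so a Referer that merely
# contains "your_domain.com" somewhere (for example in a query string of
# another site) would pass it.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?your_domain\.com/ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# Answer 403 instead of redirecting the client to its own address: the
# request never reaches PHP and the refusal is visible in the access log.
RewriteRule .* - [F,L]
```

Two caveats. The Referer header is supplied by the client, so this filters careless bots rather than enforcing a security boundary; treat it as a spam reducer, not as protection. And if the site sets a Referrer-Policy of no-referrer, legitimate browsers stop sending the header and every comment is refused, so check the policy before deploying the rule.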

#12 Blocking an IP Spam

To block certain IP addresses from accessing your website or blog, add the following lines of code in your .htaccess file and replace the IP address of the example you want to block.

## USER IP BANNING
<Limit GET POST>
order allow,deny
deny from 200.49.176.139
allow from all
</Limit>

#13 Deny access to WordPress wp-config configuration file

The WordPress wp-config.php file includes all important information, such as the database name. It is vital to have it well protected.

# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
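Tips #1, #10, #12 and #13 all use the Apache 2.2 Order/Allow/Deny directives. On Apache 2.4 those work only while mod_access_compat is loaded, and mixing them with the 2.4 Require syntax in one scope gives surprising results. The block below is an added example by the editor, not code from the article, restating those four controls in the Apache 2.4 mod_authz_core syntax; every address in it is a placeholder from the RFC 5737 documentation ranges.

```apache
# Added example (not from the original article): tips #1, #10, #12 and #13
# in Apache 2.4 syntax. All IP addresses are placeholders; replace them.

# --- site root .htaccess -------------------------------------------------

# (#13) wp-config.php is never served over HTTP, whatever the method.
<Files "wp-config.php">
    Require all denied
</Files>

# (#1, #12) Block specific clients site-wide. Unlike <Limit GET POST PUT>,
# this applies to every request method, including HEAD and OPTIONS.
<RequireAll>
    Require all granted
    Require not ip 203.0.113.10
    Require not ip 198.51.100.0/24
</RequireAll>

# --- wp-admin/.htaccess --------------------------------------------------

# (#10) Only the listed addresses reach the admin panel. This belongs in
# wp-admin/.htaccess; in the site root it would lock out the whole site.
# No <Limit> wrapper, so POST is covered as well as GET.
Require ip 192.0.2.25

# Front-end plugins and themes call admin-ajax.php from visitors' browsers,
# so that single file stays reachable for everyone.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

After deploying, confirm the rules from an address that is not on the allow list: wp-config.php and wp-admin/ should answer 403, while admin-ajax.php and the public pages still answer normally.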

#14 Limit the weight of uploaded files to 20mb

To limit the size of the files you upload in wordpress to 20MB, use the following code:

# limit file uploads to 20MB (20 * 1024 * 1024 bytes). PHP's
# upload_max_filesize and post_max_size also cap uploads and must be at
# least as large for the limit to take effect.
LimitRequestBody 20971520

#15 Customize 404 error page with .htaccess

# custom error pages (the files under /err/ must exist)
ErrorDocument 401 /err/401.php
ErrorDocument 403 /err/403.php
ErrorDocument 404 /err/404.php
ErrorDocument 500 /err/500.php

#16 Add slash (/) at the end of URLs

To add a trailing slash at the end of your links (URLs), insert the following code into your .htaccess file:

# trailing slash enforcement: requests that are not an existing file and
# do not already end in / are redirected to the same path with a slash
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !(.*)/$
RewriteRule ^(.*)$ http://yoursite.com/$1/ [L,R=301]

#17 Password-protecting directories

A simple way to password protect your blog directories.

AuthType Basic
AuthName "restricted area"
# Password file created with the htpasswd tool. The example path sits under
# the web root; ideally store the file outside the document root so it can
# never be served.
AuthUserFile /usr/local/var/www/html/.htpasses
require valid-user

#18 Fix bugs in links (URLs) with .htaccess

This trick can be useful for auto-correcting spelling errors in your links (URLs).

<IfModule mod_speling.c>
# Corrects single-character typos and case mismatches in requested file
# names. Caveat: when several files match, mod_speling answers with a
# "300 Multiple Choices" list of them, which reveals file names you may
# not want enumerated.
CheckSpelling On
</IfModule>

#19 Securing WordPress Plugins

WordPress plugins often contain weaknesses (“backdoors”, loosely speaking) and are a common place through which hackers get into your website or blog. To prevent others from having direct access to your plugin files, use the following code:

# Explicitly allow direct requests for plugin stylesheets and scripts (the
# browser needs those). On its own this rule only allows; it restricts
# nothing else.
<Files ~ "\.(js|css)$">
order allow,deny
allow from all
</Files>
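Tip #19 aims to keep visitors away from files under wp-content. The block below is an added example by the editor, not code from the article, and goes a step further than the article's rule: it shows the per-directory form of this hardening that WordPress deployments most commonly need, refusing to serve PHP from the uploads directory, where a file-upload weakness in a plugin would otherwise leave a script reachable by URL. The file location and extension list are the editor's choices.

```apache
# Added example (not from the original article).
# File: wp-content/uploads/.htaccess
# Requires AllowOverride to permit Options and AuthConfig/Limit in this
# directory; if Options is not allowed, drop the Options line or Apache
# will answer 500 for the whole tree.

# Do not list the directory contents.
Options -Indexes

# Refuse to serve any PHP-like file from this tree. Apache 2.4 syntax, with
# a fallback for Apache 2.2 (no mod_authz_core).
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

Images, documents and other static uploads are unaffected, because the deny is scoped by FilesMatch to PHP extensions only. Verify by requesting an existing image under wp-content/uploads/ (expect 200) and a non-existent .php path in the same directory (expect 403 rather than 404, which shows the rule fires before the file lookup).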

Do you know any more tricks? Leave it in the comments!