.htaccess Setting Example for WordPress Security




Brute Force Attacks « WordPress Codex

This article does not cover it, but there are also settings such as allowing access only from a specified IP address.
Since the article would become long if I wrote out the details of IP address restrictions, for the time being I only describe settings that can be applied easily.

For more details, please refer to the Brute Force Attacks « WordPress Codex page linked above.

In addition, in a separate article, How to secure WordPress (wp-login/admin.php) with Basic Authentication, I also wrote about a method of applying a simple lock to admin.php and wp-login.php with Basic authentication. Please read that as well.

If a problem occurs (such as being unable to upload images) after appending the code below to [.htaccess], please delete the code.
However, because the following code is the minimum required to protect security, it is recommended that you try to solve the problem rather than give up on the setting.

Limit the access to wp-config.php

The wp-config.php file holds the basic configuration of WordPress (including the database credentials).

# protect wp-config.php
<Files wp-config.php>
	Order allow,deny
	Deny from all
</Files>

Limit the access to .htaccess

Because the .htaccess file has many roles, the damage is greater if it is tampered with.

# protect .htaccess (and any other file beginning with ".ht", such as .htpasswd)
<Files ~ "^\.ht">
	Order allow,deny
	Deny from all
</Files>

Limit the access to xmlrpc.php

xmlrpc.php is likely to be used as a springboard for DoS attacks using pingbacks.

If you only update WordPress from the management screen on a PC, security will improve further if you add the code below.

Because this code blocks all access to xmlrpc.php, you will no longer be able to post from a smartphone app or an external blog editor that uses xmlrpc.php. Please note this.

If you absolutely need to use xmlrpc.php, there is a method that allows access only from a specified IP address.

# protect xmlrpc.php
<Files xmlrpc.php>
	Order Deny,Allow
	Deny from all
</Files>
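As an added example (not code from the original post), this is the IP-allowlist variant mentioned above for xmlrpc.php. The `Order`/`Deny` directives used in this article are Apache 2.2 syntax; on Apache 2.4 they only work if mod_access_compat is loaded, so the block below selects the matching syntax with `<IfModule>`. The address 203.0.113.10 is a constructed placeholder: replace it with the IP of the client that really needs XML-RPC.

```apache
# protect xmlrpc.php, but allow one trusted client
# (constructed example; 203.0.113.10 is a placeholder address)
<Files xmlrpc.php>
	# Apache 2.4 and later: mod_authz_core "Require" syntax
	<IfModule mod_authz_core.c>
		Require ip 203.0.113.10
	</IfModule>
	# Apache 2.2 (or 2.4 with mod_access_compat): Order/Deny/Allow syntax
	<IfModule !mod_authz_core.c>
		Order Deny,Allow
		Deny from all
		Allow from 203.0.113.10
	</IfModule>
</Files>
```

After saving, check the result from an address that is not on the allowlist: a request for /xmlrpc.php should return 403 Forbidden, while a request from the allowed address still receives the normal "XML-RPC server accepts POST requests only." response.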

Kuniyoshi Takemoto is the founder of Amelt.net LLC, and editor of this blog (www.amelt.net). Learn more and follow me on LinkedIn.