WordPress Security – .htaccess

Having introduced a series on WordPress Security, the second post in the series looks at protecting WP-CONFIG and .HTACCESS files etc.

Apache reads the .htaccess file to decide how to serve files from its root directory. If it is not protected properly, your site security is definitely at risk.

Making changes could potentially be a turn-off as ‘techy’ language is being used. The reality is that it is not difficult to take a few steps to minimise the risk to your site. In order to carry out the necessary changes, you will need to ‘write’ to your site files. This sounds ominous, but the good news is, if you don’t want to do this the nuts and bolts way, you can use a plugin.

Editing the File

Yoast SEO, for one, will allow you to write to your .htaccess file. In order to do so, you will need to enable advanced settings in the Yoast dashboard (Settings tab). Once advanced settings are enabled, you can access ‘file editor’ under ‘tools’.

If you don’t have a plugin that can do this, you can simply edit the file in text mode in either of the following ways:

  • FTP – if you can access your WP server via FTP software, you can download the old .htaccess file, edit it and upload a new one (keep a copy of the original in case of errors). If you don’t currently have FTP access, you may be able to create an FTP account and use ‘FileZilla’ or similar to access and change files on your host server.
  • cPanel or similar file editor – your hosting server usually has a file editing section where you can open and edit files online via your hosting account logon. Don’t forget to save a copy of the old file in case of errors.

However you edit your .htaccess file, you will need to insert the following text into the writable box:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

The above will protect the wp-config file. You will also need to protect the .htaccess file itself. You can insert the following into the .htaccess file to achieve this:

<Files .htaccess>
order allow,deny
deny from all
</Files>

You could also use a plugin that automatically writes to your .htaccess file. All in One WP Security and Firewall does this, although the code may look slightly different so that the plugin itself can still access the file.
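After editing, it is worth confirming that both blocks actually made it into the file intact. The following checker is an added example, not code from the original post or from any plugin: the function names are hypothetical, and it assumes a deny-all rule is written either as in the post (`deny from all`) or in the Apache 2.4 form (`Require all denied`).

```python
import re

PROTECTED = ("wp-config.php", ".htaccess")  # files the post says to lock down
FILES_OPEN = re.compile(r'^<Files\s+"?([^">]+?)"?\s*>$', re.IGNORECASE)
FILES_CLOSE = re.compile(r'^</Files\s*>$', re.IGNORECASE)
# Deny-all in the post's Apache 2.2 style, or the Apache 2.4 equivalent.
DENY = re.compile(r'^(deny\s+from\s+all|require\s+all\s+denied)$', re.IGNORECASE)
ALLOW = re.compile(r'^(allow\s+from\s|require\s+all\s+granted$)', re.IGNORECASE)


def files_blocks(text):
    """Yield (filename, directives) for every properly closed <Files> section."""
    name, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = FILES_OPEN.match(line)
        if opened:
            name, body = opened.group(1), []
        elif FILES_CLOSE.match(line):
            if name is not None:
                yield name, body
            name = None
        elif name is not None:
            body.append(line)


def unprotected(text, required=PROTECTED):
    """Return the required files that no <Files> block denies to everyone."""
    denied = set()
    for name, body in files_blocks(text):
        has_deny = any(DENY.match(d) for d in body)
        has_allow = any(ALLOW.match(d) for d in body)
        # Any allow rule is treated as "needs manual review", not as protected.
        if has_deny and not has_allow:
            denied.add(name)
    return [f for f in required if f not in denied]


# Constructed sample: wp-config.php is covered, the .htaccess block was cut
# off before its closing tag (for example by a failed upload).
SAMPLE = """<Files wp-config.php>
Require all denied
</Files>
<Files .htaccess>
order allow,deny
deny from all
"""

if __name__ == "__main__":
    print("Not protected:", unprotected(SAMPLE) or "none")
```

Run it against a downloaded copy of your .htaccess by passing the file's contents to `unprotected()`; an empty list means both files are denied to all visitors.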
