Protect Files and Directories using .htaccess

This article shows how to protect files and directories using .htaccess. By default, Apache allows access to everything inside the Document Root folder. That means all the subdirectories, files, and contents in the root folder can be listed. However, you can use .htaccess to strengthen the security of your Apache server.
.htaccess is one of the most important files for any website, and you can do a lot with it. You can restrict access to your website, and the file can be placed in any folder of the website to change how that folder behaves.
As you probably already know, .htaccess is the control room of the whole website. Even a single spelling mistake can stop the complete website, so always keep a backup before making any changes to the .htaccess file. By default, every web hosting has a .htaccess file in the root directory. If it is not available, here is an article.
1. Protect the .htaccess
The .htaccess file is the most important file on the whole website, so it is necessary to protect it from unauthorized users first. The .htaccess file alone has the capacity to control your entire website. Adding the following code restricts access to this file by unauthorized users.

    # Deny all web requests for .htaccess and other .hta* files
    <files ~ "^.*\.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
    satisfy all
    </files>

2. Protect the wp-config.php
The wp-config.php file is very important in WordPress because all the server, database, and other details are stored in it. It is therefore also necessary to protect this file from unauthorized access. Add the following code to your .htaccess file to protect wp-config.php.

    # Deny all web requests for wp-config.php
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

3. Protect the WordPress Login Page
In WordPress, the wp-login.php file is important because users can log in only through wp-login.php. You can protect the login page from unauthorized users by adding your IP address, so that others are not able to access wp-login.php. To allow multiple IP addresses, repeat the "allow from" line and change the IP address to suit your needs.

    <Files wp-login.php>
    order deny,allow
    deny from all
    # Placeholder address: replace it with your own IP address
    allow from 443.232.333.876
    </Files>

Note: Don’t forget to change “443.232.333.876” to your own IP address.
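A check to run on an .htaccess file before uploading it, covering two mistakes that are easy to make with the snippets on this page: a container that is never closed, and an "allow from" address that cannot be a valid IPv4 address, such as the placeholder left unchanged. This is an added example, not part of the original article; the names lint and bad_address and the sample input are assumptions made for illustration.

```python
import re

# Constructed sample: this page's wp-login.php block with the placeholder
# address left in place, plus a documentation-range address (203.0.113.10).
SAMPLE = """\
<Files wp-login.php>
order deny,allow
deny from all
allow from 443.232.333.876
allow from 203.0.113.10
</Files>
"""

ACCESS_RE = re.compile(r"^\s*(?:allow|deny)\s+from\s+(.+)$", re.I)
OPEN_RE = re.compile(r"^\s*<(\w+)[\s>]")
CLOSE_RE = re.compile(r"^\s*</(\w+)\s*>")


def bad_address(token):
    """True if token is written like an IPv4 address or prefix but cannot be one."""
    addr, _, mask = token.partition("/")
    if not re.fullmatch(r"[\d.]+", addr):
        return False  # "all", hostnames, env=..., IPv6: not checked here
    octets = addr.rstrip(".").split(".")
    if len(octets) > 4 or any(o == "" or int(o) > 255 for o in octets):
        return True
    return mask.isdigit() and int(mask) > 32


def lint(text):
    """Return (line_number, message) findings for the text of an .htaccess file."""
    findings, stack = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        if m := CLOSE_RE.match(line):
            if not stack or stack.pop()[0] != m.group(1).lower():
                findings.append((n, f"unmatched </{m.group(1)}>"))
        elif m := OPEN_RE.match(line):
            stack.append((m.group(1).lower(), n))
        elif m := ACCESS_RE.match(line):
            findings += [(n, f"invalid address {t}")
                         for t in m.group(1).split() if bad_address(t)]
    return findings + [(n, f"<{name}> never closed") for name, n in stack]


if __name__ == "__main__":
    for lineno, message in lint(SAMPLE):
        print(f"line {lineno}: {message}")
```

Partial addresses such as 10.1 and hostnames are accepted by the check, so it only reports values that are numeric and out of range.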
4. Protect the wp-content
Themes and plugins are the main target for hackers and spammers, who use them to insert malware code. The code below protects your themes, plugins, and media. Copy and paste it into your .htaccess file to protect the wp-content folder and its files.

    # Applies to the folder holding this .htaccess file and everything below it:
    # deny everything by default, then allow only the listed file types
    Order deny,allow
    Deny from all
    <Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
    Allow from all
    </Files>

Now you can upload only XML, CSS, JPG, JPEG, PNG, GIF, and JavaScript files in the wp-content folder. All other file types will not be allowed.
5. Protect the Includes files
Some sections of WordPress never have to be accessed by the user. It is better to block access to these folders and files. You can block them by adding the following code to your .htaccess file.

    # Return 403 Forbidden for direct requests to WordPress include files
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>

6. Disable Directory Browsing
On a website, unauthorized access to your files and folders can be a high security risk. Add the following to protect your directories.

    # disable directory browsing
    # (Apache 2.4 rejects mixing "All" with a -prefixed option, so only -Indexes is used)
    Options -Indexes

Mraj