The .htaccess file is an essential piece of your website security. With simple changes to your .htacess file you can password protect areas of your website, allow or deny the ability of users to browse the filesystem on your web server, configure redirects for your website, and allow or deny script execution in particular areas of your website. The official Apache site has a nice tutorial on .htaccesss configuration, but it can be pretty confusing and intimidating if you’re not a server administrator and you’re just trying to make a few tweaks to keep your personal WordPress site safe. I ‘ll briefly go through some of the simple tweaks you can make without any special tools or system administration experience.
Although you’ll find many, many tutorials on the web telling you that there is no way to edit your .htaccess files through WordPress, that is bad information. You can edit your .htaccess file through WordPress by using the Yoast SEO plugin. This plugin is a simple one-click install and the free version gives you access to a host of tools to optimize your site so it gets higher ranking in web searches. Additionally, the Yoast SEO plugin gives you access to edit some of your server files that you otherwise wouldn’t have access to edit through WordPress.
Installing the Yoast SEO plugin is simple. Go to your WordPress Dashboard, on the left side open up the Plugins area, click on the ‘Add New’ menu and the main page will bring you to an area where you can search all available plugins. Yoast SEO plugin is a popular and recommended plugin, so it might be on the splash page already. If not simply type the name into the search box on the right side of the page. Once you’ve found the plugin, simply click ‘Install Now’ and wait a few seconds while your server downloads and installs the plugin.
Once you’ve got Yoast SEO installed it should appear on the left hand menu of your WordPress Dashboard. Expand the SEO menu and at the bottom of that section expand the Tools menu. In the Tools – Yoast SEO main page you will see a series of links, click on File editor. The main window will then list a series of system files you have access to edit. Scroll down until you see the .htaccess file.
Behind the scenes PHP is powering your WordPress site, malicious bots may troll your site trying to determine exactly what version and modules of PHP are configured so they can better aim their attacks. Add the following lines to block that information from broadcasting:
This edit is to disable your server from broadcasting what software it is using to serve up pages. This information can be useful to an attacker and there’s no reason you need to be sharing it with the world. Newer versions of Apache disable the ServerSignature from broadcasting by default, but it’s good practice to add this to your .htaccess file just to be sure. Explicitly disabling this feature requires adding one line of code to your root .htaccess file:
This next bit is doing quite a lot, so we’ll break it down by each directive.
ExecCGI this tells your webserver to treat everything as though it is a CGI program. It’s required by WordPress, don’t mess with it.
Includesthis allows server side includes (SSI) to be used on your site. This allows the user to load their page while dynamic content is being generated, it’s required by WordPress and if you could remove it your site might suffer performance issues, just leave it alone.
IncludesNOEXEC this blocks your site scripts from opening up a shell when they execute. Unless you really know what you are doing there is no reason to run exec commands on your website. In fact it’s a feature that attackers often try to exploit by injecting code into GET/POST requests. Close that hole with this directive.
SymLinksIfOwnerMatch this one should be pretty self explanatory, don’t allow users to follow a link if the source file isn’t owned by the same user as the link. Why would you have links on your WordPress site that are owned by another user, you ask. You shouldn’t have any, there’s no reason for it in WordPress, so just don’t allow it.
-Indexes this directive blocks users from browsing all the files on your browser your website like a remote file server. If you fail to add this to you .htaccess files you may be allowing users to browse not only all your pages, but all your system files, config files, and all your images. Files you probably aren’t even aware of may be available to the internet. To close all these security holes in one line, simply put this in your .htaccess file:
The .htaccess file is a powerful tool in protecting your website. The additions of just a few lines of code can go a long way towards protecting your site from malicious attacks. These edits can be easily be accomplished by any WordPress administrator without any special programming knowledge required.