Introduction
A powerful configuration tool named .htaccess file (starts with a dot, and has no extension) allows you to do many things, such as:
- Add re-directs
- Force SSL / HTTPS
- Harden security and WordPress files
The more your HyperText Access file is optimised, the better, because your web host server will read it and follow its rules for your WP site. It’s even recommended to use several of those files, at various places, with different content (more information below).
Overview
- Main WP .htaccess File
- Additional WP .htaccess Files
Main WP .htaccess File:
Location and Access
Location
You will find it in your site’s root folder ; such as https://seo-services-bristol.co.uk/.htaccess
Access
You won’t reach it via the WP admin area, but via your web hosting control panel (cPanel, hPanel, SG SiteTools, etc.). Then go to Site > File Manager > “My domain” > public_html > .htaccess
Main WP .htaccess File:
Creation and Edit
Create
If you do not see it, it might be “missing” – if your website had no use of it so far.
- One way to create it is to go to your WP admin area
Go to Settings > Permalinks > click Save Changes
Then once in your server control panel, you should find it. - Another way is to go to your cPanel/hPanel/SG SiteTools
Go to Site > File Manager > “My domain” > public_html
Click “New file” > Create “new file” > Name it “.htaccess”.
Amend
Double-click on it, edit and save. We highly recommend to save a copy on a NotePad .txt file everytime you amend your .htaccess. Even if you have backups of your site. Obviously this critical file will change a lot over the years, due to plugins adding some rules on it, possibly due to scripts add-ons / tests you’ll do to improve things, which might end up in altering the front end… Having a copy of your .htaccess prior amending it allows you to revert to your previous working version, if needed, within a couple of minutes, without replacing your whole site content (with a backup).
Main WP .htaccess File:
Essentials
Permalinks Rules
The URL of your posts (their web address) can just mention the post name, or the date and post name, or the archive number, or other settings. Based on your preferences and on where exactly your site was installed, basic WordPress might add a script looking like this:
# BEGIN WordPress
# The directives (lines) between “BEGIN WordPress” and “END WordPress” are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* – [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Notes:
- Despite you see # BEGIN WordPress, it does not mean that this script must be top content of your .htaccess ; you might have more important rules than those.
- If you change your permalinks settings and click save, WP will adjust the script on your file. But if you change anything from the script yourself, directly in the file, WP will recopied the original script anytime you’ll save the permalinks in the WP admin area, as stated in the script.
HTPPS Enforce
In order to force HTTPS, some plugins will add a rule in your hypertext access file, forcing all requests to go through encrypted connection. For ex, we use the SG Speed Optimizer that adds this script:
# HTTPS forced by SG-Optimizer
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
# END HTTPS
Note:
- We do not recommend to combine this script with another one as this might create issues.
Hardening WordPress
An important layer of protection should be added to the wp-includes files to protect them from being accessed by any user. We follow WP securing wp-includes recommendations:
# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ – [F,L]
RewriteRule !^wp-includes/ – [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ – [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php – [F,L]
RewriteRule ^wp-includes/theme-compat/ – [F,L]
Main WP .htaccess File:
Extra Steps
Disable Directory Listing
Prevent someone trying to browse the contents of any directory of your site, by adding the following lines of code:
# Deny Directory Listing
Options – Indexes
Disable Server Signature
Use the following code to prevent identifying your website server:
# Disable server signature
ServerSignature Off
Disallow Access to Files
Protect sensitives files from attacks and intrusions by adding the following lines:
# Block sensitive files
<Files .htaccess>
order deny,allow
deny from all
</Files>
<Files wp-config.php>
order deny,allow
deny from all
</Files>
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
Additional WP .htaccess Files
/wp-admin Directory
Protect your WordPress admin area by blocking access to installation files
Create a new .htaccess file in the /wp-admin directory and add the following lines:
# Block installation files
<Files install.php>
order allow,deny
deny from all
</Files>
<Files setup-config.php>
order allow,deny
deny from all
</Files>
/wp-content/uploads Folder
Block the option to execute PHP code in the “wp-content” folder via PHP file uploads.
Create another .htaccess file in the /wp-content/uploads folder and use the following lines:
<Files *.php>
deny from all
</Files>
/wp-content/plugins Folder
Limit the unnecessary execution of PHP code in the plugins folders that shouldn’t be accessed directly. Create another .htaccess file in the /wp-content/plugins folder and copy the exact same code as above.
/wp-content/themes Folder
Similarly, disable PHP execution in the themes folders. Again, create one more .htaccess file in the /wp-content/themes folder with the exact same code used above for the folders: plugins and uploads.
/wp-content Directory
This is an easy one if your site is hosted with us. Just to let you know that the following code will be added for you on an extra .htaccess file, in the /wp-content directory.
# SGS Directory Hardening
<FilesMatch “\.(?i:php)$”>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
</FilesMatch>
# SGS Directory Hardening END
/wp-includes Directory
Another easy one if we take care of your site. You will find the following code already added for you on an additional .htaccess file, in the /wp-includes directory.
# SGS Directory Hardening
<FilesMatch “\.(?i:php)$”>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
</FilesMatch>
<Files wp-tinymce.php>
<IfModule !mod_authz_core.c>
Allow from all
</IfModule>
<IfModule mod_authz_core.c>
Require all granted
</IfModule>
</Files>
<Files ms-files.php>
<IfModule !mod_authz_core.c>
Allow from all
</IfModule>
<IfModule mod_authz_core.c>
Require all granted
</IfModule>
</Files>
# SGS Directory Hardening END
Conclusion
It is not unusual to find up to seven HyperText Access files in your website content, with only three of them similar to each other. Take some time to optimise them all to reinforce the security of your site. You can lean more by visiting our web security projects and by reading SG web security tips. Take advantage of our security package for WordPress that covers login and site security, spam prevention, and more. Get in touch to discuss your needs.
