Here are a few .htaccess tips you can use to secure a WordPress website:
- Limit access to your wp-admin directory by IP address. You can do this by creating a .htaccess file in the wp-admin directory and adding the following code:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
# whitelist IP address
allow from xxx.xxx.xxx.xxx
</LIMIT>- Block access to your wp-config.php file. You can add the following code to your .htaccess file:
<files wp-config.php>
order allow,deny
deny from all
</files>- Protect your .htaccess file from being modified. You can add the following code to your .htaccess file:
<files .htaccess>
order allow,deny
deny from all
</files>- Block script injection attempts by adding the following code to your .htaccess file:
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]- Block access to your xmlrpc.php file. You can add the following code to your .htaccess file:
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>Please note that these are general tips, and you may need to adjust them to fit your specific needs. Always make sure to backup your .htaccess file before making any changes, and test your website after making changes to ensure that it is still functioning properly.