Security is an essential part of website management. Along with firewalls and spam prevention, an often-overlooked layer of protection is the .htaccess file. 

Besides optimising overall performance, .htaccess can help prevent unauthorised access, enforce encrypted connections, and protect sensitive data from attack. When used correctly, the file becomes a central part of combating WordPress security vulnerabilities.

This comprehensive guide delves into the intricacies of .htaccess file management. You’ll discover how to create, modify, and protect the .htaccess file. We’ll also detail its significance, its function, and the crucial role it plays in keeping your website and users safe. 

What is the .htaccess file for your WordPress site? 

Found on all WordPress installations hosted on an Apache web server, .htaccess is a file that enables web administrators to manage server features for a directory – without needing to alter the main server configuration files. 

The file provides a flexible, secure way to manage a website’s functionality from within its own directory structure. Some of its typical uses include:

  • Password protection.
  • URL redirection/rewriting.
  • Custom 404 error pages.
  • Access control to the site or specific pages.
  • Performance optimisation.

Image: Sample .htaccess file

Altering or adding to the .htaccess code naturally affects the performance of your site. Given its role in website management, it’s vital to ensure that your .htaccess file is protected. 

Why securing your site’s .htaccess is vital to WordPress security 

The .htaccess file presents a tempting target for hackers. Unauthorised alterations may see malicious code placed that can harm your site and its visitors. The file can also be a gateway to accessing sensitive customer information stored elsewhere on the site.

Shield Security PRO’s File Locker feature has been designed to combat such issues. The function automatically alerts site owners when any change has been made to the .htaccess file. File Locker allows you to check whether such changes are legitimate or the result of unauthorised access, letting you quickly roll back (or accept) any changes.


Reminder: backup your site! 

Before making any changes to your .htaccess file, be sure to back up your website. Invalid edits to the file can inadvertently break the site, and having a backup removes any pressure while you’re making these modifications!

The easiest and safest way to back up your site is using a plugin, such as UpdraftPlus or Duplicator. Once installed, you’ll have options to schedule automatic backups or run manual ones. Alternatively, you can back up your site through your web hosting control panel. If you haven’t tried this before, consult your hosting provider’s documentation for specific instructions.

To give an example, many hosts use cPanel. Go to the Files section of the panel, find Backup Wizard, and follow the step-by-step process.

Image: cPanel’s Backup Wizard feature

If you’re a specialist when it comes to making changes to the .htaccess file, you can make a backup of the file alone as a precaution. However, remember that a single punctuation mark out of place can be hard to identify, and resulting problems can take a long time to fix! 

How to modify your .htaccess file 

Let’s take a look at how to modify your .htaccess file. With a little coding experience, you can do this manually, or simply get a plugin to do the job for you.

Create your .htaccess file 

To modify a .htaccess file, you’ll need to find out if one exists in the first place. Depending on developer preferences, there’s a chance the file was removed at the build stage. Having one makes it easier to keep things safe, so it’s well worth the time spent.

Check for an existing .htaccess file: Go to your WordPress site’s root directory using an SFTP client, or your hosting provider’s control panel. Through Files, access File Manager, and search for a file named .htaccess. Because the name starts with a dot, make sure the client or File Manager is set to show hidden files; if it still doesn’t appear, it doesn’t exist.

Image: cPanel’s File Manager feature

Creating a .htaccess file: Use a plain-text editor, such as Windows Notepad or Mac’s TextEdit (in plain-text mode, not rich text). Create a new file and save it as .htaccess, removing any file extension such as .txt.

Uploading a .htaccess file: The WordPress Codex sets out the default rules to put in the .htaccess file, depending on which WordPress version you use. Once added, save the file and upload it to your WordPress root directory, using an SFTP client or the File Manager on your control panel.

Setting file permissions: Immediately after uploading, set the file permissions to protect your .htaccess file from tampering. They are often set to 644 (chmod 644) automatically, which lets the file’s owner read and alter it while everyone else can only read it.

Image: Setting permissions on the .htaccess file

If using an SFTP client, you’ll need to right-click on the file, then access Permissions. On some clients, permissions will be found through Info, or Properties. 

If using the File Manager, select the file, then locate the Set Permission button. Enter 644 if the box is not already filled.

Making changes to your .htaccess file 

When editing the .htaccess file, exercise caution at all times, and be aware of the following points:

  1. Lines which begin with a hash (#) are comments and aren’t part of the rules the file sets. 
  2. Avoid editing between the lines # BEGIN WordPress and # END WordPress, as future WordPress updates will likely overwrite that block.
  3. Add your modifications below the “# END WordPress” line. This makes it easier to identify your changes.
  4. Refresh your site after every change and test it out – this way, you’ll be able to pinpoint problems to a specific piece of code.

Secure WordPress .htaccess with a plugin 

Using a reliable plugin helps you to secure your site with little chance of anything going wrong. It’ll also save you or your developer aeons of time.

While plugins come at a cost, the benefits of choosing a great security partner far outweigh any expense.

File Locker with Shield Security PRO

The Shield Security PRO plugin provides all-round protection for WordPress websites. We’ve designed the platform to meet the needs of all users, even those with little to no technical experience. 

While it doesn’t offer the option to edit the .htaccess file, it provides critical protection around the file with its exclusive File Locker feature. It does this in several ways:

  • Backup and encryption: File Locker stores encrypted backup copies of essential files on your WordPress site, safeguarding them against unauthorised access.
  • Automatic Encryption Management: The backup copies are encrypted using a key provided by the ShieldNET API, so the private key is not stored on your site.
  • On-demand decryption: Files can only be decrypted ‘as required’, through the ShieldNET API, giving website owners full control over access.

Shield Security PRO’s File Locker detects when you, or anyone else, make changes to these critical files. This ensures you’re immediately alerted to any untoward access, so you can take swift action to address any threat.

If you’re already enjoying the benefits of Shield Security PRO, you can access File Locker through Dashboard > Config > Scanners. From here, scroll down the File Scans and Malware tab and find File Locker.

Image: Shield Security PRO’s File Locker feature
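As an added example (not code from this post or from the Shield Security PRO plugin), the following Python script shows the kind of check File Locker automates, combined with the editing checklist above: it baselines the .htaccess file’s SHA-256 hash and permission bits, then reports content changes, permissions other than 644, a missing # BEGIN/# END WordPress block, or directives placed above the WordPress block. The sample .htaccess content is constructed for the demo.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

# Constructed sample .htaccess: WordPress block first, own rules (the HTTPS redirect) below it.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
"""

def snapshot(path):
    # Baseline for a File Locker-style check: content hash plus permission bits.
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return {"sha256": digest, "mode": stat.S_IMODE(path.stat().st_mode)}

def audit(path, baseline):
    # Compare the file with its baseline; an empty list means nothing to report.
    findings = []
    current = snapshot(path)
    if current["sha256"] != baseline["sha256"]:
        findings.append("content changed since baseline")
    if current["mode"] != 0o644:
        findings.append("mode is %o, expected 644" % current["mode"])
    lines = path.read_text(encoding="utf-8").splitlines()
    if "# BEGIN WordPress" not in lines or "# END WordPress" not in lines:
        findings.append("WordPress marker block missing or altered")
    elif any(l.strip() and not l.startswith("#") for l in lines[:lines.index("# BEGIN WordPress")]):
        # Own rules belong below "# END WordPress", so anything above it is unexpected.
        findings.append("directives found above the WordPress block")
    return findings

def demo():
    # Baseline the sample, then simulate a misplaced edit plus loosened permissions.
    path = Path(tempfile.mkdtemp()) / ".htaccess"
    path.write_text(SAMPLE_HTACCESS, encoding="utf-8")
    path.chmod(0o644)
    baseline = snapshot(path)
    clean = audit(path, baseline)
    path.write_text("ErrorDocument 404 /404.html\n" + SAMPLE_HTACCESS, encoding="utf-8")
    path.chmod(0o666)
    return clean, audit(path, baseline)
```

In a real deployment you would store the baseline somewhere the web server cannot write to and run the audit on a schedule.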

Manual .htaccess security 

If you wish to avoid plugins, or prefer the manual route of making changes to your .htaccess file, site security remains a must. Consider taking the following steps to keep hacking attempts at bay.

Disable XML-RPC 

The XML-RPC protocol was initially designed to allow communication between your website and external systems. Although some apps, themes, and plugins still rely on it to work, XML-RPC is exposed to the likes of DDoS and brute-force attacks.

Disabling XML-RPC can be achieved through code snippets, or through a plugin. Shield Security PRO lets you disable XML-RPC with a single option switch. Before doing so, however, always consider the pros and cons of using XML-RPC, as certain features of your website may depend on it.

For a detailed understanding, refer to our guide on disabling XML-RPC in WordPress.

Restrict PHP files and execution 

Through .htaccess, you can effectively disable PHP execution in directories where its use is unnecessary, such as the uploads folder. This approach reduces the number of potential gateways that hackers may exploit to gain unauthorised access. Place the rules in a .htaccess file inside the directory you want to lock down, not in the site root, since WordPress itself needs index.php and other PHP files to run. To restrict PHP files and execution using .htaccess, you can use the following code:

<Files "*.php">
    Order allow,deny
    Deny from all
</Files>

For those running Apache 2.4 or later versions, use the following code instead:

<Files "*.php">
    Require all denied
</Files>

Require SSL

Enforcing SSL for all traffic through .htaccess ensures encrypted connections, enhancing site security and user trust. Visitors can see their connection to your site is secure, removing any concerns about entering personal or financial information. 

User trust also has a positive impact on SEO, with 93.2% of Google Chrome browsing taking place on sites with SSL. Force SSL for all traffic by adding the following code to your .htaccess file. Note that if your host terminates TLS at a proxy or CDN in front of Apache, %{HTTPS} may be “off” for every request and this rule would redirect in a loop; in that case, check your host’s documentation for the header it sets (commonly X-Forwarded-Proto) and test the rule on it instead:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Develop a disaster recovery plan 

In the event of your .htaccess file being compromised, make sure you have a solid disaster recovery plan in place:

  • Backup strategies: Backup copies are essential. Consider automating scheduled backups through the use of WordPress plugins such as UpdraftPlus. Ensure your plan includes the .htaccess and wp-config.php files.
  • Secure storage practices: Saving backups remotely, on a different server to your web host, is advisable. Google Cloud, Microsoft Azure, and pCloud are three options, or you can use an SFTP client. Make sure your chosen location is encrypted.
  • Response to different disaster scenarios: Problems can come from many different sources, including hacking, server failure, or data corruption. Have a plan in place for dealing with any security breaches. Identifying and solving such issues as quickly as possible is essential when it comes to minimising disruption to your business. Shield Security PRO excels at swift diagnoses of site problems, and is equipped with solutions to mitigate the impact of security issues and guide you to resolving any issues that arise.
  • Restoration procedures: Restore from backups in a structured manner, starting with website directories and core WordPress files, then themes and plugins. Check that your .htaccess file is present and remember to set its permissions as described above.
  • Testing the plan: It’s worth simulating various disaster scenarios so that you and your team members are familiar with recovery procedures.
  • Documentation and accessibility: Create a document detailing recovery instructions that are easy for non-techies to understand. Make sure everyone on your team has access to the document.

Secure your WordPress site with Shield Security PRO’s unique protection

The .htaccess file proves its usefulness by governing various tasks, from page redirects, to forcing HTTPS over HTTP, and controlling user access. Given its central role in website management, securing the file is essential. 

Coders will be able to do this manually, although it’s time-consuming. Furthermore, the slightest error introduced into the file will break your site, causing problems that might be difficult for non-technical users to resolve.

Securing WordPress .htaccess with a dedicated plugin is the most logical solution. Shield Security PRO’s File Locker feature automatically alerts webmasters to any changes made to the .htaccess file. You’ll be able to review the code, making sure a change was legitimate, and if not, instantly address the problem.

Aside from the File Locker feature, Shield equips your site with many other features designed to protect it from attacks and malicious bots.

Our AntiBot Detection Engine analyses bot-behaviour patterns, identifying signals such as rapid or repeated login attempts. When suspicious patterns are found, the related IP address is instantly blocked – an invaluable defence against malicious attempts to access or modify the .htaccess file.

The plugin also offers cutting-edge deep scans with both manual and automatic response options, keeping you safe from malware and other intrusions. Furthermore, it can hide your login and admin pages, deterring those seeking unauthorised access from even making an attempt.

Remember to secure your own .htaccess file as a priority in the battle against cybercrime! Why not check out File Locker and get Shield Security PRO to do the job for you?