Securing a website is a challenge: there are many different aspects of website security and countless holes to plug. We have collected some useful .htaccess security tips, tweaks and code snippets to fix common website security issues. These fixes all work on our web hosting platform. Security scanners will often pick up issues like these, so here is how to fix them and improve the overall security of your website. You can use these .htaccess security tips and code snippets for WordPress and for any other website.
.htaccess is a file used by the Apache web server to set server environment variables and configuration settings for the directory it sits in (and its subdirectories). It is usually found in your website root directory, e.g. /home/username/public_html/.htaccess
HTTP Strict Transport Security (HSTS) support is often flagged up by SEO and security scanners. What does it do? It tells web browsers that your website must only be accessed over a valid https connection, and browsers remember this for the number of seconds given in max-age (31536000 is one year), so make sure everything on the site already works over https before you enable it. To enable it just add this line to .htaccess (the env=HTTPS part ensures the header is only sent on https responses):
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
This is a quick .htaccess website security tweak that works for WordPress or any other custom website that has directories you want to protect from PHP code execution (for example upload directories, which should only ever serve static files). Using this .htaccess trick you can easily block PHP execution in your core WordPress directories to stop common attacks, but check your website carefully in case it breaks existing theme or plugin functionality. For finer control, we recommend the Sucuri WordPress security plugin, which enables you to whitelist specific files while blocking the rest. To implement this just create a .htaccess file in each of the directories that you want to protect and add this code (it covers both the Apache 2.2 and Apache 2.4 access-control syntax):
<FilesMatch "\.(?i:php)$">
    # Apache 2.2 (mod_access_compat on 2.4)
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
    # Apache 2.4
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
</FilesMatch>
If you have a static IP address then you can use it to control access to specific files or directories on your website, such as your login page or admin area. This is often used to secure WordPress websites by restricting wp-login.php and the /wp-admin/ directory, but it works equally well for other content management systems and custom websites and apps. Note that the Order/Deny/Allow directives below are the Apache 2.2 syntax; on Apache 2.4 they need mod_access_compat, or you can use "Require ip <YOUR IP ADDRESS>" instead.
To limit access to a specific file:
<Files "<YOUR FILENAME>.php">
    Order deny,allow
    Deny from all
    Allow from <YOUR IP ADDRESS>
</Files>
To limit access to a whole directory, create a .htaccess file in the directory you want to protect, and add this code:
Order deny,allow
Deny from all
Allow from <YOUR IP ADDRESS>
This one is often set by default by your hosting provider, but if not you can add the following line to your .htaccess file to prevent directory listings (Apache showing the contents of a directory that has no index file) in a web browser.
Options All -Indexes
This stops other websites from displaying images hosted on your website. This isn’t a huge issue, but if the culprit has a lot of traffic it can quickly use up your bandwidth and cause your website to be suspended or incur extra bandwidth costs. You can also replace the image with one that shows your website name and address to give yourself a bit of promotion, or replace it with something a bit cheeky as you see fit. Just add this code to your .htaccess file and change yourdomain and your no-hotlinking image URL as appropriate:
RewriteEngine On
# Requests with no Referer (direct visits, some privacy tools) are allowed through
RewriteCond %{HTTP_REFERER} !^$
# Allow your own site over both http and https; dots are escaped so they match literally
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com/ [NC]
# Never rewrite the placeholder image itself, otherwise the redirect loops
RewriteCond %{REQUEST_URI} !no-hotlinking\.png$
RewriteRule \.(jpe?g|jpe|gif|png)$ https://www.yourdomain.com/no-hotlinking.png [NC,R,L]
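Rewrite rules are easy to get subtly wrong, so it is worth testing them offline before deploying. The following Python script is an added example (not code from the original post) that mimics how Apache evaluates the two RewriteCond lines and the RewriteRule against constructed sample requests; it contrasts a loose pattern (unescaped dots, http-only referer check, no exemption for the placeholder image) with the tightened version, so you can see which of your own requests would wrongly get the no-hotlinking image.

```python
import re

# Constructed sample requests: (Referer header, "" when absent; requested path)
SAMPLE_REQUESTS = [
    ("", "/img/logo.png"),                                   # direct visit, no Referer
    ("https://www.yourdomain.com/post/1", "/img/logo.png"),  # own site over https
    ("http://yourdomain.com/", "/img/logo.jpg"),             # own site over http
    ("http://yourdomainXcom/", "/img/logo.gif"),             # lookalike host, unescaped dot
    ("https://other-site.example/", "/img/logo.png"),        # genuine hotlink
    ("https://other-site.example/", "/css/site.css"),        # not an image, rule skipped
    ("https://other-site.example/", "/no-hotlinking.png"),   # the placeholder image itself
]

# Loose ruleset: mirrors the common mistakes (dots unescaped, only http:// allowed)
LOOSE = {
    "allowed_referer": r"^http://(www.)?yourdomain.com/.*$",
    "image_pattern": r".(jpeg|JPEG|jpe|JPE|jpg|JPG|gif|GIF|png|PNG)$",
    "exempt_path": None,
}

# Tightened ruleset: escaped dots, http or https, placeholder image exempted
TIGHT = {
    "allowed_referer": r"^https?://(www\.)?yourdomain\.com/",
    "image_pattern": r"(?i)\.(jpe?g|jpe|gif|png)$",
    "exempt_path": r"no-hotlinking\.png$",
}


def is_redirected(referer, path, allowed_referer, image_pattern, exempt_path=None):
    """Return True if Apache would redirect this request to the placeholder image.

    Each RewriteCond with a leading '!' passes only when its pattern does NOT match;
    the RewriteRule pattern is an unanchored regex search on the request path.
    """
    if referer == "":                                           # RewriteCond !^$
        return False
    if re.search(allowed_referer, referer, re.IGNORECASE):      # RewriteCond !^https?://... [NC]
        return False
    if exempt_path and re.search(exempt_path, path):            # RewriteCond %{REQUEST_URI} !...
        return False
    return re.search(image_pattern, path) is not None           # RewriteRule pattern


def run(ruleset):
    """Evaluate every sample request under one ruleset; True means redirected."""
    return [is_redirected(ref, path, **ruleset) for ref, path in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (ref, path), loose, tight in zip(SAMPLE_REQUESTS, run(LOOSE), run(TIGHT)):
        print(f"{ref or '(no referer)':40} {path:22} loose={loose!s:5} tight={tight}")
```

The loose ruleset blocks your own https pages (row 2) and loops on the placeholder (row 7); the tightened one only redirects real hotlinks.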
This was flagged by a recent website security scan on a client website. Basically this header (part of Cross-Origin Resource Sharing, CORS) tells browsers that only pages on the specified domain may read your site’s responses, such as CSS stylesheets, images, fonts and scripts, when they are requested cross-origin; it is a browser-enforced policy, not a server-side access control. We suggest reading more about CORS on the Mozilla Developer Network website, and then if you want to enable this just add the following line to .htaccess:
Header set Access-Control-Allow-Origin https://www.yourdomain.com
Another one often flagged up by security scans is to disable the HTTP TRACE and TRACK methods. This can be done in Apache either by adding TraceEnable Off to your httpd.conf (it cannot be set from .htaccess) or by adding the following code to your .htaccess file, which answers such requests with 403 Forbidden:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
We’ve previously posted our website performance & SEO tweaks, which also use the .htaccess file. Looking for more .htaccess security tips to secure your website? Check out our developer resource code.hostasean.com for more code snippets and also our own WordPress plugins. Having problems or got more tips? Let us know in the comments.