Hardening WordPress with htaccess

November 30, 2008

This article covers .htaccess techniques that harden a WordPress blog. They are especially useful on shared hosting, where you cannot edit the main Apache configuration but can usually drop .htaccess files into your own directories.

Let me start by saying this guide is not for everyone, and there is a fair chance it will break some third-party plugins and themes.

It is not all doom and gloom; if you can use this guide it will significantly increase the security of your blog. It blocks many attacks, including brute force attacks on the admin login, plugin enumeration, directory listings, sensitive information disclosure and direct requests to plugin files that have file include vulnerabilities. Different circumstances will need different hardening guides, so if this one is not for you, let us know so we can plan guides that meet those requirements.


Important Note: Please ensure that your WordPress files and database are backed up before attempting any of these changes.

Step 1 - Restricting wp-content and wp-includes
Using the .htaccess <Files> directive, we deny every file except images, CSS and JavaScript. The directory-level Deny applies to everything; the <Files> section overrides it for the file names it matches, so only those extensions are served. (This is the Apache 2.2 access-control syntax; on Apache 2.4 the equivalents are Require all denied and Require all granted, and your host must permit AllowOverride Limit for these rules to take effect.) The .htaccess file looks as follows:
Order Allow,Deny
Deny from all
<Files ~ "\.(css|jpe?g|png|gif|js)$">
Allow from all
</Files>

If a plugin needs one of its PHP files to be requested directly (Livexp, for example), append a <Files> block for that file to wp-content/.htaccess:
<Files "livexp.php">
Allow from all
</Files>

Put this .htaccess file in both the wp-content and wp-includes directories. As above, you can allow specific files to get your plugins and/or themes working if need be. This is a much cleaner method than the one discussed in a previous version of this document.

If you got through that, well done.
Step 2 - Restricting access to wp-admin
Now to restrict wp-admin you have two choices. Put a .htaccess file into your wp-admin directory containing one of the two rule sets below.

You can restrict it by IP:
order deny,allow
# a.b.c.d is your static IP address (Apache does not accept a comment at the end of a directive line)
allow from a.b.c.d
deny from all

This denies every request to wp-admin unless it comes from a.b.c.d, which you should change to your own static IP address. Note that if your site sits behind a reverse proxy or CDN, Apache sees the proxy's address rather than yours, so check what address the server actually logs before relying on this.

OR restrict the directory with a password. First create the password file outside the web root, at the path named in AuthUserFile, with htpasswd -c /etc/httpd/htpasswd yourusername (drop -c when adding further users), then:
AuthUserFile /etc/httpd/htpasswd
AuthType Basic
AuthName "restricted"
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any

Satisfy any grants the request if either the host rules or the user authentication pass. With Deny from all the host rules never pass, so a password is always required; the point of Satisfy any is that you can add Allow from a.b.c.d to let your own static IP in without a prompt while everyone else is challenged. Your host must permit AllowOverride AuthConfig for the Auth* directives to work.

OR, better, restrict only the PHP files:

With the rule set above, a visitor who submits a comment without an e-mail address gets a password prompt, because the error page loads CSS and image files from inside the wp-admin directory. To get around this, wrap the rule set in a <Files> section so that only .php files require a password and the static files are served as before. Direct requests to the PHP files, which is where the attacks land, are still blocked. (<Files ~ "..."> is the older spelling of <FilesMatch "...">; either works.) Whichever variant you choose, Basic authentication sends the password in clear text with every request, so use it over HTTPS, and plugins that call wp-admin/admin-ajax.php from the public pages will also be challenged unless you exempt that file with its own <Files> block.
<Files ~ "\.(php)$">
AuthUserFile /etc/httpd/htpasswd
AuthType Basic
AuthName "restricted"
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any
</Files>
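Once the three .htaccess files are in place, it is worth checking from the outside that they actually do what the steps above describe, because a host that does not allow the right AllowOverride options will silently ignore them. The script below is an added example and not part of the original article: it fetches a handful of URLs with curl and compares the HTTP status codes with what the rules should produce (403 where Allow/Deny blocks, 401 where the password prompt applies, 200 for the CSS and JavaScript that must stay reachable). The theme and plugin paths (example-theme, example-plugin, no-such-plugin) are assumptions to be edited to match your install; run it from an address that is not in your Allow list.

```shell
#!/bin/sh
# Black-box check for the wp-content, wp-includes and wp-admin rules.
# Added example, not part of the original article. Usage:
#   sh check_wp_htaccess.sh https://blog.example.com
# The theme/plugin paths below are assumptions; edit them for your install.

# One check per line: URL path, then an extended regex of acceptable HTTP
# status codes. 403 = denied by Allow/Deny, 401 = Basic auth prompt.
# no-such-plugin does not exist on purpose: a denied path answers 403
# whether or not the file exists, so the response no longer reveals
# which plugins are installed.
CHECKS='
/wp-includes/js/jquery/jquery.js 200
/wp-includes/version.php 403
/wp-content/themes/example-theme/style.css 200
/wp-content/plugins/example-plugin/readme.txt 403
/wp-content/plugins/example-plugin/example-plugin.php 403
/wp-content/plugins/no-such-plugin/readme.txt 403
/wp-admin/ 401|403
/wp-admin/admin.php 401|403
'

# verdict PATH STATUS -> prints PASS, FAIL or UNKNOWN (path not in CHECKS)
verdict() {
  _path=$1
  _code=$2
  while read -r _p _want; do
    [ "$_p" = "$_path" ] || continue
    if printf '%s\n' "$_code" | grep -Eqx "$_want"; then
      echo PASS
    else
      echo FAIL
    fi
    return 0
  done <<EOF
$CHECKS
EOF
  echo UNKNOWN
}

# probe_site BASE_URL -> fetches every path, prints one line per check and
# returns the number of failed checks (0 = the rules behave as described)
probe_site() {
  _base=${1%/}
  _failures=0
  while read -r _p _want; do
    [ -n "$_p" ] || continue
    # only the status code matters; the response body is discarded
    _got=$(curl -s -o /dev/null -w '%{http_code}' "$_base$_p")
    _result=$(verdict "$_p" "$_got")
    printf '%-7s %-52s got %s, want %s\n' "$_result" "$_p" "$_got" "$_want"
    [ "$_result" = PASS ] || _failures=$((_failures + 1))
  done <<EOF
$CHECKS
EOF
  return "$_failures"
}

# Probe only when a base URL is given, so the file can also be sourced.
if [ $# -gt 0 ]; then
  probe_site "$1"
fi
```

A 200 on a plugin readme.txt means the wp-content rule is not being applied at all (most often AllowOverride does not include Limit on that host); a 200 on wp-admin/admin.php means the password or IP rule is missing. If a real plugin's readme answers 403 but the made-up one answers 404, Apache is still distinguishing existing from absent files and plugin enumeration is still possible.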

That's it! You now have a more secure blog, and hopefully everything still works for you.

