WordPress Security Tweaks (.htaccess)

As I get more familiar with WordPress I keep making tweaks to my blog to lock things down more. I thought I would share some of the things I have put in place to help others.

One of the first things I did was monitor the Apache access.log (/var/log/apache2/access.log) to see what kind of traffic was hitting my site.

Here is a summary of web calls I found interesting:

  • /xmlrpc.php
  • /wp-admin
  • /wp-login.php
  • /wp-content

On later versions of WordPress the REST API has taken over what /xmlrpc.php was used for, so the file is no longer needed; leaving it reachable is a security risk because it offers another way to attempt logins against the site. Please read up on it before you disable it if you don’t know what it is.

/wp-admin and /wp-login.php are, of course, the login page and admin area for the site; if we can limit who can access them, that also drastically increases security.

The last one: I noticed a lot of browsing happening in the /wp-content folder, which by default has directory browsing turned on, so anyone can list and open any of the files there. We can add a little more security here by turning directory browsing off.
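Here is a small log summary script for the monitoring step above. It is an added example, not something from the original post; it assumes Apache's default combined LogFormat (request path in the seventh whitespace-separated field) and uses constructed sample lines so it runs without a real log.

```shell
#!/bin/sh
# Summarise WordPress-related traffic in an Apache combined-format access log.
# Added example; swap the constructed sample for /var/log/apache2/access.log for real use.

# Constructed sample lines (documentation-range IPs, not real traffic).
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1543 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/7.88"
192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "GET /wp-content/uploads/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:11 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:58:00 +0000] "GET /2023/10/hello-world/ HTTP/1.1" 200 8870 "-" "Mozilla/5.0"'

# count_hits LOGFILE PATH_PREFIX -> number of requests whose path starts with PATH_PREFIX
count_hits() {
    awk -v prefix="$2" '
        # $7 is the request path in the combined format ("METHOD /path HTTP/x.y")
        index($7, prefix) == 1 { n++ }
        END { print n + 0 }
    ' "$1"
}

# top_sources LOGFILE PATH_PREFIX -> "count ip" lines, busiest source first
top_sources() {
    awk -v prefix="$2" 'index($7, prefix) == 1 { c[$1]++ }
        END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# report LOGFILE -> one "hits path" line per path of interest
report() {
    for p in /xmlrpc.php /wp-login.php /wp-admin /wp-content; do
        printf '%s %s\n' "$(count_hits "$1" "$p")" "$p"
    done
}

# Run against the constructed sample.
TMP_LOG=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$TMP_LOG"
report "$TMP_LOG"
echo "--- sources hitting wp-login.php ---"
top_sources "$TMP_LOG" /wp-login.php
rm -f "$TMP_LOG"
```

Running it on the real log (`report /var/log/apache2/access.log`) gives the same four-line tally the post describes, and `top_sources` shows which addresses are doing the probing, which is useful evidence before deciding what to block.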

Edit Root .htaccess file

Open up your .htaccess file in the root directory of your WordPress web site. This will already have some WordPress specific items in it.

This is what I added onto the file:

...
</IfModule>
# END WordPress

# Make Sure Hidden Files Are Not Accessible (dot files)
# Caveat: this also blocks /.well-known/ (used by ACME/Let's Encrypt HTTP-01
# challenges); add an exception first if your certificate renewal relies on it.
RedirectMatch 403 /\..*$

# Block WordPress xmlrpc.php requests
<FilesMatch "^xmlrpc\.php$">
        Require all denied
</FilesMatch>

# Block WordPress login page requests unless from certain IPs.
# Apache does not allow a comment on the same line as a directive, so the
# address list must stand alone. Put the IPs you want to allow here,
# space-separated on the one line; separate "Require ip" lines inside
# <RequireAll> would all have to match, which no single client can do.
<FilesMatch "^wp-login\.php$">
        <RequireAll>
                Require ip xxx.xxx.xxx.xxx
        </RequireAll>
</FilesMatch>

# Disable Directory Browsing (needs AllowOverride Options or All in the vhost config)
Options -Indexes

This makes sense for me because I am the only one accessing the administration of this website so it does not need to be open to the world.

The last change I made was to create a .htaccess file in the /wp-admin folder.

/wp-admin .htaccess file

This is what the .htaccess file I created in the /wp-admin folder looks like:

# Block WordPress requests to /wp-admin unless they come from your IP.
# Replace xxx.xxx.xxx.xxx with your address (several can share the line); the
# comment has to stay on its own line because Apache rejects inline comments.
# No <Limit GET POST PUT> wrapper: <Limit> only restricts the methods listed,
# so any other method would bypass the rule; unwrapped, Require covers them all.
# Note that /wp-admin/admin-ajax.php is also blocked for everyone else, which
# matters if a theme or plugin uses it for public-facing features.
<RequireAll>
        Require ip xxx.xxx.xxx.xxx
</RequireAll>

These security settings make sense for me because this is a simple blog with one user, but they may not make sense for you. I also run no plugins on the site, to keep my exposure low.

Of course, the one downside to doing things this way is that if my IP at home changes or I’m out traveling, I’ll have to SSH in to the server to allow myself to log in, but I’m OK with this. As far as SSH goes, I would also strongly suggest key authentication instead of username/password.
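For the "SSH in and change the IP" step, here is a helper that updates the allow-listed address without hand-editing the file. It is an added example, not part of the original post; the function names (`valid_ipv4`, `set_allowed_ip`, `allowed_ips`) are my own, it only handles IPv4 because that is what the post's rules use, and the demo runs on a constructed copy of the /wp-admin rule rather than a real .htaccess.

```shell
#!/bin/sh
# Swap the allow-listed address on every "Require ip" line of a .htaccess file.
# Added example (hypothetical helper names); validates the address and keeps a
# backup so a typo cannot leave the admin area unreachable or wide open.

# valid_ipv4 ADDR -> exit 0 if ADDR is a dotted quad with each octet 0-255
valid_ipv4() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# allowed_ips HTACCESS -> print the address list on the first "Require ip" line
allowed_ips() {
    sed -n 's/^[[:space:]]*Require ip \(.*\)$/\1/p' "$1" | head -n 1
}

# set_allowed_ip HTACCESS NEW_IP -> rewrite every "Require ip" line to allow only NEW_IP
set_allowed_ip() {
    file=$1; ip=$2
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    grep -q '^[[:space:]]*Require ip ' "$file" || { echo "no 'Require ip' line in $file" >&2; return 1; }
    cp -p "$file" "$file.bak"                 # backup to restore if the new rule locks you out
    # Replace the address list after "Require ip", keeping the original indentation.
    sed "s/^\([[:space:]]*Require ip \).*/\1$ip/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Demo on a constructed copy of the /wp-admin rule (documentation-range addresses).
DEMO=$(mktemp)
printf '%s\n' '<RequireAll>' '        Require ip 192.0.2.10' '</RequireAll>' > "$DEMO"
echo "before: $(allowed_ips "$DEMO")"
set_allowed_ip "$DEMO" 198.51.100.23 && echo "after:  $(allowed_ips "$DEMO")"
rm -f "$DEMO" "$DEMO.bak"
```

In practice you would run `set_allowed_ip /var/www/html/wp-admin/.htaccess <new ip>` (path assumed) and the same for the root file, then confirm with `allowed_ips` before closing the SSH session; the `.bak` copy is there so a mistake can be reverted in one `mv`.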