Day 3. Protect your WordPress Files and Dirs Carefully
And I want to say – yes – WordPress is very safe and in ordinary situation, when you use clean WordPress install with the default Twenty Seventeen theme you have nothing to worry about (unless your password is «querty» or «12345678»).
But there are no ordinary situations in life – you may use a plugin with vulnerabily or not good enough hosting — in this case any of security tips matter and could safe your website.
Step 1. Protect wp-config.php
First of all – place your
wp-config.php in the directory above your installation folder. Do not worry – WordPress will find it without problems there.
Second – in the same directory create a file named
.htaccess with the following content.
<files wp-config.php> order allow,deny deny from all </files>
It may look something like this:
On the screenshot
public_html is the directory with WordPress.
Third – set file permissions (chmod) to 400. You can do it in your FTP/SFTP client usually via right click on file.
But what means 400 (or 440 and 444 as well) ? It means that nobody can edit this file. You can not even do it in your WordPress admin area (using a plugin for example).
I also recommend to set 444 chmod for every
.htaccess file on your website. In addition, the official WordPess codex recommendation is 755 for all directories and 644 for files.
Step 2. Disable directory browsing
Try to open
yourdomain/wp-content/plugins URL in your browser and this is something you shouldn’t see:
Usually WordPress already includes empty
index.php file in
But what about all the other directories without
index.php, even like
Simple — just open
.htaccess file which is in your WordPress installation folder and insert at the beginning of the file just this single line:
Now, when someone tries to access your dirs directly, he will receive «403 Forbidden».
Step 3. A special attention at uploads folder
Well, uploads directory is a very problematic place in WordPress. If it seems like your website is under attack, look into the uploads folder, I suppose you can find something interesting there.
Our task now is to disable PHP-execution there. There are two ways to implement it (I prefer the first way).
# Way 1 # at first we completely disable access to all the files <Files ~ ".*..*"> Order Allow,Deny Deny from all </Files> # after that add file extensions you want to allow access <FilesMatch ".(jpg|jpeg|jpe|gif|png|mp4|pdf)$"> Order Deny,Allow Allow from all </FilesMatch>
# Way 2 # Kill PHP Execution <Files *.php> deny from all </Files>
No matter what way you choose, you have to create another
.htaccess in you uploads directory.
Step 4. /wp-admin/
By the password
In this method, by adding two simple files in your
/wp-admin directory you will completely block everything inside it from unauthorized access.
First file is
AuthType Basic # Welcome message AuthName "Hi, this area is protected!" # Full path to .htpasswd file, you can use getcwd() function to find out it AuthUserFile /home/rudrastyh.com/public_html/wp-admin/.htpasswd require valid-user
This is the content of the
/wp-admin/.htpasswd file, each line is the
user:encrypted_password. To generate the passwords you can use my tool.
By the IP
Protection by the IP is better, but it doesn’t fit for me because I work from many different places and sometimes in my trips.
This code should be placed in
<limit GET> satisfy any order deny,allow deny from all allow from 126.96.36.199 allow from 213.21.34. # add your own lines with allowed IP addresses here require valid-user </limit>
Issue with admin-ajax.php
The interesting thing is that when you block your
/wp-admin directory, the
admin-ajax.php file will be blocked as well. So, you can not run ajax scripts outside your admin area.
How to avoid this? — use custom
ajaxurl instead, as an option you can add
ajax.php file in your WordPress directory with the following content in it:
<?php require( dirname(__FILE__) . '/wp-admin/admin-ajax.php' );
Hey guys and welcome to my website. For more than 10 years I've been doing my best to share with you some superb WordPress guides and tips for free.
Need some developer help? Contact me
Awesome article with very practical .htaccess codes!
Hey Misha really helpful article but I have some trouble to implement step 3 to hide/protect the WordPress Upload folder.
I’ve tryed to write htaccess rule like this:
1) Options All -Indexes
Deny from all
but I can still see them with google dev tool
Any help will be appreciated
Did I understand correctly – you would like to block all the files in your uploads directory?
.htaccessfile with the following content in your uploads directory
It will take some time to disappear from Google.
thanks for your post!
Maybe you can help me with that one:
I want to embed/display a video within my wordpress site (to be viewed by everyone) but I want to deny direct access to that file via URL (www.xxx.mp4). I tried different htaccess-options, but either the video is shown and can be accessed or the access is denied but also not shown within wordpress. Any idea?
Help ist appreciated!
Hmm, I think you could try htaccess authorization with the login / password for these files.
Thank you for your post. Very neatly written with easy to understand language. I have book marked your website. Cheers !!
Hi and thank you very much! :)
Won’t be able to use this on PHP 7.4