Securing your WordPress folders is an important part of protecting your site from unauthorized access. This guide walks through hardening your WordPress directories with .htaccess rules and a few related measures. Two things to check before you start: .htaccess files are read by Apache (and by servers that emulate it, such as LiteSpeed) but are ignored entirely by Nginx, and the directives below only take effect if AllowOverride permits them for the directory. With AllowOverride None the file is silently ignored; with a partial AllowOverride, any directive type that is not permitted makes Apache return a 500 error. The access-control rules in this guide use Apache 2.2 syntax (Order, Deny, Allow); Apache 2.4 accepts them only while mod_access_compat is loaded and otherwise expects Require directives.
wp-config.php File
The wp-config.php file contains your database credentials and authentication salts. Because it is a PHP file, a direct request normally executes it and returns an empty page, but if the PHP handler is ever misconfigured the file would be served as plain text. Deny direct access by adding the following to your root .htaccess file. Note that <Files wp-config.php> matches that exact name only: backup copies such as wp-config.php.bak or wp-config.php~ are not PHP to the server and will be served as text, so they need a FilesMatch pattern of their own (or, better, should not exist in the web root at all).
<files wp-config.php>
order allow,deny
deny from all
</files>
Directory browsing (automatic index listings) lets a visitor enumerate every file in a directory that has no index file, which reveals file names such as backup or configuration copies. Disable it by adding this line to your root .htaccess file (it needs AllowOverride Options or All):
Options -Indexes
wp-admin Directory
Limit access to the wp-admin directory to known addresses. Create an .htaccess file in the wp-admin directory with the following. Do not wrap it in <Limit GET POST>: that would leave every other request method unrestricted, and the Apache documentation advises against using <Limit> for access control at all.
order deny,allow
deny from all
allow from xx.xx.xx.xx
Replace xx.xx.xx.xx with your IP address; add one allow from line per additional address, or use a CIDR range such as xx.xx.xx.0/24. Three caveats apply. First, wp-admin/admin-ajax.php is called by many themes and plugins on behalf of anonymous visitors, so those features break for everyone outside the list unless you add an exception for that file. Second, wp-login.php sits in the site root, not in wp-admin, so login attempts are not covered by this rule. Third, behind a CDN or reverse proxy Apache sees the proxy's address rather than the client's, so configure mod_remoteip (or your server's equivalent) before relying on client IP rules.
.htaccess File
Make sure the .htaccess file itself cannot be downloaded, since it documents your access rules and any IP allow-list. The stock Apache configuration already denies every file whose name starts with .ht, so this is a backstop for servers where that default was removed. Add the following to your .htaccess file:
<files .htaccess>
order allow,deny
deny from all
</files>
wp-includes Folder
The wp-includes folder holds library code that is only meant to be loaded by other scripts, never requested directly. Blocking direct requests means neither those files nor any PHP file an attacker manages to drop into the directory can be invoked from the browser. Add the following to your root .htaccess file; it is the rule set from the WordPress hardening documentation. On a multisite installation, remove the RewriteRule ^wp-includes/[^/]+\.php$ line, because ms-files.php must remain reachable to serve uploaded files:
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
The uploads directory should only ever hold media, but it has to be writable by the web server, so it is where a file-upload flaw or a compromised account is most likely to leave a PHP shell. Refuse to serve PHP from it by creating an .htaccess file in the wp-content/uploads directory with the following content. Note that <Files *.php> matches names that end in .php only; if PHP is enabled through AddHandler, a name such as shell.php.jpg is still executed as PHP, so a FilesMatch pattern that matches .php anywhere in the name is the safer choice:
<Files *.php>
deny from all
</Files>
xmlrpc.php is WordPress's legacy remote API. Attackers use its system.multicall method to try hundreds of passwords in a single request, and its pingback method to make your server send requests to other hosts. If you do not use Jetpack, the WordPress mobile apps or another XML-RPC client, disable it by adding the following to your root .htaccess file:
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
wp-content Directory
Only allow access to specific file types in the wp-content directory by adding the following to an .htaccess file in the wp-content directory. Be careful with this one: every file type not in the list returns 403, so extend it with whatever your site actually serves (for example pdf, mp4, webp, ico, json), and any plugin that exposes a PHP endpoint directly under wp-content will stop working for visitors. It also denies PHP under wp-content/uploads, which makes the uploads rule above redundant but harmless:
Order deny,allow
Deny from all
<FilesMatch "\.(xml|css|js|jpe?g|png|gif|woff|woff2|ttf|svg|eot)$">
Allow from all
</FilesMatch>
readme.html and license.txt Files
These files reveal the installed WordPress version, which lets an attacker pick exploits for known bugs without probing. Blocking them is a small win only: the version is also visible in the generator meta tag WordPress adds to every page and in the ?ver= parameters on script and style URLs, so keeping core up to date matters far more. Add the following to your root .htaccess file:
<FilesMatch "^(readme|license)\.(txt|html)$">
order deny,allow
deny from all
</FilesMatch>
Consider using security plugins such as Wordfence, Sucuri, or iThemes Security to complement these rules. They add a web application firewall, malware scanning, and login protection such as rate limiting and two-factor authentication.
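As an added example, not code from the original post, here is the guide's rule set collected into one root .htaccess. It goes beyond the text in two ways: the access-control directives are written for Apache 2.4 (Require) with an Apache 2.2 fallback selected by IfModule, and the wp-admin and uploads rules are expressed with mod_rewrite so they live in the same file instead of per-directory .htaccess files that are easy to forget or for an attacker with write access to delete. It assumes WordPress is installed in the document root, that mod_rewrite is available, and that AllowOverride includes AuthConfig (for Require), Limit (for Order/Deny), FileInfo (for RewriteRule) and Options. 203.0.113.10 is a placeholder administrator address from the RFC 5737 documentation range.

```apache
# Added example (not from the original post): the rules from this guide in one
# root .htaccess, for Apache 2.4 (mod_authz_core: Require) with an Apache 2.2
# (Order/Deny) fallback. Directory-scoped rules use mod_rewrite, so no
# per-directory .htaccess files in wp-admin or wp-content/uploads are needed.
# Place this above the "# BEGIN WordPress" block, which WordPress rewrites.
# Assumes WordPress lives in the document root. 203.0.113.10 is a placeholder
# (RFC 5737 documentation range); replace it with your own address or range.

# No directory listings (needs AllowOverride Options or All).
Options -Indexes

# Files that must never be served directly: wp-config.php and any backup
# copy of it (wp-config.php.bak, wp-config.php~), every .ht* file,
# xmlrpc.php, and the version-revealing readme/license files.
<FilesMatch "^(wp-config\.php.*|\.ht.*|xmlrpc\.php|readme\.html|license\.txt)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    # wp-admin only from the administrator address. admin-ajax.php stays
    # reachable because themes and plugins call it for anonymous visitors.
    # wp-login.php is in the site root and is not covered by this rule.
    # Behind a CDN or reverse proxy REMOTE_ADDR is the proxy's address
    # unless mod_remoteip is configured.
    RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
    RewriteCond %{REQUEST_URI} !/wp-admin/admin-ajax\.php$
    RewriteRule ^wp-admin/ - [F,L]

    # No PHP from the uploads tree. The pattern has no end anchor, so a
    # double extension such as shell.php.jpg is refused as well as shell.php.
    RewriteRule ^wp-content/uploads/.*\.php - [F,L]

    # Include-only files (the WordPress hardening documentation rule set).
    # On multisite, remove the ^wp-includes/[^/]+\.php$ line so that
    # ms-files.php can still serve uploaded files.
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
```

The wp-content extension allow-list from the text is left out on purpose: the uploads rule above addresses the PHP-execution risk without returning 403 for every unlisted media type. After deploying, request each protected path (wp-config.php, .htaccess, xmlrpc.php, readme.html, a .php path under wp-content/uploads, and wp-admin/ from an address not in the list) and confirm a 403, then check that admin-ajax.php and the public pages still respond normally.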
By implementing these measures, you can significantly improve the security of your WordPress folders and reduce the risk of unauthorized access and attacks. Always remember to keep your WordPress core, themes, and plugins updated to the latest versions to benefit from security patches and improvements.
By following this guide, you’ll fortify your WordPress site against common threats and keep your data secure. Happy securing!