Introduction to .htaccess

.htaccess files (or “distributed configuration files”) provide a way to make configuration changes on your WordPress site on a per-directory basis.  A .htaccess file, containing one or more configuration directives, is placed in a particular document directory on your WordPress site, and the directives apply to that directory, and all subdirectories thereof.  Using directives in .htaccess, you can block spam, secure your website, and control other website actions.

In general, you should never use .htaccess files unless you don’t have access to the main server configuration file. .htaccess files should be used in a case where the content providers need to make configuration changes to the server on a per-directory basis, but do not have root access on the server system.  This is particularly true in cases where ISPs are hosting multiple user sites on a single machine, and want their users to be able to alter their configuration.  However, in general, use of .htaccess files should be avoided when possible. Any configuration that you would consider putting in a .htaccess file, can just as effectively be made in a <Directory> section in your main server configuration file.

One reason not to use .htaccess is performance. When AllowOverride is set to allow the use of .htaccess files, Apache will look in every directory for .htaccess files. Thus, permitting .htaccess files causes a performance hit, whether or not you actually even use them! Also, the .htaccess file is loaded every time a document is requested.  Further note that Apache must look for .htaccess files in all higher-level directories, in order to have a full complement of directives that it must apply.  Thus, if a file is requested out of a directory /www/htdocs/example, Apache must look for the following files:

/.htaccess
/www/.htaccess
/www/htdocs/.htaccess
/www/htdocs/example/.htaccess

And so, for each file access out of that directory, there are 4 additional file-system accesses, even if none of those files are present.

The configuration directives found in a .htaccess file are applied to the directory in which the .htaccess file is found, and to all subdirectories thereof. However, it is important to also remember that there may have been .htaccess files in directories higher up. Directives are applied in the order that they are found. Therefore, a .htaccess file in a particular directory may override directives found in .htaccess files found higher up in the directory tree. And those, in turn, may have overridden directives found yet higher up, or in the main server configuration file itself.

.htaccess Tweaks for WordPress Sites

Given that .htaccess is enabled on most Apache-driven websites, directives can be used to tweak WordPress.  Below are some interesting and effective uses of .htaccess directives.

Note that lines beginning with “#” are comment lines.  You can add your own comments as needed.

Deny all from Russia

Many hack attacks come from Russia and its infamous Russian Business Network technological “mafia”.  Many also arrive from the Netherlands.  These countries use specific IP address ranges that can be blocked from your web site entirely.  This may well be overkill, and if the attack is coming from a botnet then the IP address of the attacker could even be your next door neighbor.  Still, if you feel Russian visitors to your site are rare, you can add these lines to your .htaccess to block all visitors from those countries.

Note that the 188.142. range covers the Netherlands and Hungary, while 188.143. is the Russian Federation IP address range.

Note: a complete list of IP blocks, as well as the top spamming countries, may be found at http://www.countryipblocks.net/.  The list can be quite large and will greatly increase the size of your .htaccess (which is hit on every page request).

#DENY ALL FROM RUSSIA, NETHERLANDS, AND HUNGARY (THOSE COUNTRIES COMPRISE THESE RANGES)
order allow,deny
deny from 188.142.
deny from 188.143.
allow from all
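The Order directive is where this snippet most often goes wrong: the same three lines under Order deny,allow block nobody, because the trailing allow from all then overrides the denies. As an added illustration (not code from the page), this Python emulation of Apache 2.2's Allow/Deny evaluation shows the difference; the client addresses in the tests and at the bottom are constructed samples.

```python
import ipaddress

def apache_ip_match(pattern, client_ip):
    """Emulate Apache 2.2 'Allow from' / 'Deny from' host matching for the
    forms used on this page: 'all', a partial dotted address such as
    '188.142.' (whole leading octets, i.e. 188.142.0.0/16), or a CIDR block."""
    if pattern == "all":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    octets = [o for o in pattern.split(".") if o]
    return client_ip.split(".")[:len(octets)] == octets

def access_allowed(order, allow, deny, client_ip):
    """Apply the 'Order' directive the way Apache 2.2 does.
    allow,deny: the request must match an Allow and no Deny (default: denied).
    deny,allow: the request is refused only if it matches a Deny and no Allow
    (default: allowed), so 'allow from all' neutralises every Deny."""
    allowed = any(apache_ip_match(p, client_ip) for p in allow)
    denied = any(apache_ip_match(p, client_ip) for p in deny)
    if order == "allow,deny":
        return allowed and not denied
    if order == "deny,allow":
        return allowed or not denied
    raise ValueError("unknown Order: %s" % order)

# The page's country block: deny 188.142. and 188.143., allow everything else.
PAGE_DENY = ["188.142.", "188.143."]
PAGE_ALLOW = ["all"]

def country_block_allows(client_ip, order="allow,deny"):
    """True when the page's three directives admit client_ip under the given Order."""
    return access_allowed(order, PAGE_ALLOW, PAGE_DENY, client_ip)

if __name__ == "__main__":
    for ip in ("188.143.5.6", "188.14.3.4", "203.0.113.7"):   # constructed sample clients
        print(ip, "allow,deny ->", country_block_allows(ip),
              "| deny,allow ->", country_block_allows(ip, "deny,allow"))
```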

Protect important configuration files

Some files in your WordPress file system should never be read by anyone.  Case in point is the wp-config.php file.  This file contains highly sensitive information such as your WordPress database name and login information.  The directives below can be added to your .htaccess file to block all access to those files.

# DENY PUBLIC ACCESS TO YOUR wp-config.php File
<Files wp-config.php>
order allow,deny
deny from all
</Files>

# DENY PUBLIC ACCESS TO YOUR php.ini file.
<Files php.ini>
order allow,deny
deny from all
</Files>

# DENY PUBLIC ACCESS TO YOUR php5.ini file.
<Files php5.ini>
order allow,deny
deny from all
</Files>

Block Other Sites from using your Images

Some inconsiderate (or ignorant) webmasters will link directly to your images, effectively stealing your content and consuming your bandwidth.  Rather than copying the images to their own server, they simply link off your web server.  You can add a directive to your .htaccess file that will only allow images from your server to be served if the referring URI is your own website.
In the directive below, be sure to change the domain name to your own domain name.  If you do not, no images on your website will load.  Also, the “nohotlink.jpg” image can be replaced with any image you like (create an image by that name that says “JERK” and that image will appear on the bandwidth thief’s website), or you can simply leave it as is and no image will be served to the bandwidth thief.

#Disable ability for outside domains to link to our images. Add this to the root and /main .htaccess
#Only allow images to be linked from this website (change yourdomainname.com to your own domain)
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?yourdomainname\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
#Never rewrite the substitute image itself, or the rewritten request would loop
RewriteCond %{REQUEST_URI} !/images/nohotlink\.jpg$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [NC,L]

Block spam comment posts

Lots of automated spam attacks are directed at the Comments functionality on your WordPress web site.  In many cases, these attacks originate from “bots”, or automated programs, that simply scan random files on your server.  They typically do not have a “referrer” or the referrer will be something other than your website (or at least until they wise up and start reading your domain first and passing that in as a referrer value).  You can use this to your advantage by adding the directives below to redirect any requests that do not have a referrer.  In this case, you simply redirect them right back to themselves.

# Spam blocker. Redirect comment POSTs whose referrer is not our site (or is missing),
# or whose user agent is empty, right back to the client's own address.
# Replace brianhaddock.com below with your own domain name.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php
RewriteCond %{HTTP_REFERER} !.*brianhaddock\.com.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
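The two mod_rewrite recipes on this page (the image hotlink rule above and this comment-spam rule) are easiest to reason about as plain request filters. The Python below, an added example rather than code from the page, emulates how Apache evaluates each rule's conditions; yourdomainname.com is the same placeholder the page uses and stands in for the author's domain in the spam rule, and the requests in the tests and at the bottom are constructed samples.

```python
import re

# Placeholder, as on the page: replace with your own domain (the page's spam rule uses the author's).
OWN_DOMAIN = "yourdomainname.com"

# Hotlink rule:  RewriteCond %{HTTP_REFERER} !^http://(.+\.)?yourdomainname\.com/ [NC]
#                RewriteCond %{HTTP_REFERER} !^$
#                RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [NC,L]
_OWN_REFERER = re.compile(r"^http://(.+\.)?" + re.escape(OWN_DOMAIN) + r"/", re.IGNORECASE)
_IMAGE = re.compile(r".*\.(jpe?g|gif|bmp|png)$", re.IGNORECASE)
NOHOTLINK = "/images/nohotlink.jpg"

def hotlink_target(uri, referer):
    """URI Apache would serve for a request. Non-images, empty referers (direct
    visits, privacy-stripped browsers) and own-site referers pass through; the
    substitute image is exempt so the rewritten request cannot loop."""
    if not _IMAGE.match(uri) or uri == NOHOTLINK:
        return uri
    if referer == "" or _OWN_REFERER.match(referer):
        return uri
    return NOHOTLINK

# Spam rule: POST to wp-comments-post.php with a referer that does not contain our
# domain (a missing referer counts) OR an empty User-Agent -> 301 back to the client.
# The referer test is a plain substring search, exactly as in the RewriteCond, which
# is why the page warns it only holds until bots start sending your domain as referer.
_OWN_SUBSTRING = re.compile(re.escape(OWN_DOMAIN), re.IGNORECASE)

def spam_redirect(method, uri, referer, user_agent, remote_addr):
    """Return the Location of the 301 Apache would send, or None if the request passes."""
    if method != "POST" or not re.search(r"/wp-comments-post\.php", uri):
        return None
    if not _OWN_SUBSTRING.search(referer) or user_agent == "":
        return "http://%s/" % remote_addr
    return None

if __name__ == "__main__":   # constructed sample requests
    print(hotlink_target("/wp-content/uploads/photo.jpg", "http://other.example/gallery"))
    print(spam_redirect("POST", "/wp-comments-post.php", "", "Mozilla/5.0", "203.0.113.9"))
```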
