Introduction to .htaccess
.htaccess files (or “distributed configuration files”) provide a way to make configuration changes on your WordPress site on a per-directory basis. A .htaccess file, containing one or more configuration directives, is placed in a particular document directory on your WordPress site, and the directives apply to that directory, and all subdirectories thereof. Using directives in .htaccess, you can block spam, secure your website, and control other website actions.
In general, you should never use .htaccess files unless you don’t have access to the main server configuration file. .htaccess files should be used in a case where the content providers need to make configuration changes to the server on a per-directory basis, but do not have root access on the server system. This is particularly true in cases where ISPs are hosting multiple user sites on a single machine, and want their users to be able to alter their configuration. However, in general, use of .htaccess files should be avoided when possible. Any configuration that you would consider putting in a .htaccess file can just as effectively be made in a <Directory> section in your main server configuration file.
One reason not to use .htaccess is performance. When AllowOverride is set to allow the use of .htaccess files, Apache will look in every directory for .htaccess files. Thus, permitting .htaccess files causes a performance hit, whether or not you actually even use them! Also, the .htaccess file is loaded every time a document is requested. Further note that Apache must look for .htaccess files in all higher-level directories, in order to have a full complement of directives that it must apply. Thus, if a file is requested out of a directory /www/htdocs/example, Apache must look for the following files:
/.htaccess
/www/.htaccess
/www/htdocs/.htaccess
/www/htdocs/example/.htaccess
And so, for each file access out of that directory, there are 4 additional file-system accesses, even if none of those files are present.
The configuration directives found in a .htaccess file are applied to the directory in which the .htaccess file is found, and to all subdirectories thereof. However, it is important to also remember that there may have been .htaccess files in directories higher up. Directives are applied in the order that they are found. Therefore, a .htaccess file in a particular directory may override directives found in .htaccess files found higher up in the directory tree. And those, in turn, may have overridden directives found yet higher up, or in the main server configuration file itself.
.htaccess Tweaks for WordPress Sites
Given that .htaccess is enabled on most Apache-driven websites, directives can be used to tweak WordPress. Below are some interesting and effective uses of .htaccess directives.
Note that lines beginning with “#” are comment lines. You can add your own comments as needed.
Deny all from Russia
Many hack attacks come from Russia and its infamous Russian Business Network technological “mafia”. Many also arrive from the Netherlands. These countries use specific IP address ranges that can be blocked from your web site entirely. This may be overkill, and if the attack is coming from a botnet then the IP address of the attacker could even be your next-door neighbor’s. Still, if you feel Russian visitors to your site are rare, you can add these lines to your .htaccess to block all visitors from those countries.
Note that the 188.142. range is the Netherlands and Hungary, while 188.143. is the Russian Federation IP address range.
Note: a complete list of IP blocks, as well as the top spamming countries, may be found at http://www.countryipblocks.net/. The list can be quite large and will greatly increase the size of your .htaccess (which is hit on every page request).
# DENY ALL FROM RUSSIA, NETHERLANDS, AND HUNGARY (THOSE COUNTRIES COMPRISE THESE RANGES)
# "order allow,deny" is required: Apache's default order is deny,allow, under which
# "allow from all" would override the deny lines and let every client through.
# (Apache 2.2 syntax; on Apache 2.4 these directives need mod_access_compat.)
order allow,deny
allow from all
deny from 188.142.
deny from 188.143.
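To see why the Order directive matters, here is an added example (not part of the original article) that simulates how Apache 2.2 evaluates Order, Allow and Deny directives for a client address, and runs the deny/allow rules above both with and without an explicit Order line; the rule text and client addresses are constructed for the demonstration.

```python
import ipaddress

# Constructed sample: the country-block rules as they might be pasted into .htaccess.
PAGE_RULES = """\
# DENY ALL FROM RUSSIA, NETHERLANDS, AND HUNGARY
deny from 188.142.
deny from 188.143.
allow from all
"""
FIXED_RULES = "order allow,deny\n" + PAGE_RULES


def parse_access_rules(text):
    """Collect Order/Allow/Deny directives (Apache 2.2 mod_authz_host semantics)."""
    order = ("deny", "allow")          # Apache's default when no Order line is present
    allow, deny = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        name = parts[0].lower()
        if name == "order" and len(parts) == 2:
            order = tuple(p.lower() for p in parts[1].split(","))
        elif name in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allow if name == "allow" else deny).extend(parts[2:])
    return order, allow, deny


def host_matches(spec, client_ip):
    """Match 'all', a CIDR block, or a partial dotted address such as '188.142.'."""
    if spec.lower() == "all":
        return True
    if "/" in spec:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    prefix = spec.rstrip(".")           # partial addresses match whole leading octets
    return client_ip == prefix or client_ip.startswith(prefix + ".")


def is_allowed(rules_text, client_ip):
    """Return True if the client would be admitted under the given rules."""
    order, allow, deny = parse_access_rules(rules_text)
    allowed = any(host_matches(h, client_ip) for h in allow)
    denied = any(host_matches(h, client_ip) for h in deny)
    if order == ("deny", "allow"):
        # Deny first, Allow last: an Allow match overrides Deny; default state is allowed.
        return allowed or not denied
    # Allow first, Deny last: a Deny match overrides Allow; default state is denied.
    return allowed and not denied
```

Under the default order the blocked ranges are still admitted because "allow from all" is evaluated last; adding "order allow,deny" makes the deny lines take effect.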
Protect important configuration files
Some files in your WordPress file system should never be read by anyone. Case in point is the wp-config.php file. This file contains highly sensitive information such as your WordPress database name and login information. The directives below can be added to your .htaccess file to block all access to those files.
# DENY PUBLIC ACCESS TO YOUR wp-config.php FILE
# The <Files> block limits the rule to wp-config.php; a bare "deny from all"
# would block every file in the directory.
<Files wp-config.php>
order allow,deny
deny from all
</Files>