What is a “Htaccess File”?
Photo by Shahadat Rahman on Unsplash
A Htaccess file (often referred to as “htaccess”) refers to files in the site’s “files” directory — sometimes called the “directory listing”. The name htaccess comes from the way that they work — by replacing the old version of your site’s main index page with a new version, this file acts as a sort of index for all other pages on your website.
A Htaccess file allows you to make changes to your website without having to edit HTML source code. This helps you to keep your website updated and secure.
The Htaccess file is primarily used to prevent unauthorised access to your website. Some hosting providers include the Htaccess file for this purpose, but it is not required for your site to be protected.
How does a Htaccess File Work?
The Htaccess file works by replacing your original index page (formerly known as “About Me”) with a new index page that blocks unauthorized access. For instance, the Htaccess file may replace your website’s main index with the following text:
If you are seeing this message, you are NOT authorized to view this page. Please contact your administrator for help.
The Htaccess file is simple and easy to use. It can be configured and tested on any website without having to alter HTML source code. It’s a great way to better protect your website from unauthorized access without having to edit anything on your site!
How Can You Use a Htaccess File?
The Htaccess file can be used in several ways — some are more complicated than others! But each method offers its own unique advantage that makes using it worthwhile.
The most common way to use a htaccess file is to block IP addresses from accessing your site. This can be done by placing the following code in your Htaccess file:
order deny,allow deny from all
This will block any IP address that tries to access your website, including hackers and search engine bots. The exception is if you have a static IP address — for instance, if you own your own personal computer, or if you are a business and you have your own office’s network. If this is the case, you can change the second line from “deny” to “allow” so that only people with static IPs are able to access it (for instance, www.mywebsite.com/exposed).
You can also use the Htaccess file to hide your WordPress login page. If you are using a domain name other than “www” or if you are using a domain with multiple websites, you can use the Htaccess file to block all visitors except for those who enter your domain and login information correctly. This code will let people get to your website, but won’t allow them to view it until they enter correct information:
<Files "wordpress"> order deny,allow deny from all allow from xxx.xxx.xxx.xxx </Files> <Files "wordpress/wp-admin"> order deny,allow deny from all allow from xxx.xxx.xxx.xxx </Files>
The above code will only allow people who are accessing your site through a computer with the IP address of xxx.xxx.xxx.xxx to get to your login page and website, where they can type in their information and access it normally. It is not possible to enter this code in the WordPress interface, but you can find detailed instructions on how to implement it here: http://codex.wordpress.org/Changing_The_Site_Address.
Security Tips and Tricks:
Remove any unnecessary code, themes, or plugins that you don’t need to lessen the number of security holes in your system and the number of potential risks your server may encounter in general.
You should aim to install any available updates as soon as they become available. It is best practice to keep all programs updated, even if you install a new firewall or virus scanner on top of them already, but it is even more important when it comes to WordPress.
If you have a WordPress site, make sure it’s up to date. Hackers will always be looking for holes in outdated software and may try to exploit them if you have an outdated website. For more information check out our article about WordPress software vulnerabilities.
Keep updated
Keep your website updated and use recommended plugins only, although this isn’t always possible with older sites or less popular ones.
The WordPress core has also recently improved security by making “default” the option to update plugins automatically after installation from within the dashboard rather than having to set a schedule in plugin settings.
Use strong passwords
Use strong passwords to protect your login details and restrict access to the WordPress dashboard to only those who need it.
There is no reason why a site administrator should ever have their login details handed over to a website hacker, so never do this.
Make sure you write down your password and keep it somewhere safe just in case you need to change something on your site.
Limit access
Limit access and use of the WordPress dashboard with a plugin such as iThemes Security or Limit Login Attempts which will block IP addresses from accessing your login page after a set number of failed attempts.
This can be very useful if you notice that someone may have guessed or obtained your login details, which has happened with WordPress sites before.
robots.txt
You may also consider adding a robots.txt file to your site which will prevent search engines from indexing pages on your site and even worse, crawling it.
If you use an Htaccess file to control access to your WordPress login page, make sure that the code does not block access to other pages and posts on your site which may contain useful information for visitors.
For example, if you use a plugin (such as the ones I recommend above), hackers will be able to easily access the back-end of your site, allowing them to obtain access to other portions of your site rather than just the login page.
To prevent this, make sure to use a more generic code such as the one below:
<Files "wordpress"> order deny,allow deny from all allow from xxx.xxx.xxx.xxx !important; </Files>
Also Checkout:- How To Choose Domain Name For Your Brand Or Business?
