What is the .htaccess file and what should I use it for?

Posted by Keenweb in Guide, Privacy - Data - Security on November 9, 2016 with 0 Comment

Htaccess files are hidden plain text files on the server that help control how your visitors interact with your website. The htaccess file is also used to block specific traffic from being able to view your website. If you look for your .htaccess file you’ll see that there’s no filename. The extension is .htaccess, which tells the server what type of file it is.

In cPanel you can see whether you have a current .htaccess file using file manager, but you will need to make sure you have selected to view hidden files. If you are not familiar with using file manager please read our article. To view hidden files in file manager, select the ‘file manager’ icon in cPanel and make sure the box next to ‘Show Hidden Files’ is checked. Then click ‘OK’ and you will be able to view hidden files.

What can I do with my .htaccess file?

You might have a private area of your website you wish to keep password protected. This password protection is actually set up in the .htaccess file. You do not have to concern yourself with most of the functions of the htaccess file, as they will be written automatically through cPanel. This is the case with password protecting directories: while you set it up in cPanel, it actually writes a directive to your htaccess file.

Other functions of the htaccess file include prohibiting hotlinks, rewriting URLs, setting default pages, creating redirects, reconfiguring account settings, and much more. It’s really important to realize how the htaccess file can affect your entire account. Changing something in the htaccess file can alter how your website functions, so it’s really important to back up your current htaccess file BEFORE making changes to it.

Troubleshooting Errors

If you are getting errors on your website, the .htaccess file can often be the culprit.

  • This is easily tested by renaming your current htaccess file. Often, during troubleshooting, I’ll simply rename the .htaccess to .htaccess.ops and then try reloading the website. If the site loads, I know the issue resides in my configuration of the .htaccess file. If it does not fix the issue I was having, I’ll rename the file back by removing the .ops I added to the end. That way, it won’t affect my website after I resolve the issue.
  • If you are not seeing a change in your PHP settings, you may have to make your php.ini file affect all child folders as well. This is referred to as making the file “recursive“.

Secure your WordPress Installation

Posted by Keenweb in Privacy - Data - Security on February 22, 2016 with 0 Comment

A few years ago, only hackers were able to crack websites and bring them down, due to their level of knowledge in systems, networking and coding. In recent times, however, things have changed and just about anyone can find tutorials on the Internet that show step-by-step procedures to penetrate websites running vulnerable software.

At Keenweb Hosting, we take security seriously, and have implemented several systems to protect your applications from being exploited. We cannot, however, protect every piece of software that clients operate on their sites, as there is no guaranteed way to protect your websites from being exploited due to vulnerabilities resulting from not upgrading to the latest releases, poorly coded plugins or custom code.

This tutorial aims to focus on a common web application used by our clients – WordPress. We’ll provide some tips and suggestions that will help you add an extra layer of security to your WordPress installations.

Important Points

  • Always keep your WordPress installation up to date, including (crucially!) any plugins that you have installed
  • Create a new admin user with a custom username, and then delete the default ‘admin’ user as many attacks will target standard usernames
  • Change your admin account password regularly
  • Only install plugins that are well reviewed by the WordPress community, and are actively developed
  • When installing WordPress, change the default database prefix. All default WordPress installs use the database prefix of “wp_” which makes any exploiter’s job much easier. You can change this prefix to something unique during installation, and if you’ve already installed then the following plugin can help you change your WordPress database prefix with a few clicks: http://wordpress.org/extend/plugins/db-prefix-change/

Securing WordPress

Below is a list of recommended modifications or adjustments to make to your WordPress installations. Read it carefully and if you have any questions feel free to get in touch with our support team before proceeding.

1) Configure the WordFence Plugin – WordFence is a fantastic plugin for WordPress that will dramatically increase the security of your WordPress blog. It is our recommended plugin for any WordPress site – with WordFence properly installed and configured, the likelihood of your blog being hacked is dramatically reduced.

2) Prevent access via wp-login.php…

3) Hide your WordPress version. Hiding the WordPress version makes it harder for bots collecting information about your site to identify whether or not you run a vulnerable version.

4) Secure access to your wp-includes directory. This is often used by hackers to place malicious files when they find a vulnerable installation. Add the following lines to the .htaccess file in your WordPress installation directory:

# Block include-only files.
RewriteEngine On
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# End block include-only files

Note that this won’t work well on Multisite WordPress installations, as the line RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] will prevent the ms-files.php file from generating images. Omitting that line will allow the code to work, but offers less security.
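To see which requests the block above rejects, and what the Multisite caveat changes, here is a small Python model of how the five rules are evaluated (an added example, not part of the original article). It models only the [F] and [S=n] flags used here; the sample paths are constructed, and shrinking the skip count to S=2 when a rule is dropped is this example's own assumption so the skip still covers exactly the wp-includes rules.

```python
import re

# Rules copied from the article as (pattern, flags); a leading "!" negates.
ARTICLE_RULES = [
    ("^wp-admin/includes/", "F,L"),
    ("!^wp-includes/", "S=3"),
    (r"^wp-includes/[^/]+\.php$", "F,L"),
    (r"^wp-includes/js/tinymce/langs/.+\.php", "F,L"),
    ("^wp-includes/theme-compat/", "F,L"),
]

def evaluate(rules, path):
    """Return 403 if a rule forbids `path`, else None (request carries on).

    `path` is relative to the directory holding the .htaccess, without a
    leading slash, which is what RewriteRule matches in per-directory context.
    """
    i = 0
    while i < len(rules):
        pattern, flags = rules[i]
        negate = pattern.startswith("!")
        hit = bool(re.search(pattern[1:] if negate else pattern, path)) != negate
        i += 1
        if not hit:
            continue
        for flag in flags.split(","):
            if flag == "F":              # Forbidden: answer 403 and stop
                return 403
            if flag.startswith("S="):    # skip the next N rules
                i += int(flag[2:])
    return None

def multisite_rules(rules):
    """Variant from the note: drop the top-level *.php rule, shrink the skip."""
    kept = [r for r in rules if r[0] != r"^wp-includes/[^/]+\.php$"]
    return [(p, "S=2" if f == "S=3" else f) for p, f in kept]

if __name__ == "__main__":
    # Constructed sample request paths.
    samples = ["index.php", "wp-admin/includes/file.php",
               "wp-includes/version.php", "wp-includes/ms-files.php",
               "wp-includes/js/jquery/jquery.js",
               "wp-includes/theme-compat/header.php"]
    for path in samples:
        print(f"{path:40} single-site={evaluate(ARTICLE_RULES, path)} "
              f"multisite={evaluate(multisite_rules(ARTICLE_RULES), path)}")
```

If S=3 is left unchanged after removing a rule, requests outside wp-includes also skip whichever rule comes next in the same .htaccess file.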

5) Block search engine bots from browsing your directories. Google and other search engines can crawl unwanted URLs and expose them to hackers. It’s best to prevent Googlebot and any other bots that follow robots.txt (not all of them do) from indexing anything but your content. The robots.txt file is just a text file that goes in your site’s root folder. Edit or create the robots.txt file in your public_html folder and ensure it has the following parameters:

User-agent: *
Crawl-delay: 10
Disallow: /feed/
Disallow: /trackback/
Disallow: /wp-admin/
Disallow: /wp-content/
Disallow: /wp-includes/
Disallow: /xmlrpc.php
Disallow: /wp-*
User-agent: msnbot
Crawl-delay: 10
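How a compliant crawler reads the file above, shown with Python's urllib.robotparser (an added example, not part of the original article): a crawler that finds a group naming it uses only that group, so the msnbot group, which carries no Disallow lines, leaves msnbot unrestricted. FIXED_ROBOTS is this example's suggested variant, and the request paths are constructed.

```python
from urllib.robotparser import RobotFileParser

# robots.txt exactly as listed in the article.
ARTICLE_ROBOTS = """\
User-agent: *
Crawl-delay: 10
Disallow: /feed/
Disallow: /trackback/
Disallow: /wp-admin/
Disallow: /wp-content/
Disallow: /wp-includes/
Disallow: /xmlrpc.php
Disallow: /wp-*
User-agent: msnbot
Crawl-delay: 10
"""

# Suggested variant (this example's assumption, not the article's file):
# repeat the Disallow lines inside the msnbot group. That group is the last
# one in the file, so appending the lines at the end puts them there.
_disallows = [l for l in ARTICLE_ROBOTS.splitlines() if l.startswith("Disallow:")]
FIXED_ROBOTS = ARTICLE_ROBOTS + "\n".join(_disallows) + "\n"

def audit(robots_txt, agents, paths):
    """Return {(agent, path): allowed} as a robots.txt-following crawler decides."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return {(a, p): rp.can_fetch(a, p) for a in agents for p in paths}

if __name__ == "__main__":
    # urllib.robotparser matches path prefixes literally and does not expand
    # the "*" in "Disallow: /wp-*", so only plain-prefix paths are checked.
    agents = ["Googlebot", "msnbot"]
    paths = ["/wp-admin/", "/wp-includes/version.php", "/2016/11/a-post/"]
    for name, text in (("article", ARTICLE_ROBOTS), ("fixed", FIXED_ROBOTS)):
        for (agent, path), ok in audit(text, agents, paths).items():
            print(f"{name:8} {agent:10} {path:26} {'allow' if ok else 'disallow'}")
```

Either version only asks crawlers to stay away; the .htaccess rules in step 4 are what actually refuse requests.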

Extra Precautions:

Read this article: 3 Great WordPress Security Plugins recommended by keenweb.co.uk

3 Great WordPress Security Plugins recommended by keenweb.co.uk

Posted by Keenweb in Privacy - Data - Security on December 14, 2015 with 0 Comment

This week we take a look at five of the best WordPress security plugins available today which will keep your website secure and boost your WordPress website security.

WordPress is the most popular Content Management System (CMS) available today and is also very secure. Regular security updates and patches are released which help prevent hacks.

However, as with any website, there are weak links. More often than not an attack can be traced to a simple admin password that’s not been changed since your site was setup.

The good news is WordPress’ awesome plugin system lets you boost your website security quickly and easily, helping you close loopholes and prevent attacks on your website.

We’ve brought together 5 of the best WordPress security plugins available. You can keep your WordPress site secure by installing any of the following plugins today:

1. Jetpack Protect (Formerly BruteProtect)

Stop brute-force attacks on your WordPress websites by botnets in one easy step by enabling Protect from the Jetpack plugin.

Jetpack Protect blocks malicious bots and users from accessing your WordPress website.

Jetpack Protect works by tracking login attempts to your website. When there are too many failed attempts, Jetpack Protect logs and blocks that IP across the entire network of WordPress websites running Jetpack Protect.

View JetPack WordPress.org Plugin Listing

2. WordFence

Wordfence Security is one of the most popular all in one security plugins available for WordPress. This means it includes a whole range of features in just one plugin.

In our experience, it’s easy to setup and use and has a great range of features including a website scanner which will scan your WordPress files, themes and plugins and find any malware or code changes which may have been made.

Wordfence also includes real-time tracking of visitors to your website and will also block IP addresses of suspicious users and protect against brute force attacks.

If you’re an advanced WordPress user you’ll also be pleased to know you have granular control of each setting, so you can configure WordFence exactly as you want.

The Wordfence plugin is free to install but also includes some premium features which are a paid extra.

View Wordfence WordPress.org Plugin Listing

3. Clef

Your WordPress admin password is so often the weak link in the security chain and the easiest way for a hacker to gain access to your website.

The Clef WordPress plugin replaces your passwords entirely with a password-free, two-factor authentication system.

Instead, you install and use the Clef app on your smartphone to log in to your website.

View Clef WordPress.org Plugin Listing

Secure WordPress Hosting

These WordPress security plugins are just one part of the security chain. At the base you’ll want to run your WordPress site on secure Web Hosting.

The more secure your web hosting, the greater the chance of avoiding hacking attempts, leading to an increase in sales and leads. We offer a range of Web Hosting packages, built on our optimised Web Hosting platform, which include special features that can help reduce the chance of an attack.

  • Intrusion Detection System which monitors your account and blocks attackers.
  • Built-in virus scanner for website files and uploads.
  • Free UK-based Technical Support who are on hand to offer tips and help you to secure your WordPress website.

See our fast, secure Business Web Hosting, Managed VPS – Save 20% and Domain Registration for an online identity.

All web hosting packages include free UK-based support and a free money back guarantee (the number of days depends entirely on the package).

Feel free to contact us for more details.

Keenweb’s Commitment To Protecting Your Data

Posted by Keenweb in Privacy - Data - Security on December 14, 2015 with 0 Comment

At Keenweb, everything we do is focused on earning your trust. For this reason, we use strong encryption and strict security policies to protect your personal data.

Security, alongside speed and support, is a core pillar of our business ethos. At every level, from our data centres and web servers powering our web hosting platform, to our staff training, we place emphasis on your security and privacy.

Whilst we deliberately take a discreet approach to security, we are able to briefly outline some high-level security measures and policies we use to keep you safe:

Strong Encryption

Encryption scrambles data sent between your computer and Keenweb. We use encryption across our systems and services to ensure your key personal details are encrypted and not left in plain-text, readable form. We also use encryption across our website so when you login, or fill in an order form your personal data is kept safe.

We Do Not Store Your Full Credit Card Details

We do not store your full payment details on our own servers making it impossible for someone to gain access to your credit card details.

Secure Payments

When you enter your payment details into our secure website, your payment details are encrypted and sent to our secure payment processor. In return we receive a token, which is a random set of numbers and letters. The token cannot be turned back into card details and is useless on its own.

PCI Compliance

We comply with Payment Card Industry Data Security Standards (PCI DSS). Our payment provider is a PCI Service Provider Level 1. This is the most stringent level of certification available.

Protecting Personal Data

Handing over your details online is daunting. We know this. That’s why, as a registered UK Limited company, we strictly follow the Data Protection Act to ensure your personal data is always handled securely. Unlike some providers, we’re not a marketing company. We do not data mine or collect your details to profile you and help sell services, or offer this information to third parties for marketing purposes. Our interest is solely in providing you with fast, secure web hosting with great support.

Committed To Protecting Your Security

We know being pro-active about security is a necessity to maintain your trust.

With this in mind we monitor our systems and services 24/7, with checks every minute of every day and use Intrusion Detection Systems to automatically respond and block attacks.

In addition, we actively update and ensure our systems run the latest security patches. Our staff are continually trained in new threats and best practices for keeping your data safe.

It doesn’t end there…

The above represents a very small part of our total security policies and our daily commitment to protecting your data.

If you have questions about security please tweet, or email us.