10 Essential .htaccess Directives For A New WordPress Blog

Installing a WordPress blog is not difficult, especially with the one-click installers most hosts provide. What matters is the post-installation configuration that makes the blog secure and fast for its visitors. Some of these settings can be changed from the dashboard; others need work on the server itself. One of the most important files for that work is .htaccess, Apache's per-directory configuration file, placed in the root directory of the blog. Apache reads it on every request and applies the directives it contains, so changes take effect immediately without a restart; the flip side is that a syntax error in it makes the whole site answer with 500 errors until it is fixed, and that the hosting configuration must permit overrides (AllowOverride) for the directives to have any effect at all. Although Apache offers a very large number of directives, an average blog does well with about a dozen of them. Let's look at the ones every new WordPress installation should have.


www to non-www OR non-www to www

Some bloggers prefer the www prefix before their domain name, while others leave it out. This is a personal choice, but if both hostnames serve the same content, search engine crawlers see two copies of every page, one with the www prefix and one without. That splits link signals between two URLs and can leave the wrong one in the index. To avoid this, redirect every request to a single canonical hostname, either www or non-www.

#Redirect www to non-www (note the escaped dots and the trailing $ in the host pattern)

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^www\.yourdomain\.com$ [NC]
RewriteRule ^(.*)$ http://yourdomain.com/$1 [L,R=301]

#Redirect non-www to www

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^yourdomain\.com$ [NC]
RewriteRule ^(.*)$ http://www.yourdomain.com/$1 [L,R=301]

Use whichever of the two blocks matches your preference, and never both in the same file, or the two rules redirect each other in a loop. Neither form is better for search engines; what matters is that you pick one and enforce it. The escaped dots and the trailing $ in the host pattern are not cosmetic: ^www.yourdomain.com without them also matches unrelated hostnames that merely start with those characters. If the blog is served over TLS, use https:// in the target URL so the redirect does not send visitors back to plain HTTP, and keep the WordPress Address and Site Address in Settings > General consistent with the form you chose.

Preventing directory browsing

When Apache receives a request for a directory that has no index file, it can generate a listing of that directory's contents. Attackers use such listings to map a site's layout and find files they should never see: backups, copies of configuration files, plugin source, uploads. To prevent this, disable directory indexes with the single line below, and the whole directory tree of the blog stops listing its contents.

#Disable directory browsing

Options -Indexes

This is one of the most basic security measures and one of the first settings I apply on a fresh WordPress install. Note that the directive uses only the minus form. The variant Options All -Indexes, which is often copied from forum posts, switches on every other option (ExecCGI, Includes, FollowSymLinks and the rest) at the same time, which is the opposite of hardening; Options -Indexes removes indexing and changes nothing else. If the line produces a 500 error, the hosting configuration does not allow Options overrides in .htaccess, and you need to ask your host to disable indexes for you.

Restrict access to .htaccess file

Because so many security and routing settings live in .htaccess (and some security plugins write their own rules into it), nobody but the site owner should be able to read it over the web. Apache's stock configuration already denies requests for files whose names begin with .ht, but not every host keeps that default, so state it explicitly with the block below.

#Deny access to .htaccess file

<FilesMatch "^\.ht">
  # Apache 2.4 syntax; on Apache 2.2 use "Order allow,deny" and "Deny from all" instead
  Require all denied
</FilesMatch>

With this block in place any request for /.htaccess or /.htpasswd receives a 403 Forbidden. Also restrict the file's permissions on disk (0644 is the usual choice, owned by your account and writable only if a plugin needs to edit it) so that it cannot be modified through a compromised plugin or another account on a shared host. The web rule and the file permissions protect against different things, which is why you want both.

Restrict access to wp-config.php file

wp-config.php holds the database credentials and the authentication salts, which makes its contents the most valuable thing an intruder can read from the file system. Normally PHP executes the file and sends nothing back, but if the PHP handler is ever misconfigured, or an editor leaves a copy such as wp-config.php.bak or wp-config.php~ behind, the source would be served as plain text. Add the same kind of deny rule for this file; as mentioned earlier, the directive is only one of the measures.

#Deny access to wp-config.php file

#FilesMatch also covers editor backups such as wp-config.php.bak or wp-config.php~
<FilesMatch "^wp-config\.php">
  # Apache 2.4 syntax; on Apache 2.2 use "Order allow,deny" and "Deny from all" instead
  Require all denied
</FilesMatch>

Also set restrictive file permissions on wp-config.php (0600 or 0640, readable by the PHP user only) so other accounts on a shared host cannot read it. Leaked database credentials and salts usually mean a full compromise: with them an attacker can forge logins and alter the database at will, and the clean-up is a rebuild from a known-good backup. Test the rule after adding it by requesting /wp-config.php in a browser: you should get a 403 Forbidden response. A blank page means PHP executed the file as usual, and PHP source on screen means you have a serious problem. Several security plugins also scan for this.

Disable display of server and software versions

Attackers look up known vulnerabilities for the exact versions of the software running on a server. On many distributions Apache is configured to append a signature such as "Apache/2.4.41 (Ubuntu) Server at yourdomain.com Port 80" to its own error pages, for example the 404 returned for a non-existent page, and the same version string appears in the Server response header of every response. Together with PHP's X-Powered-By header, that is exactly the version information an attacker needs to pick an exploit.

#Disable server signature display

ServerSignature Off

ServerSignature Off removes that footer from the error pages. It does not touch the Server header, which is controlled by ServerTokens, a directive that can only be set in the main server configuration (httpd.conf) and not in .htaccess; ask your host for ServerTokens Prod, which reduces the header to a bare "Apache". PHP's own X-Powered-By header is disabled with expose_php = Off in php.ini. Hiding versions makes reconnaissance harder, but it is no substitute for keeping the stack patched: behaviour-based fingerprinting still works, and a hidden version number does not fix the vulnerability behind it.

Disable image hotlinking

Hotlinking means that another site embeds images straight from your server, so you pay for the bandwidth and get no visitors in return; newcomers often do not notice it for months. Two things help. First, watermark the images you upload. Second, use the rule below to serve a substitute image instead of the original whenever the request comes from another site.

#Disable hotlinking of images

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?yourdomain\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_URI} !^/images/thief\.jpg$
RewriteRule \.(jpe?g|gif|bmp|png)$ /images/thief.jpg [NC,L]

The rule consists of three conditions that must all hold: the Referer header does not point at one of your own pages (any subdomain, over http or https), the Referer is not empty, and the requested file is not the substitute image itself (without that third condition the rule also matches /images/thief.jpg). When they hold, a request for a .jpg, .gif, .bmp or .png file is internally rewritten to /images/thief.jpg, and what you put in that file is up to you, a short message or something less polite. The subdomain part of the pattern is [^/]+ rather than .+ on purpose: with .+ a Referer such as http://attacker.example/a.yourdomain.com/ would be accepted as your own. Two caveats: requests without a Referer pass through, so direct downloads still work and visitors whose browser or privacy extension strips the header see the real image; and the header is set by the client, so a deliberate scraper can simply spoof it. The rule stops casual embedding, not determined theft.

Redirect visitors to custom error pages

A visitor may reach your blog through a broken link, in which case the server answers with a 404. Other error conditions have their own status codes (400 bad request, 401 authentication required, 403 forbidden, 500 server error). Serve your own page for each of them so the visitor gets navigation back into the site rather than Apache's bare default page.

#Divert traffic to custom error pages

ErrorDocument 400 /400.php
ErrorDocument 401 /401.php
ErrorDocument 403 /403.php
ErrorDocument 404 /404.php
ErrorDocument 500 /500.php

Create a page for each status, name it after the status code and list them as above. ErrorDocument is not a redirect: Apache keeps the original status code and serves the named file as the response body, which is what you want, because crawlers still see the 404. Keep the paths local. An ErrorDocument pointing at a full URL makes Apache send a 302 redirect to it instead, and the 401 document in particular must be local, or the browser never receives the authentication challenge. Note also that for WordPress permalinks the 404 is generated by WordPress itself, using the theme's 404.php template; the ErrorDocument 404 line only covers requests for files and directories that never reach WordPress. Bloggers use custom error pages to keep visitors from bouncing when they land on an error.

Stop spam comments

This is a simple but effective filter for comment spam posted by crude bots that send no Referer (or a foreign one) or no User-Agent at all. Akismet or a similar plugin still does the heavy lifting; this rule is an extra layer in front of it that rejects such requests before PHP even runs.

#Stop spam comments from bots

RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?yourdomain\.com(/|$) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* - [F,L]

WordPress receives comment submissions as POST requests to wp-comments-post.php, and a real browser sends them with the Referer set to the post page on your own domain and with a non-empty User-Agent. The rule therefore rejects a POST to that file whose Referer is missing or points elsewhere, or whose User-Agent is empty, with a 403 Forbidden (the [F] flag) instead of the odd redirect to the client's own address found in older versions of this rule. Conditions are combined with AND by default; the [OR] flag joins only the Referer and User-Agent checks, so the method and path tests always apply. Two caveats: the Referer is trivial to fake, so bots that imitate a browser pass, and a human whose browser sends no Referer (privacy extensions, a strict Referrer-Policy, some corporate proxies) is rejected too, so watch your comment form after enabling it. Older versions of this rule used the unanchored pattern !yourdomain.com, which accepts a Referer such as http://spam.example/?u=yourdomain.com; the anchored pattern above does not. Whatever gets through is still handed to Akismet, which now has less to do.

Redirect default WordPress feed to Feedburner

Many WordPress bloggers have used FeedBurner to offer feed subscriptions. A reader who subscribes through the default WordPress feed instead is not counted in the FeedBurner dashboard, so your subscriber statistics end up missing everyone who used the built-in RSS URL.

#Redirecting default RSS feed to Feedburner

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} !FeedBurner [NC]
RewriteCond %{HTTP_USER_AGENT} !FeedValidator [NC]
RewriteRule ^feed/?([_0-9a-z-]+)?/?$ http://feeds.feedburner.com/feedname [R=302,NC,L]

To avoid that, redirect the default feed URLs to your FeedBurner feed so every subscription is tracked regardless of which URL the reader started from. The two User-Agent conditions keep FeedBurner itself (which must fetch the original feed) and the feed validator from being redirected, and 302 rather than 301 keeps the redirect reversible. Replace feedname with the feed name from your FeedBurner account; afterwards the dashboard counts the readers who follow the blog through e-mail or a feed reader. Be aware that Google has kept FeedBurner in maintenance-only mode since 2021, so check that it still provides what you need before depending on it.

Restrict uploading of large files

On a multi-author blog or a membership site you may want to cap the size of uploads. Oversized uploads fill your disk and bandwidth quota, and an unbounded request body is an easy way for anyone, member or not, to make the server consume resources. The directive below limits the size of the body of any HTTP request.

#Reject request bodies (uploads included) larger than 10 MiB

LimitRequestBody 10485760

The value is in bytes; 10485760 is 10 MiB (the figure 10240000 that circulates in older copies of this tip is slightly less than that). Apache rejects a request with a larger body with 413 Request Entity Too Large. Change the number to suit your needs, but keep two things in mind: the limit applies to every request body, not only media uploads, so it must stay above your largest legitimate form submission; and PHP enforces its own limits (upload_max_filesize and post_max_size), which also have to allow the sizes you want to accept. For blogs where several users upload media every day this is a handy safety net.

Note: You must replace yourdomain.com mentioned in the directives with the actual domain name of your blog.
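Once the directives are in place, verify them from outside instead of trusting the file. The Python script below is an added example, not part of the original article: it requests .htaccess, wp-config.php, the uploads directory, a non-existent page and the alternate hostname, and reports which of the protections from the sections above (the www redirect, directory listing, the two deny rules, the server signature and version headers) are missing. assess() works on already-fetched responses, so it also runs offline against the constructed sample responses at the bottom; probe_site() performs the live requests. The origin URLs, the probe paths and the sample responses are assumptions.

```python
"""Post-deployment checks for the .htaccess hardening in this article.

Added example, not part of the article. assess() is a pure function over
already-fetched responses and is exercised with the constructed fixtures
below; probe_site() performs live HTTP requests with urllib. Origin URLs
and probe paths are assumptions for illustration.
"""
from __future__ import annotations

import re
import urllib.error
import urllib.request
from dataclasses import dataclass, field

# A "Product/digit" token is a version disclosure (Apache/2.4.41, PHP/8.1.2, ...).
VERSION_RE = re.compile(r"\b(Apache|PHP|OpenSSL|mod_\w+)/\d", re.I)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)   # lower-cased header names
    body: str = ""


# Probe name -> path requested on the preferred origin (assumed paths).
PROBES = {
    "htaccess": "/.htaccess",
    "wp_config": "/wp-config.php",
    "listing": "/wp-content/uploads/",
    "missing": "/no-such-page-4242",
}


def assess(responses: dict[str, Response], preferred_origin: str) -> list[str]:
    """Return the failed checks; an empty list means everything passed.

    responses holds one Response per PROBES key plus "alternate_host": the
    answer to GET / on the hostname that should redirect to preferred_origin.
    """
    findings = []
    if responses["htaccess"].status == 200:
        findings.append(".htaccess is readable over HTTP (expected 403)")
    cfg = responses["wp_config"]
    if cfg.status == 200 and ("<?php" in cfg.body or "DB_PASSWORD" in cfg.body):
        findings.append("wp-config.php source is served as text (deny rule or PHP handler missing)")
    lst = responses["listing"]
    if lst.status == 200 and "Index of /" in lst.body:
        findings.append("directory listing is enabled (Options -Indexes missing)")
    miss = responses["missing"]
    if miss.status != 404:
        findings.append(f"non-existent page returned {miss.status} instead of 404")
    if VERSION_RE.search(miss.body):
        findings.append("error page shows software versions (ServerSignature On)")
    if VERSION_RE.search(miss.headers.get("server", "")):
        findings.append("Server header leaks a version (needs ServerTokens Prod in httpd.conf)")
    if "x-powered-by" in miss.headers:
        findings.append("X-Powered-By header present (expose_php = Off in php.ini)")
    alt = responses["alternate_host"]
    location = alt.headers.get("location", "")
    if alt.status != 301 or not location.startswith(preferred_origin):
        findings.append(f"alternate host answered {alt.status} {location!r}, not a 301 to {preferred_origin}")
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str) -> Response:
    """GET url; 3xx/4xx/5xx answers are returned like any other (they still carry headers)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "htaccess-check/1.0"})
    try:
        with opener.open(req, timeout=10) as resp:
            return Response(resp.status, {k.lower(): v for k, v in resp.headers.items()},
                            resp.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return Response(err.code, {k.lower(): v for k, v in err.headers.items()},
                        err.read(4096).decode("utf-8", "replace"))


def probe_site(preferred_origin: str, alternate_origin: str) -> list[str]:
    """Live run, e.g. probe_site("https://yourdomain.com", "https://www.yourdomain.com")."""
    responses = {name: fetch(preferred_origin + path) for name, path in PROBES.items()}
    responses["alternate_host"] = fetch(alternate_origin + "/")
    return assess(responses, preferred_origin)


# Constructed sample responses: the same blog before and after applying the directives.
INSECURE = {
    "htaccess": Response(200, {}, "RewriteEngine On\n"),
    "wp_config": Response(200, {}, "<?php\ndefine('DB_PASSWORD', 'hunter2');\n"),
    "listing": Response(200, {}, "<title>Index of /wp-content/uploads</title>"),
    "missing": Response(404, {"server": "Apache/2.4.41 (Ubuntu)", "x-powered-by": "PHP/7.4.3"},
                        "<address>Apache/2.4.41 (Ubuntu) Server at yourdomain.com Port 80</address>"),
    "alternate_host": Response(200, {}, "<html>same content served on www</html>"),
}
HARDENED = {
    "htaccess": Response(403, {}, "Forbidden"),
    "wp_config": Response(403, {}, "Forbidden"),
    "listing": Response(403, {}, "Forbidden"),
    "missing": Response(404, {"server": "Apache"}, "<h1>Page not found</h1>"),
    "alternate_host": Response(301, {"location": "https://yourdomain.com/"}, ""),
}

if __name__ == "__main__":
    for label, fixture in (("insecure", INSECURE), ("hardened", HARDENED)):
        print(label, assess(fixture, "https://yourdomain.com") or ["all checks passed"])
```

Run it as is to see the seven findings for the insecure fixture and a clean result for the hardened one, then call probe_site() with your real origins; a 200 for .htaccess or PHP source in the wp-config.php response is the thing to fix first.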