September 3, 2024
Securing your WordPress site is more important than ever in today’s digital landscape. A well-crafted .htaccess file can significantly enhance your site’s security by enforcing HTTPS, protecting against various attacks, and controlling access to sensitive areas of your site. Below, I’m sharing a comprehensive .htaccess configuration that works for me on some of my WordPress sites – your configuration may need to change to your server’s requirements, but this will at least give you an idea of what can be done.
The goal was to get above B+ on securityheaders.com.
.htaccess File:
Purpose: Protects against clickjacking by ensuring the site can only be embedded in an iframe by the same origin. Standard: Use the SAMEORIGIN directive for all sites unless you specifically want to allow embedding on other domains.
<IfModule mod_headers.c>
# Use "set", not "append": append merges with any X-Frame-Options value already
# present (e.g. from a plugin) into "SAMEORIGIN, SAMEORIGIN", which browsers
# treat as invalid and ignore. "always" also sends it on error responses.
Header always set X-Frame-Options SAMEORIGIN
</IfModule>
Purpose: Forces browsers to always connect to your site over HTTPS. Standard: This is a strong security header that can be applied universally. Make sure your site is fully HTTPS-compliant before applying this: includeSubDomains covers every subdomain, and preload is hard to undo once the domain is on the browser preload list.
<IfModule mod_headers.c>
# "always" makes Apache send the header on error responses (404, 500) too.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>
Purpose: Restricts which browser features (geolocation, microphone, camera, etc.) are allowed on your site. Standard: This setup denies unnecessary permissions, which is good for security. Adjust if your site requires access to any of these features.
<IfModule mod_headers.c>
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=(), fullscreen=(self), payment=()"
</IfModule>
Purpose:
Standard: These headers are beneficial for all sites and provide additional protection.
<IfModule mod_headers.c>
# X-XSS-Protection is a legacy header; current browsers ignore it. Harmless to keep.
Header set X-XSS-Protection "1; mode=block"
# Stops browsers guessing a MIME type that differs from Content-Type.
Header set X-Content-Type-Options "nosniff"
# Sends the full URL only to same-origin requests, origin-only cross-origin over HTTPS.
Header set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>
Purpose: Blocks access to sensitive files like configuration files, logs, and database backups. Standard: Apply this on any WordPress or similar site to protect sensitive files.
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
# On Apache 2.4 without mod_access_compat, replace the Order/Deny pair with
# "Require all denied". The pattern is case-sensitive and matches the file
# name's final extension only.
<FilesMatch "\.(htaccess|htpasswd|ini|log|sh|zip|sql|bak)$">
Order Allow,Deny
Deny from all
</FilesMatch>
Purpose: Prevents PHP code from being executed in the uploads directory, which is a common attack vector. Standard: Apply this on any WordPress site to improve security. Adjust the path to fit the site’s directory structure.
# Note: <Directory> blocks are not permitted inside .htaccess (Apache answers
# such a file with a 500 error). Keep this block in httpd.conf or the virtual
# host, or put only the <FilesMatch> part into wp-content/uploads/.htaccess.
<Directory /path/to/wordpress/wp-content/uploads/>
<FilesMatch "\.php$">
Order Deny,Allow
Deny from all
</FilesMatch>
</Directory>
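To see exactly which file names the two FilesMatch patterns above cover, and which slip past them, here is an added example (not code from the original post) that evaluates the patterns against constructed file names with Python's re module, which behaves like Apache's PCRE for these simple expressions. The broader UPLOADS_PHP_BROAD pattern is an assumption about servers whose PHP handler is also mapped to .php5/.phtml/.phar; check your own handler configuration before relying on the narrower one.

```python
import re

# The two FilesMatch patterns used in the .htaccess above. Apache's FilesMatch
# uses PCRE; for expressions this simple Python's re module behaves the same.
SENSITIVE_FILES = re.compile(r"\.(htaccess|htpasswd|ini|log|sh|zip|sql|bak)$")
UPLOADS_PHP = re.compile(r"\.php$")

# A broader pattern for the uploads directory. Assumption: the server's PHP
# handler may also be mapped to .php5/.phtml/.phar; verify this against your
# own AddHandler/SetHandler configuration.
UPLOADS_PHP_BROAD = re.compile(r"\.(php|php[0-9]|phtml|phar)$")


def is_blocked(path: str, pattern: re.Pattern) -> bool:
    """Return True if a FilesMatch block with this pattern would deny the request.

    FilesMatch is evaluated against the file name only, so any directory part
    is stripped first. Matching is case-sensitive, as in Apache's default.
    """
    basename = path.rsplit("/", 1)[-1]
    return pattern.search(basename) is not None


def unblocked(paths, pattern: re.Pattern) -> list:
    """List the paths a pattern lets through, i.e. the gaps to review."""
    return [p for p in paths if not is_blocked(p, pattern)]


# Constructed sample file names (not taken from any real site).
SENSITIVE_SAMPLES = [
    "wp-config.php.bak",   # blocked: ends in .bak
    ".htaccess",           # blocked: the name itself ends in .htaccess
    "error.log",           # blocked
    "db-dump.sql",         # blocked
    "site-backup.tar.gz",  # NOT blocked: .gz is not in the list
    "wp-config.php.save",  # NOT blocked: editor backup suffix not in the list
    "backup.SQL",          # NOT blocked: the pattern is case-sensitive
]
UPLOADS_SAMPLES = [
    "2024/09/upload.php",      # blocked by \.php$
    "2024/09/upload.phtml",    # NOT blocked by \.php$
    "2024/09/upload.php5",     # NOT blocked by \.php$
    "2024/09/upload.php.txt",  # NOT blocked: $ anchors to the end of the name
    "2024/09/photo.jpg",       # not PHP, allowed as intended
]

if __name__ == "__main__":
    for label, samples, pat in (
        ("sensitive files", SENSITIVE_SAMPLES, SENSITIVE_FILES),
        ("uploads, narrow pattern", UPLOADS_SAMPLES, UPLOADS_PHP),
        ("uploads, broad pattern", UPLOADS_SAMPLES, UPLOADS_PHP_BROAD),
    ):
        print(f"{label}: let through -> {unblocked(samples, pat)}")
```

Run it and compare the "let through" lists with what your server actually stores; any name that is let through and that the PHP handler would execute is a candidate for extending the pattern.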
These sections require customisation based on the domain, external resources, and specific site requirements.
External Domains: You need to customize script-src, style-src, img-src, and form-action for each site based on the domains it uses. For example, if the site integrates third-party services, add those domains. Example Changes: For a new site, replace https://www.zoik.com.au with that site’s domain. Similarly, ensure other external resources like Google Fonts, jQuery, or CDNs are listed.
<IfModule mod_headers.c>
# Apache reads one directive per line, so a value that spans several lines
# needs a backslash at the end of each continued line; without them the
# unterminated quote is a configuration error.
# 'unsafe-inline' and 'unsafe-eval' in script-src remove most of CSP's
# protection against injected scripts, but many WordPress themes and plugins
# will not work without them.
Header set Content-Security-Policy "\
default-src 'self'; \
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://s.w.org https://ajax.googleapis.com https://cdnjs.cloudflare.com https://www.googletagmanager.com; \
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; \
img-src 'self' data: https://secure.gravatar.com; \
font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; \
connect-src 'self' https://www.zoik.com.au; \
frame-ancestors 'self'; \
base-uri 'self'; \
form-action 'self' https://www.zoik.com.au;"
</IfModule>
Customisation Required: If the site allows form submissions, form-action needs to be adjusted to permit submission to the specific site’s domain and any third-party services (if used); I have added it to the above code.
form-action 'self' https://www.example.com;
Customization Required: Adjust the /path/to/wordpress/wp-content/uploads/ directory to the actual uploads directory of each specific WordPress site.
# Reminder: <Directory> is only valid in the main server configuration, not in
# .htaccess. For an .htaccess-only setup, drop just the <FilesMatch> block into
# the uploads directory's own .htaccess.
<Directory /path/to/wordpress/wp-content/uploads/>
<FilesMatch "\.php$">
Order Deny,Allow
Deny from all
</FilesMatch>
</Directory>
When adapting this .htaccess for other sites, follow this structure: after any .htaccess changes, always test the site with tools like securityheaders.com and in-browser developer tools to ensure that nothing is inadvertently blocked. By following this approach, you can adapt this .htaccess for different sites while maintaining strong security and achieving a high score on tools like securityheaders.com.
I managed to get A+ and A on the security websites securityheaders.com and observatory.mozilla.org.
Yah.
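For a repeatable version of that final check, here is an added example (not from the original post) that audits a raw response header block, as `curl -sI` prints it, against the values this .htaccess is meant to produce: HSTS with a one-year max-age, a single valid X-Frame-Options value, nosniff, Referrer-Policy, Permissions-Policy, and a CSP that sets base-uri, frame-ancestors and form-action and does not allow 'unsafe-inline'/'unsafe-eval' in script-src. Both header blocks are constructed samples, not captured from any site; the "weak" one shows what a merged X-Frame-Options value from "Header append" looks like.

```python
import re
from typing import Dict, List

# Constructed sample response, in the form `curl -sI https://example.test/`
# would print. Not captured from the page's site. These are the header values
# the .htaccess above is meant to produce.
GOOD_RESPONSE = """HTTP/1.1 200 OK
Date: Tue, 03 Sep 2024 10:00:00 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=(), fullscreen=(self), payment=()
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ajax.googleapis.com; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'
Content-Type: text/html; charset=UTF-8
"""

# Constructed response from a misconfigured site: HSTS missing, X-Frame-Options
# emitted twice via "Header append" so the values merged, CSP without base-uri.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN, SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=()
Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'self'; form-action 'self'
Content-Type: text/html; charset=UTF-8
"""

ONE_YEAR = 31536000


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw header block into a {lower-case name: value} dict.

    The status line is skipped. Repeated headers are joined with a comma,
    which is also how a browser sees them.
    """
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit(raw: str) -> List[str]:
    """Return findings for a response; an empty list means every check passed."""
    h = parse_headers(raw)
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if m is None or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")

    # A merged value such as "SAMEORIGIN, SAMEORIGIN" is not a valid directive;
    # browsers ignore the header entirely, so the whole string is checked.
    if h.get("x-frame-options", "").upper() not in ("SAMEORIGIN", "DENY"):
        findings.append("X-Frame-Options missing or not a single SAMEORIGIN/DENY")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing nosniff")
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"missing {name}")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
        return findings
    d = parse_csp(csp)
    # These directives do not fall back to default-src, so each must be set.
    for directive in ("base-uri", "frame-ancestors", "form-action"):
        if directive not in d:
            findings.append(f"CSP lacks {directive}")
    script_src = d.get("script-src", d.get("default-src", []))
    for weak in ("'unsafe-inline'", "'unsafe-eval'"):
        if weak in script_src:
            findings.append(f"CSP script-src allows {weak}")
    return findings


if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(f"{label}: {audit(raw) or 'all checks passed'}")
```

Against the "good" sample the only findings are the two script-src weaknesses that the CSP above deliberately accepts for plugin compatibility; against the "weak" sample it reports the missing HSTS, the merged X-Frame-Options value and the missing base-uri. To use it on a live site, paste the output of `curl -sI` into the string in place of the constructed sample.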