WP-Mix

A fresh mix of code snippets and tutorials

Protect files with .htaccess

Here are some examples of how to use .htaccess to protect any sensitive files on the server.

Protect all text files

Add this snippet to your site’s root .htaccess file:

# Deny all HTTP requests for any file whose name ends in .txt
<Files *.txt>
	Deny from all
</Files>

Here we are using Apache’s Files directive to block external access to any files ending with .txt. The Files directive accepts shell-style wildcards, so to match a different type of file, change .txt to whatever extension is desired. For example, to block access to all ZIP files, you can change the first line to <Files *.zip>.

Protect the WordPress configuration file

Add this snippet to your site’s root .htaccess file:

<Files wp-config.php>
	Order Allow,Deny
	Deny from all
</Files>

This works just like the previous method, but here we are matching the wp-config.php file. So any requests for the file will be denied.

Protect the PHP configuration file

Add this snippet to your site’s root .htaccess file:

# Deny all HTTP requests for php.ini
<Files php.ini>
	Order Allow,Deny
	Deny from all
</Files>

This works like the previous examples, only here we are matching php.ini, so any requests for that file will be denied.

Protect the PHP5 configuration file

Add this snippet to your site’s root .htaccess file:

# Deny all HTTP requests for php5.ini
<Files php5.ini>
	Order Allow,Deny
	Deny from all
</Files>

Same as before, but matching the php5.ini file.

Protect the WordPress xmlrpc file

Add this snippet to your site’s root .htaccess file:

<Files xmlrpc.php>
	Order Allow,Deny
	Deny from all
</Files>

Note that you should only block access to this file if you are 100% sure that it is not needed.

Protect the WP installation file

As explained at Perishable Press, it may be a good idea to protect your site’s installation file. This file is named install.php and is located in WP’s /wp-admin/ directory. To protect it against unwanted access, create an .htaccess file in the /wp-admin/ directory, and then add the following code:

<Files install.php>
	Order Allow,Deny
	Deny from all
</Files>

That will ensure that your site’s install.php remains secure in the case of an unexpected database failure. Call me paranoid, but better safe than sorry.

Protect the WordPress Login Page

Add this snippet to your site’s root .htaccess file:

<Files wp-login.php>
	Order Deny,Allow
	Deny from all
	Allow from 123.123.123.123
</Files>

I use this technique on several of my own sites. It’s a fast, easy way to keep everybody else out. To use, look up your IP and then replace the one given on the “Allow from” line. To allow multiple IP addresses, repeat the last line and change the IP address to suit your needs.
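To make the Order semantics concrete (why the login snippet uses Deny,Allow while the earlier ones use Allow,Deny), here is a small Python model of how Apache 2.2, or 2.4 with mod_access_compat, evaluates these <Files> sections; it is an added example, not code from WP-Mix. It assumes the constructed sample .htaccess embedded below and the hypothetical helper names parse_htaccess, _matches, _decide and is_request_allowed.

```python
import fnmatch
import ipaddress
import re

# Constructed .htaccess assembled from this page's snippets (sample input, not a live file).
HTACCESS = """
<Files *.txt>
    Deny from all
</Files>
<Files wp-login.php>
    Order Deny,Allow
    Deny from all
    Allow from 123.123.123.123
</Files>
"""

def parse_htaccess(text):
    # Collect each <Files> section as {pattern, order, allow: [...], deny: [...]}.
    blocks, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"<Files\s+(\S+)\s*>$", line, re.I)
        if m:  # Apache's default when Order is omitted is Deny,Allow
            cur = {"pattern": m.group(1), "order": "deny,allow", "allow": [], "deny": []}
            blocks.append(cur)
        elif cur is not None and line and line[0] not in "<#":  # skip </Files> and comments
            key, _, rest = line.lower().partition(" ")
            if key == "order":
                cur["order"] = rest.replace(" ", "")
            elif key in ("allow", "deny"):
                cur[key].extend(rest.split()[1:])  # drop the "from" keyword
    return blocks

def _matches(host_spec, client_ip):  # 'all', one IP, or a CIDR block (no hostname forms)
    return host_spec == "all" or (
        ipaddress.ip_address(client_ip) in ipaddress.ip_network(host_spec, strict=False))

def _decide(block, client_ip):
    # mod_access_compat: Allow,Deny defaults to deny and a matching Deny wins;
    # Deny,Allow defaults to allow and a matching Allow wins.
    allowed = any(_matches(h, client_ip) for h in block["allow"])
    denied = any(_matches(h, client_ip) for h in block["deny"])
    return (allowed and not denied) if block["order"] == "allow,deny" else (allowed or not denied)

def is_request_allowed(filename, client_ip, htaccess=HTACCESS):
    # Last matching <Files> section decides (simplified merge); no match means allowed.
    verdict = True
    for block in parse_htaccess(htaccess):
        if fnmatch.fnmatchcase(filename, block["pattern"]):
            verdict = _decide(block, client_ip)
    return verdict
```

On Apache 2.4 without mod_access_compat, Order/Allow/Deny are unknown directives and an .htaccess that uses them produces a server error; the 2.4 equivalents are Require all denied and Require ip 123.123.123.123.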

Learn more

.htaccess made easy