Protect your WordPress site with .htaccess and make it harder for attackers to breach it. Securing a website is a must for any online business, and HTTP security headers set from .htaccess are a cheap, useful tool for it.
Customers are increasingly asking about security. Some concerns are tied to the code itself and to the way a given solution is implemented, but there are additional measures that should be taken after the optimization stage. One example is the response headers that we add in .htaccess. Below you can find a ready-to-use snippet that you should put in .htaccess, preferably at the beginning of the file. I simplified it so that it does not need much modification. There may of course be situations where you need to make some corrections, but the snippet itself covers most cases.
What is each header responsible for?
I will briefly describe what each header is responsible for. The values in square brackets are the values the header can take.
X-Frame-Options
X-Frame-Options – [DENY, SAMEORIGIN] – specifies whether the page may be displayed inside a <frame>, <iframe>, <embed> or <object> element on another page.
Header always append X-Frame-Options SAMEORIGIN
Referrer-Policy
Referrer-Policy – [no-referrer, no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url] – controls how much Referer information the browser includes in requests that leave the page. A description of each option can be found in the header's reference documentation.
Header always set Referrer-Policy "same-origin"
Permissions-Policy
Permissions-Policy – [a list of feature=allowlist pairs, e.g. camera=() to disable a feature or fullscreen=* to allow it everywhere] – controls which browser features may be used on a given page (geolocation, camera, etc.).
Header always set Permissions-Policy "accelerometer=(),autoplay=(),camera=(),encrypted-media=(),fullscreen=*,geolocation=*,gyroscope=(),magnetometer=(),microphone=(),sync-xhr=*,usb=(),xr-spatial-tracking=()"
X-XSS-Protection
X-XSS-Protection – [0, 1, 1; mode=block, 1; report=<reporting-uri>] – instructs the browser's built-in XSS filter to detect a reflected XSS attempt and, with mode=block, to stop rendering the page when one is detected.
Header set X-XSS-Protection "1; mode=block"
X-Content-Type-Options
X-Content-Type-Options – [nosniff] – blocks MIME type sniffing. When a response is served, the server normally adds a Content-Type so that the browser knows exactly what it is about to display (a page, an image, text, a video). Without this header, the browser may inspect the resource itself and decide on its own what to render. With nosniff, the declared Content-Type is binding: the browser treats the file as the type the server says it is, so it will know that a given file is an image and nothing else (even if it is actually code saved in a .jpg file).
Header set X-Content-Type-Options nosniff
Strict-Transport-Security (HSTS)
Strict-Transport-Security (HSTS) – instructs the browser to refuse plain-HTTP connections to the site and to use HTTPS only, for the number of seconds given in max-age. Prevents, for example, session hijacking over an unencrypted connection.
Header set Strict-Transport-Security "max-age=31536000"
Content-Security-Policy (CSP)
Content-Security-Policy (CSP) – defines where additional resources (styles, scripts, media) may be loaded from; any resource coming from an origin that is not listed will be blocked. Pay special attention to whether the page still works properly after adding this header.
Header set Content-Security-Policy "manifest-src 'self';base-uri 'self'; img-src 'self' data: https://secure.gravatar.com; media-src 'self'; script-src 'report-sample' 'self' https://code.jquery.com/jquery-3.5.0.min.js https://use.fontawesome.com/releases/v5.15.4/js/all.js 'unsafe-inline'; style-src 'report-sample' 'self' 'unsafe-inline';"
Sample htaccess file
A sample htaccess file based on the above descriptions:
Header always append X-Frame-Options SAMEORIGIN
Header always set Referrer-Policy "same-origin"
Header always set Permissions-Policy "accelerometer=(),autoplay=(),camera=(),encrypted-media=(),fullscreen=*,geolocation=*,gyroscope=(),magnetometer=(),microphone=(),sync-xhr=*,usb=(),xr-spatial-tracking=()"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header set Strict-Transport-Security "max-age=31536000"
Header set Content-Security-Policy "manifest-src 'self';base-uri 'self'; img-src 'self' data: https://secure.gravatar.com; media-src 'self'; script-src 'report-sample' 'self' https://code.jquery.com/jquery-3.5.0.min.js https://use.fontawesome.com/releases/v5.15.4/js/all.js 'unsafe-inline'; style-src 'report-sample' 'self' 'unsafe-inline';"
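To see what the snippet above actually produces on a real response and to catch the usual pitfalls, here is an added Python checker. It is not part of the original article and not an Apache or WordPress component; it parses the Header set / Header append lines, simulates Apache's merge behaviour on top of a constructed set of headers the application already sent (the assumption here is a WordPress admin page, which sends X-Frame-Options: SAMEORIGIN itself), and audits the result: duplicated X-Frame-Options values caused by append, an HSTS max-age shorter than a year, the deprecated X-XSS-Protection header that most current browsers no longer implement, and 'unsafe-inline' in the CSP script-src and style-src directives.

```python
"""Added example: simulate and audit the security headers an Apache .htaccess
snippet produces. Stand-alone checker, not part of the article, Apache or WordPress."""
import re
import shlex

# Constructed input: the article's .htaccess snippet, copied verbatim.
HTACCESS = r'''
Header always append X-Frame-Options SAMEORIGIN
Header always set Referrer-Policy "same-origin"
Header always set Permissions-Policy "accelerometer=(),autoplay=(),camera=(),encrypted-media=(),fullscreen=*,geolocation=*,gyroscope=(),magnetometer=(),microphone=(),sync-xhr=*,usb=(),xr-spatial-tracking=()"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header set Strict-Transport-Security "max-age=31536000"
Header set Content-Security-Policy "manifest-src 'self';base-uri 'self'; img-src 'self' data: https://secure.gravatar.com; media-src 'self'; script-src 'report-sample' 'self' https://code.jquery.com/jquery-3.5.0.min.js https://use.fontawesome.com/releases/v5.15.4/js/all.js 'unsafe-inline'; style-src 'report-sample' 'self' 'unsafe-inline';"
'''

# Constructed assumption: headers the application already sent before the
# .htaccess rules run. WordPress sends X-Frame-Options: SAMEORIGIN on admin pages.
WP_ADMIN_HEADERS = {"X-Frame-Options": "SAMEORIGIN", "Content-Type": "text/html"}

ONE_YEAR = 31536000  # seconds; the article's max-age value


def parse_header_directives(text):
    """Return (action, name, value) for each `Header [always] set|append` line."""
    directives = []
    for line in text.splitlines():
        parts = shlex.split(line.strip())  # respects the double-quoted values
        if not parts or parts[0] != "Header":
            continue
        parts = parts[1:]
        if parts and parts[0] == "always":  # 'always' = also on error responses
            parts = parts[1:]
        if len(parts) < 3:
            continue
        directives.append((parts[0].lower(), parts[1], " ".join(parts[2:])))
    return directives


def apply_directives(existing, directives):
    """Apply Apache semantics: `set` replaces, `append` merges with ", "."""
    headers = {k.lower(): v for k, v in existing.items()}
    for action, name, value in directives:
        key = name.lower()
        if action == "append" and key in headers:
            headers[key] = headers[key] + ", " + value
        else:
            headers[key] = value
    return headers


def parse_csp(value):
    """Split a CSP string into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit(headers):
    """Return the findings a reviewer would raise about the final response headers."""
    findings = []
    xfo = headers.get("x-frame-options", "")
    if not xfo:
        findings.append("X-Frame-Options missing")
    elif "," in xfo:
        findings.append("X-Frame-Options has multiple values (%r); use 'set' instead of 'append'" % xfo)
    match = re.search(r"max-age=(\d+)", headers.get("strict-transport-security", ""))
    if not match:
        findings.append("Strict-Transport-Security missing")
    elif int(match.group(1)) < ONE_YEAR:
        findings.append("Strict-Transport-Security max-age shorter than one year")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff missing")
    if "x-xss-protection" in headers:
        findings.append("X-XSS-Protection is deprecated; most current browsers ignore it, rely on CSP")
    csp = parse_csp(headers.get("content-security-policy", ""))
    if not csp:
        findings.append("Content-Security-Policy missing")
    else:
        if "default-src" not in csp:
            findings.append("CSP has no default-src fallback for unlisted resource types")
        for directive in ("script-src", "style-src"):
            if "'unsafe-inline'" in csp.get(directive, []):
                findings.append("CSP %s allows 'unsafe-inline'" % directive)
    return findings


def audit_snippet(existing=None):
    """Parse HTACCESS, apply it on top of `existing` headers and audit the result."""
    final = apply_directives(existing or {}, parse_header_directives(HTACCESS))
    return final, audit(final)


if __name__ == "__main__":
    for label, start in (("fresh response", {}), ("wp-admin response", WP_ADMIN_HEADERS)):
        _, findings = audit_snippet(start)
        print(label + ":")
        for finding in findings:
            print("  - " + finding)
```

Run it as a script to see both cases side by side: on a fresh response the snippet yields a single SAMEORIGIN, while on a page that already carries X-Frame-Options the append directive produces "SAMEORIGIN, SAMEORIGIN", which is why set is the safer verb for single-valued headers. The CSP findings are the trade-off the article already hints at: 'unsafe-inline' keeps WordPress themes and plugins working but removes most of the protection script-src gives against injected inline scripts.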