
WordPress Enhancements

WordPress – Enhance your site’s performance and harden its security

This page covers the details of using the `.htaccess` file on an Apache server to speed up WordPress and to enable a number of security enhancements. The `.htaccess` file lives in the WordPress root installation directory; a second one is sometimes placed in a subdirectory, as you will see below. Because the name starts with a dot it is a hidden file: in cPanel and in most FTP clients you must deliberately select "show hidden files" before it appears.

Note: With some hosting services this file is out of your reach. The one mistake to avoid is creating a new .htaccess file when one already exists: uploading it overwrites the existing one, and there is no way to step back in time, so download a copy of the current file before you edit it. If you are uncertain, contact your hosting support. WordPress itself creates the .htaccess file, or writes into the existing one, whenever you save the settings under Admin Dashboard -> Settings -> Permalinks; everything between the `# BEGIN WordPress` and `# END WordPress` markers is regenerated at that point, so keep your own rules outside those markers.

For the sake of my presentation, I’m going to assume that you have one and you have write access to it.

The Security Enhancements

Place the following code into your .htaccess file, uncommenting lines as appropriate. The pound sign (#) is the comment marker in this context: a line that starts with it is not executed, which is also the normal way to document what a block is supposed to do. Two things to know before you uncomment anything. First, Apache only honours a directive in .htaccess if the server's `AllowOverride` setting permits it (`Limit` or `AuthConfig` for the access-control lines, `Options` for the `Options` line); a directive that is not permitted does not fail quietly but turns the whole site into a 500 error, so enable one block at a time and reload the site after each. Second, `Order allow,deny` / `Deny from all` is the Apache 2.2 access-control syntax; Apache 2.4 accepts it only when `mod_access_compat` is loaded, and its native form is `Require all denied`. The block below carries both and lets Apache pick the one its modules support.


# begin WP security enhancements

# protect the htaccess file itself, the wordpress config file and, if you use one, php.ini
# - uncomment the 9 lines below by removing the leading pound sign from each of them
# (most Apache builds already refuse ".ht*" files in the main config; this makes it explicit)
# <FilesMatch "^(\.htaccess|wp-config\.php|php\.ini)$">
# <IfModule mod_authz_core.c>
# Require all denied
# </IfModule>
# <IfModule !mod_authz_core.c>
# Order allow,deny
# Deny from all
# </IfModule>
# </FilesMatch>

# protect directory content from getting displayed - uncomment the Options line
# ("Options All -Indexes" also works, but "All" switches every other option on at the same
# time; "-Indexes" alone only removes directory listings and changes nothing else)
# Options -Indexes

# end security enhancements

Speeding Up WordPress Using Expires Headers


# begin speeding up wordpress through browser caching and compression of page elements
<IfModule mod_expires.c>
# Enable expirations
ExpiresActive On

# Default directive for any type not listed below
ExpiresDefault "access plus 1 month"

# HTML must not inherit the month-long default: a post page or comment form would otherwise
# stay stale in the visitor's browser. mod_expires leaves responses alone that already carry
# an Expires header (WordPress sends one for logged-in users), but anonymous page views have none.
ExpiresByType text/html "access plus 0 seconds"

# My favicon
ExpiresByType image/x-icon "access plus 1 year"

# Images (there is no image/jpg type in Apache's mime.types; .jpg files are served as image/jpeg)
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/svg+xml "access plus 1 month"

# CSS and fonts. WordPress appends ?ver= to the stylesheets and scripts it enqueues, so a
# theme update still reaches browsers that cached the old file for a month.
ExpiresByType text/css "access plus 1 month"
ExpiresByType font/woff "access plus 1 month"
ExpiresByType font/woff2 "access plus 1 month"
# older Apache mime.types files still label WOFF fonts with these legacy types
ExpiresByType application/x-font-woff "access plus 1 month"
ExpiresByType application/font-woff "access plus 1 month"

# Javascript
ExpiresByType text/javascript "access plus 1 month"
ExpiresByType application/javascript "access plus 1 month"

</IfModule>

Speeding Up WordPress Using GZIP Compression

mod_deflate compresses the response body on the fly for clients that send `Accept-Encoding: gzip`, which is nearly all of them. Text formats (HTML, CSS, JavaScript, JSON, SVG) typically shrink by two thirds or more, while JPEG, PNG and WOFF files are already compressed and gain nothing. One security caveat: compressing a page over TLS that places attacker-influenced input (a search term echoed back, for instance) next to a secret such as a nonce is the precondition for the BREACH attack. For a public WordPress front end this risk is normally accepted, but keep it in mind before compressing responses that echo request parameters alongside secrets.

<IfModule mod_deflate.c>
# mod_deflate adds "Vary: Accept-Encoding" to every response it compresses, so shared caches
# keep compressed and uncompressed copies apart; nothing more is needed. The commented-out
# "Vary: User-Agent" line comes from old examples that worked around Netscape 4 together with
# BrowserMatch rules setting the dont-vary variable; without those rules it fires on every
# response and makes shared caches store one copy per browser string. Leave it out.
# <IfModule mod_headers.c>
# Header append Vary User-Agent env=!dont-vary
# </IfModule>

# text formats only: WOFF/WOFF2 fonts are already compressed, so DEFLATE costs CPU and saves nothing
AddOutputFilterByType DEFLATE text/html text/plain text/css text/xml text/x-component text/richtext text/xsd text/xsl
AddOutputFilterByType DEFLATE application/javascript application/x-javascript text/javascript text/x-js
AddOutputFilterByType DEFLATE application/json application/rss+xml image/svg+xml image/x-icon

</IfModule>
# end speeding up wordpress

Disable PHP execution in WordPress `wp-includes` directory

PHP files inside the wp-includes directory are library code that WordPress loads itself; they are not meant to be requested directly, and a request for one of them is nearly always a probe or an attempt to trigger a bug in an include-only file. Improve the security of your site by refusing direct access to these PHP files: create a second .htaccess file inside the wp-includes directory and paste only the following code into it. None of what went into the main .htaccess file is needed here. The snippet uses the Apache 2.4 syntax; on Apache 2.2 replace `Require all denied` with `Deny from all`. Two caveats: the rule only covers the `.php` extension and only direct requests (code that WordPress includes internally is unaffected, which is the point), and older WordPress releases loaded the editor's TinyMCE bundle straight from `wp-includes/js/tinymce/wp-tinymce.php`, so if the post editor breaks after you add the file, add an allow exception for that one script. WordPress's own hardening guide reaches the same result with mod_rewrite rules in the root .htaccess; either approach works.


# Apache 2.4 syntax; on Apache 2.2 replace "Require all denied" with "Deny from all"
<Files "*.php">
Require all denied
</Files>
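Once both files are in place, the quickest way to confirm that the root rules (protected files, no directory listing) and the wp-includes rule (no direct PHP execution) actually took effect is to request the paths they are meant to refuse. The script below is an added example, not code from the original article: the probe paths and the meaning assigned to each status code are my assumptions about a stock WordPress layout, `fetch` is a parameter so the logic can be exercised against a constructed set of responses, and `example.test` / `yourdomain.com` are placeholders.

```python
"""Smoke test for the .htaccess hardening on this page.

Added example, not code from the original article. It requests the paths that the
root .htaccess (protected files, no directory listing) and the wp-includes/.htaccess
(no direct PHP execution) are meant to refuse, and reports which ones the server
still serves. The probe paths assume a stock WordPress layout; `fetch` is a
parameter so the logic can also be run against a constructed set of responses.
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# (path, what a refusal proves). wp-includes/version.php ships with every WordPress
# release, so it is a safe file to probe for the wp-includes rule. A 200 on
# wp-config.php counts as open even though PHP prints nothing: it means the block is
# not active, and the source would leak the day the PHP handler fails.
PROBES: List[Tuple[str, str]] = [
    ("/.htaccess", "root .htaccess is refused"),
    ("/wp-config.php", "wp-config.php is refused"),
    ("/php.ini", "php.ini is refused (404 is fine if you have none)"),
    ("/wp-includes/version.php", "PHP files in wp-includes are refused"),
    ("/wp-includes/", "directory listing is off"),
]

# 403 is what the <Files> blocks produce; 404 means the file is simply absent.
BLOCKED = frozenset({403, 404})


def default_fetch(url: str) -> int:
    """GET url and return the HTTP status; 4xx/5xx arrive as HTTPError."""
    req = urllib.request.Request(url, headers={"User-Agent": "htaccess-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_site(base_url: str,
               fetch: Callable[[str], int] = default_fetch) -> Dict[str, Tuple[int, bool]]:
    """Probe every path under base_url; returns path -> (status, blocked?)."""
    base = base_url.rstrip("/")
    results: Dict[str, Tuple[int, bool]] = {}
    for path, _meaning in PROBES:
        status = fetch(base + path)
        results[path] = (status, status in BLOCKED)
    return results


def unprotected(results: Dict[str, Tuple[int, bool]]) -> List[str]:
    """Paths the server served instead of refusing, in probe order."""
    return [path for path, _ in PROBES if not results[path][1]]


# Constructed responses for an offline dry run (assumption, not a real site): the
# root rules are in place but the wp-includes/.htaccess was never created.
SAMPLE_RESPONSES = {
    "https://example.test/.htaccess": 403,
    "https://example.test/wp-config.php": 403,
    "https://example.test/php.ini": 404,
    "https://example.test/wp-includes/version.php": 200,
    "https://example.test/wp-includes/": 403,
}


def sample_fetch(url: str) -> int:
    """Stand-in for default_fetch that answers from SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    # Usage: python check_htaccess.py https://yourdomain.com   (no URL = offline dry run)
    if len(sys.argv) > 1:
        results = check_site(sys.argv[1])
    else:
        results = check_site("https://example.test", fetch=sample_fetch)
    for path, meaning in PROBES:
        status, ok = results[path]
        print(f"{'ok  ' if ok else 'OPEN'} {status:3d} {path:26s} {meaning}")
    sys.exit(1 if unprotected(results) else 0)
```

Run it with your site's URL after each change to the .htaccess files; a non-zero exit code means at least one path is still being served. The dry run flags `/wp-includes/version.php` as open, which is exactly what a missing wp-includes/.htaccess looks like from the outside.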

Disable Image Hot-Linking – protect your content

If you are running a website with lots of images, other sites may hog your bandwidth by hot-linking to your content, that is, embedding your image URLs in their own pages. Besides the bandwidth consumption, the extra requests slow down your site. The following rules return 403 Forbidden for image requests whose Referer header is present and does not belong to one of the allowed sites. Replace `yourdomain.com` with your own domain, and replace or delete the FeedBurner line, which holds this site's own feed. Two caveats: put these lines above the `# BEGIN WordPress` marker, because WordPress regenerates everything between its BEGIN and END markers; and remember that the Referer header is supplied by the client, so this stops casual embedding but not anyone who sets the header deliberately (`curl -e https://yourdomain.com/ ...` sails straight through). Requests with no Referer at all (a direct visit, or a client that strips the header) are allowed on purpose.


RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
# escape the dots and anchor the host name: without "(/|$)" a referer such as
# https://yourdomain.com.evil.example/ would also pass
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com(:[0-9]+)?(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?google\.com(:[0-9]+)?(/|$) [NC]
# this site's own FeedBurner feed: replace "layerpoint" with your feed name or delete the line
RewriteCond %{HTTP_REFERER} !^https?://feeds\.feedburner\.com/layerpoint(/|$) [NC]
RewriteRule \.(jpe?g|png|gif|webp)$ - [NC,F,L]
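The difference between a loosely written Referer pattern and an anchored one is easy to miss in a RewriteCond, so here is the same allow-list check reproduced in Python. This is an added example, not code from the original article: `AS_WRITTEN` is the pattern exactly as the tutorial first had it (unescaped dot, nothing after `com`), `FIXED` is the anchored form, and the Referer values, `yourdomain.com` and `evil.example` are constructed placeholders.

```python
"""Referer allow-list check behind the hot-link rules.

Added example, not code from the original article. It mirrors the RewriteCond chain
in Python so two patterns can be compared on constructed Referer values: the one the
page originally used, and an anchored one. Host names are placeholders.
"""
import re
from typing import Dict, List, Pattern, Tuple

# The page's original pattern: unescaped "." (matches any character) and no anchor
# after "com", so any host that merely starts with the domain is accepted.
AS_WRITTEN: List[Pattern[str]] = [
    re.compile(r"^http(s)?://(www\.)?yourdomain.com", re.I),
    re.compile(r"^http(s)?://(www\.)?google.com", re.I),
]

# Escaped dots, an optional port, and the host must end right after the domain.
FIXED: List[Pattern[str]] = [
    re.compile(r"^https?://(www\.)?yourdomain\.com(:\d+)?(/|$)", re.I),
    re.compile(r"^https?://(www\.)?google\.com(:\d+)?(/|$)", re.I),
]


def hotlink_allowed(referer: str, allowlist: List[Pattern[str]]) -> bool:
    """Mirror the RewriteCond chain.

    The RewriteRule only fires (403 for the image) when the Referer is non-empty
    AND matches none of the allow-list patterns; everything else is served.
    """
    if referer == "":
        return True
    return any(p.match(referer) for p in allowlist)


# Constructed Referer values (assumption: none of these hosts exist).
SAMPLES: List[str] = [
    "",
    "https://www.yourdomain.com/2020/01/post/",
    "http://yourdomain.com",
    "https://www.google.com/search?q=rez72",
    "https://photos.evil.example/gallery",
    "https://yourdomain.com.evil.example/",   # domain as a prefix of a longer host
    "https://yourdomain-com.evil.example/",   # "." in the loose pattern matches "-"
]


def compare(samples: List[str] = SAMPLES) -> Dict[str, Tuple[bool, bool]]:
    """Return referer -> (allowed by AS_WRITTEN, allowed by FIXED)."""
    return {r: (hotlink_allowed(r, AS_WRITTEN), hotlink_allowed(r, FIXED))
            for r in samples}


def bypasses(samples: List[str] = SAMPLES) -> List[str]:
    """Referers the page's pattern lets through but the anchored one refuses."""
    return [r for r, (loose, strict) in compare(samples).items()
            if loose and not strict]


if __name__ == "__main__":
    print("as-written  fixed   referer")
    for ref, (loose, strict) in compare().items():
        print(f"{'allow' if loose else 'block':<11} {'allow' if strict else 'block':<7} "
              f"{ref or '(empty)'}")
```

The two `evil.example` hosts are the ones worth staring at: both pass the original pattern, because an unanchored regex is happy as long as the string starts with the domain, and a bare `.` matches any character. Neither pattern can do anything about a client that simply sends `Referer: https://yourdomain.com/`, which is why the prose above calls this a bandwidth control rather than an access control.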

That is the end of our enhancements to secure and speed up your WordPress installation. Should you have a question, feel free to leave a comment or get hold of us via email.
