Protect WordPress Config Files From Direct Access

Add following snippet to your “.htaccess” file.

# "-Indexes" will have Apache block users from browsing folders without a default document
# Usually you should leave this activated, because you shouldn't allow everybody to surf through
# every folder on your server (which includes rather private places like CMS system folders).
<IfModule mod_autoindex.c>
  Options -Indexes

# Block access to "hidden" directories or files whose names begin with a period. This
# includes directories used by version control systems such as Subversion or Git.
<IfModule mod_rewrite.c>
  RewriteCond %{SCRIPT_FILENAME} -d [OR]
  RewriteCond %{SCRIPT_FILENAME} -f
  RewriteRule "(^|/)\." - [F]

# Block access to backup and source files
# This files may be left by some text/html editors and
# pose a great security danger, when someone can access them
<FilesMatch "(\.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$">
  Order allow,deny
  Deny from all
  Satisfy All

# Block access to WordPress files that reveal version information.
<FilesMatch "^(wp-config\.php|readme\.html|license\.txt)">
  Order allow,deny
  Deny from all
  Satisfy All
The following two tabs change content below.

Md Jahed

Latest posts by Md Jahed (see all)

Leave a Reply

Your email address will not be published. Required fields are marked *