Hardening WordPress on Apache, Nginx, or IIS


Server configuration files allow administrators to restrict access and make changes at the server level. Depending on the server software you use, there are different configuration files that instruct the server how to respond to requests from visitors.

  • Apache: .htaccess
  • Nginx: nginx.conf
  • Windows/IIS: web.config

These files are commonly used to implement 301 redirects.

We include a guide below with the locations where you can place these files, the rules they should contain, and the reasons we included them. You can copy as many of the rules as you like!

Here is how you will implement the rules:

  • Connect to your website. Use encrypted SFTP with your favorite FTP tool or an SSH console.
  • Back up the existing configuration file. If the file already exists in the location we specify, you should back it up first, as it may already contain important rules. If you do not see the configuration file in the location we recommend, you can create one.
  • Edit the file. We recommend making changes locally and using a staging server.
  • Always test changes.
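
The backup, edit and test steps above can be wrapped in one shell function for an SSH console. This is an added example, not part of the original guide: the function name `apply_config`, its arguments and the separate backup directory are assumptions. Backups are written outside the web root so they cannot be requested over HTTP.

```shell
#!/bin/sh
# Added example (not from the original guide): back up, replace and test a
# server configuration file, restoring the previous state if the test fails.
#
# apply_config TARGET CANDIDATE BACKUP_DIR TEST_CMD [ARGS...]
#   TARGET      live file, e.g. the .htaccess in the site root
#   CANDIDATE   edited copy prepared locally or on a staging server
#   BACKUP_DIR  existing directory outside the web root
#   TEST_CMD    exits 0 when the site still behaves correctly, e.g.
#               curl -fsS -o /dev/null https://example.com/  (placeholder URL)
apply_config() {
    [ $# -ge 4 ] || { echo "usage: apply_config TARGET CANDIDATE BACKUP_DIR TEST_CMD..." >&2; return 2; }
    target=$1; candidate=$2; backup_dir=$3; shift 3
    [ -f "$candidate" ] || { echo "candidate not found: $candidate" >&2; return 2; }
    [ -d "$backup_dir" ] || { echo "backup dir not found: $backup_dir" >&2; return 2; }

    backup=""
    if [ -f "$target" ]; then
        # Back up first: the existing file may already contain important rules.
        # -p preserves the file mode and timestamps.
        backup="$backup_dir/$(basename "$target").$(date +%Y%m%d%H%M%S)"
        cp -p "$target" "$backup" || return 2
    fi

    # Install the edited file (this creates it if none existed before).
    cp "$candidate" "$target" || return 2

    # Always test changes; keep the new file only if the test passes.
    if "$@"; then
        echo "applied: $target${backup:+ (backup: $backup)}"
        return 0
    fi

    if [ -n "$backup" ]; then
        cp -p "$backup" "$target"
    else
        rm -f "$target"   # no file existed before, so remove the new one
    fi
    echo "test failed, rolled back: $target" >&2
    return 1
}
```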

The majority of WordPress installations run on Apache servers, but we also have instructions for Nginx and Microsoft IIS servers. Each server has its own configuration files. If you aren’t sure which web server you use, scan your website with SiteCheck and click the Website Details tab.

Apache Servers – .htaccess

The Apache .htaccess file is a server configuration file that allows you to restrict access. You can put .htaccess files in other folders to restrict those locations specifically. Now you can add any of the rules below or confirm that they already exist.
