Your cart is currently empty!
Website with good content in necessary but you also need to secure website using htaccess file and other different methods. Because there are many of theft and hacker who just want to stole your data and some time harm you business too. I’m blog writer but I face these kind of attacks too This is my only way of earning If someone attack then it can me worse to me.ย So I always try to be safe by backup data time to time and apply necessary updates.
Nobody is can be 100% sure some time big giants also hacked you have listen in news so we can just hope and apply some tricks to secure our website. Below we discuss different type of method and simple tips to Secure website using htaccess and without .htaccess.
How to Creating .htaccess file
First you need to create a .htaccess using notepad because without it you can’t be secure website using htaccess file. some of website scripts automatically create a .htaccess file on server you can edit this file. If file not showing make sure you checked hidden files and folder check mark like shown in below picture.
You can create file on your system as well but some operating systems don’t let you create a .htaccess file. The easiest way to get around this is to:
- Using Notepad or a similar plain text editor, add your configuration commands.
- Save the file as a .txt file.
- upload the file to your site.
- Once uploaded, rename the file to .htaccess
Also, it’s a good idea to refresh your site after making each of the changes below so you can quickly switch back to a previous version of your .htaccess file in case any changes throw up errors.
HOW TO ENABLE X-FRAME-OPTIONS
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. This can be used to avoid clickjacking attacks, by ensuring that your content is not embedded into other sites.
Secure Website Using htaccess or .htaccess Policy Headers XSS and this directive is pretty similar to the frame buster code explained in “Double Trouble on Google Images” except that it is only supported in the following browsers:
Internet Explorer 8+,ย Opera 10.50+,ย Safari 4+,ย Chrome 4.1.249.1042+,ย There are three possible values for this header:
DENY – This setting prevents any pages served from being placed in a frame even if it is on the same website it originates from. should be used if you never intend for your pages to be used inside of a frame.
SAMEORIGIN โ This setting allows pages to be served in a frame of a page on the same website. If an external site attempts to load the page in a frame the request will be denied.
ALLOW-FROM origin โ If the value contains the token ALLOW-FROM origin, the browser will block rendering only if the origin of the top-level browsing context is different than the origin value supplied with the Allow-From directive.
# Prevent from Clickjacking attack Header set X-Frame-Options DENY
<ifModule mod_headers.c> # Security improvements Header unset Server #Header unset X-Pingback Header unset Accept-Ranges # <FilesMatch "\.html> Header set X-Frame-Options "SAMEORIGIN" # BrowserMatch MSIE ie Header set Imagetoolbar "no" env=ie Header set X-Content-Type-Options "nosniff" env=ie Header set X-UA-Compatible "IE=edge" env=ie Header set X-XSS-Protection "1;mode=block" env=ie Header set X-Content-Security-Policy "default-src 'self'; img-src 'self' analytics.example.com; \ script-src 'self' analytics.example.com ajax.googleapis.com; font-src 'self' data:" env=ie # BrowserMatch Firefox ff Header set Content-Security-Policy "default-src 'self'; img-src 'self' analytics.example.com; \ script-src 'self' analytics.example.com ajax.googleapis.com; \ font-src 'self' data:" env=ff # BrowserMatch SAFARI safari Header set X-XSS-Protection "1;mode=block" env=safari Header set X-WebKit-CSP "default-src 'self'; img-src 'self' analytics.example.com; \ script-src 'self' analytics.example.com ajax.googleapis.com; font-src 'self' data:" env=safari # BrowserMatch CHROME ch Header set X-Content-Type-Options "nosniff" env=ch Header set X-WebKit-CSP "default-src 'none'; img-src 'self' analytics.example.com; \ script-src 'self' analytics.example.com ajax.googleapis.com; font-src 'self' data:" env=ch # BrowserMatch chromeframe chf Header set Imagetoolbar "no" env=chf Header set X-Content-Type-Options "nosniff" env=chf Header set X-UA-Compatible "IE=edge,chrome=1" env=chf Header set X-XSS-Protection "1;mode=block" env=chf Header set X-WebKit-CSP "default-src 'none'; img-src 'self' analytics.example.com; \ script-src 'self' analytics.example.com ajax.googleapis.com; font-src 'self' data:" env=chf </FilesMatch> </IfModule>
Forย reference for CSP is http://www.w3.org/TR/CSP/
Specific Browser support can be seen herehttp://caniuse.com/#feat=contentsecuritypolicy
Secure Website Using htaccess : CSP Challenges
It is biggest challenge that you need to resolve because user might experience some difficulties and you have to resolve all of errors some tools like Caspr Google Chrome Plugin and Report-URI.io. These are the amazing tools which allow you to analysis and send you report about errors. Helps toย Secure Website Using htaccess
report-uri https://report-uri.io/report/<key>;
#Header: X-Frame-Options for XSS Protection add_header X-Frame-Options SAMEORIGIN; #Header: X-Content-Type Options add_header X-Content-Type-Options nosniff; #Header: X-XSS Protection Header add_header X-XSS-Protection "1; mode=block"; #Header: Strict-Transport-Security add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload"; #Header: Content-Security-Policy add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.api.twitter.com https://gist.github.com https://syndication.twitter.com https://platform.twitter.com https://js-agent.newrelic.com https://*.nr-data.net https://*.wp.com https://*.gravatar.com https://*.wp.com https://pagead2.googlesyndication.com https://ssl.google-analytics.com https://connect.facebook.net https://www.google-analytics.com https://cdnjs.cloudflare.com https://ajax.cloudflare.com; img-src 'self' data: https://pbs.twimg.com https://platform.twitter.com https://syndication.twitter.com https://dashboard.wordpress.com https://s-ssl.wordpress.com https://dashboard.google.com https://wordpress.org https://*.w.org https://*.gravatar.com https://*.wp.com https://ssl.google-analytics.com https://s-static.ak.facebook.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://assets-cdn.github.com https://platform.twitter.com https://*.wp.com https://*.gravatar.com https://fonts.googleapis.com; font-src 'self' data: https://s0.wp.com https://fonts.gstatic.com https://themes.googleusercontent.com; frame-src 'self' https://syndication.twitter.com https://platform.twitter.com https://*.cloudfront.net https://*.wp.com https://*.doubleclick.net https://www.facebook.com https://s-static.ak.facebook.com; object-src 'none'; report-uri https://report-uri.io/report/<ommitted>;";
Secure WordPress using .htaccess file some of method to disable direct access to secure files and folders.
Prevent Directory Browsing:
This method will hide your website directory to directly access from browser using website URL use below code in htaccess file
Options All -Indexes
Protecting wp-config.php
This file is most important file of WordPress because it contains all access to database and other security folders.ย It is located in root folder.
<files wp-config.php> order allow,deny deny from all </files>
Prevent Image Hot Linking
Hot linking image that anybody can open images on your website directly from address of your .jpg, .png, .gif or .bmp file. This code will prevent user from doing so.
RewriteEngine On RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain.com/.*$ [NC] RewriteRule \.(gif|jpg)$ http://www.yoursite.com/hotlink.png [R,L]
Protect Your .htaccess File
Last but least you must protect .htaccess file itself as well because it’s can me the main file for attack because without it how you can Secure Website Using htaccess below is code can help you.
<Files .htaccess> order allow,deny deny from all </Files>
Hope you like these please share this post and don’t forget to comment.
Comments
Grabber Pro
Original price was: $ 59.00.$ 39.00Current price is: $ 39.00.Insertcart Custom WooCommerce Checkbox Ultimate
Original price was: $ 39.00.$ 19.00Current price is: $ 19.00.Android App for Your Website
Original price was: $ 49.00.$ 35.00Current price is: $ 35.00.Abnomize Pro
Original price was: $ 30.00.$ 24.00Current price is: $ 24.00.Medical Portfolio Pro
Original price was: $ 31.00.$ 24.00Current price is: $ 24.00.
Latest Posts
- How to Use AWS SES Email from Localhost or Website: Complete Configuration in PHP
- How to Upload Images and PDFs in Android Apps Using Retrofit
- [Fix] File Permission Issue in Apache Website WordPress Not Writable to 775
- Best PHP ini Settings for WordPress & WooCommerce: Official Recommendations
- Script to Get Users System or Browser Data When Link Open Grab Using PHP & JavaScript
Leave a Reply