Apache Access Control done right in WordPress .htaccess, ‘Allow/Deny from all’ versus ‘Require All Granted/Denied’
Since Apache 2.4.6, a new module is used to configure and set up access control for websites: mod_authz_core. This means you have to use a different syntax for allowing or blocking hosts and IP addresses to your website. But unfortunately, old documentation is never updated and people even still write blog posts using that old syntax, leaving you with an unprotected website. Not what you had in mind, now is it?…
I see it all to often: blog posts telling you to use the following snippet in a
.htaccess file to secure / protect WordPress’
<Files wp-config.php> Order Allow,Deny Deny from all </Files>
This is wrong!
Unfortunately this does not work with Apache 2.4.6 and higher! And I find it hard to believe so called “WordPress Security” companies still write posts explaining the old, non-functional, syntax without even mentioning the new, correct syntax…
Satisfy, Order, Deny and Allow have all been deprecated and replaced with new Require directives.
Yes, there is Apache’s
mod_access_compat, that provides compatibility for old directives like Order, Allow, Deny and Satisfy. But depending on such a module is not recommended, since it’s deprecated by mod_authz_host: https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html.
So now, for once and for all: how to use the new Apache 2.4.6+
mod_authz_host syntax in your WordPress .htaccess:
# Protect wp-config.php <Files wp-config.php> Require all denied Require ip 198.51.100.15 # substitute with your IP address </Files>
For compatibility with older Apache versions, you can wrap this up in a condition:
<Files wp-config.php> # Apache 2.2 <IfModule !mod_authz_core.c> Order Deny,Allow Deny from all Allow from 198.51.100.15 </IfModule> # Apache 2.4 <IfModule mod_authz_core.c> Require all denied Require ip 198.51.100.15 </IfModule> </Files>
Note: by using an .htaccess file you’d normally leave Nginx and IIS web servers unprotected! You can use .htaccess in IIS though, but don’t rely on just .htaccess files for your website defense.
Another change is the syntax to block an IP address in .htaccess. Where you used to use the following:
Order Allow,Deny Allow from all Deny from 203.0.113.0/24
Don’t use this above .htaccess code! You now have to use mod_authz_core syntax again:
<RequireAll> Require all granted Require not ip 203.0.113.0/24 </RequireAll>
Hope this helps! 🙂
My name is Jan. I am not a hacker, coder, developer, programmer or guru. I am merely a system administrator, doing my daily thing at Vevida in the Netherlands. With over 15 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, WordPress, websites & optimization. Want to support me and donate? Use this link: https://paypal.me/jreilink.
Reduce Wordfence CPU usage, disable Wordfence “Live Traffic View”
Automatically flush Redis cache after publishing a WordPress post
Set WP_MEMORY_LIMIT value correctly in wp-config.php
How to: Protect WordPress from brute-force XML-RPC attacks