The WordPress default

Let us start by looking at a “standard” WordPress .htaccess file, to understand how requests are handled in a typical WordPress installation:

RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

1. Start the mod_rewrite engine.
2. Set the base for rewrite paths (the root of the web directory in this case). All paths will be interpreted as being below the path in this directive.
3. If the file name the request maps to is not a file…
4. …and it is not a directory…
5. Then let it through to WordPress’ index.php for further handling.

This effectively means that as long as the request is not for a file or a directory below your web directory root, then WordPress handles it. If it is for a file or a directory, then Apache handles it (it falls through all the rewriting rules). This means that Apache will serve any file or directory as long as it can be read, which of course includes the WordPress installation files.

The solution

The desired situation is that people should only be able to read this files through “indirect” requests from your website, and not by accessing them directly. This can be achieved through a simple check of the HTTP Referer header :

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} !^https?://(www.)?example.com/.* [NC]
RewriteRule ^/?wordpress/?.* http://example.com/ [NC,L,R=301]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [NC,L]

1. If the request did not come from a reference on the website, then…
2. If the request was for a WordPress installation file, then redirect the request to the root of my website with a 301 response (moved permanently).

This rather simple and elegant solution denies direct access to the WordPress installation files from browsers.

Why does it say “hiding”?

Because people are still able to spoof the referer header to access your installation, meaning that it’s not an unbreakable solution.

Caveats

The drawback of this setup is mainly that denying direct access to the installation files means that you cannot access any of the files directly. This includes direct access to any images or other files you have uploaded, your administrator pages, etc.

To allow access to specific files and/or folders below your directory, add the following lines to your .htaccess file for each file or folder below the first RewriteCond line:

RewriteCond %{REQUEST_URI} !^/some/directory/or/file

Note that this last example is case-sensitive, so be accurate. Also note that if the rule is for a folder, you should include /? at the end, to make sure the rule matches requests for both /some/folder and /some/folder/.

Another caveat is that this makes your blog inaccessible to people who don’t send referrer headers. If you think that people should be allowed not to do so, then don’t implement the solution in this post.