• Hi –

    I don’t really understand .htaccess files.

    Could somebody briefly explain why it is important to have an htaccess file in my wp-admin folder, and why specifically that folder? Also, what is the minimum essential code that should be in an htaccess file in the wp-admin folder? Do I have a serious security hole in my WP installation if I don’t have an htaccess file in my wp-admin folder?

    Many thanks – I would like to get this cleared up!

Viewing 15 replies - 1 through 15 (of 16 total)
  • Before answering any of those questions, it’s important to understand the context — what did you read that led you to believe that you do need one?

    You don’t need one (as far as I know), but one will be created when you (for example) use the Ask Apache plugin to put that folder behind a password. The htaccess in the root is also for “pretty permalinks” and some other stuff. Maybe the glossary sheds some light on the subject for you?

    Thread Starter wpuk567

    (@wpuk567)

    Hi – thanks for getting back to me –

    I didn’t have a htaccess file until I set my permalinks up (Day & Name) – then one was created for me at the bottom of the screen (Settings | Permalinks).

    Unfortunately, the screen did not say where to put the htaccess file, so I put it in my web hosting root folder (i.e. outside my ‘wordpress’ folder – my file structure is root/wordpress/-> all the wordpress folders). So the htaccess file is currently one level up from /wordpress

    Thing is, everything seems to be working fine – but then I installed the WP-Security scanner plugin to security-check my setup, and one of the things it is coming up with is ‘The file .htaccess does not exist in wp-admin/. ‘ (which is true – but doesn’t really get me anywhere!).

    I would be grateful for any further thoughts.

    The permalink htaccess should always be in the WP root, not the site root – in your case /wordpress/.

    For the wp-admin you should contact the plugin author with your questions.

    Thread Starter wpuk567

    (@wpuk567)

    Thanks Moshu –

    Is leaving the htaccess where it is (site root) a security risk then? Having it where it is doesn’t seem to be affecting my WP site at all.

    What a shame you didn’t receive any more responses on this topic.

    I am in the same position. I set up and ran the ‘Wp Security Scan’ and was told the same thing: that my wp-admin folder has no .htaccess file.

    Setting up my permalinks is always one of the first things I do (/%postname%/) but it’s never created an .htaccess file for me automatically.

    Actually, I suspect there is something wrong with the reporting of the security plugin. I have it installed on two blogs, one I have removed the admin user on and the other I have not. Yet in the initial scan results of the security plugin for both blogs, I am given the same result. That is, a GREEN sentence that says:

    “No user ‘admin'”.

    Obviously this cannot be the case for both blogs, which makes me dubious of the credibility of the rest of the security report.

    I’ll write to the creator Michael Torbert, and report back here if I can get a response.

    Security scanner tells me the same thing as the subject of this post – also it wants me to chmod my root directory from 750 to 755 which doesn’t seem to make any sense – the site works just fine set to 750 and 755 seems possibly less secure.

    I just contacted the author of the plugin and will add his response to this thread.

    I can’t seem to find a .htaccess file anywhere. I’m having trouble with 1and1, php, and getting the thumbnails to show up/be created within the nextgen gallery update.

    Could someone please step by step walk me through this? How do I make an htaccess file, what all exactly do I need to put in it, where do I upload it?

    Thank you
    stacy

    Some handy tips here that may answer some questions: https://www.guvnr.com/web/blogging/10-tips-to-make-wordpress-hack-proof/

    hey UmbertoNZ, cheers for linking to guvnr.com. jolly kind, Sir.

    … if anyone has any q’s on that, lemme know at the 10 tips post and i’ll try to help.

    the_guv.

    I am using WP Security Scan too. I think the basic issue is that the plugin detected a vulnerability in wp-admin folder.
    If I merely add a blank .htaccess file, my WordPress installation went wrong. But it’s all solved now after applying some tips from these sites:
    https://www.websecurity.mobi/wordpress/698-protecting-wp-admin-folder.html
    https://www.reubenyau.com/protecting-the-wordpress-wp-admin-folder/

    .htaccess files can sometimes be hidden in your FTP program. Mine are and I have to “show hidden files” in my FTP program. Of note… if you’re on a Mac you’ll want to duplicate and rename the file before downloading it. Macs won’t by default show a file that begins with a . I duplicate and rename mine to this.htaccess so I can work on it then rename it once it’s uploaded.

    guvnrDOTcom nails it on his post. Create a new blank file in a text editor and paste this into it:

    # BEGIN WordPress
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    # END WordPress

    Save it as .htaccess and upload it to https://www.yourblog.com/wp-admin. Security scan now ok’s the change and the site continues to work as intended.

    One final note I didn’t see anyone address. DO NOT mess with the .htaccess file in your root folder. Don’t move it or try to reuse it. It’s there for a reason. Create a blank new file in a text editor and follow the directions above.

    Nods to guvnrDOTcom on the fix.
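
Added example, not part of any post in this thread and not the scanner plugin's code: the scan message quoted above reports only that wp-admin/.htaccess does not exist, so this Python sketch checks instead whether a file's contents would restrict access to the directory. The function names, the heuristic (a `Require` other than `all granted`, a `Deny`, or `Order allow,deny`) and the constructed password-protection sample with its placeholder path are assumptions made for illustration.

```python
# Sample 1: the rewrite-only block posted in the thread.
REWRITE_ONLY = """# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
"""

# Sample 2: constructed for this example; the .htpasswd path is a placeholder.
PASSWORD_PROTECTED = """AuthType Basic
AuthName "wp-admin"
AuthUserFile /path/to/.htpasswd
Require valid-user
"""

def parse_directives(text):
    """Return (name, args) pairs, skipping blanks, comments and <Section> tags."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        args = parts[1] if len(parts) > 1 else ""
        pairs.append((parts[0].lower(), " ".join(args.split()).lower()))
    return pairs

def restricts_access(name, args):
    """Heuristic (assumption): which directives limit who may fetch files."""
    if name == "require":
        return args != "all granted"          # Apache 2.4 authorization
    if name == "deny":
        return True                           # Apache 2.2 host-based deny
    if name == "order":
        return args.startswith("allow,deny")  # 2.2: default becomes deny
    return False

def audit_htaccess(text):
    """Classify a wp-admin/.htaccess body; pass None when the file is absent."""
    if text is None:
        return "missing"
    pairs = parse_directives(text)
    if not pairs:
        return "empty"
    if any(restricts_access(n, a) for n, a in pairs):
        return "access-control"
    return "no-access-control"
```

A rewrite rule that ends in a forbidden response is not recognised by this heuristic, so a "no-access-control" result means only that none of the listed directives is present.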

    @lostgorilla – followed your instructions and everything went perfect.
    @rrhobbs – WP security scanner works perfectly for me.

    @lostgorilla – you’re welcome, pleased to help, best to you.

    the_guv

  • The topic ‘Do I need an htaccess file in wp-admin folder?’ is closed to new replies.