There are a number of ways hackers could use your .htaccess file maliciously. They could use rewrite rules to redirect your visitors to a site other than yours, but that’s the sort of thing you’d notice immediately, and it doesn’t happen very often. A subtle attack is more likely. One particularly nasty hack involves writing a file full of spam links to a writeable subdirectory deep in the WordPress package, then using PHP’s auto_prepend_file or auto_append_file directives to include that file in your theme’s index.php file. At first, it looks like someone has mauled your theme, but in fact the theme files haven’t changed at all. This is the sort of attack that can leave you chasing your tail for hours, unless you realize that .htaccess is a big point of vulnerability in your installation.
WordPress needs write access to your .htaccess file only to make changes to your permalink structure. If you are using WP Super Cache, the plugin also requires write access to add the cache rewrite rules to the file. However, in both cases, if WordPress cannot write to the file, it will print the necessary rules on the screen and ask you to update the file manually. Therefore, I recommend that you adjust permissions on .htaccess so that your user account is the only one allowed to write to it. On UNIX-based operating systems, you can use the chmod 744 command to make sure you can write to it while everyone else can read only. You can also modify the .htaccess file itself to secure your wp-config.php file. Normally, any visitor requesting your configuration file will just see a blank page, since the file doesn’t echo anything to the screen.
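The two steps above (restricting who can write .htaccess, and using .htaccess to keep wp-config.php away from web visitors) as a small POSIX shell script. This is an added example, not code from the original post: the WordPress root path, the constructed sample .htaccess, and the `Require all denied` block (Apache 2.4 syntax) are my assumptions; the chmod 744 mode is the one the post recommends.

```shell
#!/bin/sh
# Added example (not from the original post). Locks down the permissions on
# .htaccess and appends a rule that denies HTTP access to wp-config.php.
# Assumes a POSIX shell with chmod and either GNU or BSD stat.

# Apply the mode the post recommends: owner rwx, group and others read only.
harden_htaccess() {
    chmod 744 "$1/.htaccess"
}

# Succeed (return 0) only when neither group nor others hold the write bit.
# Reads the octal mode with GNU stat -c, falling back to BSD/macOS stat -f.
htaccess_perms_ok() {
    mode=$(stat -c '%a' "$1/.htaccess" 2>/dev/null || stat -f '%Lp' "$1/.htaccess")
    tail2=${mode#"${mode%??}"}            # group and other digits, e.g. "44" for 744
    for d in $(printf '%s\n' "$tail2" | sed 's/./& /g'); do
        case "$d" in
            2|3|6|7) return 1 ;;          # the write bit (2) is set in this digit
        esac
    done
    return 0
}

# Append an Apache block that refuses every web request for wp-config.php.
# Idempotent: a second run does not add a duplicate block.
protect_wp_config() {
    ht="$1/.htaccess"
    if grep -q '<Files wp-config.php>' "$ht" 2>/dev/null; then
        return 0
    fi
    cat >> "$ht" <<'EOF'
# Deny HTTP access to the WordPress configuration file (Apache 2.4 syntax)
<Files wp-config.php>
    Require all denied
</Files>
EOF
}

# Check that the deny block is present in .htaccess.
wp_config_rule_present() {
    grep -q '<Files wp-config.php>' "$1/.htaccess" &&
        grep -q 'Require all denied' "$1/.htaccess"
}

# Demo on a constructed WordPress root: a minimal .htaccess that has been left
# group- and world-writable, which is the weak starting point we want to fix.
DEMO_ROOT=$(mktemp -d)
printf '# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n' > "$DEMO_ROOT/.htaccess"
chmod 766 "$DEMO_ROOT/.htaccess"

harden_htaccess "$DEMO_ROOT"
protect_wp_config "$DEMO_ROOT"
protect_wp_config "$DEMO_ROOT"            # second call must not duplicate the block

if htaccess_perms_ok "$DEMO_ROOT" && wp_config_rule_present "$DEMO_ROOT"; then
    echo ".htaccess in $DEMO_ROOT is owner-writable only and wp-config.php is blocked"
fi
```

Run it against the real installation by replacing `DEMO_ROOT` with the WordPress root; because `htaccess_perms_ok` only inspects the mode bits, it is also handy as a periodic check that a plugin or deploy step has not loosened the file again.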
Securing .htaccess and wp-config.php