10 .htaccess WordPress Security Tips You Must Follow

10 .htaccess WordPress Security Tips You Must Follow

Suppose your site is under attack! It is very painful to resolve an attacked website. So better we take precautions, right? Don’t worry! In this article we are going to list 10 .htaccess WordPress Security Tips you must follow to increase your website security.

The WordPress .htaccess file in directories of your website is a configuration file that can be used to override the configuration of the webserver.

Here, we show some simple changes that can be carried out in WordPress using the .htaccess file to increase the security of the site.

With the appropriate codes, it is possible to enable or disable additional functionalities and features to protect your site from spammers, hackers, and other threats.

Some of these features include basic redirects, blocking external access to specific files, or using more advanced features such as password protection of content or prevention of inappropriate use of website images on external sites.

Configure the .htaccess File

Apart from the use of plugins, there are a series of improvements that can be carried out in the .htaccess file, and that together with the use of the appropriate plugins and updating regularly. Security will be reinforced by adding an extra level of protection to the one implemented by the server itself.

The minimum and typical .htaccess files that any WordPress installation should include by default are:

# BEGIN WordPress
	<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteBase /
	RewriteRule ^ index.php $ - [L]
	RewriteCond% {REQUEST_FILENAME}! -F
	RewriteCond% {REQUEST_FILENAME}! -D
	RewriteRule. /index.php [L]
# END WordPress

It should be noted that any addition to this file should be done “after” # END WordPress and never before.

This would ensure that none of the .htaccess-based WordPress functions are broken. Before making changes to the .htaccess file, it is highly recommended to make a backup copy.


Edit the .htaccess File in WordPress

When permalinks are enabled in WordPress, a .htaccess file is automatically created in the site’s root directory.

When WordPress writes a .htaccess file, it always appends the data between # BEGIN WordPress and END WordPress. The hash character # means that these lines are comments and will not affect the settings.

These files are powerful and a syntax error, such as forgetting an opening or closing character, can render your site inaccessible. So it is important to back up your .htaccess file before making changes to it.

Some operating systems do not allow creating a .htaccess file so the easiest way to do it is:

  1. Use Notepad or a similar plain text editor (Notepad ++) to add the necessary commands.
  2. Save the file as a text file, for example, htaccess.txt
  3. Upload the file to your site in the appropriate folder.
  4. Once uploaded, rename the file htaccess.txt to .htaccess

Protect the wp-config.php File

One of the most important files in your WordPress installation is the wp-config.php file. That’s why it is also one of the most essential WordPress security tips for users.


This file is located at the root of your WordPress file directory and contains configuration details for your site’s database, and WordPress security keys, and database-connection information. This information is sensitive and anyone who accesses it can end up affecting your site.

The best way to protect this file is by adding the following code snippet in the .htaccess file:

	<files wp-config.php>
	order allow, deny
	deny from all

Of course, even with this protection, this file will still be accessible via FTP, cPanel, etc.

Prevent Access to the wp-content Folder

The wp-content folder contains images, themes, and plugins and is a very important folder within your WordPress installation. So it makes sense to prevent this folder from being accessed in an unauthorized way.

This requires adding to the .htaccess file the prompts that allow users to view images, CSS, etc., but protect important PHP files:

	Order deny, allow
	Deny from all
	<Files ~ ". (Xml | css | jpe? G | png | gif | js) $">
	Allow from all

Disable the TRACE of HTTP and TRACK

TRACE and TRACK are HTTP methods, they are default functionalities of most Apache web servers used for the purpose of debugging errors. However, these methods can compromise the security of your WordPress site, as there are some attacks such as Cross-Site Tracing (XST) and Cross-Site Scripting (XSS). These can steal cookies and much other sensitive information from your web server.

Fortunately, these methods can be easily disabled by placing the following lines of code in the .htaccess file at the root of your Hosting:

	RewriteEngine on
	RewriteRule. * - [F]

Avoid Directory Browsing

Protection of WordPress directories is important and security from obscurity, in this case, is justifiable. In other words, it is about hiding these folders from view, which prevents unauthorized people from browsing through the directories.

This is a good practice to avoid directory browsing, along with other measures aimed at protecting your site.

To disable directory browsing you must add this in the .htaccess file:

	# Directory navigation
	Options All -Indexes

Avoid Hotlinking

The Hotlinking or theft of bandwidth occurs when images or files of your items are linked or post to articles and/or post where the width. Usually external and alien to you, different server band consumed is yours.

Adding this code to your .htaccess file will avoid being a victim of hotlinking :

	RewriteEngine On
	RewriteCond% {HTTP_REFERER}! ^ $
	RewriteCond% {HTTP_REFERER}! ^ Http: // (www.)? Your_domain.com /.*$ [NC]
	RewriteRule. (Gif | jpg) $ http://www.your_domain.com/hotlink.gif [R, L]

Note: Change “your_domain.com” to the actual name of the domain you use on your website.

You will have to change the image hotline.gif to the name of the image file that you want to display on your server that explains that hotlinking is disabled on your site.

Restrict Access to the Administration Area (dashboard)

There are many ways to protect access to the WordPress dashboard (/ wp-admin directory). Some of which we have explained in this blog, in other articles.

An easy way to restrict access if your Internet connection uses a fixed IP address and you always access your site from the same place is by creating a new .htaccess file with the following fragment in the / wp-admin folder :

	order deny, allow
	allow from
	deny from all

Note: Change the IP address by which you want to allow access to your website or by your IP address.

This will allow you to access the administration area of ​​your site. By blocking all other attempts to access this folder from other IPs.

Additionally, you can add the IP address of other administrators of your site, or even of other places from which you usually connect. One of the valuable tips is that it is not recommended to add dynamic IPs for security reasons in WordPress.

Prohibits Access to Unwanted IPs

If you use extensions that allow you to see that IPs persistently and constantly try to access your site, mainly the dashboard / wp-admin to launch a brute force attack, you can ban these IPs using the following code in the file .htaccess:

	<Limit GET POST>
	order allow, deny
	deny from
	allow from all

Note: Change the IP address for which you want to block access to your website.

This code will prevent the aforementioned IP from being able to access your site again. You can also add more IPs by replicating the deny from the line, for example:

	<Limit GET POST>
	order allow, deny
	deny from
	deny from
	allow from all

Note: Change the IP address for which you want to block access to your website.

You May Also Read: How to Add UGC Links in WordPress

Protect the .htaccess File

It does not make sense to apply additional protections to folders, etc. But the .htaccess file itself is protected as this file is often targeted by attackers to override other additional protections.

When someone tries to access your .htaccess file, the server automatically generates a 403, Forbidden error, even with the file’s default permissions.

Protecting it is simple by implementing the following code in the .htaccess file in the main folder of the WordPress site:

	<Files .htaccess>
	order allow, deny
	deny from all

Avoid SPAM in Comments from .htaccess

You can avoid SPAM in the native WordPress comment form, coming from visits without HTTPS header (without URL), common spam bots, by adding the following code in your .hatccess file:

	RewriteEngine On
	RewriteCond% {REQUEST_URI} .wp-comments-post.php *
	RewriteCond% {HTTP_REFERER}!. * Domain.com. * [OR]
	RewriteCond% {HTTP_USER_AGENT} ^ $
	RewriteRule (. *) ^ Https: //% {REMOTE_ADDR} / $ [R = 301, L]

Note: Change “domain.com” to the actual name of the domain you use on your website.


Editing your existing .htaccess file or creating new ones for subdirectories can increase the security of your site. Still, it is good to use the tips in this article to complement other security measures that you have in place on your WordPress site.

You can share your feedback with us by commenting below. You can also inform us if you face any problem, we will try our best to solve your problem as soon as possible.

Last Update:

About the Author