Top .htaccess Tips to Secure Your WordPress Site


Website security is now a common concern, and webmasters take great care when maintaining their sites. Alongside the usual measures, such as installing a WordPress security plugin, using strong passwords and serving the site over TLS (SSL), you can also put .htaccess to work. It is a method recommended by many experts and web resource sites such as PHPMatters.

You may be wondering why .htaccess can make such a difference to site security and what you can actually do with it. This post clears that up by walking through how to harden a WordPress site with .htaccess.

What Is .htaccess?

.htaccess (short for hypertext access) is a per-directory configuration file for the Apache web server. It holds server directives and lets configuration be managed in a decentralised way, without touching the main server configuration: with it you can enable or disable behaviour for a directory and everything below it, such as rewriting URLs, blocking visitors, controlling caching and password-protecting content. By overriding security-related settings in this way you can tighten your site's defences considerably. Note that everything below is Apache syntax; nginx ignores .htaccess files entirely, and the same rules have to go into the server configuration there.

WordPress usually creates an .htaccess file in the site root when you enable pretty permalinks, so look for it there first (it is a hidden file, so turn on "show hidden files" in your FTP client). If there is none, create a plain-text file containing the directives you need, upload it to the WordPress root directory and name it exactly .htaccess, with no extension. If your editor refuses to save a file whose name starts with a dot, save it as htaccess.txt and rename it after uploading via FTP. Back up the existing file before editing it, and reload the site after every change: a single syntax error in .htaccess makes Apache return a 500 Internal Server Error for the whole directory tree.

Protect .htaccess Itself

If an attacker can read or modify the .htaccess file, every protection it defines goes with it. The following block stops the file from being served over HTTP:

<Files .htaccess>
order allow,deny
deny from all
satisfy all
</Files>


Anyone who requests /.htaccess (or /wp-admin/.htaccess, and so on) then receives a 403 Forbidden instead of the file. Two caveats: a stock Apache installation already refuses to serve any file whose name begins with .ht through a <Files ".ht*"> block in httpd.conf, so on a shared host where you cannot see that configuration this is a belt-and-braces measure rather than a new protection; and order, deny and satisfy are the Apache 2.2 syntax. On Apache 2.4 they only work when mod_access_compat is loaded; the native 2.4 equivalent is Require all denied, and the two styles should not be mixed in one section.

Disable Hotlinking with .htaccess

Another site may embed your images by pointing at their original URL on your server. Every time a visitor loads that page, the image is fetched from your host, so the bandwidth bill is yours. This is called hotlinking.

To stop other webmasters spending your bandwidth, enable hotlink protection in .htaccess by adding the following lines. Replace YourDomain with your own domain, escaping the dots (for example example\.com). The first condition lets requests with no Referer header through (direct visits, privacy-conscious browsers, some proxies), so the rule never blocks your own visitors; the second allows your own site, with or without www, over http or https; any other image request gets a 403.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?YourDomain/ [NC]
RewriteRule \.(jpe?g|png|gif)$ - [NC,F,L]
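A variant that many sites prefer to a bare 403 is to serve a small placeholder image instead, so the page that stole the image visibly shows it was hosted elsewhere. The block below is an added example written for this post, not code from the original article; example.com is a placeholder domain and /hotlink.png is an assumed image you would upload to the site root.

```apache
# Hotlink protection that serves a placeholder image instead of a 403.
# Replace example\.com with your own domain (dots escaped) and upload
# a small /hotlink.png to the site root. Added example, not from the
# original post.
RewriteEngine On

# Let requests with no Referer through (direct visits, privacy-minded
# browsers, some proxies); otherwise your own visitors could be blocked.
RewriteCond %{HTTP_REFERER} !^$

# Allow your own site, with or without www, over http or https.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]

# Never rewrite the placeholder itself: after the internal rewrite the
# rule set runs again with the same foreign Referer and would loop.
RewriteCond %{REQUEST_URI} !^/hotlink\.png$

# Any other image request is answered with the placeholder. The list
# adds webp to the formats named in the post.
RewriteRule \.(jpe?g|png|gif|webp)$ /hotlink.png [NC,L]
```

The REQUEST_URI guard is the part people forget: without it Apache rewrites /hotlink.png to /hotlink.png until it gives up with a 500, and your own placeholder becomes the thing that breaks the site.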

Protect wp-config.php with .htaccess

wp-config.php is the most sensitive file in a WordPress install: it holds the database credentials (username, password, host and database name) together with the authentication keys and salts, and WordPress reads it on every request. Apache normally executes it as PHP rather than serving its source, but a misconfiguration (PHP handler disabled, a backup copy such as wp-config.php.bak left beside it) would expose those secrets to anyone who requests the file. The following block denies direct requests for it:

<Files wp-config.php>
order allow,deny
deny from all
</Files>
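The two blocks above (for .htaccess and for wp-config.php) can be combined into one that also works on Apache 2.4, where the Order/Deny syntax needs mod_access_compat. The following is an added example written for this post, not code from the original article; it assumes a stock Apache 2.2 or 2.4 and widens the match to editor and backup copies of wp-config.php, which the post's own <Files> block does not cover.

```apache
# Deny web access to .htaccess, .htpasswd and wp-config.php, plus stray
# copies such as wp-config.php.bak or wp-config.php~ that editors and
# backup tools leave behind. Added example, not from the original post.
<FilesMatch "^(\.ht.*|wp-config\.php.*)$">
    # Apache 2.4: native authorization syntax.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (or 2.4 without mod_authz_core): legacy syntax.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
        Satisfy all
    </IfModule>
</FilesMatch>
```

Because the two syntaxes sit in mutually exclusive <IfModule> sections, exactly one of them is active on any given server and they are never merged in one scope, which is what causes the confusing behaviour when both are used together.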


Stop Directory Browsing with .htaccess

When a directory contains no index file (index.php or index.html), a server with directory listing enabled answers with a listing of everything in it. WordPress directories such as wp-content/uploads or a plugin folder can reveal file names, version numbers and stray backups, which hands an attacker a map of what to target.

You should therefore turn directory listing off, and with .htaccess that takes a single directive. Some hosts disable listing by default, but others, GoDaddy among them, do not, so check rather than assume. Use Options -Indexes rather than Options All -Indexes: All switches on every other option as well, including ExecCGI and Includes, which is the opposite of hardening. If your host's AllowOverride setting does not include Options, this line produces a 500 error and has to be removed again.

# disable directory browsing
Options -Indexes

Restrict Access to Admin Area

The admin area (/wp-admin/) is where all administrative work on the site is done. WordPress roles such as editor, author and subscriber limit what a logged-in user may do, but they do nothing to keep outsiders away from the admin pages themselves. If you and your team always work from fixed addresses, you can go further and have the web server reject every request for /wp-admin/ that does not come from those addresses, before WordPress ever sees it.

To do this, create (or edit) an .htaccess file inside the wp-admin directory itself, not the site root, and fill in your address in the designated place; the same lines in the root .htaccess would lock everybody out of the entire site. Three caveats: admin-ajax.php lives in wp-admin and is called by the public front end, so a blanket block breaks themes and plugins that use it unless you exempt that file; wp-login.php sits outside wp-admin, so it needs its own <Files> block in the root .htaccess; and if your ISP hands out dynamic addresses you will lock yourself out the day the address changes, so keep FTP access at hand to remove the rule.

order deny,allow
allow from {your IP Address}
deny from all
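A complete wp-admin/.htaccess that handles those caveats, as an added example written for this post rather than code from the original article. It assumes Apache 2.4 with a 2.2 fallback; the addresses (203.0.113.0/24 and 198.51.100.7) are placeholders from the documentation ranges and stand for an office network and one home connection.

```apache
# wp-admin/.htaccess: allow the admin area only from known addresses.
# Place this file inside wp-admin/, never in the site root, or the
# whole site is locked out. Addresses are placeholders.
# Added example, not from the original post.
<IfModule mod_authz_core.c>
    # Directory-wide rule. Several Require ip lines at one level are
    # OR-ed together: a request matching either address is allowed.
    Require ip 203.0.113.0/24
    Require ip 198.51.100.7

    # admin-ajax.php is requested by the public front end (themes,
    # plugins, comment forms), so it must stay reachable by everyone.
    # A <Files> section overrides the directory-level Require above.
    <Files admin-ajax.php>
        Require all granted
    </Files>
</IfModule>

# Apache 2.2 fallback with the same policy.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.0/24
    Allow from 198.51.100.7
    <Files admin-ajax.php>
        Order allow,deny
        Allow from all
    </Files>
</IfModule>

# wp-login.php lives in the site root, outside wp-admin/, so add the
# equivalent block to the root .htaccess (Apache 2.4 form shown):
#
# <Files wp-login.php>
#     Require ip 203.0.113.0/24
#     Require ip 198.51.100.7
# </Files>
```

Before relying on it, confirm from an address outside the list that /wp-admin/ and /wp-login.php return 403 while /wp-admin/admin-ajax.php still answers; a front end that silently loses its AJAX endpoint is the usual symptom of forgetting the exception.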

Stop Unwanted Visitors Accessing to Your Site

When abusive visitors threaten your site (comment spammers, vulnerability scanners, brute-force attempts from one address), you can stop them coming back by denying their address at the web-server level. The following snippet does that:

<Limit GET POST>
order allow,deny
deny from {IP Address of the Denied Visitor}
allow from all
</Limit>


This bans one address per deny line. To ban more, add a deny line per address, list several addresses on one line separated by spaces, or give a CIDR range such as 192.0.2.0/24; deny from accepts all three. Note also that <Limit GET POST> restricts only the listed methods (plus HEAD, which Apache ties to GET) and leaves every other request method open; dropping the <Limit> wrapper applies the ban to all methods.

<Limit GET POST>
order allow,deny
deny from {IP Address of the Denied Visitor1}
deny from {IP Address of the Denied Visitor2}
allow from all
</Limit>
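The same denylist written for Apache 2.4, without <Limit> so that it covers every request method, and with a CIDR range alongside single hosts. This is an added example for this post, not code from the original article; the addresses 192.0.2.15, 192.0.2.99 and 198.51.100.0/24 are placeholders from the documentation ranges.

```apache
# Site-wide denylist. Written without <Limit>, which only restricts
# the listed methods and leaves the rest open. Addresses are
# placeholders. Added example, not from the original post.
<IfModule mod_authz_core.c>
    # RequireAll: every line must pass, so "everyone, except these".
    <RequireAll>
        Require all granted
        # single hosts
        Require not ip 192.0.2.15
        Require not ip 192.0.2.99
        # a whole range, in CIDR notation
        Require not ip 198.51.100.0/24
    </RequireAll>
</IfModule>

# Apache 2.2 fallback: several addresses on one Deny line is fine.
<IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
    Deny from 192.0.2.15 192.0.2.99 198.51.100.0/24
</IfModule>
```

Require not ip only has an effect inside <RequireAll>; a bare Require not on its own can never grant access, so Apache rejects that configuration at start-up.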


Blocking addresses is only a stalling tactic: an attacker can return from a new address, a VPN or a botnet within minutes. Treat it as one layer among several, keep the rest of the site hardened, and prefer protections that do not depend on where the attacker comes from.

Did I miss any tip? How are you securing your WordPress blog?

