Top .htaccess Tips to Secure Your WordPress Site


Since website security has become a common concern, webmasters exercise great care when maintaining their sites. In addition to some frequently-used methods, like WordPress security plugin installation, password enhancement and the use of SSL, you can take .htaccess into consideration. This is a great method recommend by many experts and web resources sites like PHPMatters

Maybe now, you have been pulled in a fog and thirst after the reason why .htaccess can make a big difference on website security improvement and what you can do with it. Here, we are going to clear all your doubts by showing details on how to secure your WordPress website using .htaccess.

What Is .htaccess?

.htaccess, short for hypertext access, is a configuration file used to store server directives and allows decentralized management on a web server. With the help of this file, you are able to enable or disable directives over the whole site, like rewriting URLs, blocking users, controlling cache, and protecting password, etc. As thus, by overriding some security-related settings, you can safeguard your site effectively.

If .htaccess is not available on your site, you are required to open a new text and include configuration commands required. Then save the .txt file and upload it to your site. Once getting through it, you need to rename the file as .htaccess and upload it using FTP.

Protect .htaccess Itself

If the .htaccess file suffers attacks, other protected files are not immune. Thus, you should attach great importance to the security of your .htaccess file by using the code as below.

<Files .htaccess>

order allow,deny

deny from all

satisfy all


When people get to intrude the .htaccess file, there is a 403 forbidden error opening on their view.

Disable Hotlinking with .htaccess

You may encounter a situation that your peer blogger embezzles your images, and displays these images using your original URL. When visitors load these images on his site, the usage of bandwidth is from your website. This is called as hotlinking.

To prevent your bandwidth from being stolen by other webmasters, you should enable hotlink protection using .htaccess. To do this, you can include the following content in the .htaccess file.

RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?YourDomain [NC]

RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]

Protect wp-config.php with .htaccess

As a WordPress file of great concern, wp-config.php gets hold of all critical information about database, including username, password, host and database name. The information is used to enable data store and retrieve. Thus, you have to take this file seriously, or your site will be in danger. The following lines tell how to strengthen wp-config.php with .htaccess.

<Files wp-config.php>

order allow,deny

deny from all


Stop Directory Browsing with .htaccess

A directory browsing enabled website allows web browsers to display the content of all your directories when they cannot search the file of index.php or index.html. However, some of these directories may include the confidential files or folders that are important to your website. If web browser makes those details public, your website is more likely to be attacked by hackers, because they have known your secret very well.

In this case, you’d better take some measures to stop directory browsing. The use of .htaccess is a great method to this end when including the following commands. Unlike Godaddy, some companies do this by default.

# directory browsing

Options All -Indexes

Restrict Access to Admin Area

The admin area is a private place of your website, which enables full access for you to handle administrative functions. However, there are also some other admin roles available like editor, author, subscriber and author having partial access. To prevent these additional roles from releasing your valuable information, you’d better take full control of the admin area instead of sharing a portion to others.

To do this, you can add the following code to the .htaccess file and fill your IP address in the designated section.

order deny,allow

allow from {your IP Address}

deny from all

Stop Unwanted Visitors Accessing to Your Site

When suffering some vicious visitors making a threat to your website, you should take action to stop them coming again. Frankly, .htaccess makes it easy to clear up all threats to the website only if you use following snippet.

<Limit GET POST>

order allow,deny

deny from {IP Address of the Denied Visitor}

allow from all


Note that, the mentioned code can only ban one person at a time. If you want to increase the banning number, you can edit the code as below to add the banned users as you want.

<Limit GET POST>

order allow,deny

deny from {IP Address of the Denied Visitor1}

deny from {IP Address of the Denied Visitor2}

allow from all


To be frank, blocking the bad users is just a stalling tactic, for which people can come again after converting the IP address into a new one. Thus, you have to make the safeguarding operation consistent and look for long-term effective methods.

Did I missed any tip? How are you securing your WordPress blog?

6 thoughts on “Top .htaccess Tips to Secure Your WordPress Site”

  1. These tips are useful, but everyone should edit the .htaccess file carefully. Or it can affect your website adversely.
    An alternative way may be using iThemes security as I think most of this can be done using that plugin. It’s free too.

  2. Hi Ammar,

    This is really a so much profitable tutorial for me. All these .htaccess Tips for Securing my WordPress Site has solved my problem and i got the perfect solution from here. Thank you so much for sharing :)

  3. Security has become an important issue lately for me.

    As far as I know a wp site/blog can get some fixes in htaccess to make it stronger. Your top htaccess tips are pretty usefull… which one is the very best of them? I won´t know ´till watch ´em working right?

  4. Hi Ammar,

    .htaccess is most important part of WP site that helps to keep WP site safe and secure from hacking attempts, various, malware, robots etc. We should configure it perfectly.

    You mention here some great way to configure .htaccess file easily and perfectly.

    Thanks for the great sharing.

  5. Hi Ammar,

    Way cool tutorial! I think I added htaccess manually, or, my developer did. I’ve no clue in hell now that I think about it, lol! I did it with my old blog and think that I did it with my new blog. Maybe I should get serious about finding this out ;)

    Thanks Ammar for the share!


Leave a Comment

Your email address will not be published. Required fields are marked *