Improves WordPress htaccess Security Rules

WordPress .htaccess Security Rules for Your Website

If you are looking for .htaccess security tricks for your WordPress website, here are all the details, step by step, that you can try right away.

What is the .htaccess file?

.htaccess is short for “hypertext access”. It is the most powerful server configuration file for the Apache web server and is responsible for the working structure of your WordPress site: it defines the rules the server follows for your website, and you can use it to improve WordPress security.

WordPress permalinks will not work properly without the .htaccess rules. This file defines the base folder to which rewrite rules are applied. It also affects the SEO of your website, and the effects can be huge, so many bloggers and website owners use .htaccess to fix their SEO problems.

Use of .htaccess

It stores the WordPress permalink rules and various other settings, such as password protection for the website, blocking or allowing access for certain IPs, blocking a file or folder from public access, PHP settings, URL redirects, and many more.

Location of .htaccess file?

Log in to your cPanel, click File Manager under the Files section, and open public_html (the root folder). There you will find the WordPress .htaccess file.

If you are connecting through an FTP client, open public_html (the root folder). There you will find the .htaccess file.

How Do I Find My .htaccess File?

If you cannot find .htaccess inside public_html (the root folder), go to Settings at the top right, click it, and enable the check box Show Hidden Files (dotfiles). In Linux file systems, filenames that begin with a dot (.) are hidden files, and all dotfiles are hidden by default.

How to edit .htaccess?

You can easily edit it with a text editor: download .htaccess, edit the rewrite rules, save it, and upload the file to its location inside public_html.

Note: Download a copy of the .htaccess file before editing. If anything goes wrong, you can restore the downloaded copy.

Here are some tips for WordPress htaccess security:

1. Disable access to your wp-config.php file
2. Disable Directory Browsing in your htaccess file
3. Disable access to your .htaccess file for security
4. Limit access to your ADMIN folder in WordPress
5. Blocking cross-site scripting (XSS) add WordPress Security rules
6. Blocking Author Scans in WordPress security rules
7. Disable image hotlinking to improve WordPress Security
8. Ban Suspicious IP Addresses in WordPress security rules
9. Disable PHP Execution in Certain WordPress Directories
10. Only Selected Files from wp-content are permitted.
11. Restrict All Access to wp-includes
12. Switch on browser caching for WordPress security rules.

The default rules for WordPress htaccess security look as follows:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Important: You can edit the rules between the BEGIN WordPress and END WordPress lines.

Note: If you misplace your WordPress .htaccess file you can copy and use the above code for your default .htaccess files.

Improve WordPress htaccess Security By Using The Below Rules

1. Disable access to your wp-config.php file

The wp-config.php file is the most important file in WordPress. It contains the MySQL settings, secret keys, database table prefix, and login credentials. Because wp-config.php contains so much important information, it should be protected from unauthorized access.

To prevent access to your wp-config.php file, add the following code to the .htaccess file in your root directory.

The code below denies everyone access to the wp-config.php file.

# Disable access to wp-config.php
# (Order/Deny is Apache 2.2 syntax; on Apache 2.4 it needs mod_access_compat)
<files wp-config.php>
order allow,deny
deny from all
</files>

2. Disable Directory Browsing to improve WordPress htaccess Security

In the Apache web server, directory browsing is enabled by default, and about 99% of the websites built with WordPress are hosted on Apache. If you leave directory browsing enabled, there is a big chance of a security threat to your website: hackers can easily gather information about the file and folder structure of your directories. To make sure your website root directory is not visible to anyone, add the following rules to your .htaccess file.

# Disable all directory browsing
# (Apache 2.4 rejects "Options All -Indexes": signed and unsigned options cannot be mixed)
Options -Indexes

3. Disable access to your WordPress .htaccess Security file

The .htaccess file adds another layer of protection, so it is important to protect the file itself. Add the following lines to your file to ensure that no one can access it.

# Prevent Access to .htaccess
<Files .htaccess>
order allow,deny
deny from all
</Files>

4. Limit access to your ADMIN folder in WordPress

Another important folder in WordPress is the wp-admin folder. It contains all the files required to access the WordPress admin panel or dashboard. This folder is meant only for the administrator.

To protect the WordPress admin panel from hackers, allow only specific IPs or IP ranges and block all other IPs from accessing your admin panel.

Before you apply this code to your .htaccess file, there are a few things to bear in mind. If you have a static or dedicated IP address, this code will work properly, but if your IP address changes frequently, the administrator will also run into login issues. You can use FTP or cPanel to remove or edit the code written in the .htaccess file.

You can check your IP address through Google: just type “what is my IP?” and you will get an IPv6 or IPv4 address that you can use in your .htaccess code.

Create an .htaccess file with the following code in the wp-admin folder inside public_html; don’t put this code in the .htaccess file of your root directory.

# deny access to wp-admin
# Limit logins and admin by IP
# IP_ADDRESS_1 and IP_ADDRESS_2 are placeholders for your own addresses
order deny,allow
deny from all
allow from IP_ADDRESS_1
allow from IP_ADDRESS_2

Note: Don’t forget to replace IP_ADDRESS_1 with your allowed IP address. IP_ADDRESS_2 is the second IP address you want to give access to; likewise, you can add more IPs to give access to your WordPress admin area.

5. Blocking cross-site scripting (XSS)

Cross-Site Scripting (XSS) is a kind of injection attack that loads malicious scripts into a page’s code, for example to modify global variables used in scripting and querying. To protect your WordPress website or blog from Cross-Site Scripting (XSS), add the code below to the .htaccess file of the root directory.

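# Blocks some XSS attacks
<IfModule mod_rewrite.c>
# <script> tags in the query string, raw or URL-encoded
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# attempts to set PHP GLOBALS or _REQUEST through the query string
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* index.php [F,L]
</IfModule>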

6. Blocking Author Scans add Extra WordPress Security Rules

A common technique attackers use to crack usernames and passwords is known as a brute-force attack. As part of it, they run author scans to discover the usernames registered on your WordPress blog. Once a username is found, they try to crack the password for it. To block author scanning on your WordPress website or blog, add the following rules to the .htaccess file of the root directory.

# BEGIN block author scans
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
# END block author scans

Note: If you use Limit Login Attempt, you’ll be well shielded from brute-force attacks.

7. Disable Image Hotlinking in WordPress Using Security Rules

Image hotlinking may harm the performance of your website. This is a big issue: if someone embeds an image from your website on their own, your server bandwidth is used to deliver the image, which slows down your website. To reduce your bandwidth consumption, add the following code to the .htaccess file of your root directory.

# Disable image hotlinking
# example.com is a placeholder for your own domain
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

Note: Replace example.com with your domain name.

8. Ban Suspicious IP Addresses in WordPress Security Rules

If you notice an extraordinarily high number of requests to your website from a single IP address, your website is under threat. You can manually deny every IP address the requests are coming from by adding the following lines to your .htaccess file.

# Block one or more IP addresses.
# IP_ADDRESS_1 and IP_ADDRESS_2 are placeholders for the addresses to block
<Limit GET POST>
order allow,deny
deny from IP_ADDRESS_1
deny from IP_ADDRESS_2
allow from all
</Limit>

Note: Replace IP_ADDRESS_* with the IP you want to block.
Note: Remember to change IP_ADDRESS_1 to the IP address you wish to ban. IP_ADDRESS_2 is the second IP address you want to deny; likewise, you can add more IPs to deny access to your website.

9. Disable PHP Execution in Certain WordPress Directories

This is an extra step that secures WordPress by disabling PHP execution in certain directories. Create an .htaccess file with the code below and upload it into a directory such as wp-content or wp-includes.

# Disable PHP execution
<Files *.php>
deny from all
</Files>

10. Only Selected Files from wp-content are permitted

Because the wp-content folder contains theme files, widgets, and all media assets, you don’t want others to be able to access everything in it. In addition to blocking directory browsing, you can allow access to selected file types such as JPG, DOCX, CSS, PDF, JS, and XML, and deny all other files.

# Deny access to all files except the following types
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|js|jpe?g|png|gif|pdf|docx|rtf|odf|zip|rar)$">
Allow from all
</Files>

Note: Create a new .htaccess file with this code and upload it to the wp-content folder; do not add this code to your root .htaccess file.

11. Restrict All Access to wp-includes

Only the files needed to run the WordPress website are stored in the wp-includes folder. No one, including the administrator, has a reason to access these files directly. So it is better to protect the wp-includes folder and restrict all access. You can disable access by adding the lines below to your .htaccess file.

# Disable access to wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# Not under wp-includes/: skip the next three rules
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
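
How the rule list above is evaluated, including the [S=3] skip, shown as a simplified Python model. This is an added example, not code from the original article or from Apache; status_for and the sample paths are made up for illustration.

```python
import re

# Added example: simplified model of the rule chain in .htaccess context.
# Each rule is (pattern, negated, action); action is "F" (403) or ("S", n).
RULES = [
    (r"^wp-admin/includes/", False, "F"),
    (r"^wp-includes/", True, ("S", 3)),  # not under wp-includes: skip 3 rules
    (r"^wp-includes/[^/]+\.php$", False, "F"),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, "F"),
    (r"^wp-includes/theme-compat/", False, "F"),
]


def status_for(path):
    """Return 403 if the rule chain forbids the path, else 200 (passed on)."""
    path = path.lstrip("/")  # .htaccess rules match without the leading slash
    i = 0
    while i < len(RULES):
        pattern, negated, action = RULES[i]
        matched = bool(re.search(pattern, path)) != negated
        if matched and action == "F":
            return 403
        if matched and action[0] == "S":
            i += action[1]  # S=n: jump over the next n rules
        i += 1
    return 200


# Constructed sample requests.
SAMPLES = ["/wp-includes/version.php", "/wp-includes/js/jquery/jquery.js",
           "/wp-includes/theme-compat/header.php", "/wp-admin/includes/file.php",
           "/wp-includes/blocks/index.php", "/index.php"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(status_for(p), p)
```

The rules refuse PHP files directly inside wp-includes, the TinyMCE language files, theme-compat and wp-admin/includes; other paths under wp-includes are still served.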

12. Enable Browser Caching for WordPress Security Rules

Browser caching improves your website’s load speed and decreases load time. If you want to leverage browser caching in WordPress, add the following code to the .htaccess file of your root directory.

# Enable browser caching
<IfModule mod_expires.c>
FileETag MTime Size
AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript
ExpiresActive On
ExpiresByType text/html "access 600 seconds"
ExpiresByType application/xhtml+xml "access 600 seconds"
ExpiresByType text/css "access 1 month"
ExpiresByType text/javascript "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType application/javascript "access 1 month"
ExpiresByType application/x-javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresDefault "access 1 month"
</IfModule>
# Expires cache end

Note: Copy the code and paste it at the end of your .htaccess file content.

13. Secure Important WordPress htaccess Rules File

To secure important files such as error logs and php.ini, you can disable access to them by adding the lines below to the .htaccess file of your root directory.

# Secure important files
<FilesMatch "^.*(error_log|php\.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all
</FilesMatch>

To learn more about WordPress security, see our other articles:

Hardening The WordPress Security Of Your Website

How to Secure your WordPress Website?

Conclusion:

We’ve learned some of the finest htaccess hacks to help you secure your WordPress website today. I recommend that you test each module one at a time, making a backup of the .htaccess file before and after each test. This is due to the importance of the .htaccess file.

The integrity of your site might be compromised by a missing ‘#’ character or a misplaced ‘</IfModule>’. It’s not a good idea to permit only selected IPs to your wp-admin folder if you use your WordPress dashboard regularly on the move.
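
A small checker for the mistakes mentioned above (unclosed or stray container tags, a comment that lost its '#') plus common copy-and-paste damage such as typographic dashes and quotes. It is an added example, not part of the original article; lint_htaccess, the KNOWN directive list (limited to directives used in this article) and the sample are assumptions.

```python
import re
# KNOWN holds only the directives used in this article (an assumption).
KNOWN = {"order", "deny", "allow", "options", "rewriteengine", "rewritebase",
         "rewritecond", "rewriterule", "fileetag", "addoutputfilterbytype",
         "expiresactive", "expiresbytype", "expiresdefault"}
TYPOGRAPHIC = "\u2013\u2014\u201c\u201d\u2018\u2019"  # dashes, curly quotes
OPEN = re.compile(r"^<([A-Za-z]+)\b[^>]*>$")
CLOSE = re.compile(r"^</([A-Za-z]+)>$")

def lint_htaccess(text):
    """Return sorted (line_number, message) findings for one file."""
    found, stack = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if any(ch in line for ch in TYPOGRAPHIC):
            found.append((no, "typographic dash or quote"))
        if CLOSE.match(line):
            name = CLOSE.match(line).group(1).lower()
            if name not in [n for _, n in stack]:
                found.append((no, f"</{name}> has no opening tag"))
                continue
            while stack[-1][1] != name:  # inner containers left open
                found.append((stack.pop()[0], "container is never closed"))
            stack.pop()
        elif OPEN.match(line):
            stack.append((no, OPEN.match(line).group(1).lower()))
        elif line.split()[0].lower() not in KNOWN:
            found.append((no, "unknown directive (missing '#' or broken tag?)"))
        elif re.match(r"(?i)order\s+\w+,\s", line):
            found.append((no, "space after the comma in Order"))
        elif re.match(r"(?i)(allow|deny)\s+from$", line):
            found.append((no, "Allow/Deny from without an address"))
        elif line.lower().startswith("options"):
            signed = [opt[0] in "+-" for opt in line.split()[1:]]
            if any(signed) and not all(signed):
                found.append((no, "Options mixes signed and unsigned values"))
    found += [(no, "container is never closed") for no, _ in stack]
    return sorted(found)

# Constructed sample with one deliberate mistake per check.
SAMPLE = "\n".join([
    "<IfModule mod_rewrite.c>", "RewriteRule ^index\\.php$ \u2013 [L]",
    "<Files wp-config.php>", "order allow, deny", "deny from",
    "Disable directory browsing", "Options All -Indexes", "</IfModule>"])
if __name__ == "__main__":
    for no, msg in lint_htaccess(SAMPLE):
        print(f"line {no}: {msg}")
```

Run it on the file before uploading; an empty result means none of these specific mistakes were found, not that the rules are correct.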

Now it will be your turn: what are your thoughts on this article about additional security to WordPress Website? Is it worthwhile to go through the hassle of updating the htaccess file? Do you have a better security suggestion? We’d be delighted to hear from you.

