Menu Close

Secure your Website with .htaccess security tips

Secure your Website

Most WordPress installation tutorials demonstrate how to deploy WordPress quickly and easily in minutes, but they skip out on some important security factors. But here you will learn some useful tricks for your WordPress site. The .htaccess file is a strong setup file that helps you to do a lot of nice things on your website. I will show you some of the most useful .htaccess tricks for ‘How to Secure WordPress.’

Know About Fact of .htaccess

The .htaccess directory is a configuration file for the server. It enables you to describe your server’s rules. WordPress uses this file to build an SEO-friendly URL. The .htaccess file is in the root directory of your WordPress site.

In this file, you can store various settings such as password protecting a directory, blocking IPs, blocking a file or folder from public access, etc.

Note: It is important to download a copy of it to your computer as a backup before editing your .htaccess file. If anything goes wrong, you can use that file.

  • Disable Directory Listing

Several web servers allow any user to search the files where there is no index directory. This can lead to leakage of information and help an attacker to compromise your site.

Add the following line to your .htaccess file to disable the listing of directories:

Options -Indexes


  • Disable PHP Execution

    Hackers often hack into a WordPress website and create a backdoor. These backdoor files are often disguised as core WordPress files and stored in the folders of /wp-includes / or /wp-content / uploads/.

    An easier way to improve your security for WordPress is to disable the execution of PHP for some directories of WordPress. Add the following line to your .htaccess file.

<Files *.php>
deny from all

Also Read: How to increase website loading speed. – Leverage Browser Caching

  • Allow only targeted wp-content files

You can also refuse the access of all file kinds, save a handful of them on the wp-content folder, including most your themes, plugins and all media uploads. Add the following line to your .htaccess

# Disable access to all file types except the following
Order deny,allow
Deny from all
<Files ~ ".(xml|css|js|jpe?g|png|gif|pdf|docx|rtf|odf|zip|rar)$">
Allow from all


  • Protect Configuration wp-config.php File

Wp-config.php file possibly is the most significant file in the root folder of your WordPress page. This includes information on and access to your WordPress server.

Just add this code to your .htaccess file in order to protect your wp-config.php file from unauthorized access:

<files wp-config.php>
order allow,deny
deny from all


  • Restrict Access to wp-includes

The directory wp-includes only the files which are strictly necessary to run WordPress ‘ core version – one without themes or plugins. Just add this code to your .htaccess

# Block wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]


  • Allow Selected IP Addresses to Access wp-admin

Just a few select IP addresses to access the wp-admin directory are allowed by a good security measure. The folder of wp-admin contains the files needed to run the WordPress table. The IPs of the persons requiring access to the dashboard WordPress – editors, contributors, and other admin. Just add this code to your .htaccess.

# Limit logins and admin by IP
order deny,allow
deny from all
allow from
allow from IP_ADDRESS_2


  • HTTP Trace Method & X-XSS-Protection

You should disable the TRACE Method on your webserver to improve the security of your web site (and your users). In order to enhance the protection of your Website against certain forms of XSS attacks. Just add this code to your .htaccess.

RewriteEngine On 
RewriteRule .* - [F]
Header set X-XSS-Protection "1; mode=block"

Also Read: How to find vulnerabilities in a website.

  • Increase File Upload Size

One of the approaches that have succeeded for many users is that the following code is applied to their .htaccess file. Sometimes a small file upload limit will prevent you from uploading files via media uploader or installing themes and plugins. Add the following code, It just tells your webserver to increase your upload size and total runtime in WordPress by adding these values.

php_value upload_max_filesize 64M
php_value post_max_size 64M
php_value max_execution_time 300
php_value max_input_time 300


  • Blocking Author Scans

One of the common methods for brute force attacks is to search writers on a WordPress page and then attempt to break their passwords.

If you apply the following code to your .htaccess file, you will block these scans:

# BEGIN block author scans
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
# END block author scans


  • Prevent Access to XML-RPC File Using .htaccess

This file enables applications from outside the WordPress site to connect. Most security experts in WordPress suggest you can disable this feature if you don’t use third-party apps. Add your .htaccess file with just the following code:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all


  • Protect .htaccess From Unauthorized Access

As you have seen, there are so many things to do with the .htaccess directory. It is important to protect it from unauthorized access by hackers, given the power and control it has on your web server. Add your .htaccess file with just the following code:

<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all

Final Word

The coolest hacks to reinforce your WordPress site. I recommend that you test each module one by one before and after checking that module when you back up the .htaccess folder. This is due to the very critical .htaccess file. A missing’ #’ or’ </IfModule >’ character could destroy the integrity of your site. It is advisable not to allow specific IPs for the wp-admin directory when you regularly go into your WordPress dashboard.

” Keep Sharing & Keep Learning “


  1. Pingback:how to find vulnerabilities in a website : KPWebSpot

  2. Pingback:What is Smishing? : Understanding by KPWebSpot

  3. Pingback:How to increase website loading speed - Leverage Browsing Caching – KPWebSpot

Leave a Reply