5 Tips to Secure your WordPress with .htaccess File

I must shamefully confess that I totally brought down my Wordpress website last week.   It was inaccessible for about 10 minutes while I frantically tried to restore my website.  Do you know what the culprit was?  It was the .htaccess file that I was trying to learn and play around with.    Since then I’ve restored my Wordpress website and have tried to learn everything about the .htaccess file.  It is a very important file as it acts like the security alarm system in your house.  If configured incorrectly it could cause serious security issues but learn about .htaccess and you can use it to your advantage and it will protect your Wordpress website.

*** Always take a backup of your .htaccess file before you make any changes. 


  1. Use .htaccess to protect wp-config file
  2. Use .htaccess to blacklist users and bots
  3. Use .htaccess to protect from script injections
  4. Use .htaccess to protect against hot-linking and content scrapers
  5. Use .htaccess to prevent directory browsing

Below are 5 ways to Enhance your Wordpress Security through your .htaccess file

Please note that the .htaccess file you will be editing is located in the root folder of your WordPress installation.  IE this file will be in the folder that has all your wp- files.

1.  Use .htaccess to Protect Your Wp-config File

Your wp-config.php file contains all the information regarding your WordPress website.   This includes your database username, database password, server name, hostname etc.   This is very critical information that you don’t want to fall in the wrong hands or eyes.


Create a restriction that prevents any access to your wp-admin.php file.  This way it will ensure no harmful scripts can access it.  Insert the following code into your .htaccess file:

<files wp-config.php>
order allow, deny
deny from all

 2.  Use .htaccess to Blacklist Users and Bots

I noticed that I’m getting tons of unrelated comments on my blog most of which are spam bots.  I spend about 10 minutes a day deleting spam until I installed a plugin that did it for me automatically.


Why use a plugin to delete spam bots from leaving spam comments when you can just just block them from accessing your website?    You can insert IP addresses into your .htaccess file.  It will allow everyone to read your site except deny access to those IP addresses from which you listed.  For example, in the comments they leave you will see an IP address, copy that IP and past it in the deny.  I’ve included an example of 3 IP addresses I wanted to block.  If you want to add more, just append it to the last deny statement.  Insert the following code in your .htaccess file:  (Replace my examples with your own)

order allow, deny
allow from all
deny from
deny from
deny from

3.  Use .htaccess to Protect From Script Injections

Developers always protect their <POST> and <GET> statements but injections sometimes still get through.   So you must also protect your site from anyone who is trying to modify your PHP globals and REQUEST variables.


Use this code to check the type of requests made and whether is has tried to modify the PHP GLOBALS or REQUEST variables.  If the script has then the code is blocked and the client is given a 403 error.  Insert the following code into your .htaccess file:

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

4.  Use .htaccess to Protect Against Hot-Linking and Content Scrapers

Yes.  I’ve recently had a bout with content scrapers after finding a site that copied all my Joomla tutorials without my consent.  Hot linking to images is a big thing as it just saps out all my server’s bandwidth.


Protect your images so only you can link to them.   This code will check if your site is linking to the image, if not then it will return an empty string.  Insert the following code into tyour .htaccess file:  Replace mysite.com with your website domain name.

RewriteEngine On
#Replace ?mysite\.com/ with your blog url
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
#Replace /images/nohotlink.jpg with your "don't hotlink" image url
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]

 5.  Use .htaccess to Prevent Directory Browsing

Yikes.  If you type in sitename.com/wp-includes you will see all files listed in that directory.   This is a big security risk and hackers can see when the files were last accessed and modify them.


Protect all your WordPress directories and do not allow anyone access to view your directory structure.  Insert the following code in your .htaccess file.

Options -Indexes

This is just one step you can use to protect your WordPress website.  There are other tips as well such as useful plugins to help Secure your WordPress website.   If you mess up your .htaccess file and need a brand new copy of it, here is what the basic .htaccess file looks like:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]</IfModule>
# END WordPress



Source: 10 Useful WordPress Security Tweeks by Smashing Magazine

Leave a Reply

Your email address will not be published. Required fields are marked *

Captcha Captcha Reload