How to Secure WordPress with htaccess

Secure WordPress with htaccess

Htaccess is a plain text system file that resides on the hosting server. It is a powerful tool that uses directives and commands to control how your website is served. Learning how to use htaccess to secure WordPress sites is an important skill for any webmaster or website owner.

By adding certain directives to the htaccess file, you can enhance the security of a WordPress website.

Here are some of the things you can do with htaccess to enhance WordPress security:

  • Prevent access to .htaccess
  • Prevent directory browsing
  • Prevent access to wp-config file
  • Protect wp-content folder
  • Protect the wp-includes folder
  • Prevent script injections
  • Restrict PHP file execution
  • Restrict access to plugins and themes in PHP files
  • Ban query strings ending with question mark “?”
  • Prevent username enumeration
  • Stop spam on WordPress blogs and websites
  • Prevent image hot linking
  • Limit logins by IP
  • Prevent unauthorized access to wp-admin directory
  • Ban Bad User Agents, referrers, script-kiddies and more

You can also use htaccess to speed up your site by adding directives to compress files and enable caching for faster loading.


Be careful when editing htaccess files. Your website may stop working if you make any mistakes. It is always recommended to make a backup copy of the htaccess file before modifying it.

Secure WordPress with htaccess Examples:

The following htaccess snippets should work with any WordPress website without any modifications. Just copy the snippet and paste it into your htaccess file. Please read the notes below before starting.

Note 1 – Make a backup of the htaccess file.

Note 2 – Copy the code below section by section, add it to the end of your htaccess file, and save. Then check your website. If any section is not compatible with some plugins, your site will stop working. If this happens (which is rare), delete that section and go to the next section.

Note 3 – Copy each snippet (between Start and End, including the # lines) and paste it at the end of your website's htaccess file.

# === Code Starts Here

# ========== Enable Rewrite ==========

This will enable the mod_rewrite engine for your site so that the rewrite rules in the sections below take effect. It is done only once in .htaccess. It may already be enabled on your server; it doesn't harm to do it again.

# Start -----

Options +FollowSymlinks
RewriteEngine on

# End -----

# ========= Prevent Directory Browsing ========

This code will prevent attackers from viewing the folder contents of your website.

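# Start -----

# Use only the -Indexes form: Apache 2.4 rejects a line that mixes options
# with and without +/- (such as "All -Indexes") and the site returns an error.
Options -Indexes

# End -----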

# ========== Disable the server signature ==========

# Start -----

ServerSignature Off

# End -----

# ========== Force https ==========

# Start -----

# The rules below are commented out; remove the leading # from the Rewrite lines to enable them.
#RewriteEngine On

# If we receive a forwarded http request from a proxy...
#RewriteCond %{HTTP:X-Forwarded-Proto} =http [OR]

# ...or just a plain old http request directly from the client
#RewriteCond %{HTTP:X-Forwarded-Proto} =""
#RewriteCond %{HTTPS} !=on

# Redirect to https version
#RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# End -----

# ========== Prevent access to wp-config File ==========

wp-config.php contains your WordPress configuration. It is important to prevent anyone from changing it.
The following code will prevent access to it. Copy the code to your .htaccess file.

# Start -----

<Files wp-config.php>
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead
Order allow,deny
Deny from all
</Files>

# End -----

# ========== Securing the wp-includes Directory ==========

The wp-includes directory contains many important WordPress files. By blocking all unauthorized access to it, you can protect those files from being tampered with by hackers.

# Start -----

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# Requests outside wp-includes/ skip the next three rules
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# End -----

# ========== Prevent script Injections ==========

The following code will prevent hackers from injecting malicious code into the WordPress GLOBALS and _REQUEST variables.

# Start -----

Options +FollowSymLinks
RewriteEngine On
# Block query strings containing a <script> tag (raw or URL-encoded)
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# Block attempts to set GLOBALS or _REQUEST through the query string
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

# End -----

# ========== Protect Your Site Against Script Injections ==========

Many hackers try to change the WordPress GLOBALS and _REQUEST variables in an attempt to inject malicious code. You can prevent those injections by adding the following code to .htaccess.

# Start -----

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

# End -----

# =========== Restrict Access to Plugins and themes PHP Files ==========

Since PHP files can be used to inject malicious code on your website, it is important that you protect all PHP files by restricting access to them. Adding the following code will do that.

# Start -----

# The "to/exclude" paths are placeholders for any plugin or theme file that must stay directly reachable
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]

# End -----

# ====== Ban Query strings ending with question mark “?” =====

Many malicious RFI (remote file inclusion) attempts have a question mark at the end of the query string. You can ban those attempts by adding the following code to .htaccess.

# Start -----

RewriteCond %{QUERY_STRING} (\?|%3F) [NC]
RewriteRule .* - [F,L]

# End -----

# ================= Prevent username Enumeration ==================

Hackers may be able to find your user name. Add this code to make it difficult for them.

# Start -----

# Redirect requests such as ?author=1 to the home page with the query string removed
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]

# End -----
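A quick offline check of the query-string rules above, as an added example (not code from the original article): it applies the RewriteCond patterns from the script-injection, question-mark and username-enumeration sections, with their backslashes restored, to constructed query strings, using Python's `re` module as a stand-in for Apache's regex matching. The `evaluate` helper, the rule names and the sample query strings are assumptions made for illustration.

```python
import re

# RewriteCond patterns from the sections above (backslashes restored).
# Conditions inside one rule are ORed, as with the [OR] flag; rules are tried
# in the order they appear in .htaccess and the first match ends processing.
RULES = [
    ("script-injection", 403, [
        (r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE),   # [NC]
        (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", 0),
        (r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", 0),
    ]),
    ("question-mark-ban", 403, [(r"(\?|%3F)", re.IGNORECASE)]),  # [NC]
    ("author-enumeration", 301, [(r"author=\d", 0)]),
]


def evaluate(query_string):
    """Return (rule name, HTTP status) for the first rule that matches.

    Apache matches %{QUERY_STRING} raw (still percent-encoded) and
    unanchored, which re.search reproduces here.
    """
    for name, status, conditions in RULES:
        if any(re.search(p, query_string, f) for p, f in conditions):
            return name, status
    return None, 200


# Constructed sample query strings (not taken from real traffic).
SAMPLES = [
    "s=htaccess+tips",
    "q=%3CScRiPt%3E",
    "GLOBALS%5Bx%5D=1",
    "author=1",
    "redirect_to=https%3A%2F%2Fexample.com%2Fwp-admin%2Fedit.php%3Fpost_type%3Dpage",
]

if __name__ == "__main__":
    for qs in SAMPLES:
        name, status = evaluate(qs)
        print(f"{status}  {name or 'no rule':<20} ?{qs}")
```

The last sample is the case to check on your own site: a login redirect that carries an encoded `?` (`%3F`) in `redirect_to` is answered with 403 by the question-mark rule, so test logging in after adding that section.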

Implementing the above will definitely improve your WordPress security. There are more htaccess codes that can be used to do more things for your website. You can learn more about them in the htaccess guide.
