WordPress Security with .HTACCESS File | Secure Your Blog

WordPress is the world’s most popular CMS, with over 60% market share. It is a powerful blogging CMS, but what about security? Thousands of WordPress websites get hacked. Here you will learn how to protect and secure your WordPress website with the .htaccess file.

Once a WordPress website has been hacked, the question is what to do next, which is why WordPress security is such an important topic. Before that happens, protect your WordPress site with a custom .htaccess file.

Where to Find WordPress .htaccess File

You can locate your WordPress website's .htaccess file through cPanel as well as through the WordPress admin dashboard.

  1. Find it in the root of your website using cPanel.
  2. Edit it using the WordPress SEO plugin by Yoast, under the Edit files section.

Note: If you are not using the WordPress SEO by Yoast plugin, edit the .htaccess file through cPanel.

Default .htaccess File

Typically, the WordPress .htaccess file looks like the following. To secure your WordPress site, you have to add more code snippets. Don’t delete the default WordPress .htaccess rules.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

WordPress Security with .htaccess File

1. How to Protect wp-config.php file With .htaccess File

wp-config.php is the file in your root directory that stores important information about your website, as well as the website's database passwords. Protect wp-config.php with the following snippet.

<files wp-config.php>
order allow,deny
deny from all
</files>

2. How to Limit Directory Browsing Using .htaccess File

Because a huge number of WordPress plugins are available, hackers try to discover which plugins are installed on your website, and they can easily find other information they need through your files. So protect your site and limit directory browsing with the following code snippet.

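# directory browsing
# Use "-Indexes" on its own: Apache 2.4 rejects a mix of signed and unsigned options such as "All -Indexes"
Options -Indexes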

3. How to Protect wp-content Directory using .htaccess File

The following code allows search engines to cache images, CSS, JavaScript and XML files, but denies it for any other file type. By default, all major search engines like Google, Yahoo, and Bing will cache your WordPress plugins and themes, which will increase your server response time. So restrict them by adding the following code to your WordPress .htaccess file.

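# Everything in the directory this file applies to is denied (PHP included) except the static types below
order deny,allow
deny from all
<files ~ "\.(xml|css|jpe?g|png|gif|js)$">
allow from all
</files>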

4. How to Disable Hotlinking Using .htaccess File

Smart guys will use your images and videos on their own sites and keep the pressure on your server, which causes data storage and bandwidth problems. So prevent or disable hotlinking from any other websites by using the following code.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?YourDomain [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

Replace YourDomain with your website address.

5. How To Restrict Admin Access From One IP Address Only Using .htaccess

You can limit who can access your admin folder by IP address by adding the following code snippet.

# Limit logins and admin by IP
# this goes in the /admin folder NOT root folder .htaccess
order deny,allow
deny from all
allow from YourIPAddress

Replace YourIPAddress with your own IP address.

6. How to Protect Specific File Using .htaccess File

Sometimes you may want to protect an individual file instead of an entire folder. Add the following snippet to the .htaccess file to protect an individual file.

# Protect the .htaccess
<files .htaccess>
order allow,deny
deny from all
</files>

7. How To Ban Specific IP address Using .htaccess File

To stop bad users who brute-force your admin pages, ban them by IP address.

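# Replace each BannedIPAddress placeholder with an IP address you want to ban
<Limit GET POST>
order allow,deny
deny from BannedIPAddress1
deny from BannedIPAddress2
allow from all
</Limit>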

8. How To Protect .htaccess File Itself

All the above methods will help to secure and protect your WordPress plugins, themes, files and other valuable databases. Even so, the .htaccess file itself is still open. So protect .htaccess itself, stopping anyone from scanning files whose names begin with “hta”, by adding the following code snippet.

<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
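
The snippets in this article use the Apache 2.2 Order/Allow/Deny directives, which Apache 2.4 accepts only through mod_access_compat. The block below is an added example, not part of the original article, showing the same protections in Apache 2.4 Require syntax; the file locations and the documentation-range IP addresses are assumptions.

```apache
# Added example (not from the original article): Apache 2.4 "Require" syntax.
# Assumptions: mod_authz_core and mod_authz_host are loaded, AllowOverride
# permits AuthConfig and Options, and every IP address below is a constructed
# documentation-range placeholder.

# ---- <site root>/.htaccess ----

# Sections 1, 6 and 8: refuse direct requests for wp-config.php and .ht* files
<Files "wp-config.php">
    Require all denied
</Files>
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# Section 2: no directory listings
Options -Indexes

# Section 7: allow everyone except the banned addresses
<RequireAll>
    Require all granted
    Require not ip 198.51.100.23
    Require not ip 192.0.2.0/24
</RequireAll>

# ---- wp-content/.htaccess (assumed location for the section 3 rules) ----

# Section 3: deny everything here except static assets.
# With the default "AuthMerging Off", Require rules in a deeper .htaccess or
# <Files> section replace the ones inherited from the root file, so the
# section 7 ban above does not carry over to the files granted here.
Require all denied
<FilesMatch "\.(xml|css|jpe?g|png|gif|js)$">
    Require all granted
</FilesMatch>

# ---- <admin folder>/.htaccess ----

# Section 5: only this one address may reach the admin folder
Require ip 203.0.113.10
```

Use one syntax or the other within a file; the Apache documentation discourages mixing Order/Allow/Deny with Require.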

If you face any problem while adding the code to your WordPress .htaccess file, let me know in the comment section. I will help you with my best efforts to solve your problem.