WordPress Security Through .htaccess

Configuring .htaccess

.htacess is a configuration file that allows you to override your server’s global settings for the directory that it’s in, by limitting file access.

There’s a couple of ways you can access it:

  • Find it in the root of your website
  • Edit it using WordPress SEO plugin by Yoast

Here’s a piece of code generated by WordPress and you’ll find it in almost every .htaccess file:

# BEGIN WordPress

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteBase /

RewriteRule ^index\.php$ - [L]

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule . /index.php [L]

</IfModule>

# END WordPress

Anything else you decide to apply to harden WordPress security should be added after this.

Protect wp-config.php

WordPress best practices suggest you protect your wp-config.php file and you can do that by adding:

<files wp-config.php>

order allow,deny

deny from all

</files>

Prevent Directory Browsing

You know how you can change a few characters in a URL and continue browsing the website. With this code you’ll prevent any directory browsing:

# directory browsing

Options All -Indexes

Disable any Hotlinking

Sometimes other (non-ethical) site curators will try to use your images and videos and put a strain on your serves, which uses your disk space and bandwidth. While this is not in the domain of WordPress security, it will certainly help your website’s overall health. Adding this to your .htaccess will prevent hotlinking from happening:

RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?YourDomain [NC]

RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

note: Be sure to change “YourDomain” with your domain address and leave out the “www” part

If you need to allow certain websites to use your images, then you can use this online tool for generating the anti hotlinking code where you can define various parameters.

Protect /wp-content Directory

WordPress holds all your media files in here and they’re an asset you want search engines to crawl. But, “/wp-content” is a place where your themes and plugins reside, too. You don’t want to allow access to those sensitive .php files.

In order to work you need to create a separate .htaccess file (just use your FTP client and create a file with no name and give it an “.htaccess” extension) and put it in your /wp-content directory. This code will allow access to images, CSS, java-script and XML files, but deny it for any other type.

order deny,allow

deny from all

<files ~ ".(xml|css|jpe?g|png|gif|js)$">

allow from all

</files>

That’s it. Your WordPress website should be a lot safer place now. There’s just one last thing we should do and that’s protecting the .htaccess file(s).

Protect the .htaccess Itself

We’ve done a lot to protect WordPress, but the .htaccess file itself is still open to attacks. The following code snippet will stop anyone from accessing (reading or writing) any file that starts with “hta“.

<files ~ "^.*\.([Hh][Tt][Aa])">

order allow,deny

deny from all

satisfy all

</files>


While you can install various WordPress security plugins, sign-up for monitoring services and content delivery networks which filter your traffic, configuring .htaccess file so it strengthens your WordPress security is a good step toward that peace of mind every website owner needs.

Prevention is often the best cure.

note: Making changes to .htaccess should be pretty relaxing job, but if you use plugins (ex. WordPress SEO) for configuring .htaccess, please make sure to also have FTP credentials, just in case you need to directly access and reconfigure it.

Security, as everything in life, ultimately comes down to user behavior – avoiding risky situations, untrusted hosting companies and weak passwords, always using plugins developed with WordPress best practices in mind, updating your software regularly, etc.

Was this answer helpful?

 Print this Article

Also Read

How to Change Your Header in WordPress

This tutorial will teach you how to change your header in WordPress. You will need to be logged...

How to Update Your WordPress Installation

This tutorial will teach you how to update your WordPress installation. You should be logged in...

How to Install WordPress from wordpress.org

This tutorial will teach you how to install WordPress, directly from WordPress.org. First, you...

How to Install WordPress from Fantastico

This tutorial will show you how to install WordPress from directly from Fantastico, which is...

How to Edit Your Profile in WordPress

This tutorial will teach you how to edit your profile in WordPress. You should be logged in, and...