Useful WordPress .htaccess Security Tips And Rules

WordPress is a popular, free content management system used by thousands of people around the world to create websites. This article includes useful security tips that show you how to secure your WordPress website using the .htaccess file, which the Apache web server reads to control how your website behaves.

You can also use plugins to secure and protect your website. For this article, we will be focusing on using the .htaccess file to help you protect your website from hackers.

What Is A .htaccess File

A .htaccess file is normally located in the public_html directory of a website and is read by the Apache web server, which runs the majority of websites. The .htaccess file lets you change your website's configuration without editing the server's own configuration files.

What Can The .htaccess File Be Used For

The .htaccess file can be used to do a number of different things, including:

  • Enhance the security of your website to protect it from hackers using .htaccess rules
  • Improve the speed of your website
  • Load custom error pages, like 404 pages
  • Force your site to use HTTPS instead of HTTP
  • Prevent hotlinking

Where Can I Find The .htaccess File

The .htaccess file is located in the root directory of your WordPress site. Depending on your hosting provider, the root directory will be labeled public_html, www, htdocs, or httpdocs.

You can locate it by using File Manager in your hosting account's cPanel.

To Access The .htaccess File, Complete The Following Steps

  1. Log into your hosting control panel (cPanel).
  2. Open the file manager.
  3. In the navigation menu on the left-hand side of your screen, click on the public_html folder.
  4. Look for the .htaccess file, which should be located in the public_html directory. If you cannot see it, the file may be hidden.
  5. If the file is hidden, select the Settings option in the file manager.
  6. A window labeled Preferences should now be displayed.
  7. Tick the box labeled Show Hidden Files.
  8. You should now see the .htaccess file, which you can edit via the file manager.

How Do I Create A .htaccess File

Depending on your WordPress installation, you may not have a .htaccess file, so before you edit it or add security rules to it you may need to create a new .htaccess file. The quickest way to create a .htaccess file is via the file manager in your cPanel hosting account.

  1. Log into your hosting control panel (cPanel).
  2. Open the file manager.
  3. In the navigation menu on the left-hand side of your screen, click on the public_html folder.
  4. Select the +File button.
  5. Create a file called .htaccess
  6. Add the default WordPress code noted below to the file you have created.

Default WordPress .htaccess File

If you have already installed WordPress and enabled permalinks, your .htaccess file will look like this. This is the default code that WordPress writes to the file, as documented at https://wordpress.org/documentation/article/htaccess/

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Useful .htaccess Security Rules

The following .htaccess security rules go below the default WordPress rules noted above. Keep them outside the # BEGIN WordPress / # END WordPress markers, because WordPress rewrites everything between those markers whenever you save your permalink settings.

Before making any changes, we recommend you make a backup of the .htaccess file first, as adding the wrong rule to the .htaccess file can easily take your website offline.

Prevent Directory Browsing

If directory indexes are enabled, visitors can see a list of the files in any directory that has no index file simply by requesting the directory in a browser. Because WordPress has a fixed file structure, anyone visiting your website could then list every file under the wp-content/uploads/ directory. The following rule turns directory listings off:

# Turn off automatic directory listings (requires AllowOverride Options on the host)
Options All -Indexes

Restrict Access to PHP Files

You can block direct access to the PHP files of your plugins and themes from unauthorized users, which is very important from a security point of view. A few plugins and themes are legitimately requested directly by the browser; add those paths to the exclusion conditions below (or delete the placeholder conditions if you need none) and test the site after adding the rules.

# Plugins: replace the two placeholder paths with any plugin file or directory
# that must remain directly reachable, then return 404 for every other .php file
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
# Themes: same pattern
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]

Restrict All Access to wp-includes

The wp-includes folder contains only the files that are strictly necessary to run the core version of WordPress, one without any plugins or themes. Remember, the default theme still resides in the wp-content/themes directory. Thus, no visitor (including you) should require direct access to the contents of the wp-includes folder. You can disable access using the following code:

# Block wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# Skip the next three rules for any request outside wp-includes/
RewriteRule !^wp-includes/ - [S=3]
# Forbid direct requests to PHP files at the top level of wp-includes/
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

Restrict PHP File Execution

The following code will stop PHP files from being executed under /wp-content/uploads/, a common directory where attackers try to upload and run PHP files. You will need to create a separate .htaccess file and upload it to the /wp-content/uploads/ directory to deny access to PHP files there.

# Place this in wp-content/uploads/.htaccess (Apache 2.2 syntax; on Apache 2.4
# it needs mod_access_compat, otherwise use "Require all denied")
<Files *.php>
deny from all
</Files>

Deny Access To The wp-config.php file

wp-config.php is one of the most important files, as it contains the database name, access credentials, and other crucial data. To secure the wp-config.php file, add the following code to the .htaccess file. This denies all web requests for the wp-config.php file.

<Files wp-config.php>
order allow,deny
deny from all
</Files>

Deny Access To The xmlrpc.php file

By default, the XML-RPC file is installed on every WordPress site. This file provides the remote interface that some third-party applications and plugins use to talk to your site, and it is a frequent target for automated login attempts. If you are not using any third-party apps that rely on it, you should disable this feature.

<Files xmlrpc.php>
order allow,deny
deny from all
</Files>

Protect The .htaccess File

To protect the .htaccess file itself (and other Apache control files such as .htpasswd) from being downloaded, add the following code to your file.

# Deny web access to any file whose name contains ".hta" (case-insensitive)
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

Disable Author Scanning in WordPress

Author scanning is a common first step in brute force attacks. Attackers request your site with an author ID in the query string, which reveals the corresponding username. Next, they try to crack that account's password by trying different password combinations and then gain access to your WordPress administration.

The easiest way to block author scanning in WordPress is through the .htaccess file.

# Return 403 Forbidden for any request whose query string contains author=<number>
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
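A tighter variant of the rule above, added here as an example and not taken from the article: the pattern is anchored so that it only matches a parameter actually named author (the unanchored version also blocks parameters such as post_author=5), and requests under /wp-admin/ are skipped so the dashboard's own "filter posts by author" screens keep working.

```apache
# Added example (not from the article): stricter author-scan rule.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Leave the dashboard alone; it uses author=<id> to filter post lists
RewriteCond %{REQUEST_URI} !/wp-admin/ [NC]
# Match "author=<digits>" only at the start of the query string or after "&"
RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
RewriteRule ^ - [F,L]
</IfModule>
```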

Protect Your WordPress Admin Area

You can protect your WordPress admin area by using .htaccess to limit access to wp-admin by IP address. The wp-admin directory contains all the files required to run the WordPress dashboard.

It includes administrative functions, such as installing themes, using plugins or writing posts, etc. Allowing only selected IP addresses access to the wp-admin directory helps protect your WordPress site from hackers.

You need to create a .htaccess file and upload it to the /wp-admin/ directory of your website. Change the IP address to the public IP address of the computer you are accessing the website from. To allow another IP address, add another "allow from" line with that address. Note that wp-admin/admin-ajax.php is also called by many themes and plugins on the public side of the site, so test the site after adding this restriction.

# Place this in wp-admin/.htaccess; only the listed address may reach the dashboard
order deny,allow
allow from 123.8.83.41
deny from all
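The access rules in the wp-config.php, xmlrpc.php, .htaccess, uploads and wp-admin sections above all use the Apache 2.2 "order/allow/deny" directives; on Apache 2.4 those only work when mod_access_compat is loaded, and otherwise cause a 500 error for the whole directory. The block below is an added example (not the article's own code) that writes the same controls so they load on either version, and adds the admin-ajax.php exception the wp-admin allow-list needs. The address 203.0.113.10 is a placeholder for your own admin IP.

```apache
# Added example (not from the article). Same controls as the sections above,
# written to load on both Apache 2.2 (Order/Allow/Deny) and Apache 2.4
# (Require). 203.0.113.10 is a placeholder for your own admin IP address.

# ---- 1. root .htaccess: wp-config.php, xmlrpc.php and every .ht* file ----
<FilesMatch "^(wp-config\.php|xmlrpc\.php|\.ht.*)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>

# ---- 2. wp-content/uploads/.htaccess: no script execution in uploads ----
# Also covers alternative extensions some hosts map to the PHP handler.
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>

# ---- 3. wp-admin/.htaccess: IP allow-list for the dashboard ----
<IfModule mod_authz_core.c>
  Require ip 203.0.113.10
</IfModule>
<IfModule !mod_authz_core.c>
  Order deny,allow
  Deny from all
  Allow from 203.0.113.10
</IfModule>
# admin-ajax.php lives in wp-admin but is called by themes and plugins on
# the public site, so it must stay reachable from any address.
<Files admin-ajax.php>
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
    Satisfy any
  </IfModule>
</Files>
```

Behind a CDN or reverse proxy the address Apache sees is the proxy's, so the allow-list only works once mod_remoteip (or the host's equivalent) restores the real client address.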