Posted on

Hardening WordPress: Security through .htaccess

WordPress Security
Reading Time: 3 minutes

The WordPress world is panicking. A lot of security breaches have been reported recently and it is important to take every precaution not to become the next website on the hackers’ list. It’s up to you to make your WordPress as secure as possible and minimize the risk of spending hours on the phone with your hosting company, trying to get your credentials back.

There are several ways of making your WordPress secure:

Using .htaccess is just one of them, the one that belongs to the domain of prevention.

Configuring .htaccess

.htacess is a configuration file that allows you to override your server’s global settings for the directory that it’s in, by limiting file access.

There’s a couple of ways you can access it:

  • Edit it using WordPress SEO plugin by Yoast
  • Edit it using FTP

Here’s the video our friends from Webucator created on how to secure your WordPress website via FTP.

Here’s a piece of code generated by WordPress and you’ll find it in almost every .htaccess file:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Anything else you decide to apply to harden WordPress security should be added after this.

Protect wp-config.php

WordPress best practices suggest you protect your wp-config.php file and you can do that by adding:

<files wp-config.php>
order allow,deny
deny from all
</files>

Prevent Directory Browsing

You know how you can change a few characters in a URL and continue browsing the website. With this code you’ll prevent any directory browsing:

# directory browsing
Options All -Indexes

Disable any Hotlinking

Sometimes other (non-ethical) site curators will try to use your images and videos and put a strain on your serves, which uses your disk space and bandwidth. While this is not in the domain of WordPress security, it will certainly help your website’s overall health. Adding this to your .htaccess will prevent hotlinking from happening:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?YourDomain [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

note: Be sure to change “YourDomain” with your domain address and leave out the “www” part

If you need to allow certain websites to use your images, then you can use this online tool for generating the anti-hotlinking code where you can define various parameters.

Protect /wp-content Directory

WordPress holds all your media files in here and they’re an asset you want search engines to crawl. But, “/wp-content” is a place where your themes and plugins reside, too. You don’t want to allow access to those sensitive .php files.

In order to work you need to create a separate .htaccess file (just use your FTP client and create a file with no name and give it an “.htaccess” extension) and put it in your /wp-content directory. This code will allow access to images, CSS, java-script and XML files, but deny it for any other type.

order deny,allow
deny from all
<files ~ ".(xml|css|jpe?g|png|gif|js)$">
allow from all
</files>

That’s it. Your WordPress website should be a lot safer place now. There’s just one last thing we should do and that’s protecting the .htaccess file(s).

Protect the .htaccess Itself

We’ve done a lot to protect WordPress, but the .htaccess file itself is still open to attacks. The following code snippet will stop anyone from accessing (reading or writing) any file that starts with “hta“.

<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

While you can install various WordPress security plugins, sign-up for monitoring services and content delivery networks which filter your traffic, configuring .htaccess file so it strengthens your WordPress security is a good step toward that peace of mind you, as a website owner, deserve.

Prevention is often the best cure.

note: Making changes to .htaccess should be a pretty relaxing job, but if you use plugins (ex. WordPress SEO) for configuring .htaccess, please make sure to also have FTP credentials, just in case you need to directly access and reconfigure it.

Security, as everything in life, ultimately comes down to user behavior – avoiding risky situations, avoiding untrusted hosting companies and weak passwords, always using plugins developed with WordPress best practices in mind, updating your software regularly, etc.


If you need help hardening your WordPress website, a website audit is a right thing to do. Get in touch with us and secure your online presence.

Dragan Nikolic
I am the SEO & a co-founder at ThematoSoup, sharing marketing best practices, how to simplify your online business and make it more manageable.
Dragan Nikolic
Hey @tj_reinhart do you accept new affiliate partners on Sumo? - 1 month ago
Dragan Nikolic
Dragan Nikolic
Dragan Nikolic

Latest posts by Dragan Nikolic (see all)