How to Secure WordPress Site Using .htaccess


The number of hackers and spammers is growing day by day, and websites are undoubtedly prone to security risks. No matter how strong a website is, hackers look for a loophole to intrude. If your website is not secure, hackers will use different techniques against it, such as SQL injection, Cross Site Scripting, DDoS attacks, and much more. Some noob hackers only try to hack a site to test their hacking ability, but they can still be dangerous in the near future. That's why website security is a must these days. In this article, I am going to write about how to secure a WordPress site using .htaccess.

The very first thing you need to consider is that your website must be hosted on a secure web host server. This is because you can back up your site and restore it even if hackers intrude and destroy content and files. Changing your site's passwords often is highly recommended too. And always remember, you are responsible for the security of your website. If your site ever gets hacked, then you are to blame, not the hackers. Rather than scratching your head, do some research on how you can protect your website.

Secure WordPress Site Using .htaccess

1. Protecting .htaccess itself from attacks

.htaccess is at the heart of every Apache-hosted website and controls the whole site, multisite installs included. Without proper preventive measures, the .htaccess file may be exposed to malware, attacks, suspicious access, and other strikes. So the .htaccess file must be protected from being read, edited or rewritten. Add the following code to secure your .htaccess file.

# limit others from accessing .htaccess over HTTP
<Files .htaccess>
order allow,deny
deny from all
satisfy all
</Files>

2. Disable/Prevent Directory Browsing

By default, the Apache server that hosts WordPress enables directory browsing automatically. This means all files and directories inside the root folder are easily accessible and visible to visitors. This also lets spammers or hackers steal your information.

These days security is a primary necessity for every website and server. If you visit high Alexa-ranking websites, most of them have directory browsing disabled.

Code Snippet

# Disabling directory browsing
Options All -Indexes

3. Protecting wp-config.php from access with .htaccess

wp-config.php is undoubtedly the most important core file in WordPress, and it is located in the root of the WordPress directory. This file contains all the database details, like the database username and password, table prefix, host server name, and much more. wp-config.php must be strongly secured if you want to secure your WP site.

Insert the following code.

# Protecting/defending the wp-config file
<Files wp-config.php>
order allow,deny
deny from all
</Files>

4. Restrict wp-admin access to selected IP addresses

A brute force attack is the most powerful hacking technique against dynamic websites like WordPress. If the hackers know your username, half of their mission is already successful. The only thing they need is to generate random passwords by means of brute-forcing tools. The hacker uses different IPs via some kind of tool so that they are impossible to trace. That's why IP restriction is necessary to secure your site.

The Code:

# Restrict logins and admins by IP
# The <Files> container was missing from the snippet as published; wp-login.php is the login endpoint.
# To restrict the /wp-admin/ directory too, put the same order/deny/allow lines in wp-admin/.htaccess without a <Files> container.
<Files wp-login.php>
order deny,allow
deny from all
# Example address from the RFC 5737 documentation range; replace both entries with your own addresses
allow from 203.0.113.52
allow from IP_ADDRESS_2
</Files>

5. Disable/Prevent Image Hotlinks

Hotlinking, in other words bandwidth theft, means someone using your website's images by linking to them from their own website, which leads to excess use of your site's bandwidth. And the amusing part is, you are not given any credit for it. Hotlinking will slow down the performance of your website because the data is fetched using your bandwidth, while their bandwidth and storage are saved. Use the following code in your .htaccess file to eliminate this problem.

The Code:

# disable/prevent image hotlinks
RewriteEngine on
# let requests with an empty referer through (direct visits and browsers that strip it)
RewriteCond %{HTTP_REFERER} !^$
# example\.com is a placeholder: put your own domain here, leaving (www\.)? as it is
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example\.com [NC]
RewriteRule \.(png|gif|jpeg|jpg)$ - [NC,F,L]

Note: Make sure to replace example\.com with your domain name, leaving www as it is.
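A small audit script, added here as an example and not part of the original post, that checks an .htaccess text for all five rules above: the closing </Files> tags the containers need, a whitelist of syntactically valid IPv4 addresses in the login block, and a real domain in the hotlink condition. It also accepts the Apache 2.4 "Require all denied" form, since Order/Allow/Deny are Apache 2.2 directives that 2.4 honours only with mod_access_compat loaded; the sample file, example.com and the 203.0.113.52 address are constructed.

```python
import re
# Constructed sample: the article's five snippets in one file, with the closing </Files>
# tags restored, a placeholder domain and an RFC 5737 documentation address.
SAMPLE_HTACCESS = r"""<Files .htaccess>
order allow,deny
deny from all
</Files>
Options All -Indexes
<Files wp-config.php>
order allow,deny
deny from all
</Files>
<Files wp-login.php>
order deny,allow
deny from all
allow from 203.0.113.52
</Files>
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example\.com [NC]
RewriteRule \.(png|gif|jpeg|jpg)$ - [NC,F,L]"""

def _files_block(text, name):
    """Body of <Files name> ... </Files>, or '' if the container is missing or never closed."""
    m = re.search(r'<Files\s+"?%s"?\s*>(.*?)</Files>' % re.escape(name), text, re.S | re.I)
    return m.group(1) if m else ""

def _denies_all(body):
    # Accept the Apache 2.2 form used in the article and the Apache 2.4 Require form.
    return bool(re.search(r"^\s*(deny\s+from\s+all|Require\s+all\s+denied)\s*$", body, re.I | re.M))

def _valid_ipv4(addr):
    parts = addr.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

def audit_htaccess(text):
    """Return {rule: passed} for the article's five rules; every allow entry must be valid IPv4."""
    login = _files_block(text, "wp-login.php")
    allowed = re.findall(r"^\s*allow\s+from\s+(\S+)", login, re.I | re.M)
    # The referer condition only works if a domain follows (www\.)?, as the article's note says.
    cond = re.search(r"RewriteCond\s+%\{HTTP_REFERER\}\s+!\^http\(s\)\?://\(www\\\.\)\?(\S*)", text)
    rule = re.search(r"RewriteRule\s+\S*png\S*\s+-\s+\[[^\]]*\bF\b", text)
    return {
        "htaccess_protected": _denies_all(_files_block(text, ".htaccess")),
        "indexes_disabled": bool(re.search(r"^\s*Options\b.*-Indexes", text, re.I | re.M)),
        "wp_config_protected": _denies_all(_files_block(text, "wp-config.php")),
        "login_ip_restricted": _denies_all(login) and bool(allowed) and all(map(_valid_ipv4, allowed)),
        "hotlink_blocked": bool(cond and cond.group(1) and rule),
    }
```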


These are the most common and important steps to secure a WordPress site using .htaccess. However, it is always important that you take the necessary precautions under your own control. There are also some plugins available for free in the WordPress repository which secure your WordPress site. Do comment in the form below if you have any preventive tips. 🙂

About Prabin Parajuli

Prabin Parajuli has written 12 posts in this blog.
