
WordPress htaccess security

Did your WordPress install get hacked? It’s becoming more common, and hacking methods change daily. WordPress is the world’s most popular CMS with over 70 million users, but it is heavily targeted by hackers because of its large user base and insecure themes and plugins. One of the important measures a site owner can and should take is to secure WordPress directories with .htaccess.

Before we get into securing WordPress with .htaccess, here are some other measures one can take to secure their WordPress install.

  1. Update your WordPress with the latest version
  2. Update your plugins and keep them updated with an automatic updating program
  3. Defend your WordPress install with security plugins, like Login Lockdown, WP Security Scan, Wordfence, etc.
  4. Maintain secure passwords
  5. Guard from brute force attacks; use a plugin like Wordfence or SecureLive to block bad logins that attempt to authenticate through your admin url
  6. Monitor for malware; use a plugin or scanner like Wordfence to check for malware and scan for files that have been edited by malware
  7. Maintain backups
  8. Choose a good webhost
  9. Delete unused or old plugins
  10. Control sensitive information


The typical WordPress .htaccess file looks similar to this:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

Any additions to the .htaccess file should be placed after # END WordPress.

Here are some measures you can take to configure and add to your .htaccess file.

  1. Protect wp-config.php
    wp-config.php is the file in your root directory that stores information about your site such as the database name, user name, and password; this file in particular we would not want to fall into the wrong hands. In your .htaccess add the following to prevent any web access to the wp-config.php file:

    <Files wp-config.php>
        order allow,deny
        deny from all
    </Files>

    Similarly, you can protect other files this way:

     # Protect filename.php
        <Files filename.php>
        order allow,deny
        deny from all
        </Files>
  2. Protect wp-admin with access from your IP only
    You can limit who can access your admin folder by IP address; to do this you would need to create a new .htaccess file and upload it to your wp-admin folder. The following snippet denies access to the admin folder for everyone except your IP address, but please note that if you have a dynamic IP you might have to regularly alter this file, otherwise you will also be denied access!

        order deny,allow
        allow from (replace with your IP address)
        deny from all
  3. Ban countries or bad IPs that you do not need visiting your site.  Get lists here for some countries that commonly hack WordPress sites: http://www.ip2location.com/blockvisitorsbycountry.aspx You can ban using .htaccess with this simple snippet.
        <Limit GET POST>
        order allow,deny
        deny from (replace with the IP address or range to block)
        allow from all
        </Limit>
  4. No directory browsing
    Many people know the structure of a WordPress install and know where to look to discover what plug-ins you may be using or any other files that might give away too much information about your site.  One way to deter this is to prevent directory browsing.  You can ban directory browsing with this simple snippet.

        # directory browsing (the relative form alone; "Options All -Indexes"
        # mixes absolute and relative forms, which Apache rejects)
        Options -Indexes
  5. Protect .htaccess
    This snippet stops anyone from viewing any file on your site whose name contains “.hta” (for example .htaccess and .htpasswd), which protects the file and makes it somewhat safer.

        <Files ~ "^.*\.([Hh][Tt][Aa])">
        order allow,deny
        deny from all
        satisfy all
        </Files>
  6. Disable xmlrpc.php
    It was recently reported that there is a WordPress Pingback Vulnerability, whereby an attacker has four potential ways to cause harm via xmlrpc.php, the file included in WordPress for XML-RPC support (e.g., “pingbacks”). Note: this technique is only recommended if you aren’t using XML-RPC for anything (e.g., pingbacks, Blogger, MovableType, etc.). This snippet disables xmlrpc.php:

        <Files xmlrpc.php>
        Order Deny,Allow
        Deny from all
        </Files>
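As an added example (not from the original post), here is one combined block for the site root .htaccess that applies items 1, 4, 5 and 6 above on both Apache 2.2 and 2.4. The Order/Deny directives in the snippets are Apache 2.2 syntax that Apache 2.4 only accepts when mod_access_compat is loaded, so each rule below carries a version-specific fallback; the IP address in the final comment is a placeholder.

```apache
# Added example, not from the original post. Put this after "# END WordPress"
# in the site root .htaccess. Each rule is given in Apache 2.4 form
# (mod_authz_core, "Require") with an Apache 2.2 fallback ("Order"/"Deny"),
# because 2.4 rejects the Order/Deny directives unless mod_access_compat
# is loaded, and a rejected directive in .htaccess turns into a 500 error.

# 1. Block direct requests for wp-config.php
<Files "wp-config.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# 5. Block .htaccess, .htpasswd and any other file whose name starts ".hta"
<FilesMatch "^\.hta">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# 6. Block xmlrpc.php (only if nothing on the site relies on XML-RPC)
<Files "xmlrpc.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# 4. Disable directory listings ("Options All -Indexes" mixes absolute and
# relative forms, which Apache rejects; use the relative form alone)
Options -Indexes

# 2. For wp-admin/.htaccess the Apache 2.4 equivalent of "allow from <ip>"
# is "Require ip <ip>"; 203.0.113.5 below is a placeholder, not a real address.
#     <IfModule mod_authz_core.c>
#         Require ip 203.0.113.5
#     </IfModule>
```

After editing, request each protected path (for example /wp-config.php and /xmlrpc.php) in a browser and confirm the server answers with 403 rather than the file or a 500 error.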


Originally posted 2015-01-08 00:18:11. Republished by Blog Post Promoter
