Your Dedicated Partner for All Things WordPress

WordPress Security via .htaccess file

Table of Contents

One of the important files in WordPress is the .htaccess file. This will allow the users to access the website as per the rules. This guide will tell you everything you need to know about the WordPress Security .htaccess file.

Here, we will see why you can use it to your advantage. We will begin with what it .htaccess for the people who have no idea about it and then we will see all the other things that matter. This will include a couple of tricks by which you can improve the security of the website.

Urgent WordPress Assistance

Facing a critical WordPress issue? Don’t panic. Our Emergency Service is here to swiftly resolve any urgent website problems.

Let’s begin with the guide.

What is WordPress Security .htaccess file?

At first, we will see what is .htaccess file. It’s a system file that comes on all the websites. It doesn’t matter which website CMS you are using, whether it’s WordPress or any other, you will have a .htaccess file where all the things are stored.

There are some of the rules stated in the file. These rules will tell you how the users will see the website. If the .htaccess won’t allow the visitor to access the file, no one will be able to access the file. Usually, there are rules which will prevent people from accessing the main admin pages of the website.

However, it only includes basic security. You can surely improve the security by adding more rules to that.

We will be seeing the same rules here. When you follow all these and implement these rules, you will get better security here – WordPress Security .htaccess file.

How to change/add .htaccess file?

We will see how to change/add the .htaccess file. If you open file manager, you won’t see any file called .htaccess. The simple reason for this is because it’s a system file.

The system files are usually hidden from all the other files. Therefore, you won’t see the file. To see the file, you will have to follow certain procedures.

To do that, you can simply open the file manager and then click on the settings icon which can be seen on the top bar. When you click on the settings button, you will get the option to show all the hidden files.

You can simply click on show hidden files and it will show you the complete list of hidden files. These are the files that have (.) ahead of its name. For example, you won’t see the htaccess file. Instead, it’s .htaccess file.

Once you see the file, you can download it. The reason why we are asking you to download the file is for backup purposes. What if something goes wrong and you end up deleting important things? There are good chances that your website might crash if something goes wrong. If you already have a backup, you can quickly restore it within a minute.

Therefore, you can download the file and that’s it. Keep it safe somewhere on your computer.

Modifying the File – WordPress Security .htaccess file

Now, let’s talk about modifying the file. You can easily modify it by right-clicking on the file and then you will have to click on the “Code edit” button. When you do that you will see the file opened in another tab. This is where you can make the changes.

All you have to do is add the code wherever we tell you to. We suggest you add everything at the end of the file. In this way, you will know what are the changes you have made.

Instant WordPress Support

Get immediate assistance for your WordPress website with our on-demand support services.

You can also download the file and open it in the code editor to edit the file. Even notepad++ will do the work. If you are downloading the file and then editing it, you also have to upload the file once it’s edited. Also, make sure that you have another copy of the original file for backup. You can save it in a different folder. In this way, the two files won’t mix up. If the files are mixed up, it will confuse you and you won’t get things done. Therefore, you will have to ensure that you have added them in the right place.

Limit The Access

You can surely limit access by IP address. By default, everyone is allowed to access the admin page. There is a way you can limit this. It’s simply adding a new IP address code on the .htaccess file. When you do this, only your IP address will be whitelisted and all the others will be blacklisted.

Therefore, only you will be able to access the page and no one else. There is a huge risk that comes with this. When you block all the IP addresses, you are also blocking all the access to the page. In case, your IP address gets changed, you will be in trouble. Also, if you leave the place and go somewhere else to work, your IP address might change depending on the network.

If the person is using mobile data, the IP address won’t change. In the same way, if the person is using Wifi to access the website, the IP address will change.

uthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist Syed's IP address
allow from
# whitelist David's IP address
allow from

Deny Access to Wp-config

Now, this is yet another interesting thing that you can do. Wp-config is the file where you are storing all the things. It’s the database file where you can configure the file. Things like your website’s database passwords are saved here.

If someone gets access here, you will be in the trouble. They might easily get access to the database as well as they can change many things on the website.

Therefore, we will see how you can secure that file. Here, you don’t need to worry as the file is always secure. If the file is secure, no one will get access here. However, you can always be extra secure by adding some level of security here.

When you add an extra layer of security, you can be sure that your website is secure and no one has access to any of these things – WordPress Security .htaccess file.

Luckily, there is a small code that you can add to your .htaccess file. When you add the small code in the file, you can secure your website. The code will tell the server to deny all the connections to that file. In this way, you will not have to face any issues.

Here is the code that you can add to the .htaccess file. If you add this code, your website will be more secure. Like we have mentioned before, always add the code after the other lines. In this way, you can remove it whenever needed.

<files wp-config.php>
order allow,deny
deny from all

Stop other websites Stealing your Bandwidth

This might require a bit more context before we get started with the code. We will first see what is the main issue here and then see how you can fix it.

Let’s assume that you are running a website where you are posting a lot of content on regular basis. If you also post images, many people will be stealing images from you. Most people don’t mind if they steal one or two images. However, the problem begins when they copy the file.

If someone will just hit the copy button by right-clicking on the image and then place it on their website, you will have to suffer. Now, if someone visits their website, the image will be loaded from your server and not from their server. Do you know how this is an issue for you?

They are using your resources and displaying your image. If you have limited bandwidth or you are having limited resources on your server, you might exhaust it soon. Even if you don’t have it, you need to stop this.

If the server loads increases, your website might go down. For the people who are using cloud hosting you might have to pay extra costs.

Therefore, it’s always better to stop people from using your resource and use a couple of strategies to stop them.

Luckily, the .htaccess security can help you and prevent other websites from using your resources here. The deal is pretty simple and anyone can do it.

You can simply add the code to your website and you are done. Yes, it is as simple as that. All you need to do is add the code in your htaccess file.

Here is the code that you need to add.

#disable hotlinking of images with forbidden or custom image option
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?
RewriteRule .(jpg|jpeg|png|gif)$ –

Don’t forget to replace with your website. When you do this, you can be sure that your website will work nicely without any issues.

Stop all the Author Scans

You might surely be knowing this. The username of any website is the same as the author URL. Let’s see an example here. If you have an author named as an “Editor”, the URL for that auto will be Here, the last phrase is the username of the person.

One can easily run a scan where they can know all the authors. When they come to know the details of all the authors, it will be quite easier to hack the website.

If someone is planning to run a brute force attack, they can easily be using the same thing here. Now, brute force is where he will have to run various combinations in the username as well as in the password. This entire thing goes into the next level when they already know what is the username.

What if they have a couple of usernames where they can try the password. It might be easier for them to scan and run the brute force attack. Also, it might be a type of privacy breach. Therefore, you can always make sure that you are using the right settings for WordPress Security .htaccess file.

Here is the extra code you can add to stop all the author scans.

# BEGIN block author scans
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=d+)
RewriteRule .* -
# END block author scans

Directory Access

Directory access is where you will get access to the directory. You might have seen a couple of Google dorks lists where you can see that some people can also access the directory of the website directly.

You might see that the “Parent directory” will be accessible directly to the user. If the parent directory is accessible directly to the user, they can download almost all the things on the website. All the files will be directly accessible to the person who has access to the file.

Therefore, you can surely disable the directory access from the file. By this, one will be able to access the directory of the website directly – WordPress Security .htaccess file.

PHP Execution is a Big Risk

Imagine, if someone can execute the PHP code on your website without accessing the website. There are a lot of things that they can do here, right?

In technical terms, it’s called creating a backdoor. Backdoor is the way by which the hacker can enter the website without entering the login page. It works just like the name. Now, there might be certain plugins that might allow the server-side execution directly from the website. Therefore, you will have to ensure that you are secure your website from this.

The simple way to stop this is by adding a small code that will prevent PHP execution. You will have to enter this code on the .htaccess file.

Here is the code that you will have to add, you can add these lines and your website will be secure – WordPress Security .htaccess file.

<Files *.php>
deny from all

Final Words about WordPress Security .htaccess file

To summarize, these are all the things that you can do to secure your website via htaccess file. Now, make sure that you have a backup of 2 files. One of them is the previous file which is the original htaccess file. Along with this, you will need to save the new htaccess file too. In this way, your website will be secure. If something goes wrong, you can quickly restore it. You can also take a complete backup of your website and then run the following thing. In this way, you can be sure about all these things.

Tailored WordPress Solutions

Elevate your online presence with our custom WordPress development services.

How to get started?

Learn more

WordPress Maintenance

Save 33% with our Annual pricing plan.

Get Started

Coupon Code Applied!

Take your time and continue browsing our services.

Alexey Seryapin
Founder of WPServices