Secure a WordPress Website Using the .htaccess File

Securing a WordPress website is crucial to protect your data, maintain the integrity of your content, and ensure a smooth user experience. One powerful tool for enhancing the security of your WordPress site is the .htaccess file. This server configuration file can be used to control access to your site, enhance performance, and bolster security. Here are ten ways to use the .htaccess file to secure your WordPress website.

Definition of a .htaccess File

A .htaccess (Hypertext Access) file is a configuration file used by web servers running the Apache Web Server software. It provides a way to make configuration changes on a per-directory basis. This file can control various aspects of server behaviour, such as URL redirection, access control, authentication, and custom error pages.

Importance of .htaccess for WordPress

  1. Permalinks: WordPress uses .htaccess to manage permalink structures. Custom permalinks improve the SEO and user-friendliness of the website.
  2. Security: It can be used to enhance security by restricting access to certain files or directories, enabling IP address blocking, and preventing directory browsing.
  3. Redirects: Helps in setting up 301 redirects which are essential for maintaining SEO when URLs are changed.
  4. Compression and Caching: Improves site performance by enabling Gzip compression and setting browser caching rules.
  5. Error Handling: Customizes error pages (e.g., 404 Not Found).

Steps to Edit the .htaccess File

The following will provide you with a guide to editing the .htaccess file.

Backup Your .htaccess File

  • Before making any changes, it’s crucial to create a backup of your existing .htaccess file so that you can restore it if anything goes wrong.

Access Your .htaccess File

Via cPanel:

  1. Log in to your cPanel account.
  2. Go to the ‘File Manager’.
  3. Navigate to the root directory of your WordPress installation (usually public_html).
  4. Look for the .htaccess file. If it’s not visible, ensure that ‘Show Hidden Files’ is enabled.


Via FTP or SFTP:

  1. Connect to your website using an FTP client (like FileZilla) or an SFTP client.
  2. Navigate to the root directory of your WordPress installation.
  3. Download the .htaccess file to your local machine for editing.

Editing the .htaccess File

  1. Use a plain text editor (like Notepad++ or Sublime Text) to open and edit the .htaccess file.
  2. Make the necessary changes. For example, to set up pretty permalinks, WordPress adds the following default code:
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

For security, you might add:

# Protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
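
Added example, not part of the original article: a small Python check to run on an edited .htaccess before uploading it. It flags a container that is never closed (a syntax error that makes Apache return 500 Internal Server Error), the Apache 2.2 access directives that 2.4 only accepts through mod_access_compat, and a Redirect with no target. The function name lint_htaccess and the sample file are constructed for illustration.

```python
import re

# Apache 2.2 access directives; on 2.4 they only load through mod_access_compat.
LEGACY = {"order", "allow", "deny", "satisfy"}
OPEN = re.compile(r"^<\s*([A-Za-z]+)\b[^>]*>$")
CLOSE = re.compile(r"^</\s*([A-Za-z]+)\s*>$")
REDIRECT_3XX = {"permanent", "temp", "seeother"}

# Constructed sample with three mistakes: unclosed <Files>, 2.2 syntax, no target.
SAMPLE = """\
<IfModule mod_rewrite.c>
RewriteEngine On
</IfModule>
<Files wp-config.php>
order allow,deny
deny from all
Redirect 301 /old-page.html
"""

def lint_htaccess(text):
    """Return sorted (line_number, message) findings for an .htaccess body."""
    findings, stack = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := CLOSE.match(line):
            if stack and stack[-1][1].lower() == m.group(1).lower():
                stack.pop()
            else:
                findings.append((no, f"</{m.group(1)}> has no matching opener"))
        elif m := OPEN.match(line):
            stack.append((no, m.group(1)))
        else:
            keyword, *args = line.split()
            if keyword.lower() in LEGACY:
                findings.append((no, f"{keyword}: 2.2 syntax, use Require on 2.4"))
            elif keyword.lower() == "redirect":
                known = args and (args[0].isdigit() or args[0].lower() in REDIRECT_3XX | {"gone"})
                status = args.pop(0).lower() if known else "temp"  # temp is Apache's default
                needs_target = status in REDIRECT_3XX or status.startswith("3")
                if len(args) < (2 if needs_target else 1):
                    findings.append((no, "Redirect is missing a path or target"))
    # Containers still on the stack were opened but never closed.
    findings += [(no, f"<{name}> is never closed") for no, name in stack]
    return sorted(findings)

if __name__ == "__main__":
    print(*lint_htaccess(SAMPLE), sep="\n")
```

The check covers only these three mistakes; an empty result does not mean the file is otherwise valid, so keep the backup at hand when uploading.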

Htaccess Code & Examples To Secure & Protect Your WordPress Website

The following example code can be included in your .htaccess file to protect and secure your WordPress website from hackers.

Disable Directory Browsing

Directory browsing allows visitors to see the contents of your directories if there is no index file present. This can expose sensitive files and information. To disable directory browsing, add the following line to your .htaccess file:

Options -Indexes

With this directive in place, anyone trying to access your directories will be met with a 403 Forbidden error instead of a list of files.

Restrict Access to the wp-admin Directory

The wp-admin directory is the administrative core of your WordPress site. Restricting access to this directory can prevent unauthorized users from attempting to log in. You can limit access by IP address by adding the following code to your .htaccess file:

<Files wp-login.php>
order deny,allow
Deny from all
Allow from xx.xx.xx.xx
</Files>

Replace xx.xx.xx.xx with your own IP address. This will restrict access to the login page to only those IP addresses you specify.

Protect the .htaccess File Itself

Ensuring the .htaccess file itself is secure is essential. You can prevent unauthorized users from viewing or modifying it by adding this code:

# Match any file whose name starts with .ht (case-insensitive)
<files ~ "^\.([Hh][Tt])">
order allow,deny
deny from all
satisfy all
</files>

This directive will deny access to any file that starts with .ht and is a good way to protect not only your .htaccess file but any other sensitive .ht files as well.

Disable PHP Execution in Uploads Directory

The uploads directory is often a target for malicious scripts. Disabling PHP execution in this directory can help prevent the execution of harmful scripts. Add the following code to the .htaccess file located in the /wp-content/uploads directory:

<Files *.php>
deny from all
</Files>

This directive will prevent the execution of any PHP files in the uploads directory, mitigating a common attack vector.

Limit Access to XML-RPC

The XML-RPC feature in WordPress allows for remote publishing, which can be useful but also poses security risks. If you do not need this feature, you can disable it entirely by adding the following code to your .htaccess file:

<files xmlrpc.php>
order deny,allow
deny from all
</files>

Disabling XML-RPC will prevent attackers from using it to perform brute force attacks or other malicious activities.

Set Up 301 Redirects for SEO and Security

Properly setting up redirects can improve your site’s SEO and also enhance security by ensuring users and bots are directed to the correct locations. Add the following to your .htaccess file to set up a simple 301 redirect:

Redirect 301 /old-page.html /new-page.html

This will permanently redirect old-page.html to new-page.html, ensuring any outdated links still point to relevant content.

Block Access to Sensitive Files

Certain files within your WordPress installation are more sensitive than others and should be protected. Adding the following to your .htaccess file can help block access to these files:

<FilesMatch "(\.htaccess|\.htpasswd|readme\.html|license\.txt)">
Order allow,deny
Deny from all
</FilesMatch>

This directive will prevent access to the .htaccess, .htpasswd, readme.html, and license.txt files, which can contain information useful to attackers.

Enable HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) helps to protect your site against man-in-the-middle attacks by ensuring browsers only communicate with your site over HTTPS. Add the following code to your .htaccess file to enable HSTS:

<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>

This directive tells browsers to only access your site using HTTPS for the next year, enhancing your site’s security.

Block Bad Bots and Referrers

Blocking malicious bots and bad referrers can reduce the load on your server and prevent potential attacks. Add the following code to your .htaccess file to block specific bots and referrers:

<IfModule mod_rewrite.c>
RewriteEngine On
# Refuse requests whose User-Agent contains a listed bot name
RewriteCond %{HTTP_USER_AGENT} ^.*(badbot|anotherbadbot).* [NC]
RewriteRule .* - [F,L]
# Refuse requests referred from a listed domain, over http or https
RewriteCond %{HTTP_REFERER} ^https?://.*badreferrer\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*anotherbadreferrer\.com [NC]
RewriteRule .* - [F,L]
</IfModule>

Replace badbot and anotherbadbot with the names of bots you want to block, and badreferrer.com and anotherbadreferrer.com with the domains you want to block.


Securing your WordPress website is a multi-faceted task that requires attention to many details. The .htaccess file is a powerful tool in your security arsenal, allowing you to control access, protect sensitive files, and prevent malicious activity. By implementing these ten methods, you can significantly enhance the security of your WordPress site and protect it from a wide range of threats. Remember, security is an ongoing process, and staying informed about the latest threats and best practices is crucial to maintaining a secure website.