Posted in:

How to Secure WordPress Sites With .htaccess

secure WordPress with .htaccessWordPress world is fantastic and also risky as a large number of security issues happened every day. It’s essential to take some measures to secure your WordPress site and prevent it to be the next site on the hackers’ list. In this article, we introduce the easy way by configuring .htaccess file to protect your website and yourself.

There are thousands of WordPress attack types, such as directory traversal, SQL injection, executable file upload, field truncation, etc. And in general, updating your installations of WordPress core and plugins when updates available is one of the easiest and most effective methods because the newest version installations can ensure all of the latest patches and fixes are applied to your site. In addition, you can also combine .htaccess file configuration with regular updates to enhance your site security and boost the protection level.

A .htaccess file a directory-level configuration file which allows for decentralized management of the web server configuration. It is used to control the per-directory access and protect your website from domain prevention.


To ensure you don’t break any original WordPress functions, anything o secure your WordPress should be added after this. Besides, we suggest you back it up and keep the backup stored in a safe place before doing any changes.

Restrict Admin Access from Your IP Only

Just as the basic function of .htaccess file, you can decide who can access to your admin folder by IP address. You need to go to to log into WordPress, from where you can access to any admin pages. So, to secure your WordPress, it’s important to protect your /wp-admin directory.

With .htaccess file, you can restrict the admin access from your IP address only, with which can stop brute force hackers as their IP address will get blocked by the server. The process is simple, and you can just copy the below codes and paste them into .htaccess file.


This snippet denies all accesses to the admin folder, with the exception of your IP address. However, if you have a dynamic IP, you might have to alter this file regularly otherwise you will be denied.

Limit Directory Browsing

As WordPress is now widely used by millions of users, and many developers know the structure of a WordPress installation. They can easily know where to discover what plugins you have used and find other information through your files. To combat this action, you can use .htaccess to prevent directory browsing.


Prevent Access to wp-content

The wp-content file includes all themes, plugins and images so that it is important to the WordPress installation. You can allow everyone to see images, CSS, etc, but limit access to the important PHP files.


Individual File Protection

Sometimes you may want to protect individual file instead of the whole folder. Adding the following snippet into .htaccess file, you can also easily make it.


The above code just takes the .htaccess file as an example. It throws a 403 error if anyone try to access to the .htaccess file. You can just replace the file name if you want to protect other files.

Protect .htaccess

As the above mentioned, we have done many things to protect plugins, themes, files, etc. However, the .htaccess is still opened. Actually, we can even use .htaccess file to protect itself. With the below snippet, you can stop anyone scan the files which begin with “hta”.


These methods can simply help you protect your website from bad users, brute force attack, and other issues. Of course, there are plenty of other things you can do to protect WordPress websites, such as installing the best security plugin, choosing a reliable WordPress hosting solution, learning some top tips, and so on.

Leave a Reply

Your email address will not be published. Required fields are marked *