How to Tighten WordPress Blog Security using .htaccess


WordPress is the best platform for bloggers. It is very easy to install and to extend with the many plugins available in the WordPress plugin directory. There are plenty of short tutorials on how to install WordPress, but none of them cover how to secure a WordPress blog.

The Internet is a great place to explore. There are lots of good people on the internet, but what about the bad ones? The bad ones are the people we call hackers. Simply having a blog invites hackers to break into it and damage it, so to keep your blog safe you have to secure your WordPress blog. There are several ways to do that; one of them is the .htaccess file.

What is .htaccess?

A .htaccess file lets you add extra configuration to your Apache server on a per-directory basis. You can lock down directories and block IP addresses to secure your WordPress blog.

Usually a .htaccess file already exists in your WordPress root directory, where WordPress uses it for permalinks.

Things you should do before editing .htaccess

  • Take a backup of your existing .htaccess file. If anything goes wrong, you can upload the backup.
  • Have a working FTP account. Don’t edit the .htaccess file directly from the WordPress dashboard: if you break it, the blog will show Error 500 and you will not be able to fix it from the dashboard.

After logging in with the FTP client, you will see a file named .htaccess in the root directory. Download it and save it on your computer.

If you can’t find a file named .htaccess, make sure your FTP client is configured to show hidden files.

Still can’t find the file?

Create a text file and name it “.htaccess”. Make sure to add the . (dot) at the beginning, then upload it to the root directory.

Let’s add some code to your .htaccess to secure your WordPress blog.

Disable Directory Browsing in WordPress

By default, every directory under your web root can be listed from a browser. This is an easy passive reconnaissance step for an attacker: anyone can see all the folders and files on your server, including your uploads, themes and plugins, which is bad for blog security. Disable directory browsing by adding the following code to your .htaccess file.

# Disable directory browsing
Options All -Indexes

Disable PHP Execution in Some WordPress Directories

Many people use nulled (pirated) themes or plugins on their blog. Using nulled files is not safe: you get premium software without paying a single penny, but remember that nobody works for free. The people who distribute nulled files often plant a backdoor, frequently in core files, to hack your blog later. So you should disable PHP execution in directories that should never run PHP, for example /wp-content/uploads/ and /wp-includes/, to secure your WordPress blog.

To disable PHP execution, create a blank .htaccess file, paste the following code into it, and upload it to each of the directories mentioned above.

# Deny direct requests to any .php file in this directory
<Files *.php>
deny from all
</Files>

Note: Don’t add this code to your root .htaccess; there it would block index.php and the rest of WordPress.

Protect Your WordPress Configuration wp-config.php File

This is the most important file in your WordPress installation. It sits in the WordPress root directory and contains sensitive information such as the database name and password. Protect it by adding the following code at the top of your root .htaccess file.

# Block every direct request to wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

Ban Suspicious IP Addresses

If you see unusual requests from an IP address, you can block that address using .htaccess.
Add the code below to your root .htaccess file:

<Limit GET POST>
order allow,deny
# 192.0.2.1 is a placeholder (documentation address); put the IP you want to block here
deny from 192.0.2.1
allow from all
</Limit>

Replace the placeholder address with the IP address you want to block.
That IP address will then be denied access to your website.

Protect .htaccess from everyone

To deny access to all .htaccess files (remember that some may reside in wp-admin and other folders), add the following code.

# Deny access to all .htaccess files
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

Setting up 301 Redirects

If you have moved content to a new URL, a 301 redirect is the most SEO-friendly way to tell users and search engines that the content has a new location. Put the following code in your .htaccess to redirect the old URL to the new one.

# The https://example.com/... targets are placeholders; replace them with the real new URLs
Redirect 301 /oldurl/ https://example.com/newurl/
Redirect 301 /category/tutorials/ https://example.com/tutorials/

Disable Image Hotlinking

If you run a website with many images, you should prevent other sites from hotlinking them.
Hotlinking means someone embeds images from your blog on another site by copying the image links, so your server pays the bandwidth for their pages and may slow down. Disable it by adding the following code to the root .htaccess.

#Disable image hotlinking
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
# Allow your own site (example.com is a placeholder)
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example\.com [NC]
# Allow your FeedBurner feed
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?feeds\.feedburner\.com/infophilic [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

Note: Replace example.com with your domain name and infophilic with your FeedBurner ID. Every other referrer is refused with a 403 (the F flag), and the empty-referrer check keeps direct visits and browsers that send no Referer working.
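The rules above live in several different files and are easy to lose in a later edit or a theme migration. As an added example that is not part of the original article, the following POSIX shell script audits a downloaded copy of a root .htaccess (and of a per-directory one) for the protections described in the sections above. It needs no Apache, and the sample .htaccess contents it writes are constructed for the demonstration. It also flags the Apache 2.2 Order/Deny syntax the article uses, which Apache 2.4 accepts only when mod_access_compat is loaded (its native form is Require all denied).

```shell
#!/bin/sh
# Added example, not part of the original article: audit .htaccess files for the
# protections described above without a running Apache. The sample .htaccess
# contents near the bottom are constructed for this demonstration.

# files_block_denies FILE PATTERN
# True when FILE has a <Files ...> block whose opening line matches PATTERN
# (a lower-case regex) and that block contains "deny from all" (Apache 2.2
# syntax, as used in the article) or "Require all denied" (Apache 2.4 syntax).
files_block_denies() {
    awk -v pat="$2" '
        { line = tolower($0) }
        line ~ "^[ \t]*<files" && line ~ pat { inblock = 1; next }
        inblock && line ~ "^[ \t]*</files>" { inblock = 0 }
        inblock && (line ~ "deny from all" || line ~ "require all denied") { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# audit_root_htaccess FILE
# Prints one line per missing protection and returns how many are missing
# (0 means every root protection from the article is present).
audit_root_htaccess() {
    f=$1
    _missing=0
    grep -Eiq '^[[:space:]]*Options[^#]*-Indexes' "$f" ||
        { echo "MISSING: directory browsing not disabled (Options -Indexes)"; _missing=$((_missing + 1)); }
    files_block_denies "$f" 'wp-config[.]php' ||
        { echo "MISSING: wp-config.php is not protected"; _missing=$((_missing + 1)); }
    # the article's pattern is ^.*\.([Hh][Tt][Aa]); "hh..tt..aa" matches its lower-cased form
    files_block_denies "$f" 'hta|hh..tt..aa' ||
        { echo "MISSING: .htaccess files are not protected"; _missing=$((_missing + 1)); }
    grep -Eiq 'RewriteRule.*(jpe?g|png|gif).*\[[^]]*F' "$f" ||
        { echo "MISSING: no hotlink-blocking RewriteRule with the F flag"; _missing=$((_missing + 1)); }
    return "$_missing"
}

# audit_upload_htaccess FILE
# True when FILE denies direct requests to .php files (for wp-content/uploads etc.).
audit_upload_htaccess() {
    files_block_denies "$1" '[.]php'
}

# uses_legacy_access_syntax FILE
# True when FILE relies on Apache 2.2 Order/Allow/Deny directives. Apache 2.4
# accepts them only with mod_access_compat loaded; without it they are invalid
# commands and the .htaccess produces a 500 error. The 2.4 form is "Require all denied".
uses_legacy_access_syntax() {
    grep -Eiq '^[[:space:]]*(order|allow from|deny from)[[:space:]]' "$1"
}

# --- constructed sample files for the demonstration ---
SAMPLE_DIR=$(mktemp -d)

# A root .htaccess carrying all the protections from the article
cat > "$SAMPLE_DIR/root_good.htaccess" <<'EOF'
Options All -Indexes
<files wp-config.php>
order allow,deny
deny from all
</files>
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
EOF

# The stock WordPress permalink rules only, with no hardening
cat > "$SAMPLE_DIR/root_bad.htaccess" <<'EOF'
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
EOF

# The per-directory file from the "Disable PHP Execution" section
cat > "$SAMPLE_DIR/uploads.htaccess" <<'EOF'
<Files *.php>
deny from all
</Files>
EOF

# SAMPLE_DIR is left in place for inspection; call cleanup_samples to delete it
cleanup_samples() { rm -rf "$SAMPLE_DIR"; }

# Usage: audit the constructed samples
for name in root_good root_bad; do
    echo "== $name.htaccess =="
    audit_root_htaccess "$SAMPLE_DIR/$name.htaccess" && echo "OK: all root protections present"
    uses_legacy_access_syntax "$SAMPLE_DIR/$name.htaccess" &&
        echo "NOTE: Apache 2.2 access syntax; needs mod_access_compat on Apache 2.4"
done
audit_upload_htaccess "$SAMPLE_DIR/uploads.htaccess" && echo "OK: uploads.htaccess blocks PHP"
```

To check your own site, download the .htaccess files over FTP as described earlier and call audit_root_htaccess and audit_upload_htaccess with those paths; the exit status is the number of missing protections, which makes the script easy to wire into a deployment check.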

That is how you can secure a WordPress blog with the .htaccess file. Need to edit .htaccess further? Read about 3 correct ways to edit the .htaccess file.
