
How to Tighten WordPress Blog Security using .htaccess

WordPress is the best platform for bloggers. It is very easy to install and to extend with the many plugins available in the WordPress plugin directory. There are plenty of short tutorials on how to install WordPress, but few of them cover how to secure a WordPress blog.

The Internet is a great place to explore, and there are lots of good people on it, but what about the bad ones? The bad ones are the people we call hackers. Having a blog automatically invites hackers to break into it and do harm, so to keep your blog safe you have to secure your WordPress installation. There are several ways to do that; one of them is the .htaccess file.

What is .htaccess?

A .htaccess file allows you to add per-directory configuration to your Apache server without touching the main server config. With it you can lock down directories and block IP addresses to secure your WordPress blog.

Generally, a .htaccess file is already present in your WordPress root directory, where WordPress uses it for permalinks.

Things you should do before editing .htaccess

  • Take a backup of your existing .htaccess file. If anything goes wrong, you can upload the backup copy.
  • You must have a working FTP account. Don’t edit the .htaccess file directly from the WordPress dashboard: if you break the file, the whole blog returns Error 500 and you will no longer be able to reach the dashboard to fix it.
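Before uploading an edited .htaccess, it is worth checking offline that every container directive (`<Files>`, `<Limit>`, `<IfModule>`, and so on) has its closing tag, because a missing close is exactly the kind of mistake that makes Apache reject the file and serve Error 500 for the whole site. This is an added example, not code from the original post; `check_htaccess` is a name chosen here and the script needs only POSIX sh and awk.

```bash
#!/bin/sh
# check_htaccess FILE -> exit 0 if every container directive is closed and properly
# nested, 1 if not, 2 if the file cannot be read.
# Apache container names are case-insensitive, so <files ...> may be closed by </Files>.
check_htaccess() {
  file=$1
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  awk '
    # Drop comment lines so a commented-out tag is not counted.
    { sub(/^[ \t]*#.*/, "") }
    # Only lines that start with an opening or closing tag are of interest.
    /^[ \t]*<\/?[A-Za-z]+/ {
      line = tolower($0)
      if (match(line, /^[ \t]*<\/[a-z]+>/)) {
        # Closing tag: it must match the most recently opened container.
        name = line; sub(/^[ \t]*<\//, "", name); sub(/>.*/, "", name)
        if (depth == 0 || stack[depth] != name) { bad = 1; exit }
        depth--
      } else if (match(line, /^[ \t]*<[a-z]+/)) {
        # Opening tag: push its name (the part before any space or ">").
        name = line; sub(/^[ \t]*</, "", name); sub(/[ \t>].*/, "", name)
        stack[++depth] = name
      }
    }
    # Anything still open at the end is an unclosed container.
    END { if (bad || depth > 0) exit 1 }
  ' "$file"
}
```

Run it as `check_htaccess .htaccess` on the downloaded copy; a non-zero exit means do not upload the file yet.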

After logging in with the FTP client, you will see a file named .htaccess in the root directory. Download it and save it on your computer.


If you can’t find a file named .htaccess, make sure your FTP client is configured to show hidden files.

Still can’t find the file?

Create an empty text file and name it ".htaccess". Make sure to put the . (dot) at the beginning of the name, then upload it to the root directory.

Let’s add some code to your .htaccess to secure WordPress blog.

Disable Directory Browsing in WordPress

By default, anyone can list the contents of your directories from a browser. This is a passive way for attackers to learn about your blog: it lets a visitor see every folder and file on your server, which is bad for security because it exposes your uploads, themes, and plugins. You can disable directory browsing by adding the following code to your .htaccess file.

# Disable directory browsing
Options All -Indexes

Disable PHP Execution in Some WordPress Directories

Many people use nulled themes or plugins on their blog. Using nulled files is not safe. We use them because we get premium stuff without paying a penny, but remember that nobody works for free: very often a backdoor is planted in the files, especially in core files, and later used to hack your blog. So you should disable PHP execution in directories that should never run PHP, for example /wp-content/uploads/ and /wp-includes/.

To disable PHP execution, create a blank .htaccess file, paste the following code into it, and upload it to each of the directories mentioned above.

# Refuse to serve any .php file in this directory
# (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied")
<Files *.php>
    deny from all
</Files>

Note: Don’t add this code in your root .htaccess
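The following script deploys that "no PHP here" file into the directories named above, taking the backup the earlier section asks for first and writing a version that works on both Apache 2.2 and 2.4 (plain `deny from all` is rejected by Apache 2.4 unless mod_access_compat is loaded, which would itself produce Error 500). This is an added example, not code from the original post; `deploy_deny_php` is a name chosen here.

```bash
#!/bin/sh
# Content written into each target directory's .htaccess: Apache 2.4 "Require" syntax
# with a 2.2 "Order/Deny" fallback, so the same file is valid on either version.
DENY_PHP_HTACCESS='# Block direct execution of PHP files in this directory
<Files *.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>'

# deploy_deny_php WP_ROOT SUBDIR... -> writes the block into WP_ROOT/SUBDIR/.htaccess for
# each subdirectory and prints how many directories were handled.
deploy_deny_php() {
  root=$1; shift
  count=0
  for sub in "$@"; do
    # Never write this into the WordPress root: it would block wp-login.php and every
    # other PHP entry point of the site.
    case "$sub" in
      ""|.|./|/) echo "refusing to touch the root .htaccess" >&2; continue ;;
    esac
    dir="$root/$sub"
    [ -d "$dir" ] || { echo "skipping missing directory $dir" >&2; continue; }
    target="$dir/.htaccess"
    # Keep a timestamped copy of any existing file so it can be restored over FTP.
    if [ -f "$target" ]; then
      cp -p "$target" "$target.bak.$(date +%Y%m%d%H%M%S)"
    fi
    printf '%s\n' "$DENY_PHP_HTACCESS" > "$target"
    count=$((count + 1))
  done
  echo "$count"
}
```

Typical use on a local copy of the site: `deploy_deny_php /path/to/wordpress wp-content/uploads wp-includes`, then upload the generated files.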

Protect Your WordPress Configuration wp-config.php File

wp-config.php is the most important file in your WordPress installation. It lives in the WordPress root directory and contains sensitive settings such as the database name and password, so it must be protected. To do so, add the following code at the top of your root .htaccess file.

# Never serve wp-config.php directly
# (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied")
<files wp-config.php>
    order allow,deny
    deny from all
</files>

Ban Suspicious IP Addresses

If you see unusual requests coming from an IP address, you can block that address using .htaccess.
To block it, simply add the code below to your root .htaccess file.

# Only the listed methods (GET and POST) are covered by this Limit block
<Limit GET POST>
    order allow,deny
    # 192.0.2.10 is a placeholder from the documentation address range;
    # replace it with the address you want to block (one "deny from" line per address)
    deny from 192.0.2.10
    allow from all
</Limit>

Don’t forget to replace the placeholder with the IP address you want to block.
This will prevent the listed IP addresses from accessing your website.

Protect .htaccess from everyone

To deny access to all .htaccess files (remember some may reside in the wp-admin and other folders), add the following code.

# Deny access to all .htaccess files (the pattern matches .hta, .htaccess, .htpasswd, ...)
# (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied")
<files ~ "^.*\.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
    satisfy all
</files>

Setting up 301 Redirects

If you have moved content to a new URL, a 301 redirect is the most SEO-friendly way to tell users and search engines that the content has moved permanently. Just put the following code in your .htaccess to send visitors of the old URL to the new one.

# Redirect 301 <old path> <new URL>; example.com and the target paths are placeholders
Redirect 301 /oldurl/ https://example.com/newurl/
Redirect 301 /category/tutorials/ https://example.com/tutorials/

Disable Image Hotlinking

If you run a website with many images, you should prevent other sites from hotlinking images from your blog.
Image hotlinking is when someone embeds images from your blog on their own site by copying the image links, so every view of their page is served from your server. Hotlinking wastes bandwidth and can slow down your server, so disable it by adding the following code to the root .htaccess.

#Disable image hotlinking
RewriteEngine on
# Requests without a referer (direct visits, some browsers and proxies) are always allowed
RewriteCond %{HTTP_REFERER} !^$
# example.com is a placeholder for your own domain
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example\.com [NC]
# feeds.example.com is a placeholder for your FeedBurner feed address
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?feeds\.example\.com [NC]
# add one line like this for every other site allowed to embed your images
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?other-allowed-site\.example [NC]
# All conditions above must hold for an image request to be refused with 403 Forbidden
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

Note: Replace the placeholder domains with your own domain name and with your FeedBurner feed address (which contains your FeedBurner ID).

So this is how you can secure a WordPress blog with the .htaccess file. Need to edit .htaccess further? Read about 3 Correct ways to edit .htaccess file.

Amit Malewar
Amit Malewar has been the tutorial writer since 2013. His passion for helping people in all aspects of technology flow through the expert coverage he provides. In addition to writing for InfoPhilic, Amit loves to read and try new things.
