How to Tighten WordPress Blog Security using .htaccess

WordPress is the best platform for bloggers. It is very easy to install and modify using multiple plugins that are available in the WordPress plugins directory. There are various short tutorials available on how to install WordPress but none of them covers the topic to secure WordPress blog.

The Internet is the best place to explore, as we know there are lots of good people available on the internet, but what about the bad ones? Bad people are those we termed as hackers. Having blog automatically invites hackers to break your blog and harm your blog. So to keep your blog safe you have to secure your WordPress blog. There are multiple solutions available to secure your blog, one of them is using .htaccess file.

What is .htaccess?

A .htaccess file allows you to add additional configuration to your apache server. You can lock multiple directories block IPs to secure WordPress blog.

Generally, .htaccess file is available in your WordPress root directory which is useful for the permalinks.

Things you should do before editing .htaccess

  • Take a backup of your existing .htaccess file. If anything goes wrong you can upload a backup file.
  • You must have working FTP account. Don’t edit .htaccess file directly from the WordPress dashboard. If you broke with the blog you will see Error 500 and you will not able to edit it from the dashboard.

After login with the FTP client, you will see a file named as .htaccess in the root directory. Download it and save it on your computer.

If you can’t find any file named as .htaccess, make sure your FTP client is configured for showing hidden files.

Still not find the file?

Create one text file and name it “.htaccess“. Make sure to add . (dot) at the beginning and upload it to the root directory.

Let’s add some code to your .htaccess to secure WordPress blog.

Disable Directory Browsing in WordPress

By default, you can access your all root directories from the browser. It’s like a passive attack by hackers on your blog. It allows the user to see all the folders and files on your server.  This is bad for the blog security. One can easily get access to your upload directory, themes, and plugins. So  you can disable directory browsing by adding following code in your .htaccess file.

# Disable directory browsing
Options All -Indexes

Disable PHP Execution in Some WordPress Directories

Most of the people use nulled themes or plugins on their blog. Using nulled stuff is not safe. We use the nulled file as we get premium stuff without paying a single penny. But, remember no one has time to work free for you. Many time they use the backdoor to hack your blog, especially in core files. So you must disable PHP execution in some directories for example /wp-content/uploads/ and /wp-includes/ directories to secure WordPress blog.

To disable PHP Execution create blank .htaccess file and paste the following code in it and upload it to above-mentioned directories.

<Files *.php>
deny from all

Note: Don’t add this code in your root .htaccess 

Protect Your WordPress Configuration wp-config.php File

It is the most important file in your WordPress directory. It’s located in the WordPress root directory. It contains all the important information like database name and passwords. So you should protect this file to secure WordPress blog. To do so, just add the following code in your root .htaccess file (at the top).

<files wp-config.php>
order allow,deny
deny from all

Ban Suspicious IP Addresses

If you seeing unusual requests from an IP address, you can block an IP address using .htaccess.
To block, simply add the bellow code in your root .htaccess directory

<Limit GET POST>
order allow,deny
deny from
allow from all

Don’t forget to replace with the IP address you want to block.
This will block added IP address from accessing your website.

Protect .htaccess from everyone

To deny access to all .htaccess files (remember some may reside in the wp-admin and other folders), add the following code.

# Deny access to all .htaccess files
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all

Setting up 301 Redirects

If you have moved any content to new URL. 301 redirection is the most SEO friendly way to tell users a content has moved to a new location. Just put the following code in your .htaccess to redirect the user to new URL.

Redirect 301 /oldurl/
Redirect 301 /category/tutorials/

Disable Image Hotlinking

If you running a website having more images, you need to prevent the hotlinking images from your blog.
When someone uses images from your blog by copying links, it is known as image hotlinking. Hotlinking may slow down your server. So you need to disable it by adding following code in the root .htaccess.

#Disable image hotlinking
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]

Note: Replace with your domain name and infophilic with feedburner ID.

So this is how you can secure WordPress blog with .htaccess file. Need further need to edit .htaccess file? Read about 3 Correct ways to edit .htaccess file.

Amit Malewar
Amit Malewar has been the tutorial writer since 2013. His passion for helping people in all aspects of technology flow through in the expert coverage he provides. In addition to writing for InfoPhilic, Amit loves to read and try new things.


Subscribe to our newsletter

To be updated with all the latest news, offers and special announcements.


Please enter your comment!
Please enter your name here