
.htaccess codes to secure your WordPress site


As WordPress is now so popular, many people know the structure of a WordPress install and know where to look to discover which plug-ins you use, or to find other files that give away too much information about your site.

Why should you use the .htaccess file to secure your WordPress site? The answer is very simple – .htaccess files are processed before any other code on your website. In other words, if you can stop hackers injecting malicious scripts before those scripts even have a chance to reach the PHP code in WordPress, you’re doing a good job.

Ehr, .. the .htaccess File? WTF?

The .htaccess file is a configuration file for use on web servers running the Apache Web Server software. When a .htaccess file is placed in a directory which is in turn “loaded via the Apache Web Server”, then the .htaccess file is detected and executed by the Apache Web Server software.

But before I begin, as always, a word of warning ..

Note: it might be a good idea to make a backup of your .htaccess first. If the shit hits the fan, you can always replace the ‘new’ .htaccess with the original one. The .htaccess can lock you out of your domain (including tools like FTP and cPanel) so make sure that you know what you are doing.

First protect the .htaccess file!

First thing you want to do, before spending some time protecting your site, is to lock the .htaccess file itself! The following hack prevents external access to any file starting with “.hta”

<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

Better still, you can rename the .htaccess to any other name you like:

# rename htaccess files
AccessFileName ht.access

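In the last example the file “.htaccess” has been renamed to “ht.access”. Note that AccessFileName is only accepted in the main server or virtual host configuration, not inside a .htaccess file, so you need access to the Apache configuration to use it. The <Files> rule above also has to be adjusted, because its pattern does not match the new name.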

Protect wp-config.php

The wp-config.php file in your WordPress installation contains some really important secrets, like the database name, database username and password, so you don’t want this file to fall into the wrong hands. In your .htaccess add the following to prevent any access to the wp-config.php file:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

No directory browsing

Typically a server is set up to prevent directory listing, but sometimes it is not. If yours is not, you will have to become self-sufficient and fix the problem with htaccess:

You can put in a minus sign (in front of ‘Indexes’) to prevent directory listing entirely. This is typical of most server setups and is usually configured elsewhere in the apache server, but can be overridden through the use of htaccess.

# directory browsing
# (Apache 2.4 rejects a line that mixes signed and unsigned options, such as "Options All -Indexes")
Options -Indexes

If your server is set up to prevent directory listing and you want your directories to be listed then you could simply put this into the htaccess file (put a plus sign instead of the minus sign):

# directory browsing
Options +Indexes

What if you wanted the directory contents to be listed, but only the HTML pages and not the images?

# directory browsing
IndexIgnore *.gif *.jpg

This would return a list of all the files except those specified in the above example.

Blocking IP Addresses

If you know of an IP address that is causing problems on your site, you can block it with the code below:

<Limit GET>
order allow,deny
deny from xxx.xxx.xxx.
deny from yyy.yyy.yyy.yyy
allow from all
</Limit>

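This is an example of a .htaccess file that will block access to your site to anyone who is coming from any IP address beginning with xxx.xxx.xxx and from the specific IP address yyy.yyy.yyy.yyy. Because the rules sit inside <Limit GET>, they apply only to GET (and HEAD) requests; leave out the <Limit GET> wrapper to cover every request method.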

By specifying only part of an IP address, and ending the partial IP address with a period, all sub-addresses coming from the specified IP address block will be blocked.

Admin access from your IP only

As mentioned above you can limit who can access your admin folder by IP address. The following snippet denies access to the admin folder for everyone, with the exception of your own IP address, but please note if you have a dynamic IP, you might have to regularly alter this file otherwise you will be denied access yourself!

order deny,allow
allow from yyy.yyy.yyy.yyy
deny from all

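Of course you’ll need to replace yyy.yyy.yyy.yyy with your IP address. Put this snippet in a .htaccess file inside the wp-admin folder; in the .htaccess of your site root it would lock every other visitor out of the whole site.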
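
The IP blocklist and the admin-only snippet use opposite Order lines, and that is what makes one default to "allow" and the other to "deny". The following Python model of those two snippets is an added example, not part of the original article; it handles full and partial IPv4 addresses only, and the function names and the documentation-range sample addresses are made up for illustration.

```python
def matches(spec, ip):
    """True if an Allow/Deny host spec covers ip (full or partial IPv4 only)."""
    if spec == "all":
        return True
    if spec.count(".") == 3 and not spec.endswith("."):
        return ip == spec                      # full address: exact match
    prefix = spec if spec.endswith(".") else spec + "."
    return ip.startswith(prefix)               # partial address: leading octets

def allowed(order, directives, ip):
    """Apply the Order semantics to a list of (kind, spec) directives."""
    allow = any(matches(s, ip) for kind, s in directives if kind == "allow")
    deny = any(matches(s, ip) for kind, s in directives if kind == "deny")
    if order == "allow,deny":
        return allow and not deny     # needs an Allow match and no Deny match
    if order == "deny,allow":
        return allow or not deny      # a Deny holds unless an Allow matches
    raise ValueError(f"unknown Order: {order}")

# The two snippets above, with constructed documentation-range addresses
# standing in for the xxx/yyy placeholders.
BLOCKLIST = ("allow,deny", [("deny", "192.0.2."), ("deny", "198.51.100.7"),
                            ("allow", "all")])
ADMIN_ONLY = ("deny,allow", [("allow", "203.0.113.10"), ("deny", "all")])

if __name__ == "__main__":
    for ip in ("192.0.2.55", "198.51.100.7", "198.51.100.8", "203.0.113.10"):
        print(ip, "blocklist:", allowed(*BLOCKLIST, ip),
              "admin-only:", allowed(*ADMIN_ONLY, ip))
```
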

Disable the server signature

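Server signatures contain valuable information about installed software and can be read (and exploited) by worms and hackers. This code snippet removes the signature line from server-generated pages such as error pages and directory listings. The Server response header is controlled separately by ServerTokens, which can only be set in the main server configuration.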

# BEGIN Disable the server signature
  ServerSignature Off
# END Disable the server signature

Disable Hotlinking of images with a custom warning image

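Do you hate it when someone uses your bandwidth by hijacking your image URLs for their own site? Then this is the solution for you. Add this to your .htaccess file, create a warning image/message ‘get-your-own.jpg’ and upload it to the first level of your site’s root folder.

# BEGIN Disable hotlinking of images with warning message
  RewriteEngine on
  # allow requests with an empty referer (direct visits, privacy tools)
  RewriteCond %{HTTP_REFERER} !^$
  # allow requests referred from your own site, over http or https
  RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com/ [NC]
  # never rewrite the warning image itself, or the redirect loops
  RewriteCond %{REQUEST_URI} !/get-your-own\.jpg$
  # option 1: answer with 403 Forbidden instead of a warning image
  #RewriteRule \.(gif|jpg)$ - [F]
  # option 2: send hotlinkers the warning image
  RewriteRule \.(gif|jpg)$ http://www.yourdomain.com/get-your-own.jpg [R,L]
# END Disable hotlinking of images with warning message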

Note: yourdomain.com must be replaced with your blog’s URL (without www). Also, http://yourdomain.com/get-your-own.jpg is the URL of the image you want to display on the website which is hotlinking to your images.

Stop SPAM comments

Like hotlinkers, spammers are notorious for using up your site’s resources. There are a number of ways to identify a potential spammer; one of them is to detect requests with ‘no referrer’ (spammers use bots to post comments on blogs).

# BEGIN Protect from spam comments
  RewriteEngine On
  # only look at requests for the comment handler
  RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
  # ... whose referer is not your own site, or whose user agent is empty
  RewriteCond %{HTTP_REFERER} !.*yourdomain\.com.* [OR]
  RewriteCond %{HTTP_USER_AGENT} ^$
  # send the request back to the address it came from
  RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]
# END Protect from spam comments

Don’t forget to replace yourdomain.com with your blog’s URL (without www).

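Protect your WordPress blog from script injection

Adding the following code protects your blog from script injection through the URL and from attempts to modify the PHP GLOBALS and _REQUEST variables. The rules inspect only the query string, so data sent in a request body is not checked.

Options +FollowSymLinks
RewriteEngine On
# a <script> tag in the query string, raw or URL-encoded
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# attempts to set PHP GLOBALS or _REQUEST through the query string
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# answer matching requests with 403 Forbidden
RewriteRule ^(.*)$ index.php [F,L]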
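
How mod_rewrite groups the conditions in the spam-comment and script-injection rules, as an added example that is not part of the original article: a small Python model of the two RewriteCond chains (patterns follow the article's rules, with literal dots escaped), run over constructed requests. It models only the [NC] and [OR] flags and a leading "!"; the rule-set names, the helper functions and the sample requests are made up for illustration.

```python
import re

def chain_matches(conds, request):
    """Evaluate (variable, pattern, flags) conditions the way mod_rewrite
    groups them: ANDed, except that one flagged OR is ORed with the next."""
    group_hit = False
    for var, pattern, flags in conds:
        negate = pattern.startswith("!")
        rx = re.compile(pattern.lstrip("!"), re.I if "NC" in flags else 0)
        hit = bool(rx.search(request.get(var, ""))) != negate
        group_hit = group_hit or hit
        if "OR" not in flags:            # this condition closes the OR-group
            if not group_hit:
                return False
            group_hit = False
    return True

RULES = {   # rule-set names are made up for this example
    "spam-comment": [
        ("REQUEST_URI", r"/wp-comments-post\.php$", ""),
        ("HTTP_REFERER", r"!.*yourdomain\.com.*", "OR"),
        ("HTTP_USER_AGENT", r"^$", ""),
    ],
    "script-injection": [
        ("QUERY_STRING", r"(\<|%3C).*script.*(\>|%3E)", "NC,OR"),
        ("QUERY_STRING", r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", "OR"),
        ("QUERY_STRING", r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", ""),
    ],
}

def blocked_by(request):
    """Names of the rule sets whose RewriteRule would fire for this request."""
    return [name for name, conds in RULES.items() if chain_matches(conds, request)]

def req(uri, referer="", agent="Mozilla/5.0", query=""):
    return {"REQUEST_URI": uri, "HTTP_REFERER": referer,
            "HTTP_USER_AGENT": agent, "QUERY_STRING": query}

SAMPLES = {   # constructed requests, not taken from a real log
    "reader comment": req("/wp-comments-post.php", "http://yourdomain.com/a-post/"),
    "comment, no referer": req("/wp-comments-post.php"),
    "page view, empty agent": req("/index.php", agent=""),
    "tag in query string": req("/index.php", query="s=%3Cscript%3Ex%3C/script%3E"),
    "same text in a POST body": req("/index.php"),
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(f"{label:26} -> {blocked_by(request) or 'passes'}")
```

The "page view, empty agent" sample passes because the comment-handler condition is ANDed with the OR-group that follows it. The last sample passes because text sent in a request body never reaches QUERY_STRING, so this filter cannot stand in for input validation in the application.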

– § –

This list of snippets is by no means exhaustive; there are a number of other things you can do to protect your site via .htaccess. If you think I forgot an important .htaccess snippet, I hope you’ll let us know in the comments.


Author: Jan Rajtoral

Jan Rajtoral AKA Gonzo the Great is the Founder of and Designer at gonzodesign, providing design services across the full spectrum of Brand Identity, Graphic Design, Print and Advertising Design & Website Design.


on this article: “.htaccess codes to secure your WordPress site”
  1. Gonna try some of these out. I guess there is no such thing as ‘too secure’ on the www.
    I do wonder, however, with the WP constant efforts to secure the system and keep up with the ‘bad guys’, are these kinds of hacks still as relevant as they used to be?

    • Hi Caparico,

      .. thanks for your comment! A lot of these snippets are meant to secure your WP site if your host doesn’t have built-in security in an Apache environment (most hosts have this). The problem is that hackers are always smarter than the WP developers, so using these makes your site extra safe! Have a great weekend, cheers & ciao!