Best .htaccess Snippets to Improve WordPress Security

By WP Saviour •  Updated: 06/22/21 •  9 min read

WordPress safety is likely one of the most undermined elements amongst novice bloggers. In an unsupervised WordPress set up, there are fairly a couple of potential vulnerabilities which can be left unattended. Many of the WordPress set up tutorials clarify a fast and straightforward option to deploy WordPress in minutes. However they miss out a couple of necessary safety elements. For instance, listing looking and utilizing the ‘admin’ username are thought-about severe safety loopholes. At this time we’re going to try 10 .htaccess code snippets which is able to assist enhance your WordPress weblog’s safety. Earlier than we get began, let’s take a fast look into what’s the htaccess file.

What’s the .htaccess file?

An htaccess file is an non-obligatory configuration file for the Apache internet server to interpret, for every listing. You possibly can retailer numerous settings in that file similar to: password defend a listing, block IPs, block a file or folder from public entry, and so on. Historically, the .htaccess file is current within the base WordPress set up listing. It shops the permalink construction by default.

TIP: Earlier than you begin with the tutorial, be certain to backup the present .htaccess file (if current) in a cloud storage service like Dropbox. That is to roll again to the final identified working .htaccess file, if a sure code snippet breaks your website. Let’s start.

1. Block Dangerous Bots


Among the finest makes use of of the .htaccess file is its capability to disclaim a number of IP addresses from accessing your website. That is helpful when blocking identified spammers and different origins of suspicious or malicious entry. The code is:

  order permit,deny deny from IP_ADDRESS_1 deny from IP_ADDRESS_2 permit from all 

The place IP_ADDRESS_1 is the primary IP you wish to forestall from accessing your website. You possibly can add as many IPs you need. It doesn’t matter what consumer brokers (browsers) 0these IP addresses use, they received’t have the ability to entry a single file out of your server. The webserver will routinely deny all entry.

2. Disable Listing Looking


This is likely one of the most undermined safety flaws in a WordPress website. By default, the Apache webserver allows listing looking. Because of this all recordsdata and folders inside the basis listing (typically referred to as the house listing) of the webserver is enlist in a position and accessible by a customer. You do not need that since you don’t need folks looking by way of your media uploads or your theme or plugin recordsdata.

If at random I choose 10 private or enterprise web sites working WordPress, 6-Eight of them received’t have listing looking disabled. This permits anybody to simply sniff across the wp-content/uploads folder or another listing which doesn’t have the default index.php file. In actual fact, the screenshot you see is from considered one of my consumer’s website, earlier than I beneficial the repair. Code snippet to disable listing looking:

Choices All -Indexes

3. Enable Solely Chosen Information from wp-content


As you recognize the wp-content folder incorporates probably the most your themes, plugins and all media uploads. You definitely don’t need folks to entry it with out restrictions. Along with disabling listing looking, you may as well deny entry of all file sorts, save a couple of. In essence, you’ll be able to selectively unblock recordsdata like JPG, PDF, DOCX, CSS, JS, and so on. and deny from the remainder. To do that, paste this code snippet in your .htaccess file:

Order deny,permit Deny from all  Enable from all 

You have to create a brand new .htaccess file with the code and paste it within the wp-content folder. Don’t place this within the base set up listing – else it received’t work. You may also add any file kind to the checklist by appending a ‘|’ after ‘rar’. The above checklist incorporates the required recordsdata – XML, CSS and JavaScript, frequent picture and doc codecs and eventually the most-used archive codecs.

4. Limit All Entry to wp-includes


The wp-includes folder incorporates solely the recordsdata which can be strictly essential to run the core model of WordPress – one with none plugins or themes. Bear in mind, the default theme nonetheless resides within the wp-content/theme listing. Thus, no customer (together with you) ought to require entry to content material of the wp-include folder. You possibly can disable entry utilizing this following code snippet:

 RewriteEngine On RewriteBase / RewriteRule ^wp-admin/consists of/ - [F,L] RewriteRule !^wp-consists of/ - [S=3] RewriteRule ^wp-consists of/[^/]+.php$ - [F,L] RewriteRule ^wp-consists of/js/tinymce/langs/.+.php - [F,L] RewriteRule ^wp-consists of/theme-compat/ - [F,L] 

5. Enable solely Chosen IP Addresses to Entry wp-admin


The wp-admin folder incorporates the recordsdata required to run the WordPress dashboard. Usually, your guests don’t want entry to the WordPress dashboard, except they wish to register an account. safety measure is to allow just a few chosen IP addresses to entry the wp-admin folder. You possibly can permit the IPs of the individuals who want entry to the WordPress dashboard – editors, contributors and different admins. This code snippet permits solely fastened IPs to entry the wp-admin folder and denies entry to the remainder of the world.

 order deny,permit deny from all permit from 302.143.54.102 permit from IP_ADDRESS_2 

Just be sure you create a brand new .htaccess file and paste it within the wp-admin folder and never the bottom set up listing. If it’s the latter, nobody besides it is possible for you to to browse you website – not even engines like google! You definitely don’t need that. A few downfalls of this measure is as follows:

Fortunately, all these disadvantages (save the primary one), may be rectified by utilizing a VPN. In case you set your VPN to attach utilizing solely a single IP tackle, then you’ll be able to simply add it to your htaccess file, and all of your issues will likely be solved.

6. Shield wp-config.php and .htaccess from everybody


The wp-config.php file incorporates probably the most delicate entry credentials of your WordPress website. It incorporates the database title and entry credentials and numerous different important knowledge, amongst different settings. By no means would you like different folks wanting into this file. And naturally, you wish to disable public entry to the supply of all this safety – the .htaccess file itself. You possibly can disable entry to wp-config.php with this following code:

 order permit,deny deny from all 

To disclaim entry to all htaccess recordsdata (keep in mind some might reside within the wp-admin and different folders), use this code snippet:

 order permit,deny deny from all fulfill all 

7. Deny Picture Hotlinking


One of many coolest .htaccess file hacks, this one sends content material scrapers working with their tail between their legs. When somebody makes use of your website’s picture, your bandwidth is being consumed and more often than not, you’re not even credited for it. This code snippet eliminates that downside and sends this picture when a hotlink is detected.

RewriteEngine on RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)? [NC] RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)? [NC] RewriteRule .(jpg|jpeg|png|gif)$ [NC,R,L]

8. Allow Browser Caching


Often known as client-side caching, this .htaccess hack with allow the beneficial browser caching choices to your WordPress website. You would additionally use it in different initiatives – HTML websites, and so on.

 ExpiresActive On ExpiresByType picture/jpg "entry 1 yr" ExpiresByType picture/jpeg "entry 1 yr" ExpiresByType picture/gif "entry 1 yr" ExpiresByType picture/png "entry 1 yr" ExpiresByType textual content/css "entry 1 month" ExpiresByType utility/pdf "entry 1 month" ExpiresByType textual content/x-javascript "entry 1 month" ExpiresByType utility/x-shockwave-flash "entry 1 month" ExpiresByType picture/x-icon "entry 1 yr" ExpiresDefault "entry 2 days" 

9. Redirect to a Upkeep web page


Whenever you’re migrating webhosts or performing some upkeep job, it’s at all times beneficial to create a static “down for upkeep” HTML file to tell your guests that the web site is present process an improve or upkeep operation. Merely create a upkeep.html file (or another filename) and add it to the bottom WordPress set up listing. Paste the next snippet in your .htaccess file. As soon as the operation is over, be certain to delete or remark out these traces to return to total operation. You possibly can remark out by appending a ‘#’ in the beginning of every line.

RewriteEngine on RewriteCond %{REQUEST_URI} !/upkeep.html$ RewriteCond %{REMOTE_ADDR} !^ RewriteRule $ /upkeep.html [R=302,L] 

10. Customized Error Pages


You may also the .htaccess file to configure user-friendly customized error pages for errors similar to 403, 404 and 500. After you have ready your error web page – let’s say error.html, add it to your base WordPress set up listing. Then add the next code snippet to your .htaccess file to allow the customized error web page:

ErrorDocument 404 /error.html ErrorDocument 403 /error.html ErrorDocument 500 /error.html


At this time we’ve learnt among the coolest htaccess hacks to strengthen your WordPress website. I might counsel you to check out every module one after the other whereas taking a backup of the .htaccess file earlier than and after testing every module. It is because the .htaccess file could be very important. A lacking ‘#’ character or misplaced ‘’ might destroy your website’s integrity. In case you entry your WordPress dashboard often on-the-go, it’s beneficial to not allow selective IPs to your wp-admin folder.

gp-5521538 as-3016333

WP Saviour

I am a WordPress specialist. My mission is to help you create beautiful websites with ease!