The Best Use of the .htaccess File For Your WordPress Website Security

htaccess file for your wordpress website security

For a WordPress user, it’s important to know the importance of the .htaccess file. It’s one of the most important files present in the WordPress directory. Do you know the best use of the .htaccess file for your WordPress website security?

No doubt that people are so scared when it comes to the security of their websites. Most of the WordPress users don’t have any technical knowledge.

That’s the reason hackers easily hack their websites. In this tutorial, you will learn to harden the security of your blog with the .htaccess file.

This file is not used only for the security purpose, there are many other concepts which can be applied. You will learn about those too.

Start Protecting Your WordPress Website With the .htaccess file

Before I start explaining all the steps, I just want to make it clear as if you know about the location of this file.

Do you know how to edit the .htaccess file?

You can access it from the cPanel of your web hosting account. Just navigate to Files>>file manager>>public_html and you can search for the .htaccess file.

It’s not a big deal, you can easily find it somewhere between all the other WordPress files and folders.

There are a few things you can do with this file.

#1. Disable Directory Browsing

If you don’t know then let me tell you that if you haven’t disabled the directory browsing of your website, anyone can sneak into those directories.

To stop this, you have to add a code in the .htaccess file so that whenever someone tries to access any WordPress directory, he/she gets a 403 forbidden error.

#Disable Directory Browsing

Options All -Indexes

Add this code and save the file. This code will disable directory browsing.

#2. Protect the WordPress Admin Area

Your admin area is where you handle your WordPress website. I am sure, you wouldn’t like if someone exploits this area to hack your whole website.

The good news is that you can protect your WordPress admin folder using the .htaccess file. It can be done by blocking all the IP addresses expect yours.

#Limit Login Only For One IP
order deny,allow
deny from all
allow from

I have mentioned an example of an IP address in the code. You have to replace that with the IP address of your internet connection.

You can also whitelist multiple IP addresses by adding another line below the IP mentioned.

#3. Protect the WP-CONTENT Folder

As you know, all the plugins, themes and website data is present in the wp-content folder. It’s very important to secure this folder.

You can protect the wp-content folder by mentioning only the specific files to run on your WordPress website.

No unidentified file format will work after adding the code in the .htaccess file.

Order deny,allow
Deny from all
<Files ~ “.(xml|css|jpe?g|png|gif|js)$”>
Allow from all

NOTE: You have to create a new .htaccess file and save it in the wp-content folder only. Don’t get it confused with the main .htaccess file.

#4. Block Bad Bots

You may have noticed the same IP address dropping spam commenting or trying to login. It can be found out using the security plugin you use.

For the spam comments, you can easily find it manually.

To block bad bots from your WordPress website, you have to block those IP addresses. This is one of the best uses of the .htaccess file for your WordPress website security.

Save the file and the IP user mentioned in the code will not able to access your website.

#5. Protect the WP-INCLUDES Folder

You should know that there are some specific scripts present in the wp-includes folder which shouldn’t be accessed by anyone.

If hackers inject any script to run on your website, your website will go down. To stop this, you should block the users to inject any extra script in this folder.

To protect the wp-includes folder, you have top add a code snippet in the .htaccess file.

#Block the include-only files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ – [F,L]
RewriteRule !^wp-includes/ – [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ – [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php – [F,L]
RewriteRule ^wp-includes/theme-compat/ – [F,L]

Save the file and you’re all set.

#6. Disable PHP Execution

You all know that WordPress core, its themes, and plugins are developed of the PHP coding. It means anyone can exploit those by injecting a malicious PHP code.

The best solution is to disable PHP execution so that hackers can’t able to access any PHP code of your website.

<Files * .php>

deny from all


Add this code in the .htaccess file and save it.

#7. Protect the wp-config.php File

This file is the reason your WordPress website is communicating with the database. It’s very important to add a security layer.

If you’re running a muli-author website then it’s an essential step to take. You have to block the access to this file.

You can protect WordPress configuration wp-config.php file easily just like all the others. Just add the code shown below.

#Protect wp-config.php File<Files wp-config.php>

order allow,deny

deny from all


Save the file and it’s done.

#8. Create Custom Error Pages

On a WordPress, you can see the different type of errors like 404 error, 500 error, 403 error etc. Do you know that you can create a custom error page for all these errors?

It can be done by designing an HTML file and upload it to the WordPress directory. Then adding the code in the .htaccess file would do all the work.

Afterward, whenever you readers get an error, they wouldn’t see the default error page. A new and creative page would appear to them.

#9. Prevent Image Hotlinking

This is one of the worst things anyone can do to your website. People steal the images and the bandwidth of your web hosting.

They will copy the original link of the images and whenever someone visits their website, the images get loaded from your server.

This is called image hotlinking. You can prevent image hotlinking by adding a code in the .htaccess file so that only you can show those images.

No one else would able to use your images. There will appear a 403 forbidden error message instead of the images.

# Disable image hotlinking
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]

Place the URL of your website instead of

Google will index your images but this code will block other users to use your images.

#10. Enable Browser Caching

You can use the .htaccess file for your WordPress website security in many ways but when it comes to the user experience, you should enable browser caching.

You may have seen this option in the caching plugin you use. It’s the client-side caching. The browser caches the static file and images of the website they visit.

If you enable it for your website, your readers will have a better experience because when they visit your website after visiting once, their browser caches your website data which will be used the next time they visit.

It depends on you whether you want to cache that data for a year or for a month. Depending on the type of files you can choose.

Add the code in the .htaccess file.

<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg “access 1 year”
ExpiresByType image/jpeg “access 1 year”
ExpiresByType image/gif “access 1 year”
ExpiresByType image/png “access 1 year”
ExpiresByType text/css “access 1 month”
ExpiresByType text/html “access 1 month”
ExpiresByType application/pdf “access 1 month”
ExpiresByType text/x-javascript “access 1 month”
ExpiresByType application/x-shockwave-flash “access 1 month”
ExpiresByType image/x-icon “access 1 year”
ExpiresDefault “access 1 month”

Save it and it’s all set.

#11. Protect the .htaccess File

No doubt that hackers can inject the malicious code in the .htaccess file too. Which means, all the codes added in this will wouldn’t work.

So it’s kind of sensitive issue here. You should protect the .htaccess file from unauthorized access.

Add the code in the file.

<files ~ “^.*\.([Hh][Tt][Aa])”>
order allow,deny
deny from all
satisfy all

Save it and no one would able to access this file. Your website is secure now. I Hope You Can Use the .htaccess File for Your WordPress Website Security

I Hope You Can Use the .htaccess File for Your WordPress Website Security

The above-mentioned steps can be taken to secure your WordPress website in no time. In the past few years, I have realized the power of the .htaccess file.

People are really ignorant towards their website’s security. They should know that a plugin can’t do all the things. Preventing image hotlinking is a concept only a few people know.

You can also read the WordPress security guide.

I am sure you can use the .htaccess file for your WordPress website security at its best. If you have any doubt, feel free to drop a comment.

You can also connect with us on Twitter, LinkedIn, and Facebook.

by Ravi Chahar

A WordPress Professional and the LinkedIn Influencer. A coder by passion and a blogger by choice. WordPress theme development is his forte. He is your WordPress guy who will teach you how to solve WordPress errors, WordPress security issues, design issues and what not.

Get Free Updates Into Your Inbox

Learn Everything Just Like I Did



  1. Hello Ravi! How have you been?

    Bunch of WP security is listing over here.

    Actually, I’m currently using Wordfence plugin and it allowed me to setup the firewall and blocking feature. I found that it has blocked some badbots and save lots of bandwidth.

    I found that I cannot video some blogs’ image is that hotlink protect?

    1. Hey Kimsea,

      I am great. Hope you have had a great time.

      Having a security plugin is always recommended but there a few things which can’t be done with a plugin.

      If the images are protected then you can’t use their URL to copy and paste to any other blog. It protects the image and the bandwidth theft. There shouldn’t be any problem while making a video, but if you’re trying to copy then it surely would.


  2. Hello, Ravi!

    You made the complexities of the .htaccess file too simple to solve! 🙂

    I am always very cautious dealing with the .htaccess file because of you know the horrors!

    Will sneak peak through my file to see what I am missing.

    So, thank you so much for the awesome advice! 🙂

    ~ Adeel

    1. Hey Adeel,

      This is something everyone should have an insight about. People should know what this simple is capable of. I have tested many things using the .htaccess file.
      I am sure, you’re gonna love it.
      Thanks for stopping by.

  3. Hi Ravi.

    I did a lot of work a while back in my .htaccess file to speed up my website, mostly with turning on the caching and gzip capabilities. I also use it to block bad bots. I used to have a lot of difficulty with them.

    I just want to add one caution with #2, protecting your WP admin area. I don’t know what it’s like in your area, but here most ISPs use DHCP so your IP address can change every time you access the Internet. I could easily have hundreds of different IP addresses over the course of a year. I haven’t looked into it but I’m guessing that the .htaccess file accepts a range of IP addresses to allow, then you just have to find out the range of IP addresses that your ISP can assign to you.

Leave a Reply

Your email address will not be published. Required fields are marked *