How to Protect the WP-CONTENT Folder of Your WordPress Website

Protect the wp-content folder

For a WordPress website, the whole content is present in the wp-content folder. It’s possible that hackers can upload new files. It’s important to protect the wp-content folder for better security.

The security has always been a concern to many. Most of the WordPress users don’t really pay attention to this which turns out to be a fatal for them.

Just like this folder, it’s also recommended to protect the .htaccess file and the wp-config.php file. These are two most important files for your website.

In this tutorial, you will learn the way to protect the wp-content folder add using the .htaccess file.

What Should You Protect This Folder

Before you jump directly into the coding stuff, you should know the reasons.

As you all know, whenever you upload any plugin, the theme, it gets stored in the wp-content folder of your WordPress directory.

Hackers can upload the similar files to this folder and run the malicious code. It can be spread to your whole website.

There are some particular types of files which should be run by a WordPress website. Apart from those, no extra file should be executed.

All the images, cached data is stored in this folder. It’s like the most necessary file of your WordPress website which is responsible for storing most of the data.

Create a New “.htaccess” File and Add the Code

You may be confusing with the main .htaccess file of your WordPress website. It’s not the same file where you add many codes to protect different files and folders.

Well, to protect the wp-content folder, you have to create a new .htaccess file and upload it in this folder.

It’s just a text file, nothing complicated. Create a text file with the name “.htaccess“. It’s because this file is a hidden file which should be named with a dot.

Add the code in this file.

Order deny,allow
Deny from all
<Files ~ “.(xml|css|jpe?g|png|gif|js)$”>
Allow from all

Save the file and now you have to upload it the wp-content folder of your WordPress website directory.

It can be done using the cPanel. Just open the file manager and in the public_html directory, you can easily find the wp-content folder.

Use the upload button showing in the main navigation menu. It will open a new tab from where you can choose the text file you have created. Upload it and you’re done.

You have successfully protected your website data folder.

What does that code mean? Have you even thought about it?

Well, this code is allowing the upload of only the XML, CSS, JPG, JPEG, PNG, GIF, and JavaScript files. No other type of file can be uploaded.

As hackers create some unknown files with different extensions. So you’re safe from all those files.

It can be challenging for many because website security can be overwhelming. There are many vulnerabilities which are required to get covered.

There is a manual method to protect each file of your WordPress website. But if don’t want to do any coding stuff then you can use a security plugin which has all the features.

Isn’t that easy to Protect the WP-CONTENT Folder

From all those security threats, you should always be ready. There are many website security tips which can help you.

You can also take a few steps for the security of your WordPress admin panel. You can password protect the admin directory.

You can also add a security question to WordPress login page of your website. There are many other things which can be done.

I hope you liked the article and can easily protect the wp-content folder. If you face any problem, feel free to drop a comment.

You can also connect with us on Twitter, LinkedIn, and Facebook.

by Ravi Chahar

A WordPress Professional and the LinkedIn Influencer. A coder by passion and a blogger by choice. WordPress theme development is his forte. He is your WordPress guy who will teach you how to solve WordPress errors, WordPress security issues, design issues and what not.

Get Free Updates Into Your Inbox

Learn Everything Just Like I Did



  1. Hi Ravi,

    I actually was looking for an easy way to do this and now I’ve found it. I love reading your tutorials because they are so easy to follow along with and use.

    Now I am going to look and see how you suggest I should protect my WordPress admin directory.

    Most bloggers don’t pay enough attention to these things until it’s too late. I always try to take these types of precautionary measures to help me protect my blog.

    While I know that it’s always possible to be vulnerable to hackers. This is one of the reasons that I started using BlogVault to backup my site.

    This way, I’ll always have a fresh backup in case anything happens. Thanks for sharing these tips with us, I truly appreciate it.

    Have a great day 🙂


    1. Hey Susan,

      Keeping the backup is the first thing you should do. You may protect your website but sometimes an advanced hacker can pass all the security barrier and inject malicious codes to your website.

      You can protect the wp-content folder so that no extra files can be added. It’s a plus point.
      I am glad you could find the helpful guides here.

      Keep reading.

Leave a Reply

Your email address will not be published. Required fields are marked *