How to secure WordPress with .htaccess file

The .htaccess file is a per-directory configuration file that Apache and LiteSpeed web servers read on every request, so it can enforce a number of security controls without access to the main server configuration. Most of the settings below can also be applied by plugins such as BulletProof Security or Wordfence. The snippets in this article use the Apache 2.2 access-control syntax (Order, Allow, Deny); Apache 2.4 still accepts it when mod_access_compat is loaded, but its native form is Require all denied and Require ip, and a host that has dropped the compatibility module will answer with a 500 error for the old directives.

1. Protect against external attacks

As the .htaccess file is a powerful file, it should itself be protected from being read or downloaded by visitors. A stock Apache httpd.conf already denies access to every file whose name begins with .ht, but hosting panels sometimes drop that block, so repeat it. To do so, add the code below to your .htaccess file (note that there is no space after the comma in Order Allow,Deny; with the space Apache rejects the directive)

# PROTECT HTACCESS
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>

2. Disable directory browsing

When a directory has no index.html or index.php file and the Indexes option is enabled, Apache lists the directory's contents to anyone who requests it. On a WordPress site this typically exposes wp-content/plugins and wp-content/uploads, which tells an attacker exactly which plugins (and often which versions) are installed. To protect against this, add the following to your .htaccess file

# DISABLE DIRECTORY LISTING
Options -Indexes

Do not write Options All -Indexes: Apache refuses to mix bare options with +/- prefixed ones and the whole server fails to start, and copy-pasted examples frequently contain an en dash instead of a hyphen, which produces the same error.

3. Protect wp-config .php file

This file contains the database credentials, the authentication salts and other sensitive settings for your WordPress site, so it needs to be protected. First, set the tightest file permissions that still let PHP read it: 0400 if the file is owned by the user the web server or PHP-FPM pool runs as, otherwise 0440 with the web server's group as the group owner. Then add the directives below to your .htaccess file so the raw file is never served even if PHP handling is ever disabled for the directory

# PROTECT WP-CONFIG FILE
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>

4. Limit access to wp-content directory

This folder holds themes, plugins and uploads, and visitors only need to fetch static assets from it. To enforce that, create a new .htaccess file inside the wp-content folder (not the document root) and add the code below, which denies everything and then re-allows only the listed file extensions

Order Deny,Allow
Deny from all
<FilesMatch "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</FilesMatch>

Use straight double quotes and escape the dot, otherwise the pattern matches any character and the allow list is wider than intended. The pattern above also accepts .jpg, which the common copy of this rule omits. Most themes additionally serve .svg, .ico and .woff/.woff2 files, so extend the list as needed and check the site afterwards; any plugin that exposes a PHP endpoint directly under wp-content will be blocked by this rule, which is also what stops a PHP file uploaded into wp-content/uploads from being executed.

5. Secure wp-admin folder

The wp-admin folder should only be reachable by the people who publish posts or administer the site. If they connect from a static IP address (one that does not keep changing), you can restrict the folder by creating a .htaccess file inside wp-admin with the code below. Apache directives cannot carry a comment at the end of the line, so keep the IP on a line of its own

# RESTRICT WP-ADMIN ACCESS
# 12.34.56.78 is a placeholder: replace it with your static IP
Order Deny,Allow
Deny from all
Allow from 12.34.56.78

Two caveats: wp-admin/admin-ajax.php is called by themes and plugins on behalf of anonymous visitors as well, so front-end features may break unless that one file is allowed for everyone; and wp-login.php lives in the document root, not in wp-admin, so this rule does not protect the login form itself.

6. Prevent script injection

Crude injection probes, such as a <script> tag or a PHP GLOBALS/_REQUEST override in the query string, are among the most common automated attacks against WordPress sites. The rewrite rules below answer any request whose query string matches one of those patterns with a 403. Treat them as a tripwire for unsophisticated scanners rather than real protection: they inspect only the raw query string (not POST bodies, headers or cookies), and the first pattern only catches the literal word script between angle brackets, so an XSS payload built from an event-handler attribute passes straight through. They do not replace proper output escaping or a web application firewall. To add them, put the following in your .htaccess file

# BLOCK COMMON INJECTION PATTERNS IN THE QUERY STRING
# mod_rewrite in .htaccess needs FollowSymLinks (or SymLinksIfOwnerMatch on some shared hosts)
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* - [F,L]

The F flag returns 403 and ignores any substitution, so the rewrite target is written as - rather than index.php.
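Pulling the six steps together, here is an added example, not taken from the original article, of the same controls written in Apache 2.4's native Require syntax as three files: the document-root .htaccess, wp-content/.htaccess and wp-admin/.htaccess. The address 12.34.56.78 is a placeholder for your static IP. The extra asset extensions in wp-content (jpg, svg, ico, woff/woff2), the admin-ajax.php exception and the wp-login.php restriction are my additions and are not mentioned in the article.

```apache
# ---------- /.htaccess (document root) ----------

# 2 + 6: no directory listings, and FollowSymLinks so mod_rewrite works in .htaccess.
# One Options line so bare and prefixed forms are never mixed.
Options -Indexes +FollowSymLinks

# 1: never serve any .ht* file (httpd.conf normally does this too; repeated here in case it was removed)
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# 3: never serve wp-config.php as a static file (file permissions 0400/0440 still apply)
<Files "wp-config.php">
    Require all denied
</Files>

# 5 (addition): wp-login.php sits in the document root, so the IP restriction must be repeated here.
# 12.34.56.78 is a placeholder for your static IP.
<Files "wp-login.php">
    Require ip 12.34.56.78
</Files>

# 6: reject obvious injection probes in the raw query string with a 403.
# Only the query string is tested; POST bodies, headers and cookies are not covered.
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* - [F,L]

# ---------- /wp-content/.htaccess ----------

# 4: deny everything, then re-allow only static assets. The inner Require replaces the outer one
# for matching files. Side effect: a PHP file dropped into wp-content/uploads is never executed.
# svg, ico and woff/woff2 are additions for themes that ship fonts and icons.
Require all denied
<FilesMatch "\.(xml|css|jpe?g|png|gif|js|svg|ico|woff2?)$">
    Require all granted
</FilesMatch>

# ---------- /wp-admin/.htaccess ----------

# 5: only the static admin IP may reach the dashboard (placeholder address)...
Require ip 12.34.56.78

# ...except admin-ajax.php, which themes and plugins call for anonymous visitors (addition).
<Files "admin-ajax.php">
    Require all granted
</Files>
```

These files only take effect if the server's AllowOverride for the WordPress directory includes AuthConfig (for Require), Options and FileInfo (for mod_rewrite); AllowOverride All, the usual WordPress setting, covers all three. After deploying, request wp-config.php, a .php file under wp-content/uploads and a wp-admin URL from a non-allowed address and confirm each returns 403, then load the public site to make sure no asset type was blocked.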
