WordPress .htaccess security plays a key role in protecting your site from unauthorized access and malicious attacks. By editing your .htaccess file you can block common threats and lock down sensitive areas. In this tutorial you will learn to secure wp-admin and protect your wp-config.php file. You will also disable risky features, enforce HTTPS, and monitor changes. We include code snippets that you can add directly to your .htaccess file.
1. Backup .htaccess File
Always back up your .htaccess file before making changes. A backup lets you restore the original rules if something goes wrong.
- Access your server via FTP or a file manager.
- Download the .htaccess file to your local system.
- Rename it to .htaccess.bak or add a date stamp.
cp /path/to/wordpress/.htaccess /path/to/wordpress/.htaccess.bak
2. Disable Directory Browsing
Disabling directory browsing prevents outsiders from seeing file listings. Add a simple directive to block this feature.
# Disable directory browsing
Options -Indexes
- Place this directive near the top of your .htaccess file.
3. Restrict Access to wp-admin
Restricting access to the wp-admin area helps prevent unauthorized logins. You can restrict access by IP address or require a password.
Apache 2.4 Example
# Allow only your IP to access wp-login.php
<Files wp-login.php>
Require ip 123.123.123.123
</Files>
# Restrict the wp-admin directory
# <Directory> blocks are not permitted inside .htaccess files (Apache answers with a 500 error),
# so put this line in a separate .htaccess file inside wp-admin/; it then applies to the whole directory
Require ip 123.123.123.123
Apache 2.2 Example
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from 123.123.123.123
</Files>
- Replace 123.123.123.123 with your public IP address.
- Use the older Order, Allow, Deny directives on legacy servers.
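As an added example (not from the original tutorial), here is a complete wp-admin/.htaccess that applies the same IP restriction to the whole directory on both Apache 2.4 and 2.2 while leaving admin-ajax.php reachable, because themes and plugins call it on behalf of logged-out visitors and a blanket block breaks those front-end features. 123.123.123.123 is the same placeholder as above; wp-login.php sits in the site root, so it is still covered by the <Files> rule in the main .htaccess.

```apache
# wp-admin/.htaccess  (added example; 123.123.123.123 is a placeholder for your address)
# A .htaccess placed here applies to wp-admin/ and everything below it,
# so no <Directory> block is needed (and none is allowed in .htaccess).

<IfModule mod_authz_core.c>
    # Apache 2.4: deny everything except the listed address (CIDR such as 203.0.113.0/24 also works)
    Require ip 123.123.123.123
    # admin-ajax.php is requested by anonymous visitors for front-end features,
    # so the inner <Files> section reopens it; inner sections replace outer authz by default
    <Files admin-ajax.php>
        Require all granted
    </Files>
</IfModule>

<IfModule !mod_authz_core.c>
    # Apache 2.2 equivalent
    Order Deny,Allow
    Deny from all
    Allow from 123.123.123.123
    <Files admin-ajax.php>
        Order Allow,Deny
        Allow from all
    </Files>
</IfModule>
```

After saving the file, load /wp-admin/ from an address that is not on the list and confirm you receive a 403, then confirm a front-end feature that uses admin-ajax.php still works while logged out.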
4. Protect wp-config.php File
Your wp-config.php file holds database credentials and security keys. Deny web access to secure wp-config.php and keep these values safe.
<IfModule mod_authz_core.c>
<Files "wp-config.php">
Require all denied
</Files>
</IfModule>
<IfModule !mod_authz_core.c>
<Files "wp-config.php">
Order allow,deny
Deny from all
</Files>
</IfModule>
- Place this block at the very top of your .htaccess file.
5. Disable PHP Execution
Uploading PHP files can invite unwanted scripts to run. You can disable PHP execution in specific directories.
# Disable PHP execution in uploads
# This goes in wp-content/uploads/.htaccess; a <Directory> wrapper is not allowed in .htaccess files,
# and a file placed in the directory already applies to everything below it
<FilesMatch "\.php$">
Require all denied
</FilesMatch>
- Copy this snippet into a blank .htaccess file in the uploads directory.
- Repeat in /wp-includes if your theme loads PHP there.
6. Disable XML-RPC Requests
The XML-RPC interface is a frequent target of brute-force and DDoS attacks. Blocking xmlrpc.php stops these requests before they reach WordPress.
<Files xmlrpc.php>
Require all denied
</Files>
- Add this rule near the top of .htaccess to block all xmlrpc.php requests.
7. Enforce SSL Connections
Forcing HTTPS ensures encrypted traffic and boosts user trust. About 93.2% of Chrome browsing now uses SSL.
# Redirect all traffic to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
- Ensure mod_rewrite is enabled in Apache.
8. Implement Security Headers
Security headers help protect against clickjacking and cross-site scripting. Add these rules to guide the browser.
<IfModule mod_headers.c>
Header set X-Frame-Options "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
</IfModule>
- You can add more headers like Referrer-Policy or Content-Security-Policy.
9. Monitor File Changes
Monitoring .htaccess modifications alerts you to unauthorized edits. Shield Security PRO’s File Locker can notify you immediately when the file changes.
- Enable File Locker in the Shield Security dashboard.
- Set up email alerts for .htaccess changes.
- Review each alert and rollback if necessary.
Review Key Takeaways
- Always back up your .htaccess file before editing it.
- Disable directory browsing to hide file listings.
- Restrict access to wp-admin and secure wp-config.php.
- Disable PHP execution, block XML-RPC, and enforce SSL.
- Add security headers and monitor .htaccess changes.
Test each change to confirm your site remains accessible. For more ways to harden your site, see our WordPress Security Checklist.
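Step 9 covers watching the file for changes; confirming that steps 2 through 8 actually took effect is a separate check. The following Python script is an added example, not part of the original tutorial or of Shield Security. It assumes a fetch(url) callable that returns (status, headers) for a single request without following redirects, uses SITE = https://example.com as a constructed placeholder, and ships with a constructed FAKE_SERVER so it runs offline; call verify(urllib_fetch, "https://your-site") to run the same checks against your own site after editing .htaccess.

```python
"""Verifier for the .htaccess hardening steps above (added example, not from the
original tutorial). fetch(url) must return (status_code, headers) WITHOUT following
redirects; SITE and FAKE_SERVER are constructed placeholders so this runs offline."""
from typing import Callable, Dict, List, Set, Tuple
from urllib.parse import urlsplit

Response = Tuple[int, Dict[str, str]]
Fetcher = Callable[[str], Response]

SITE = "https://example.com"  # constructed placeholder, not a real site

# (check name, path relative to SITE, status codes a hardened site may return)
PATH_CHECKS: List[Tuple[str, str, Set[int]]] = [
    ("wp-config.php denied", "/wp-config.php", {403}),            # step 4
    ("xmlrpc.php denied", "/xmlrpc.php", {403}),                  # step 6
    ("PHP in uploads denied", "/wp-content/uploads/probe.php", {403, 404}),  # step 5
    ("uploads listing disabled", "/wp-content/uploads/", {403, 404}),        # step 2
]

# Headers from step 8; X-XSS-Protection is not checked because current browsers ignore it.
REQUIRED_HEADERS: Dict[str, Set[str]] = {
    "x-frame-options": {"SAMEORIGIN", "DENY"},
    "x-content-type-options": {"nosniff"},
}


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; normalise for lookup."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def check_paths(fetch: Fetcher, site: str = SITE) -> List[str]:
    """Steps 2, 4, 5, 6: sensitive paths must not be served."""
    failures = []
    for name, path, allowed in PATH_CHECKS:
        status, _ = fetch(site + path)
        if status not in allowed:
            failures.append(f"{name}: got {status}, expected one of {sorted(allowed)}")
    return failures


def check_https_redirect(fetch: Fetcher, site: str = SITE) -> List[str]:
    """Step 7: plain HTTP must redirect permanently to HTTPS on the same host."""
    host = urlsplit(site).netloc
    status, headers = fetch(f"http://{host}/")
    location = _lower(headers).get("location", "")
    if status not in (301, 308) or not location.startswith(f"https://{host}"):
        return [f"HTTPS redirect: got {status} with Location {location!r}"]
    return []


def check_headers(fetch: Fetcher, site: str = SITE) -> List[str]:
    """Step 8: each security header must be present with an accepted value."""
    _, headers = fetch(site + "/")
    present = _lower(headers)
    failures = []
    for name, accepted in REQUIRED_HEADERS.items():
        value = present.get(name)
        if value is None or value.upper() not in {a.upper() for a in accepted}:
            failures.append(f"header {name}: got {value!r}, expected one of {sorted(accepted)}")
    return failures


def verify(fetch: Fetcher, site: str = SITE) -> List[str]:
    """Run every check; an empty list means all hardening steps held."""
    return check_paths(fetch, site) + check_https_redirect(fetch, site) + check_headers(fetch, site)


def urllib_fetch(url: str) -> Response:
    """Real fetcher for a live site: one GET, with redirects reported rather than followed."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # returning None makes urllib raise HTTPError for the 3xx itself

    opener = urllib.request.build_opener(NoRedirect)
    request = urllib.request.Request(url, headers={"User-Agent": "htaccess-verify"})
    try:
        with opener.open(request, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # 403, 404, 301 ... all land here
        return err.code, dict(err.headers)


# Constructed responses modelling a server with steps 2 through 8 applied.
SECURE_HEADERS = {"X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff"}
FAKE_SERVER: Dict[str, Response] = {
    f"{SITE}/": (200, SECURE_HEADERS),
    f"{SITE}/wp-config.php": (403, SECURE_HEADERS),
    f"{SITE}/xmlrpc.php": (403, SECURE_HEADERS),
    f"{SITE}/wp-content/uploads/probe.php": (403, SECURE_HEADERS),
    f"{SITE}/wp-content/uploads/": (403, SECURE_HEADERS),
    "http://example.com/": (301, {"Location": f"{SITE}/"}),
}


def fake_fetch(url: str) -> Response:
    """Offline stand-in for urllib_fetch; unknown URLs behave like an unhardened page."""
    return FAKE_SERVER.get(url, (200, {}))


if __name__ == "__main__":
    for line in verify(fake_fetch) or ["all checks passed"]:
        print(line)
```

Each failure line names the step that did not hold, so a stray <Directory> block (which makes Apache return 500 for everything) or a missing mod_headers shows up immediately rather than after the site has been live for weeks.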
Have questions or tips? Let us know in the comments below.