Hardening WordPress with .htaccess for Security

Hardening WordPress with .htaccess and other ways for Security

In WordPress Security, by Fathi Arfaoui. Last Updated: April 12th, 2018

To secure your WordPress blog, you don’t have to research thousands of things. All you have to do is ask yourself how people can get access to your blog from an external source. You will find that the easiest ways into your blog are the “uploads” folder and the PHP folders and files.

In this post, I’ll show you the steps for hardening WordPress with .htaccess. You will stop external access to your directories and files, in general.

As I said, the “uploads” folder can cause problems and easily allow people to browse and see your plugins and files. That way, they learn your “protection secrets”: if someone knows what plugins you’re using, it’s easy for them to build a simple strategy to bypass all the protection.

Your goal is to disable and restrict all access to the directories. These directories include executable PHP files that you should protect.

How to make a WordPress site secure?

Hardening WordPress with htaccess


To stop access to all the PHP files, create a blank file named .htaccess in a text editor and paste the code below inside it.

# Apache 2.2 syntax; Apache 2.4 accepts it through mod_access_compat (native form: Require all denied)
<Files *.php>
deny from all
</Files>

The file will include only the above code lines and will look like the next screenshot.

[Screenshot: creating a new blank .htaccess file]

The next step is to upload that file to your “uploads” folder, located in wp-content, and upload it again to the “wp-includes” folder. You don’t have to worry about where exactly to upload the file; just upload it in the folder anywhere you want.

[Screenshot: uploading .htaccess]

In the same way, you need to upload that same file to the wp-includes directory.

[Screenshot: uploading the .htaccess file to wp-includes]

Protect the .htaccess file itself

You can also create the .htaccess file directly in the folder itself using the file manager. Just click “New File”, paste the code inside it, and save. Do this for both the “wp-includes” and “wp-content/uploads” folders.

[Screenshot: protecting the .htaccess file]


Now, with this easy .htaccess WordPress security, your PHP files are protected from unauthorized access and execution. But keep in mind that this is just one protection measure and can’t guarantee 100% that your blog won’t be hacked.


As with any other technology in the world, things are limited. Even the most powerful security company in the world can’t guarantee protection. However, this simple protection will improve the security level of your blog.

Protect the wp-config file

The WordPress configuration file, wp-config.php, is one of the most important PHP files to protect. By protecting it, you will protect your blog from many dangerous access attempts and executions. You should first make access to that file as hard as possible. To do that, you need to add the below code in the wp-config.php file:

# Apache directives: Apache reads these from an .htaccess file
<files wp-config.php>
order allow,deny
deny from all
</files>


[Screenshot: protecting the wp-config file]

The above methods will protect the PHP files and the directories in general, but if your blog files are open to the public for browsing, anyone can see your files exactly as they are while browsing the web. The last thing that you want for your blog or website is what the next screenshot shows.

Disable Directory Browsing in WordPress

As you can see, all your files and plugins can be opened with a few clicks. So, you need to disable directory browsing so that no one can see your files from a web browser. All you have to do is add the next line of code to the parent .htaccess file located in the root directory.

# directory browsing
# (Apache 2.4 rejects mixing prefixed and unprefixed options such as "All -Indexes")
Options -Indexes

You have two options to do that. The first is to download the .htaccess file to your desktop, paste the line of code at the bottom, and then upload the file.

The second way, which is easier, is to add the code directly in the file. Just use the file manager in your cPanel.

Other WordPress Hardening recommendations

You can also extend the above solution with other methods for hardening the WordPress code and directories to the maximum level. To do that, you can apply the following tricks, which I tested and recommend for all blogs and sites, no matter what size they are.


1. Disabling file editing in WordPress

This is an easy yet powerful WordPress security trick that will save your site from known threats. In fact, hackers can edit your files easily if they know how to do that. However, no matter what way they use, you can always close that “door” and completely disable the file editing option in the WordPress dashboard. To do that, copy and paste the following code into the wp-config.php file.

## Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);

2. Disable PHP execution in wp-content/uploads

Having a good website with lots of traffic is great for you, but if you don’t pay attention to PHP execution, it can become a nightmare. In fact, one of the easiest ways to get into any WordPress website is to inject PHP code into it by any available means. That code will then control the site and modify it. Luckily, you can prevent PHP execution in the WordPress uploads directory by creating an .htaccess file in the root of your site files. Next, paste the following lines of code into that file and save it.

# Kill PHP Execution
<Files ~ "\.ph(?:p[345]?|t|tml)$">
   deny from all
</Files>


Now you have everything you need for hardening WordPress with .htaccess, and you know how to protect your directory files from people who try to browse them. These methods will protect your blog if you take care of it and secure the WordPress login page with a strong password. Also make sure to change the default WordPress username and, most importantly, never share your login details.
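To check that the rules above are really in place, the following Python script audits a WordPress directory on disk. It is an added example, not part of the original post: it looks for a closed <Files> block that denies PHP in wp-content/uploads and wp-includes, a wp-config.php block and -Indexes in the root .htaccess, and any PHP file already sitting under uploads. The function names, the probe.php test name and the sample tree built in demo() are assumptions made for the illustration.

```python
import fnmatch
import re
import tempfile
from pathlib import Path

# A closed <Files>/<FilesMatch> block: directive, "~" if regex form, pattern, body.
BLOCK = re.compile(r'<(Files(?:Match)?)\s+(~?)\s*"?([^">]+?)"?\s*>(.*?)</\1>', re.I | re.S)
DENY = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)
NO_INDEX = re.compile(r"^\s*Options\b.*-Indexes\b", re.I | re.M)
PHP_EXT = re.compile(r"\.ph(?:p[345]?|t|tml)$", re.I)  # extensions from the page's rule

def blocks_file(htaccess: Path, name: str) -> bool:
    """True if a closed block matches `name` and denies all (2.2 or 2.4 syntax)."""
    text = htaccess.read_text(errors="replace") if htaccess.is_file() else ""
    for directive, tilde, pattern, body in BLOCK.findall(text):
        regex = bool(tilde) or directive.lower() == "filesmatch"
        hit = re.search(pattern, name) if regex else fnmatch.fnmatch(name, pattern)
        if hit and DENY.search(body):
            return True
    return False

def audit(root: Path) -> list:
    """Return findings for a WordPress tree; an empty list means every check passed."""
    findings = []
    for rel in ("wp-content/uploads", "wp-includes"):
        if not blocks_file(root / rel / ".htaccess", "probe.php"):
            findings.append(f"{rel}: PHP files not denied")
    top = root / ".htaccess"
    if not blocks_file(top, "wp-config.php"):
        findings.append(".htaccess: wp-config.php not denied")
    if not (top.is_file() and NO_INDEX.search(top.read_text(errors="replace"))):
        findings.append(".htaccess: directory browsing not disabled")
    for f in sorted((root / "wp-content/uploads").rglob("*")):
        if f.is_file() and PHP_EXT.search(f.name):
            findings.append(f"PHP file in uploads: {f.relative_to(root).as_posix()}")
    return findings

def demo() -> tuple:
    """Audit a constructed sample tree (not a real site) before and after hardening."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content/uploads/2018/04").mkdir(parents=True)
        (root / "wp-includes").mkdir()
        (root / "wp-content/uploads/2018/04/avatar.php").write_text("<?php // constructed\n")
        before = audit(root)
        for rel in ("wp-content/uploads", "wp-includes"):
            (root / rel / ".htaccess").write_text("<Files *.php>\ndeny from all\n</Files>\n")
        (root / ".htaccess").write_text(
            "<files wp-config.php>\norder allow,deny\ndeny from all\n</files>\nOptions -Indexes\n")
        return before, audit(root)
```

After hardening, the sample tree still reports the PHP file under uploads: the deny rule stops it from being served, but a file like that should be reviewed and removed. On a real site, call audit() with the path to the WordPress root.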

What’s your best way to protect your WordPress site through .htaccess? If you have used any other method or tool, make sure to add it in your comment. That will be a good addition to this guide, especially for WordPress beginners who know nothing about online security, website protection, and safety.
