Protect WordPress site with .htaccess

WordPress is the world’s most popular CMS, with millions of users. This is how to secure your WordPress site with .htaccess.

Configuring the .htaccess file

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Protect wp-config.php

<Files wp-config.php>
order allow,deny
deny from all
</Files>

Admin access from your IP only

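# These rules apply to the folder that holds this .htaccess file (for the admin area, an .htaccess inside wp-admin).
# In the site root they would restrict the whole site.
# 203.0.113.10 is a placeholder: replace with your IP address.
order deny,allow
allow from 203.0.113.10
deny from all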

Banning bad users

<Limit GET POST>
order allow,deny
# 203.0.113.20 is a placeholder: put the IP address to ban here.
deny from 203.0.113.20
allow from all
</Limit>

No directory browsing

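# Apache 2.4 rejects a mix of signed and unsigned options ("All -Indexes"), so only the index listing is switched off.
Options -Indexes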

Prevent Access To wp-content

The wp-content folder contains images, themes and plug-ins. It’s a very important folder within your WordPress install, so it makes sense to prevent outsiders accessing it.

This requires its very own .htaccess file. This file must be added to the wp-content folder. It allows users to see images, CSS, etc., but protects the important PHP files:

Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>

Protect .htaccess

<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
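
The snippets above use the Apache 2.2 Order/Allow/Deny directives, which Apache 2.4 accepts only when mod_access_compat is loaded. As an added example (not part of the original post), here are the same protections in Apache 2.4 Require syntax; the split into three .htaccess files, the wp-admin location and the 203.0.113.x addresses are assumptions and placeholders.

```apache
# ---- Site root .htaccess (Apache 2.4, mod_authz_core + mod_authz_host) ----

# Ban one address, allow everyone else. Unlike the <Limit GET POST>
# version, this applies to every HTTP method.
# 203.0.113.20 is a placeholder for the address to ban.
<RequireAll>
    Require all granted
    Require not ip 203.0.113.20
</RequireAll>

# Protect wp-config.php
<Files "wp-config.php">
    Require all denied
</Files>

# Protect .htaccess (same pattern as the 2.2 rule)
<FilesMatch "^.*\.([Hh][Tt][Aa])">
    Require all denied
</FilesMatch>

# No directory browsing (needs AllowOverride Options)
Options -Indexes

# ---- wp-admin/.htaccess (assumed location): admin from your IP only ----
# 203.0.113.10 is a placeholder: replace with your IP address.
# admin-ajax.php lives in this folder, so front-end features that call it
# are blocked for other visitors as well.
Require ip 203.0.113.10

# ---- wp-content/.htaccess: serve static files only ----
Require all denied
<FilesMatch "\.(xml|css|jpe?g|png|gif|js)$">
    Require all granted
</FilesMatch>
```

With the default AuthMerging Off, a Require inside a Files section or a sub-folder's .htaccess replaces the parent folder's rule instead of adding to it, so the ban in the root file does not carry into wp-admin or to the static files allowed in wp-content.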
