8 Useful .htaccess Snippets For Hardening Your WordPress Security And Prevent Hacking

Updated: May 10, 2017 / Home » Web Hosting and Wordpress » Wordpress Themes and Plugin

For those with a hacked WordPress site, you will know that hackers tend to modify the .htaccess files and will redirect all traffic from Google to another url. Usually a php located in your wp-content/uploads folder. If you are using a VPS, if possible, disable .htaccess in Apache config and use the “Additional Apache directives” feature. Location of this feature varies from hosting panels.

See Also ➤ 7 Best WordPress Firewall Preventing Hacks, SQL Injection And Brute Force

8 Useful .htaccess Snippets For Hardening Your WordPress Security And Prevent Hacking

Hayden James wrote an interesting topic on this issue – Apache Performance: Disable .htaccess. By disabling .htaccess, you improve the overall security and performance of your Apache server. If you are on a shared hosting, you do not have the ability to disable it, with that, you’ll have to harden your wordpress security by using a few codes. A quick summary.

  • Disable .htaccess via “AllowOverride None” improves security and server performance
  • Always Backup your .htaccess before making any dramatic changes.
  • .htaccess is not the only weak point when it comes to WordPress Security, always keep your WordPress updated and only use trust-able plugins/themes.
  • A good hosting also means better security features, more often than none, a shared hosting uses outdated software and comes with basic firewall, or none at all.

↓ 01 – Disable PHP Execution In “uploads” Folder

Hackers loves to insert a backdoor files, usually the favorite location is the wp-content/uploads directory. There is no reason to have a .php files in that folder. Create a .htaccess file in /wp-content/uploads/ and copy paste the code. This will disable PHP execution within the folder.

# Kill PHP Execution
<Files *.php>
deny from all
</Files>

↓ 02 – Protect WordPress wp-config.php File

To protect your wp-config.php file from unathorized access, simply add this code to your .htaccess file.

<files wp-config.php>
order allow,deny
deny from all
</files>

↓ 03 – Protect .htaccess From Unauthorized Access

To protect it from unauthorized access by hackers, you can stop them from accessing the file via this code.

<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

↓ 04 – Disable Directory Browsing In WordPress

There is no reason enabling directory browsing, not only it allows hackers to look into your site’s directory and file structure to find a vulnerable file, it is also bad for Google SEO as Google will index all of these files and folders. Many WordPress security experts recommend disabling directory browsing.

Options -Indexes

↓ 05 – Block cross-site scripting (XSS)

The following code snippet protects your site against some common XSS attacks, namely script injections and attempts to modify global and request variables. Unless you use XSS, it is always a good idea to disable it.

# Blocks some XSS attacks
<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* index.php [F,L]
</IfModule>

↓ 06 – Restrict All Access To WP Includes

The /wp-includes/ folder contains the core WordPress files. There are no good reason for anyone to have access, including the owner and administrator. So to harden security it’s best to restrict all access to it.

# Blocks all wp-includes folders and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

↓ 07 – Restrict Direct Access To Plugin & Theme PHP files

As mentioned earlier, there is no reason for anyone else beside you to have access to the plugin and theme file, disabling directly calls is a good security policy.

# Restricts access to PHP files from plugin and theme directories
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]

↓ 08 – Access Only By IP

If you only access your WordPress admin area from the same location, you may want to limit access to your IP address only. To do this you’ll need to add a small snippet of code to the .htaccess file in the “wp-admin” directory. This method is not recommended if you do not have a static IP Address, meaning to say your ISP will assign you a new IP Address every time you restart your router.

order deny,allow
allow from [insert your IP address]
deny from all


Leave a Reply

Your email address will not be published. Required fields are marked *