The .htaccess file is short for Hypertext Access file, and is a configuration file which let you control the behavior of your site and how your visitors interact with your website.

To Get Started:

Create a simple blank text file and save it as .htaccess (no name and give it an “.htaccess” extension)  and upload the file to your website’s root folder. To upload any file in root folder you need FTP client . Connect to your website using an FTP client and open your root folder and upload .htaccess file.

If you already have a .htaccess file in your website root folder then simply download the existing one to your computer for backup.


1. Block Spammers:

The .htaccess file lets you deny multiple IP addresses from accessing your site. This prevents your website from spammers and suspevious access. Add the following code in your .htaccess file to block spammers:

<Limit GET POST>

order allow,deny

#First IP you want to prevent from accessing your site

deny from IP_ADDRESS_1

#Second IP you want to prevent from accessing your site

deny from IP_ADDRESS_2

allow from all


2. Disable Directory Browsing:

By default webserver enables directory browsing. This means that all files and folders inside the root directory of the webserver is accessible by a visitor.
Disabling directory browsing is the recommended move to secure your website from unauthorized access. Add the below code at the bottom in your .htacess file.

Options All –Indexes

3. Protect wp-config.php:

The wp-config.php file is the most important file in your website root folder.It contains your database information, access credentials and various other critical data, amongst other settings. You can disable access to wp-config.php by inserting the below code in your .htaccess file.

<files wp-config.php>order allow,deny

deny from all


4. Disable Any Hotlinking:

Some non-ethical site curators will try to use your images and videos and put a strain on your servers. This wastes your bandwidth and disk space. To prevent hotlinking add the following code:

RewriteEngine onRewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?YourDomain [NC]

RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]

5. Limit Logins And Admins By IP:

You can limit the access of your admin area to selected IP addresses only. Insert following code:

<Limit GET POST PUT>order deny,allow

deny from all

#First IP you want to allow

allow from IP_ADDRESS_1

#Second IP you want to allow

allow from IP_ADDRESS_2


6. Protect /wp-content Directory:

Wp-content directory contains all your media files , sensitive php files, cache information and this is where themes and plugins resides. To protect wp-content directory simply create a separate new blank .htaccess file and upload it in your wp-content Directory.
Insert the following code snippet in this new .htaccess file:

order deny,allowdeny from all

<files ~ “.(xml|css|jpe?g|png|gif|js)$”>

allow from all


7. Protect .htaccess Itself:

he .htaccess file itself is still open to attacks. Add the follwing code snippet to your .htaccess file:

<files ~ “^.*\.([Hh][Tt][Aa])”>order allow,deny

deny from all

satisfy all


This code prevent anyone from accessing any file that starts with “hta“.


If you have successfully implemented all these 7 tricks then rest assured you have hardened your WordPress security.


Leave a Reply