Responsive website design, Norwich

Increasing Wordpress security with .htaccess

by Mike Amis

Increasing Wordpress security with .htaccess

The huge popularity of the Wordpress platform has many benefits however, one drawback is that its own success makes it an attractive target for hackers because the directory structure and codebase is widely known.

Due to the large number of Wordpress websites, hackers can exploit these same security vulnerabilities over and over again. Given the fact that many Wordpress sites are set up and maintained by people with little or no web development knowledge, these vulnerabilities are often left exposed. Fortunately by harnessing the power of Apache's .htaccess file, it is possible to greatly improve the security of your website and protect yourself from many forms of attack.

What is a .htaccess file?

The .htaccess file, also know as distributed configuration files, are hidden files which allow you to make configuration changes to your server settings on a per-directory basis. They are simple text files that allow you to execute commands commonly used for security and website performance purposes. Using a .htaccess file is often a good alternative to the httpd main server config file, reserved for dedicated server customers, for people with websites on shared hosting packages, as it offers some of the same functionality.

When editing .htaccess files extreme caution should be exercised; the slightest error in syntax will almost certainly render your website completely inaccessible to visitors. It is also essential to have an up to date back up of your whole website before you make any edits. There are many plugin that can be used to maintain your .htaccess file but this article will focus on manual creation and editing.

Server error message caused by incorrect .htaccess directive syntax
Server error from .htaccess error

What can you do with .htaccess files

The default .htaccess file is found in the root folder of your website. It will be automatically generated if you enable the pretty permalinks feature in your dashboard and it contains the following directives. If you do not see your .htaccess file you may need to enable view/show hidden files option. If you do not have a .htaccess file you can simply create one in any text editor and save without a filename just the extension .htaccess and then upload to the root of your website using the control panel or FTP.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

When adding new directives to the file it is best to add the after the # END WordPress line to avoid making any unwanted changes to the core functionality of Wordpress. It is also important to note that any line beginning with the # symbol is a comment line and is there for annotation purposes only. These comments are ignored by the server.

Protect your important files

The wp-config.php file contains all of the important information about your website set up including your database connection details. It is good practice to protect this file from prying eyes as, if anybody had control of this file they would effectively have control over your website which could clearly be very damaging. To prevent access to this file add the following directive:

<Files wp-config.php>
order allow,deny
deny from all

This same directive can be used to protect any other individual file you feel is important or contains sensitive information, simply change the file name from wp-config.php to any other file name.

Even though at this stage you are using your .htaccess file for the protection of the website as a whole, the file itself still needs individual protection. Add this directive to prevent access:

<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all

Prevent directory browsing

Due to the popularity or Wordpress lots of people know the exact directory structure of your default website. If directory browsing is not disabled anybody can view a list of your folders and files simply by adding the folder name in the address bar, for example.

This would output something similar to the following image. From here a hacker is free to look in any folder and see all of your file names making the job of attacking your website much easier than if they are forced to guess where important files are located.

Website directory browsing enabled

To prevent directory browsing add this simple directive:

# directory browsing
Options All -Indexes

Prevent access to php files

Your whole Wordpress website is built using PHP, which means they could be a possible way in for a hacker to inject malicious code. You do not want anybody other than authorised users accessing any of them. Use this code to protect your theme and plugin php files.

# Protect php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]

Potecting your admin login

Protecting your admin login page is an important step to help prevent brute force attacks. Brute force attacks are a trial and error method of trying to gain access by attempting to guess your username and password. If you restrict access to the page it is significantly harder for this type of attack to be successful. There are a number of ways to increase security of this page starting with IP restriction. Use the following directive to allow only your admins' IP addresses to access the login page - replacing 123\.123\.123\.121 with your actual IP addresses.

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.121$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.122$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [R=403,L]

If you do not have static IP addresses the the above method is not the best approach as you could be locked out of your own website when your IP address changes. For dynamic IP addresses you can restrict the access to the login page to direct referral only. That is, when one of your admins manually types the URL of the admin page in the address bar. This is not a guarantee of security, but because many attackers will attempt to remotely access your website it will prevent them.

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(.*)?mywebsite\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]

A great way to further reduce the chances of a brute force attack is to change the Wordpress login page URL to anything other than standard, for example:

Now for a brute force attack to succeed the username, password and login URL are needed making it much harder. The easiest way to do this is using one of the many plugins available. Be sure to check feedback and ratings, as well as whether or not the plugin is compatible with your version of Wordpress and has been updated recently. As always, back up your website before making any changes.

Prevent bad users accessing your website

IF you have experienced someone trying to access your website content or maybe even a brute force attack on your admin area, it is possible to block their IP address(es). You can add as many IP addresses to your banned list as you need to using the following directive:

<Limit GET POST>
order allow,deny
deny from
deny from
allow from all


With all of these directives in place your Wordpress website is much more secure than a standard installation, and a much less attractive target for hackers, but that is not to say you have absolute protection. There are many other steps you can, and should, take to further protect yourself including the use of security plugins, more advanced .htaccess directives not covered in this article and using a content delivery network which will improve security as well as improve performance.

Share this post


  • Jessica:

    01 Dec 2016 19:39:27

    I’ve used this method for a while now and lately, somehow, people are able to bypass this and still attempt to login. I’m baffled. Everyone I’ve had test it can’t get to the login page. :/

Leave a comment