WordPress is, unquestionably, the best Content Management System (CMS). A large number of websites are powered by it, and it is a platform on which both technical and non-technical people can build many kinds of websites: eCommerce stores, blogs, portfolios and more.

Most WordPress site owners come from a non-technical background, which makes them a common target for attackers. There is a small but powerful file, named .htaccess, that helps you protect a WordPress site from unauthorized users. Beyond security, .htaccess offers a number of other benefits as well.

The .htaccess file is an optional configuration file that lets the Apache web server apply settings on a per-directory basis. As a user, you can store different server settings in it. By default, it lives in the root directory of the WordPress installation. Through this file you can override the server's global settings for that directory and everything below it, as far as the host's AllowOverride setting permits.

Accessing the .htaccess file: in the cPanel File Manager, go to Settings > "Show Hidden Files" > Save.

This will display the hidden files (those whose names begin with a dot) in cPanel.

[Image: Displaying the hidden files in cPanel]

However, before you start, make a backup of the current .htaccess file. A single syntax error in .htaccess makes Apache answer every request with a 500 error, and the backup lets you roll back to the previous state in case of any disaster.

When you open .htaccess, you will almost always find a block of rewrite rules that WordPress itself generated for its permalinks.

[Image: Common WordPress code in every .htaccess file]
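The block that the screenshot showed is reproduced below as an added example; it is not copied from the original post. It is the permalink rewrite that a single-site WordPress installation writes between its own # BEGIN WordPress and # END WordPress markers (the comments are mine). Keep your own rules outside those markers, because WordPress regenerates everything between them whenever the permalink settings are saved.

```apache
# BEGIN WordPress
# WordPress regenerates everything between these markers; custom rules go outside them.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Requests for index.php itself are left alone.
RewriteRule ^index\.php$ - [L]
# Only requests that do not match a real file or directory are routed to index.php,
# which is how pretty permalinks such as /2024/05/hello-world/ reach WordPress.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
```

The two RewriteCond lines are also why a stray file dropped into the web root is served directly rather than handed to WordPress: the rewrite never sees it.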

Now, let’s start editing the file.

Protect the .htaccess file first: copy and paste the following snippet into your .htaccess file to stop it from being served to unauthorized users.

[Image: Restricting access to the .htaccess file]


Cut off hotlinking with .htaccess

Other blogs and websites may embed your images and other resources directly, using your URLs. The files are then served from your server: every time a visitor loads such an image on the other site, it consumes your bandwidth. This is called hotlinking.

To avoid this unwanted situation, enable hotlink protection through the .htaccess file. Just add the following content to your .htaccess file.

[Image: Cut off hotlinking]
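An added example of such a hotlink rule, written for Apache's mod_rewrite; it is not the snippet from the original post, and example.com stands for your own domain:

```apache
# Assumptions: the site is served at example.com (placeholder); mod_rewrite is enabled.
<IfModule mod_rewrite.c>
RewriteEngine On
# Let requests with no Referer through: direct visits, some privacy settings and
# many feed readers send none, and blocking them breaks legitimate traffic.
RewriteCond %{HTTP_REFERER} !^$
# Allow our own host, with or without www, over http or https.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/|$) [NC]
# Any other site asking for one of these image types receives 403 Forbidden.
RewriteRule \.(jpe?g|png|gif|webp|svg)$ - [NC,F,L]
</IfModule>
```

The Referer header is sent by the client and can be forged, so this stops casual embedding rather than a determined scraper. Check the rule from the command line with curl --referer set to a foreign site and then to your own, and confirm a 403 for the first and a 200 for the second.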


.htaccess also protects your wp-config.php file

The wp-config.php file contains sensitive information about your database, including its credentials. In short, the information stored in this file is what WordPress uses to store and retrieve data from the database.

[Image: Protecting wp-config.php with .htaccess]


Prevent the browsing of your directory listing

If you enable this, visitors will no longer see a listing of the files in any directory that has no index file. Just insert the following code.
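One way to put the three rules just described (protecting .htaccess, protecting wp-config.php and switching directory listings off) into the root .htaccess at once, as an added example rather than the original post's snippets. Apache 2.4 and 2.2 use different access-control syntax, so both forms are included:

```apache
# Apache 2.4 uses mod_authz_core ("Require"); 2.2 uses the Order/Deny syntax.
# Both forms are given so the same file works on either version.
<FilesMatch "^(\.htaccess|\.htpasswd|wp-config\.php)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</FilesMatch>

# Turn off automatic directory listings for directories without an index file.
# Needs AllowOverride Options (or All) in the server configuration; if the host
# does not allow it, Apache answers every request with a 500 until the line is removed.
Options -Indexes
```

Apache's stock configuration already refuses to serve any file whose name starts with .ht, so the first rule is mainly a safeguard for hosts that changed that default. wp-config.php normally executes as PHP and outputs nothing, but a broken PHP handler (for example in the middle of a PHP upgrade) can leave it served as plain text; that is the case the rule exists for.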


Restricting access to the wp-admin directory and the admin area

The admin area is the most sensitive zone of your website: it gives full access to every administrative function. Prevent public access to it by allowing wp-admin only from particular IP addresses. All you need to do is add the following code to your .htaccess file.

[Image: Restricting access to the wp-admin directory]
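An added example of the wp-admin allow-list (not the original post's code). It goes into a separate .htaccess file inside the wp-admin directory, and the addresses are RFC 5737 placeholder ranges that you replace with your own:

```apache
# File: wp-admin/.htaccess (a separate file inside the wp-admin directory).
# Assumptions: the office or VPN range is 203.0.113.0/24 and a second fixed
# address is 198.51.100.7; both are RFC 5737 placeholders.
<IfModule mod_authz_core.c>
  # Apache 2.4: several Require ip lines at the same level mean "any of these".
  Require ip 203.0.113.0/24
  Require ip 198.51.100.7
</IfModule>
<IfModule !mod_authz_core.c>
  # Apache 2.2 equivalent
  Order Deny,Allow
  Deny from all
  Allow from 203.0.113.0/24
  Allow from 198.51.100.7
</IfModule>

# admin-ajax.php is called by themes and plugins for anonymous visitors as well
# (search, contact forms, infinite scroll); keep it reachable or those features break.
<Files admin-ajax.php>
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Allow from all
  </IfModule>
</Files>
```

Two things to check before relying on it: wp-login.php lives in the site root, not in wp-admin, so login attempts are not stopped by this file; and if the site sits behind a CDN or reverse proxy, Apache sees the proxy's address unless mod_remoteip is configured, in which case the allow-list locks everyone out, including you.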


Stopping spammers with your .htaccess file

Just like the hotlinkers above, spammers use up your site's bandwidth and resources. Many plugins are available to deal with the problem; the following code stops spammers at the web server, before they affect your site's performance.

[Image: The code to restrict spammers]
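Which snippet the original post showed here is not recoverable, so the following is an added example of the most common .htaccess approach to comment spam: a comment is always posted from a page on your own site, so a POST to wp-comments-post.php that carries a foreign Referer or no User-Agent at all is refused. example.com is a placeholder for your domain:

```apache
# Assumption: the site is example.com (placeholder). Comment forms always POST
# from a page on the same host, so a POST to wp-comments-post.php with a foreign
# or empty Referer, or with no User-Agent, is almost always a bot posting
# straight to the endpoint.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php [NC]
# The next two conditions are OR-ed: either one is enough to refuse the request.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# F = 403 Forbidden: nothing is stored, no notification mail is sent, PHP never runs.
RewriteRule .* - [F,L]
</IfModule>
```

Because the Referer condition also matches an empty Referer, visitors whose browser or privacy extension strips the header cannot comment either; if that matters more than the spam, add a RewriteCond that exempts an empty Referer before the Referer test. Both headers are under the client's control, so this is a cheap first filter, not a replacement for a spam plugin.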


Disabling PHP execution for a few WordPress directories

One of the best ways to boost your WordPress site's security is to disable PHP execution in selected WordPress directories. Create a blank .htaccess file on your local machine, paste the following code into it, and upload the file into that directory.

[Image: To disable PHP execution]
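An added example (not the original post's snippet) of such a file for wp-content/uploads, the directory that must stay writable for media uploads and is therefore the one most worth locking down:

```apache
# File: wp-content/uploads/.htaccess (create it; the directory normally has none).
# The uploads directory is writable by the web server by design, so nothing in it
# should ever be executed as PHP.
#
# The pattern has no trailing $ on purpose: Apache treats "photo.php.jpg" as a
# file with two extensions, and with AddHandler-style PHP configuration the .php
# part is enough to run it. Matching the extension anywhere in the name closes that gap.
<FilesMatch "\.(php|php[3-7]|phtml|phps|phar)">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</FilesMatch>
```

The same file works unchanged in wp-content/plugins or wp-content/themes only if nothing there is meant to be requested directly, which is often not the case; test every page and the admin area after adding it anywhere other than uploads. It only governs requests that pass through Apache: if PHP is reached through another front end, the equivalent rule has to live there.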

Setting up 301 Redirects

A 301 redirect tells browsers and search engines that a resource has moved permanently to a new URL, for example after you rename a page or change the URL structure. Just paste the code given below to set up a 301 redirect through your .htaccess file.

[Image: Setting up 301 Redirects]
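Added examples of the two directive families that do this (not the original post's code); example.com and the paths are placeholders:

```apache
# Assumptions: example.com is your domain (placeholder); the paths are illustrative.

# One-to-one move: old path on the left, full new URL on the right (mod_alias).
Redirect 301 /old-about-page/ https://example.com/about/
# Move a whole section: RedirectMatch takes a regex and reuses the captured part.
RedirectMatch 301 ^/blog/(.*)$ https://example.com/news/$1

# Canonical host: send www.example.com and plain-http traffic to https://example.com.
# Must sit above the # BEGIN WordPress block, whose last rule ends rewriting for
# every request it catches.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC,OR]
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]
</IfModule>
```

Redirect and RedirectMatch belong to mod_alias and work without mod_rewrite. Behind a TLS-terminating proxy or CDN the HTTPS variable stays off and the second rule loops; on such hosts test the X-Forwarded-Proto header (RewriteCond %{HTTP:X-Forwarded-Proto} !https) instead of %{HTTPS}.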


Blocking malicious bots and restricting suspicious IP addresses

The .htaccess file can block suspicious IP addresses as well as bad bots from reaching your site, and it can deny access to several IP addresses at once. The code that makes .htaccess do this is as follows:

[Image: Blocking malicious bots and IP addresses]
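An added example of a combined IP and user-agent block list (not the original post's snippet). The addresses are RFC 5737 placeholders and the two User-Agent strings are constructed for the example, not a real blocklist:

```apache
# Mark requests whose User-Agent matches a known-bad pattern (case-insensitive).
# Both strings are constructed placeholders.
SetEnvIfNoCase User-Agent "ExampleScraperBot" bad_bot
SetEnvIfNoCase User-Agent "ContentHarvester/1\.0" bad_bot

<IfModule mod_authz_core.c>
  # Apache 2.4: inside RequireAll every line must hold, so one matching
  # "not" rule is enough to deny the request.
  <RequireAll>
    Require all granted
    Require not ip 198.51.100.23
    Require not ip 203.0.113.0/24
    Require not env bad_bot
  </RequireAll>
</IfModule>

<IfModule !mod_authz_core.c>
  # Apache 2.2 equivalent
  Order Allow,Deny
  Allow from all
  Deny from 198.51.100.23
  Deny from 203.0.113.0/24
  Deny from env=bad_bot
</IfModule>
```

The same caveats as for the wp-admin allow-list apply: a User-Agent string is trivially changed, and behind a proxy or CDN the client address Apache sees is the proxy's unless mod_remoteip is set up, so a Require not ip line can end up blocking the proxy and with it every visitor.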


Increase your WordPress file upload size

There are several ways to raise the maximum upload size for your WordPress site. The following code is one of them, and it is helpful even for websites that run on shared hosting.

[Image: Increasing the WordPress file upload size]

Remember, the above code only tells your web server's PHP to use the given values for the maximum upload size and the maximum execution time that WordPress runs under.
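An added example of the upload-size settings (not the original post's snippet); the values are assumptions to adjust:

```apache
# Works only when PHP runs as an Apache module (mod_php). Under PHP-FPM or CGI,
# Apache does not know these directives and answers every request with a 500.
# The values (64M, 300 seconds) are assumptions; size them for your site.
php_value upload_max_filesize 64M
# post_max_size must be at least as large as upload_max_filesize, or the smaller value wins.
php_value post_max_size 64M
php_value max_execution_time 300
php_value max_input_time 300

# The same four settings for a PHP-FPM or CGI host go into a .user.ini file in the
# WordPress root, one per line and without the php_value prefix, for example:
#   upload_max_filesize = 64M
#   post_max_size = 64M
```

Most current shared hosts run PHP-FPM rather than mod_php, so if the site turns into a 500 error immediately after saving, this block is the first thing to remove, and the .user.ini form (or php.ini, where the host exposes it) is the one to use.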


Providing protection to wp-content

wp-content is the folder that holds all your plugins, themes, media and even cached files, so it is a natural target for hackers as well as spammers. Create a separate .htaccess file, paste the snippet given below into it, and save the file in the wp-content directory.

[Image: Protecting the wp-content folder]

The given code allows only the listed file types (XML, CSS, JPG, JPEG, PNG, GIF and JavaScript) and denies any other file extension.
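An added example (not the original post's snippet) of a wp-content/.htaccess that implements the deny-then-allow-list just described, with the same extensions the post lists:

```apache
# File: wp-content/.htaccess
# Step 1: deny everything in wp-content and below.
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
  Order Deny,Allow
  Deny from all
</IfModule>

# Step 2: re-allow only the static file types listed in the post.
# Extend the pattern with whatever your theme actually serves (fonts, svg, webp, pdf).
<FilesMatch "\.(xml|css|jpe?g|png|gif|js)$">
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
  <IfModule !mod_authz_core.c>
    Allow from all
  </IfModule>
</FilesMatch>
```

Before enabling it, check what your theme and plugins really serve from wp-content: web fonts (woff, woff2), SVG, WebP, PDFs and any plugin that is called directly by URL would all be denied by this list. Extend the FilesMatch pattern to match the site, then test the front end and the admin area with the browser's developer tools open and look for 403 responses.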


Disable access to the XML-RPC file

The xmlrpc.php file allows third-party apps to connect to a WordPress site. If your site does not use any such app, it is better to deactivate the feature. Just add the following code to your .htaccess for the purpose.

[Image: Disabling access to the XML-RPC file]


Protecting the wp-includes directory

The following snippet blocks direct access to the sensitive include-only PHP files in the wp-includes and wp-admin/includes directories, which are never meant to be requested on their own, so that other users cannot load them.

[Image: Protecting the wp-includes directory]
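The following added example (not the original post's code) covers both this section and the XML-RPC one above with a single mod_rewrite block. The wp-includes rules follow the ones published in the WordPress hardening guide; the xmlrpc.php rule is added in the same style:

```apache
# Assumption: mod_rewrite is available and the site lives at the document root
# (RewriteBase /). Each rule returns 403 (F) and stops processing (L).
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# Disable XML-RPC outright. WordPress serves xmlrpc.php from the site root.
RewriteRule ^xmlrpc\.php$ - [F,L]

# Block the include-only files (rules from the WordPress hardening guide).
RewriteRule ^wp-admin/includes/ - [F,L]
# Skip the next three rules for anything outside wp-includes/.
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
```

Place the block above the # BEGIN WordPress markers. On a multisite installation remove the rule matching wp-includes/[^/]+\.php$, because it stops ms-files.php from serving uploaded images. The 403 responses produced by [F] are worth watching in the access log afterwards: a steady stream of them against xmlrpc.php is a useful signal that the site is being probed automatically, and confirms the rule is doing its job.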


Protection against script injections

Hackers are known to inject malicious code into PHP files. Many wrongdoers also attempt to tamper with a site's REQUEST and GLOBALS variables by injecting malicious code into the request. To reduce this risk, use the snippet given below.

[Image: Protecting sites against script injections]
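An added example of the query-string filter this kind of snippet usually consists of (not the original post's code):

```apache
# Matches are made against the raw query string, so the patterns accept both the
# literal characters and their percent-encoded forms. A match is answered with
# 403 before PHP starts.
<IfModule mod_rewrite.c>
RewriteEngine On
# "<script ...>" in the query string, literal or encoded (%3C / %3E)
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# attempts to set GLOBALS[...] or _REQUEST[...] through the URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* - [F,L]
</IfModule>
```

Treat it as a coarse filter only: it misses other encodings, it can block legitimate URLs that happen to contain these substrings, and the GLOBALS and _REQUEST rules address register_globals, a PHP feature removed in version 5.4. Keeping WordPress, its plugins and PHP updated does far more for this class of problem than any .htaccess pattern.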

Leverage browser caching

To make your WordPress site faster, you can enable browser caching, also called client-side caching, with the following code.

[Image: Code to leverage browser caching]
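An added example of the mod_expires configuration that does this (not the original post's snippet); the lifetimes are assumptions to tune:

```apache
<IfModule mod_mime.c>
  # Apache's default type map may not know woff2; without a type, ExpiresByType cannot match.
  AddType font/woff2 .woff2
</IfModule>

<IfModule mod_expires.c>
ExpiresActive On
# Long lifetimes for assets that rarely change. Theme and plugin files carry a
# ?ver= query string from WordPress, so a new version is a new URL to the browser.
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType image/gif "access plus 1 year"
ExpiresByType image/webp "access plus 1 year"
ExpiresByType image/svg+xml "access plus 1 year"
ExpiresByType font/woff2 "access plus 1 year"
ExpiresByType text/css "access plus 1 month"
ExpiresByType application/javascript "access plus 1 month"
# HTML is generated per request and reflects login state: do not let browsers keep it.
ExpiresByType text/html "access plus 0 seconds"
# Everything not listed above.
ExpiresDefault "access plus 2 days"
</IfModule>
```

mod_expires sets both the Expires header and Cache-Control: max-age. The one exception to the long image lifetime is replacing an uploaded image under the same file name: WordPress does not version media URLs, so either rename the replacement or choose a shorter lifetime for images.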


Handling custom error pages

The .htaccess file lets you serve custom error pages for 404, 403 and 500 errors. Just insert the following snippet to accomplish the task.

[Image: Handling custom error pages]
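An added example of the ErrorDocument directives (not the original post's snippet); the three file names are assumptions, and the files must exist in the document root:

```apache
# Targets are local paths relative to the document root, so Apache serves them
# with the original status code. A full URL (https://...) would make Apache
# redirect instead, turning a 404 into a 302 and hiding the real status.
ErrorDocument 404 /404.html
ErrorDocument 403 /403.html
# Keep the 500 page static HTML: a PHP failure is usually what caused the error.
ErrorDocument 500 /500.html
```

With pretty permalinks enabled, most unknown URLs never reach the 404 line, because the WordPress rewrite sends them to index.php and the theme's own 404.php template answers; it still covers the requests the rewrite does not handle. The 403 page, on the other hand, is what visitors see for every rule in this post that ends in a deny, so it is worth making it plain and unrevealing.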

Hopefully these points will help you protect your WordPress site from hackers as well as spammers. For any explanation or help, do not hesitate to get in touch with us anytime.
