How to Secure WordPress Website Security

Why Website Security is Important?

A hacked WordPress site can cause serious damage to your business revenue and reputation. Hackers can steal user information, passwords, install malicious software, and can even distribute malware to your users.

Worst, you may find yourself paying ransomware to hackers just to regain access to your website.


Best .htaccess Snippets to Improve WordPress Security

What is the .htaccess file?

An htaccess file is an optional configuration file for the Apache web server to interpret, for each directory. You can store various settings in that file such as: password protect a directory, block IPs, block a file or folder from public access, etc. Traditionally, the .htaccess file is present in the base WordPress installation directory. It stores the permalink structure by default.


1. Block Bad Bots

One of the best uses of the .htaccess file is its ability to deny multiple IP addresses from accessing your site. This is useful when blocking known spammers and other origins of suspicious or malicious access. The code is:


# Block one or more IP address.

# Replace IP_ADDRESS_* with the IP you want to block

<Limit GET POST>

order allow,deny

deny from IP_ADDRESS_1

deny from IP_ADDRESS_2

allow from all



2. Disable Directory Browsing

# Disable directory browsing

Options All -Indexes


3. Allow Only Selected Files from wp-content

# Disable access to all file types except the following

Order deny,allow

Deny from all

<Files ~ ".(xml|css|js|jpe?g|png|gif|pdf|docx|rtf|odf|zip|rar)$">

Allow from all



4. Restrict All Access to wp-includes

# Block wp-includes folder and files

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteBase /

RewriteRule ^wp-admin/includes/ - [F,L]

RewriteRule !^wp-includes/ - [S=3]

RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]

RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]

RewriteRule ^wp-includes/theme-compat/ - [F,L]



5. Allow only Selected IP Addresses to Access wp-admin

# Limit logins and admin by IP


order deny,allow

deny from all

allow from 302.143.54.102

allow from IP_ADDRESS_2



6. Protect wp-config.php and .htaccess from everyone

# Deny access to wp-config.php file

<files wp-config.php>

order allow,deny

deny from all



# Deny access to all .htaccess files

<files ~ "^.*\.([Hh][Tt][Aa])">

order allow,deny

deny from all

satisfy all



7. Deny Image Hotlinking

# Prevent image hotlinking script. Replace last URL with any image link you want.

RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]

RewriteRule \.(jpg|jpeg|png|gif)$ [NC,R,L]


More .htaccess Code:

  • security, wp security, wordpress, wordpress security, Secure WordPress
  • 6 Users Found This Useful
Was this answer helpful?

Powered by WHMCompleteSolution