Contact and Social

Editing the .htaccess file to Improve WordPress Security

Secure WordPress Hosting

Picking the right host is vital to keeping your site secure. Changes to your .htaccess file won’t mean anything if your host doesn’t implement the right security protocols and practices.

Click here to learn more about our secure, fast and powerful web hosting.


What is the .htaccess file?

The .htaccess file is a configuration file found on at the root of many WordPress installations and other websites running on Apache servers. Inside the file, snippets of code can be added which instruct the Apache server on how to handle various matters such as redirections, site access and IP blocking.

By adding a few snippets of code into the .htaccess file, you can lock down parts of your WordPress website or restrict access to increase security and reduce the chances of your site being successfully attacked by hackers or malware.


Prevent Directory Listing in .htaccessPrevent .htaccess directory browsing

By default, Apache allows directory listing and browsing. This means that anyone can view a list of files stored on your server. But why is this dangerous?

Directory browsing gives read access to everything stored on your website’s server. If someone is to navigate to, they will be able to browse through every folder and see all of the different themes and plugins installed on your site.

Furthermore, they will be able to see content which is uploaded to your server but not published on a specific webpage yet. This can result in the release of upcoming content, events and other information that you do not want to be made public yet.

By entering the following code into your .htaccess file, you can disable directory browsing site-wide, not just for directories that have an index.php file.

# Disable directory listing site-wide
Options -Indexes

Deny access to wp-config file

The wp-config.php file is one of the most important files in any WordPress installation. It contains the credentials used to connect your WordPress installation to its database as well as other important information that affects how your website works.

It is important that nobody has access to this file except you. This is because it contains the information necessary to access and make changes to your website’s MySQL database. If a hacker gains access to this file, they can create new users, edit posts and create havoc on your site without you even knowing.

Below is the code to block access to wp-config.php

# Block access to wp-config file
order allow,deny
deny from all

Block access to wp-includes folder

The wp-includes folder contains the files necessary to run WordPress. Your website’s visitors do not need to have access to this information and allowing access only creates a security risk.

You can block access to wp-includes by entering the following code into your .htaccess file.

# Deny access to wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]