A Comprehensive Guide to Editing .htaccess for WordPress Security

A Comprehensive Guide to Editing .htaccess for WordPress Security

The .htaccess file in your WordPress install is a powerful configuration file that you can use to override the settings on your web server to improve your site’s security and performance.

Short for “Hypertext Access,” you can edit the file and with the right commands, you can enable/disable extra functionality and features to protect your site from spammers, hackers and other threats.

Some of these features include basic redirects, locking outside access to particular files, or more advanced functions such as content password protection or preventing image hotlinking.

So let’s take an in-depth look at how you can manipulate your .htaccess file to boost your security.

In this post, we’ll cover the following:

What’s .htaccess Got to Do with It?

The .htaccess file is located in the root of your site (or Multisite network). The period in front of the file name means it’s a hidden file and you won’t be able to see it when browsing your files unless you show all hidden files on your computer.

In WordPress, the file is used for facilitating pretty permalinks and is automatically created when this option is enabled. There’s a lot more you can do with .htaccess, though, such as adding 301 redirects or including rules to block unauthorized visitors.

If you’re already well-versed in the .htaccess file and you’re ready to make some changes, go ahead and skip down to see the list, (don’t forget to backup your site first!)

I Pity the Fool Who Doesn’t Backup

The .htaccess file can be a finicky one to work with because a single syntax error could break your entire site. That being said, if you’re prepared, this kind of worse case scenario doesn’t have to spell a death sentence for your site. In fact, far from it.

Backing up your site before you make any changes can act as a fail safe so you can quickly restore your files and be on your way as if nothing ever happened. Well, close enough to that, anyway.

The absolute least you should do is download a copy of your .htaccess file on your computer so you can replace it if a mistake is made. You can download a copy of your .htaccess file in cPanel by going to Files > File Manager after logging in. If you’re prompted with a pop-up, select the Show Hidden Files checkbox, then click Go.

Alternatively, you can click Settings on the top right of the File Manager and click the Show Hidden Files checkbox, then click the Save button.

The settings pop-up in the file manager.
The .htaccess file is hidden by default.

You should be able to go to the root of your site now and find the .htaccess file. Click on it once on the list, then click the Download button in the navigation. Save it to your computer. If you need to restore it, you can click the Upload button on the top of the page.

Select the Overwrite existing files checkbox, then click the Select File button to search for and open the backup of your .htaccess file.

The file upload page.
You can overwrite existing files in cPanel to restore the .htaccess file.

Once you have opened the file, it should upload and you can click the Go Back link at the bottom of the page to return to your File Manager. Once that’s done, it means your .htaccess file has been  restored.

Note: If you are hosting with WPMU DEV, you can perform the same operation as above by accessing the File Manager feature inside your Hub.

For details on how to create a full backup of your site, check out some of our other posts below:

Going Through Changes

Creating an .htaccess File

Depending on your install, you may not have an .htaccess file so before you can think about editing it, you may need to create one. You can either use your favorite text editor to create one or do it directly in cPanel.

Create and upload a new file and name it .htaccess, or click the File button at the top left of the File Manager in cPanel to create a blank file named .htaccess.

If your server doesn’t allow you to do this, create a file called htaccess.txt instead, then rename the file to .htaccess once it’s uploaded to your site.

Since all WordPress installs have pretty permalinks set by default since version 4.2, it’s best to side on the err of caution and include the code that’s default for .htaccess files in the newer versions of WordPress instead of creating a blank file.

Here’s the default code you should include for single installs of WordPress:

For Multisite networks installed with sub-directories using version 3.5 or higher, use the following code instead:

If your Multisite is installed with sub-domains and the version you’re using is 3.5 or higher, use the code below instead of the options above:

For any other versions of WordPress, check out the WordPress Codex’s .htaccess page for details on the code you should include in your file.

When you’re creating a new .htaccess file, it’s important that you set a file permission of 644 to protect it from potential attacks. For details on how to do this, check out one of our other posts Understanding File Permissions and Using Them to Secure Your Site.

Where to Add Your Changes

When you’re editing your file, it’s important to note that lines beginning with a hashtag are comments and aren’t included in the .htaccess rule. When you’re adding rules, it’s crucial that you include them either above or below the default WordPress rule explained above.

You shouldn’t add or edit anything between the lines # BEGIN WordPress and # END WordPress. For Multisite networks, the same principle applies, although, there aren’t any comments at the beginning and end as there are for single installs.

If you were to make any changes, it’s likely that it would be overwritten so it’s best to just stay out of its way and let WordPress do its thing.

Generally speaking, adding rules below the default WordPress lines keeps things more organized and adds a bit of clarity as to what your edits are as opposed to WordPress’ code. It may also be helpful to add your own comments to any additions you make to further organize your .htaccess file.

At the end of the day, it’s up to you and what would work best for your needs.

There’s also a handy .htaccess to Nginx converter you can use to adjust the tips later on in the article for use with – you guessed it – Nginx.

Editing Your .htaccess File

There are many ways you can choose to edit your .htaccess file and one of them is to do it directly in cPanel. Most people find this to be the easiest method, but I won’t stop you from using the method that’s your favorite.

No matter which method you choose, it may be helpful to note that you refreshing your site after you save an edit to your file will allow you to check whether your edits break your site. If they do, you can immediately restore the file and try again. If everything works as it should, then you’re good to go and you can continue making edits.

Once you’re logged into cPanel, go to Files > File Manager and choose to show hidden files as described earlier. Go to the root of your site and click once on your .htaccess file that’s listed. Click Edit in the navigation at the top of the page to make your changes.

Don’t forget to click Save before exiting so your changes aren’t lost.

You can also choose to edit files using FTP. You can find the details on how to do this by checking out How to Use FTP Properly with WordPress.

You can also choose to use SSH to makes changes as well. You can check out A Quick Guide to the Terminal and Command Line Prompt for WordPress for details on how to use an SSH client.


Manage unlimited WP sites for free

Unlimited sites
No credit card required

SSH commands are not the same for every kind of server so consult your server type’s documentation for the commands you need to use.

.htaccess Security Tips

Now you’re ready to tighten your site’s security with the tips below. Let’s get to it.

1. Protecting Important Files

One of the best edits you can make is to protect your .htaccess file along with your error logs, wp-config.php and php.ini files. Once you make the following change, attempts to access these files are denied.

Be sure to check your files and see if you have one named php.ini because you may not. Instead, you may have one called php5.ini. If this is the case, replace php.ini with php5.ini in the above rule.

2. Restrict Access to the Admin

You can also restrict access to the admin dashboard and login page by adding the rules below if you use a static IP address:

The first two lines redirect unauthorized IP addresses to your 404 error page. This also helps you resolve any redirect loops so your site doesn’t look like it’s down. Just be sure to edit both instances of /path-to-your-site/ to the real path of your site.

Also, replace IP Address One, IP Address Two and IP Address Three with the actual IP addresses you want to have access to these pages. If you only want to add one address, omit lines nine and 10. You can also repeat line 10 as many times as you would like and replace each

You can also repeat line 10 as many times as you would like and replace each IP Address Three with the real IP address you want to whitelist.

If you or any of your other users have dynamic IP addresses, a Multisite network or multiple users in your network that need to log in, you can use the following rule instead:

Don’t forget to switch /path-to-your-site/ in lines one and two to the real path to your site as well as change your-site.com with your actual domain.

Many hackers use bots to try and access the admin dashboard or to log in externally. By adding this to your .htaccess file, you’re only letting people who manually enter your site into their browser’s address bar to have access to these pages.

While it won’t block hackers that try to manually guess your users’ login details, in most cases, it still makes a huge difference and significantly lowers the amount of brute force attacks you receive.

3. Prevent Directory Browsing

It’s possible for visitors to see a list of your site’s directories in the front-end if they enter in your domain and then a directory into their browser’s address bar. Since WordPress has a set file structure, nothing’s currently stopping someone from visiting your-site.com/wp-content-uploads/ and seeing a list of your folder and files.

This is definitely not what you want because it’s that much easier for a hacker to hack into an important file in your site if they can literally see the target file in plain sight and don’t have to guess where the file is located.

It’s the equivalent of hiding a spare key to your place in a super clever and secretive place, but then posting a note right on your door letting everyone who visits know where your spare key is hidden.

Adding this line to your .htaccess file prevents directory browsing so hackers have a more difficult time figuring you out.

4. Restrict Access to PHP Files

Similarly, providing direct access to your PHP files is a big no-no. The harder you make it for hackers to be able to find your important files, the better and since PHP files can be used to inject malicious code to further infect your site, it’s incredibly important that you protect your PHP files.

You can add the following lines from Acunetix to block direct access to your plugin and theme’s PHP files from unauthorized users:

5. Restrict PHP File Execution

While we’re on the subject, you may as well also prevent unauthorized execution of PHP files so in the event that a hack does break into your site, they won’t be able to upload their own PHP file with malicious code and have it actually work.

This means you can prevent backdoor exploits from actually working. While you would still have to find and remove the file, the more obstacles you make for a hacker, the less likely it is that your site can be infected beyond repair.

Since most hackers upload backdoors to your /wp-content/uploads/ folder, blocking the execution of any PHP files there can be a huge help.

Add the code below to restrict the execution of PHP files added to the uploads folder:

6. Protect Your Site Against Script Injections

You’re on a serious roll now so why not also prevent injections of malicious code into your PHP files? WP Recipes posted a way to prevent script injections.

Many hackers try to change the WordPress GLOBALS and _REQUEST variables in an attempt to inject malicious code. You can add the following to your .htaccess file to prevent this change from being accepted:

7.  Securing the wp-includes Directory

Your wp-includes directory is home to so many of your important files. By blocking all unauthorized access to it, you can protect those all important files from being tampered with by hackers.

WP Explorer has a great addition to include to prevent hackers from accessing your wp-includes folder:

8. Prevent Username Enumeration

When a visitor enters your-site.com/?author=1 into their address bar, they’re directed to the author’s page that has a user ID of one. The author’s page includes the actual username associated with the user ID.

The visitor would easily be able to get all the usernames of all the users of your site if they have any posts associated with their account. This process is called username enumeration.

If a hacker is able to easily get a hold of your username, it’s one less thing they need to guess. In fact, the only other detail they need to guess is your password.

While knowing the username associated with an account isn’t going to add much value for a hacker if the user uses a strong password, it can still be beneficial to prevent username enumeration since the more obstacles you an make for a hacker, the less likely it is that they can actually infiltrate your site.

Here’s how you can prevent username enumeration by adding the following to your .htaccess file:

9. Require SSL

Use the code below to force the use of an SSL certificate unless the exact Fully Qualified Domain Name (FQDN) listed in line three is entered:

Just don’t forget to replace www.your-site.com on lines three and four with your actual domain name.

It’s also worth noting that you can check out our post How to Use SSL and HTTPS with WordPress for more details on how you can force the use of SSL for your site.

10.  Prevent Image Hot Linking

When a visitor grabs the URL of one of your images and loads it into their site instead of uploading the image to their server, they’re stealing your bandwidth. It’s also called hot linking.

To prevent this from happening, add this to your .htaccess file:

Don’t forget to replace your-site.com with your actual domain in line two and replace http://www.your-site.com/hotlink.gif in line three with the actual URL of the image you want to protect.

Wrapping Up

With these tips and rules you can help secure your WordPress site or network and block hackers every chance you get. Don’t forget, though, that these changes are just one step towards bolstering security on your site – there’s always more you can and should do.

Installing a security plugin such as Defender can vastly improve the security of your site. Plus, Defender is included in a WPMU DEV membership and you can even try Defender for free.

Have you edited your .htaccess file to increase your security? What are your favorite changes to your .htaccess file that you have made? What other tools do you prefer using to boost your site or network's security? Share your experience in the comments below.

Jenni McKinnon

Jenni McKinnon Jenni has spent over 15 years developing websites and almost as long for WordPress as a copywriter, copy editor, web developer, and course instructor. A self-described WordPress nerd, she enjoys watching The Simpsons and names her test sites after references from the show.