The .htaccess file is a configuration file that lets you control how the web server handles the files and folders in the directory it sits in and in all of its sub-directories. The filename .htaccess stands for hypertext access; the file is read by the Apache web server and by servers that are compatible with it.
Many WordPress users make use of .htaccess file when they customize their website’s permalink settings. However, you can do so much more. The .htaccess file is a powerful configuration file that allows you to enhance your site’s security and performance. In this article, we will show you 9 most powerful .htaccess tricks for WordPress that you can try on your site right away.
Before you make any change, back up your current .htaccess file: connect to your website using an FTP client, download the .htaccess file to your computer and keep a copy in a cloud storage service like Dropbox. That way, if something goes wrong, you can simply upload the backup file again.
If you are not able to access the .htaccess file, then make sure your FTP client is set to show hidden files. If you do not have a .htaccess file in your website’s root folder, then you have to create one. Simply create a blank text file and save it as .htaccess. Make sure to name the file as .htaccess and not htaccess. Lastly, you need to upload the file to your website’s root folder.
1. Secure Your WordPress Admin Area
The wp-admin folder contains the files required to run the WordPress dashboard. In most cases, your users don’t need access to the WordPress dashboard, unless they want to register an account. A powerful security measure is to enable only a few selected IP addresses to access the wp-admin folder. You can use .htaccess to secure your WordPress admin area by limiting the access to selected IP addresses only. Simply copy and paste the following code into your .htaccess file:
# Limit logins and admin by IP
# Save this block as wp-admin/.htaccess; in the site root it would lock every visitor out of the whole site.
# Apache 2.2 access syntax (Apache 2.4 needs mod_access_compat for it); the Order keywords are comma-separated with no space.
# <Limit> restricts only the listed methods (GET also covers HEAD); any other method is left unrestricted.
<Limit GET POST PUT>
Order deny,allow
Deny from all
Allow from x.xx.xx.xx
Allow from IP_ADDRESS_2
</Limit>
Replace x.xx.xx.xx with your own IP address. If you use more than one IP address to access the internet, add each of them on its own Allow line (IP_ADDRESS_2 is the placeholder for the second one).
2. Protect Your WordPress Configuration File wp-config.php from Everyone
Probably the most sensitive file in your WordPress website’s root directory is wp-config.php, which contains the database name, the credentials used to connect to it and various other critical settings. Of course, you also want to block public access to the file that controls all of these rules, the .htaccess file itself (see trick 7 below). To protect your wp-config.php file from unauthorized access, simply add this code to your .htaccess file:
# Deny access to the wp-config.php file
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>
3. Deny Image Hotlinking in WordPress Using .htaccess
When someone embeds your site’s images on their own pages (hotlinking), every view is served from your server, so they use your bandwidth and most of the time you are not even credited for it. Normally this is not a concern for most users. But if you run a popular site with a lot of images and photos, hotlinking can become a major issue. You can stop image hotlinking by adding the following code to your .htaccess file:
# Disable hotlinking of images in WordPress
RewriteEngine on
# Requests without a Referer header (direct visits, browsers that strip it) are allowed through
RewriteCond %{HTTP_REFERER} !^$
# Requests coming from your own domains are allowed; the dots are escaped so "." is not a wildcard
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?website\.com [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?otherwebsite\.com [NC]
# Any other referrer gets 403 Forbidden for image files ("-" means no substitution, F forbids, L stops rewriting)
# The Referer header is supplied by the client, so this deters casual hotlinking rather than preventing it
RewriteRule \.(jpg|jpeg|png|gif)$ - [F,NC,L]
4. Disable Directory Browsing in WordPress
By default, the Apache web server enables directory browsing. That means every folder without an index file shows a listing of all the files and folders inside it to any visitor. With directory browsing enabled, hackers can explore your site’s directory and file structure to find a vulnerable file.
To disable directory browsing in WordPress using .htaccess all you need to do is add this single line in your .htaccess file:
# Disable directory browsing in WordPress
# Use the "-" form on its own: Apache rejects a line that mixes "All" with +/- keywords
Options -Indexes
5. Allow Only Selected Files from wp-content
As you know, the wp-content folder contains all your themes, plugins and media uploads. You definitely don’t want people to access it without restrictions. In addition to denying directory browsing, you can also block access to all file types except a few. On this basis, you can selectively unblock files like JPG, DOCX, PDF, CSS, JS, etc. and deny the rest. To do this, paste the following code into your .htaccess file:
# Disable access to all file types except the following
# Save this as wp-content/.htaccess; in the site root it would also block index.php and every other PHP file
# Add any other extensions your theme serves directly (for example woff or svg), otherwise they return 403
Order deny,allow
Deny from all
<FilesMatch "\.(xml|css|js|jpe?g|png|pdf|gif|docx|rtf|odf|zip|rar)$">
Allow from all
</FilesMatch>
6. Disable PHP Execution in Some WordPress Directories
Hacked WordPress sites often contain backdoor files. These backdoor files are frequently disguised as core WordPress files and are placed in the /wp-includes/ or /wp-content/uploads/ folders. A simple way to increase your WordPress security is to deny PHP execution in those directories. To do this, paste the following code into a blank .htaccess file in each directory you want to protect:
# Deny PHP execution for all files in this directory
# Save as /wp-content/uploads/.htaccess (or /wp-includes/.htaccess); a request for any .php file here gets 403
<Files *.php>
Order allow,deny
Deny from all
</Files>
7. Protect .htaccess From Unauthorized Access
As you have seen, there are a lot of things that can be done using a .htaccess file. Because of the power and control it has over your web server, it is necessary that you also protect it from unauthorized access by hackers. To do this, paste the following code into a blank .htaccess file:
# Protect .htaccess From Unauthorized Access
# Matches any filename containing ".hta" (case-insensitive), so .htaccess itself is never served over HTTP
<Files ~ "^.*\.([Hh][Tt][Aa])">
Order allow,deny
Deny from all
Satisfy All
</Files>
You can still edit the file yourself using FTP or the file manager of your hosting control panel; the rule only blocks requests made over HTTP.
Final Words:
Today we’ve learned some of the coolest .htaccess hacks to secure your WordPress site. We suggest you try out each module one by one, creating a backup of the .htaccess file before and after checking each module. This is because the .htaccess file is very sensitive: a missing ‘#’ character or a misplaced ‘</IfModule>’ could take your whole site down with a server error.
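As an added example (not code from the original article), here is a small Python linter that checks a .htaccess fragment for exactly the copy-paste mistakes discussed above: whitespace inside the arguments of Order, curly quotes picked up from a web page, an Options line that mixes "All" with "-Indexes", a RewriteRule without a substitution, and unmatched section tags such as a stray </IfModule>. The SAMPLE fragment is constructed for the demonstration; the checks cover only these five mistakes, not the full Apache grammar.

```python
import re

# Constructed .htaccess fragment containing the mistakes this article warns about.
# Each of them either makes Apache answer 500 Internal Server Error or silently
# does the wrong thing (the RewriteRule would treat "[NC,R,L]" as its target).
SAMPLE = r"""<Files wp-config.php>
order allow, deny
deny from all
</Files>
Options All -Indexes
<Files ~ “^.*\.([Hh][Tt][Aa])”>
deny from all
</Files>
RewriteRule \.(jpg|jpeg|png|gif)$ [NC,R,L]
</IfModule>
"""

OPEN_TAG = re.compile(r"^<(\w+)\b[^>]*>$")    # e.g. <Files ...>, <IfModule ...>
CLOSE_TAG = re.compile(r"^</(\w+)>$")         # e.g. </Files>


def lint_htaccess(text):
    """Return [(line_number, message), ...] for common .htaccess mistakes."""
    problems, open_sections = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if any(ch in line for ch in "“”‘’"):
            problems.append((n, "curly quotes: Apache only understands straight ASCII quotes"))
        if m := OPEN_TAG.match(line):
            open_sections.append((m.group(1).lower(), n))
            continue
        if m := CLOSE_TAG.match(line):
            if open_sections and open_sections[-1][0] == m.group(1).lower():
                open_sections.pop()
            else:
                problems.append((n, f"{line} closes a section that was never opened"))
            continue
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]
        if directive == "order" and not (len(args) == 1 and re.fullmatch(r"allow,deny|deny,allow|mutual-failure", args[0], re.I)):
            problems.append((n, "Order: separate the keywords with a comma and no whitespace"))
        elif directive == "options" and 0 < sum(a[0] in "+-" for a in args) < len(args):
            problems.append((n, "Options: do not mix +/- keywords with bare ones"))
        elif directive == "rewriterule" and (len(args) < 2 or (len(args) == 2 and args[1].startswith("["))):
            problems.append((n, "RewriteRule: missing substitution (use '-' for none)"))
    for name, n in open_sections:
        problems.append((n, f"<{name}> is never closed"))
    return problems
```

Run it over a fragment before uploading it; an empty list means none of the five checked mistakes is present.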
We hope this article helped you learn some of the most powerful .htaccess tricks for WordPress. As you can see, it is a versatile configuration file that can be used for a lot of things.