Secure WordPress with .htaccess file

Securing WordPress involves many many techniques, tricks. I don’t want to go too far on this topic, here let me share with you some useful code snippets that you can throw into .htaccess file without thinking. These code snippets will greatly enhance the security level of your WordPress blog/website, keeping 90% hackers outside of your site!

This tutorial applies to Apache, Lightspeed servers only.

Before we start , make sure you have this tiny, yet powerful file name .htaccess on your site root folder.

Note: if your WordPress installation is not on site root folder, don’t take .htaccess file with WordPress, this file must be kept on website root folder, it could, theoretically, be reached with this url :   (due to security reasons, it could be reached using this way, but it’s there, right under the root folder ! )

htacess file

Let begin. Open the file with Text Editor, like Notepad++. DO NOT use Windows Notepad, it’s stupid, will cause many problems.  Insert the following snippets into .htaccess file.

1. Disable directory browsing

# Disable directory browsing
 Options All -Indexes

2. Hide Server Signature

#Hide Server Signature
 ServerSignature Off

3. (Advanced, Optional) Restrict wp-login.php access by IP addresses

#Restrict wp-login.php access
<Files wp-login.php>
    Order Deny,Allow
    Deny from All

    #IP Whitelist, one per line
    allow from IP1
    allow from IP2
    allow from IP3

Note: IP could be full or partial, you can restrict access by a fix IP address like , only the very computer with this IP could login your site now, yeah, you might have notices, it’s Google public DNS address.

If you want computers within that area to have access to your login file,   use  8.8.8.    or even 8.8.   Thus, a lot more people within the IP range could reach wp-login.php file, this is useful when you want all your company staff to have access to your wp-login.php file.  As we know, a company usually has lots of computers within same IP range.

4. (Advanced) Forbid Access to important files

Try going to  you will see  your WordPress installation version, lol,hackers will know that, and find security holes of that version.  So you need to delete it manually, each time you upgrade WordPress ,that file will reappear,  stupid to do it manually.

Don’t bother yourself doing repetitive work, use the following code snippet, it will block access to readme.html file, and many more similar important files, like:  error_log, change log, license, htaccess file.

#Forbid Access to the following files
<FilesMatch "(error_log|[rR]eadme|[cC]hangelog|[lL]icense|config|\.[hH][tT][aApP].*)">
   Order allow,deny
   Deny from all
   Satisfy All

—– This is why the following url returns 403:

403 Access to this resource on the server is denied

Above are necessary techniques you need to know, without causing chaos.

If you want more exciting, yet potentially risky techiniques, go to  Use at your own risk 🙂

This entry was posted in WordPress. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *