Secure WordPress with .htaccess


In WordPress, .htaccess is a configuration file used to control how the Apache web server handles requests. It is located in the root directory of the WordPress installation and is responsible for URL rewriting (“permalinks” and more), browser caching, and security.

When you first visit Settings - Permalinks, WordPress generates a basic .htaccess file that contains just a few standard rewrite rules. This allows WordPress to use “pretty” permalinks that make the URLs of your site’s pages and posts more human-readable and search engine-friendly.

However, you can also use the .htaccess file to add custom rules and directives to control other aspects of your website, such as security settings and caching. For example, you can use the file to restrict access to certain directories or files, block specific IP addresses or user agents, or set rules for browser caching.

It’s important to be careful when making changes to your .htaccess file, as even small mistakes can cause your website to become inaccessible or cause other issues. It’s always a good idea to make a backup of your .htaccess file before making any changes, and to test your website thoroughly after making any modifications.

Below are several things you can do with your .htaccess file to improve the security of your website.

They might look complicated, and they are best applied by people who are comfortable with systems administration.

WooCommerce shop administrators should consider using the Admin Tools extension, which provides some very useful .htaccess editing features in a clean user interface.

Block access to sensitive files:

You can prevent direct access to sensitive files such as configuration files, databases, and other important files by adding the following lines to your .htaccess file:

# Deny direct requests for the configuration file and for .htaccess itself.
# (A pattern that matches every .php file would also block index.php and take the site down.)
# On Apache 2.4 without mod_access_compat, replace the Order/Deny lines with "Require all denied".
<FilesMatch "^(wp-config\.php|\.htaccess)$">
Order Deny,Allow
Deny from all
</FilesMatch>

Restrict access by IP address:

You can restrict access to your website by allowing only certain IP addresses or IP ranges. This can help prevent unauthorized access to your website. Put the rules in the .htaccess of the directory you want to restrict: in the site root they lock every other visitor out of the whole site. You can use the following code to allow access only to specific IP addresses:

# Only the listed addresses may reach this directory; everyone else receives 403 Forbidden.
# 192.0.2.x is a reserved documentation range: replace these with your own addresses.
order deny,allow
deny from all
allow from 192.0.2.10
allow from 192.0.2.11

Disable directory browsing:

You should prevent directory browsing on your website by adding the following line to your .htaccess file:

Options -Indexes

Normally, your hosting provider should have that option set at the system level, for all sites.

Force HTTPS:

You can redirect all traffic to HTTPS to ensure that your website is accessed over a secure connection. You can use the following code to force HTTPS:

RewriteEngine On
# If the request did not arrive over TLS, send a permanent redirect to the same URL on https://
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Again, that is usually done by your hosting provider. Also, HTTPS requires a security certificate to be installed first, so do not just drop those lines into .htaccess: without a certificate the redirect sends every visitor to a URL that does not work. Better to talk to your hosting provider or webmaster.

Password protect directories:

You can password-protect directories on your website by adding the following code to your .htaccess file:

AuthType Basic
AuthName "Members-only Area"
# Absolute path to the .htpasswd file; keep it outside the web root so it cannot be downloaded
AuthUserFile /path/to/.htpasswd
Require valid-user

Note: This is an “old-ish” method of protection. These days it is mostly used on the development and staging versions of your site, where you want to give access to only a few people. You will need to create a .htpasswd file with a username and password entry for each user who needs access to the protected area.
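As an added example that is not part of the original article, the following Python script checks a .htaccess file for the protections listed above and for an unclosed container tag, the kind of small mistake that makes Apache answer every request with a 500 error. The sample file, the check labels and the regular expressions are this example's own assumptions, not anything WordPress or Apache provides.

```python
"""Audit a WordPress .htaccess for the protections discussed in this article."""
import re

# Constructed sample: the article's rules assembled into one file. The FilesMatch
# pattern names wp-config.php and .htaccess, the files worth hiding from clients.
SAMPLE_HARDENED = """\
<FilesMatch "^(wp-config\\.php|\\.htaccess)$">
Order Deny,Allow
Deny from all
</FilesMatch>
Options -Indexes
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
"""
# Same file with the closing tag forgotten: Apache then returns 500 for every
# request under this directory, the "small mistake" the article warns about.
SAMPLE_BROKEN = SAMPLE_HARDENED.replace("</FilesMatch>\n", "")

# Label -> regex (case-insensitive, multiline) expected to match a hardened file.
# These patterns are assumptions of this example, not a WordPress or Apache API.
CHECKS = {
    "directory_listing_disabled": r"^\s*Options\b[^\n]*-Indexes",
    "wp_config_protected": r"<Files(?:Match)?[^>]*wp-config\\?\.php[^>]*>",
    "https_redirect": r"^\s*RewriteCond\s+%\{HTTPS\}\s+(?:!=?on|off)\b",
    "ip_allowlist": r"^\s*allow\s+from\s+\d",
    "basic_auth": r"^\s*AuthType\s+Basic\b",
}

def _active(text: str) -> str:
    """Drop comment lines so a commented-out rule does not count as present."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))

def unmatched_containers(text: str) -> list:
    """Report <Container> blocks left open, or closed without being opened."""
    stack, problems = [], []
    for closing, name in re.findall(r"<(/?)([A-Za-z]+)[^>]*>", _active(text)):
        if not closing:
            stack.append(name)
        elif stack and stack[-1].lower() == name.lower():
            stack.pop()
        else:
            problems.append(f"stray </{name}>")
    problems.extend(f"unclosed <{name}>" for name in stack)
    return problems

def audit_htaccess(text: str) -> dict:
    """Map each protection to whether it is present among the uncommented lines."""
    body = _active(text)
    return {label: bool(re.search(p, body, re.I | re.M)) for label, p in CHECKS.items()}
```

Run `unmatched_containers()` on a freshly edited file before uploading it; a non-empty result means the site would go down with a 500 error.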

These are just a few examples of things you can do to secure your website using .htaccess. It’s important to regularly review your website’s security measures and make any necessary updates to ensure that your website is protected against common threats.