15 Useful .htaccess Snippets for Your WordPress Site

Having a well-configured .htaccess file is crucial if you want to increase security and reduce vulnerabilities on your WordPress site. Usually, the main goal of creating a custom .htaccess file is to prevent your site from being hacked but it’s also an excellent way to handle redirects and manage cache-related tasks.

.htaccess is a configuration file used on Apache web servers. Most WordPress sites run on an Apache server, although a small portion is powered by Nginx. In this article, you can find a collection of .htaccess code snippets, most of which you can use to secure your website while the rest implements other useful features.

Don’t forget to back up the .htaccess file before you edit it so that you can always return to the previous version if something goes wrong.

And, if you’re someone who rather not touch configuration files I recommend you the BulletProof Security plugin which is the most reliable (and probably the oldest) free .htaccess security plugin on the market.

Create the default WP .htaccess

.htaccess works on a per-directory basis which means that each directory can have its own .htaccess file. It can easily happen that your WordPress site doesn’t have a .htaccess file yet. If you don’t find a .htaccess file in your root directory create an empty text file and name it to .htaccess.

Below, you can find the default .htaccess WordPress uses. Whenever you need this code you can quickly look it up in the WordPress Codex. Note that there is a different .htaccess for WP Multisite.

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

The lines beginning with # are comments. Don’t edit anything between the lines # BEGIN WordPress and # END WordPress. Add your custom .htaccess rules below these default rules.

All code snippets you can find in this article go to the core .htaccess file found in your root directory.

1. Deny access to all .htaccess files

The code below denies access to all .htaccess files you have installed in your WordPress. This way you can prevent people from seeing your web server configurations.

# Denies access to all .htaccess files
<Files ~ "^.*\.([Hh][Tt][Aa])">
Order Allow,Deny
Deny from all
Satisfy all

2. Protect your WP configuration

The wp-config.php file contains all your WP configurations, including your database login and password. You can either deny it from everyone or give permission to admins to access it.

If you choose the latter comment out the # Allow from xx.xx.xx.xxx line (remove # from the beginning of the line) and insert the admin’s IP address in place of xx.xx.xx.xxx.

# Protects wp-config
<Files wp-config.php>
Order Allow,Deny
# Allow from xx.xx.xx.xxx
# Allow from yy.yy.yy.yyy
Deny from all

3. Prevent XML-RPC DDoS attack

WordPress supports XML-RPC by default, which is an interface that makes remote publishing possible. However, while it’s a great feature, it’s also one of WP’s biggest security vulnerability as hackers may exploit it for DDoS attacks.

If you don’t want to use this feature it’s better to just disable it. Just like before, you can add exceptions by commenting out the # Allow from xx.xx.xx.xxx line and adding the IPs of your admin(s).

# Protects XML-RPC, prevents DDoS attack
<FilesMatch "^(xmlrpc\.php)">
Order Deny,Allow
# Allow from xx.xx.xx.xxx
# Allow from yy.yy.yy.yyy
Deny from all

4. Protect your admin area

It’s also a good idea to protect the admin area by giving access only to administrators. Here, don’t forget to add at least one “Allow” exception otherwise you won’t be able to access your admin at all.

# Protects admin area by IP
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xxx
Allow from yy.yy.yy.yyy

5. Prevent directory listing

Most WordPress sites don’t disable directory listing, which means anyone can browse their folders and files, including media uploads and plugin files. It’s needless to say that this is a huge security vulnerability.

Below, you can see how a typical WordPress directory listing looks like.

Luckily, you just need one line of code to block this feature. This code snippet will return a 403 error message to anyone who wants to access your directories.

# Prevents directory listing
Options -Indexes

6. Prevent username enumeration

If WP permalinks are enabled, it’s quite easy to enumerate usernames using the author archives. The revealed usernames (including the admin’s username) then can be used in brute force attacks.

Insert the code below into your .htaccess file to prevent username enumeration.

# Prevents username  enumeration
RewriteCond %{QUERY_STRING} author=d
RewriteRule ^ /? [L,R=301]



Leave a Reply

Your email address will not be published. Required fields are marked *