How to Edit .htaccess for WordPress Security?


Short for “Hypertext Access”, the .htaccess file in your WordPress install can be used to facilitate good-looking permalinks, add 301 redirects, and include rules to block unauthorized visitors. Importantly, it is a very powerful functionality that can be helpful in protecting your site from hackers, spammers, and other threats.

In this article, we will guide you through the process of manipulating your .htaccess file to boost your WordPress security.

Create an .htaccess File

Based on your WordPress install, you may need to create an .htaccess file before you can do any changes to it. Good thing is that you can easily create a custom one in your Plesk control panel within a minute. Just:

Log into your Plesk > File Manager, and create a file called .htaccess!

Backup the .htaccess File

It is advisable that you download a copy of your .htaccess file on your local computer before you make any changes to it. To have a copy of your .htaccess file, you can go to Websites & Domains > File Manager after logging into your Plesk control panel.

Select the .htaccess file in your root directory, open up the dropdown list like below image shows and click on Download. That’s it!

Now, Start Editing Your .htaccess File

The easiest and quickest way to edit your .htaccess file is using your Plesk control panel. Importantly, after you save an edit to your file and refresh your WordPress site, you are able to know whether the edits break your site or not. You can continue making edits if you find everything running smoothly as they should. Otherwise, you can still restore the file immediately and try it again.

1.    Protect Important Files

The most recommended edit you can do to your .htaccess file to improve your site security is using the error logs, php.ini and wp-config.php files to protect important files from being accessed by unauthorized users.

When you make the above change and fail to find the php.ini file, it may come in the name of php5.ini instead. You should replace them in the above rule.

2.    Restrict Access to the Admin

Some hackers like attacking a WordPress site by accessing the log in page or the admin dashboard externally. To stop that, you should manually give access to people to the pages. If you’re using a static IP address, add the following rules to restrict access to the login page as well as the admin dashboard.

Make sure that you have replaced /path-to-your-site/ instances in the first two lines with the real path of your WordPress site. Then the unauthorized IP addresses then will be redirected to your 404 error page. Besides, the redirect loops are resolved and your site won’t look like it’s down.

Secondly, enter your actual IP addresses instead of leaving the IP Address One, IP Address Two, and IP Address Threee there. If you just need to add one address, delete the nine and ten lines.

If you running a multisite network and you or your users have a dynamic IP address, you can use below rules to restrict access to log in your network:

As well, remember switching /path-to-your-site/ to real path to your WordPress site and replacing with your actual domain name.

3.    Prevent Directory Browsing

Because of the set file structure of WordPress, it is possible for visitors to see the directories of your site, by entering in your domain and a directory into their browser’s address bar. It makes it easier for backers to hack into some important files in your WordPress site when they are allowed to see a list of your folder and files.

So, to prevent directory browsing, you’d better edit your .htaccess file in this way:

4.    Restrict Access to PHP Files

It can be a big mistake to provide direct access to your PHP files since hackers can use the files to inject malicious code to get your WordPress site infected. To raise the security level of your PHP files, you can make use of the following rules to stop unauthorized users directly accessing to the PHP files of your plugins and theme.

5.    Restrict PHP File Execution

Preventing unauthorized execution of PHP files is helpful, especially when a hacker breaks into your site. This can stop them uploading their own PHP files that include malicious code and having it actually work. In other words, you’re preventing backdoor exploits from actually working.

Since most hackers tend to upload backdoors to the /wp-content/uploads/ folder, what you should do in this part is adding the below code to the uploads folder:

6.    Protect Your Site Against Script Injections

It is also possible that hackers inject malicious code by changing the variables of WordPress GLOBALS as well as _REQUEST. To protect your WordPress site from scripts injection and unwanted modification of GLOBALS and/or _REQUEST, you can simply paste the following lines into your .htaccess file:

7.    Restrict Access to wp-includes Directory

Many of your important files are saved under the wp-includes directory. If you want to protect all these important files from attacked by hackers, the most effective way is blocking all unauthorized access to your wp-includes directory:

8.    Prevent Username Enumeration

A visitor can get access to the author’s page by entering his/her address bar. It is risky because the author’s page includes a user ID of one as well as the user’s actual username. In other words, if the hackers have a post associated with its account, they can easily get all the usernames of all the users of your WordPress site. Then they just need to guess your password.

In order to prevent username enumeration, you can add the following lines to your .htaccess file:

If you and your users are using strong password, the hackers are less likely to actually infiltrate your WordPress site.

9.    Use an SSL Certificate

Take advantage of the below code to force the use of an SSL certificate:

Remember replacing on three and four lines with your actual domain name.

It’s also worth noting that you can check out our post How to Secure Your Website Using an SSL Certificate for more details on how you can force the use of SSL for your WordPress site.

10.  Keep from Image Hot Linking

Hot linking refers to the situation in which your visitor steals your bandwidth by grab the URL of your image and directly loads it to their WordPress site. However, they should have uploaded the image to their server.

If you don’t want it happen, you can add this to your .htaccess file:

As mentioned above, don’t forget using your actual domain in the place of, and use the actual URL of the image in the place of


We have learnt some useful tips and rules to strengthen your WordPress site or network. If you strictly follow the mentioned edits to your .htaccess file, hackers won’t have any chance to break your site. However, these changes are just one of the many steps towards strengthening security on your site, you can do many more than that.

For example, you can install a security plugin or migrate to a secure WordPress hosting plan to vastly improve the security of your WordPress site. More details are available in How to Secure Your WordPress Site?