Securing The .htaccess File

Before I begin with anything, I need to tell you that the .htaccess file in WordPress is the equivalent of the Ring in the Lord Of The Rings Trilogy Movies.

The .htaccess file has the power to create or destroy everything. You must secure it

In Order to Access the .htaccess file you will need an FTP client to FTP or SFTP into your hosting provider to access the server files.

Please Note, once you FTP or SFTP into your hosting providers server. There are several .htaccess files. The one we need to secure will be the first .htaccess file displayed as show in the image below. Since my domain is you will not have the same folder. In your case it will be inside the folder that contains your domain name. For example if your Domain name is you will find a folder. On

Once you access the .htaccess file, it will look like what us is shown in the image below. For todays exercise in securing the .htaccess file.

You Will add the new code after the line that states # END WORDPRESS

1. Disabling Directory Browsing

This is one of the most frequently exploited security vulnerabilities in a WordPress site. The Apache web server by default permits directory browsing. This means that all files and folders included within the web server’s root directory (sometimes referred to as the home directory) are searchable and available to visitors. That is something you do not want because you do not want anybody accessing your media uploads or theme or plugin files.

To disable directory browsing insert the below code into the .htaccess file.

# directory browsing

Options All -Indexes

2. Individual File Protection

Certain files may require individual protection rather than blocking a whole folder or selection. The example snippet demonstrates how to restrict unauthorized access to the .htaccess file by throwing a error if it is accessed. The filename can be adjusted to match the name of the file that you desire to protect. So for example if you want to protect a file name called “Private” you would change the second line to be <files .Private=””>

To protect the .htaccess file insert the following code in the .htaccess file.

# Protect the .htaccess

<files .htaccess=””>

 order allow,deny

 deny from all


3. Protect .htaccess

To disable access to all htaccess files (keep in mind that some may be located in the wp-admin and other folders).

In your .htaccess file, add the following code to Protect the .htaccess file

# Deny access to all .htaccess files

<files ~ “^.*.([Hh][Tt][Aa])”>

order allow,deny

deny from all

satisfy all



4.Protect wp-config.php file

The wp-config.php file holds your WordPress site’s most critical access credentials. It includes the database’s name and access credentials, as well as a variety of other crucial data and settings. Under no circumstances do you wish for others to examine this file.

In your .htaccess file add the following code to prevent any access to the wp-config.php file:

# Deny access to wp-config.php file

<files wp-config.php>

order allow,deny

deny from all


5. Allow Only Selected Files from wp-content

The wp-content folder houses the majority of your themes, plugins, and media uploads. You certainly do not want it to be freely accessible. Along with prohibiting directory browsing, you can also deny access to all file kinds, with the exception of a few. In essence, you can unblock files such as JPG, PDF, DOCX, CSS, and JS while denying access to the rest.

 To Protect the wp-content folder, you must create a new.htaccess file and paste the code into the wp-content directory. This should not be placed in the base installation directory – or else, it will not work.

Additionally, you can add any file type to the list by inserting a ‘|’ to the end of ‘rar’. The above list includes the necessary files – XML, CSS, and JavaScript – as well as the most often used image and document types.

To accomplish this, create a new .htaccess file and enter the code below in it. You will then place this new .htaccess file in the wp-content folder.

# Disable access to all file types except the following

Order deny,allow

Deny from all

<Files ~ “.(xml|css|js|jpe?g|png|gif|pdf|docx|rtf|odf|zip|rar|webp)$”>

Allow from all