Hardening WordPress with htaccess: Strong Blog Protection

In WordPress by Fathi Arfaoui0 CommentsLast Updated: September 29th, 2017

To secure your WordPress blog, you don’t have to search thousands of things. All you have to do is to ask yourself how people can get access to your blog from an external source. There, you will find the easiest ways to access your blog from the “uploads” file and the PHP folders and files.

In this post, I’ll show you how to harden WordPress with htaccess. You will stop external access to your directories and files, in general.

As I said, the “uploads” file can cause problems and easily allow people to browse and see your plugins and files. That way, they get your “protection secrets”, if someone knows what plugins you’re using, then, it’s easy for him to build a simple strategy to bypass all the protection.

Your goal is to disable and restricts all access to the directories. These directories include PHP executable files that you should protect.

Make WordPress site secure using htaccess

Hardening WordPress with htaccess

To stop access to all the PHP files, you have to create a blank file named ”.htaccess” in the text editor and paste the below code inside it.

<Files *.php>
deny from all
</Files>

The file will include only the above code lines and be like this:  htaccess blank file The next step is to upload that file to your ”uploads” folder located at “wp-content” and upload it again in ”wp-includes” folder. You don’t have to worry where to upload the file exactly, just upload it in the folder anywhere you want. Protect wordpress files     upload htaccess file in wordpress includes

You can also create the .htaccess directly in the folder itself using the file manager. Just click ”New File” and paste the code inside it, then, save for both ”wp-includes” and ”wp-content/uploads” folders.

Related Content:  Unable to Locate WordPress Content Directory (wp-content) Problem Fix

hardening wordpress with htaccess

Now, with this easy htaccess WordPress security, your PHP files are protected from not allowed access and executions. But, keep in mind that this is just a protection and can’t guarantee at 100% that your blog won’t be hacked.

As any other technology in the world, things are limited. And, even, the most powerful security company in the world can’t guarantee the protection. However, this simple protection will stronger the security level of your blog.

Protect the wp-config file

The WordPress configuration file is one of the most important PHP files to protect. wp-config.php you will protect your blog from many expected dangerous and executions. You should first make access to that file as hard as possible, to do that, you need to add the below code in the wp-config.php file:


order allow,deny
deny from all

protect the wp config file

The above methods will protect the PHP files and the directories, in general, but if your blog files are open to the public for browsing. Anyone can see your files exactly as they are when he browse the web. The last thing that you want for your blog or website is the next screenshot: Disable Directory Browsing in WordPress

As you can see, all your files and plugins can be opened with a few clicks. So, you need to disable directory browsing and no one can see your files from web browsers. All you have to do is to add this next line of code in the parent .htaccess file located in the root directory.

Options -Indexes

You have two options to do that, the first one is downloading the ”.htaccess” to your desktop, paste the line of code at the bottom. Then, upload the file.

Related Content:  Can't Access WordPress Admin After Changing URL? Here is the Fix

The second way, which is easier is adding the code directly in the file. Just use the file manager in your cPanel.

Now, you’ve all the things for hardening WordPress with htaccess and you know how to protect your directory files from people who try to browse them. These methods will protect your blog if you take care of it and secure the WordPress login page with a strong password. Make sure also, to change the default WordPress username and the most important thing is to never share your login details.

About Fathi Arfaoui

Fathi Arfaoui: Blogger, and the founder and owner of Trustiko.com. He shares Business, Blogging, WordPress, Web Safety, and Blogging tips to build better websites and blogs. Also, he shares online marketing strategies and recommendations.

Leave a Comment