Hardening WordPress with htaccess for a Blog Protection

To secure your WordPress blog, you don’t have to search for thousands of things. All you have to do is to ask yourself how people can get access to your blog from an external source.

There, you will find the easiest ways to access your blog from the “uploads” file and the PHP folders and files.

In this post, I’ll show you how to harden WordPress with htaccess. You will stop external access to your directories and files, in general.

As I said, the “uploads” file can cause problems and easily allow people to browse and see your plugins and files. That way, they get your “protection secrets”, if someone knows what plugins you’re using, then, it’s easy for him to build a simple strategy to bypass all the protection.

Your goal is to disable and restricts all access to the directories. These directories include PHP executable files that you should protect.

Make WordPress site secure using htaccess


To stop access to all the PHP files, you have to create a blank file named ”.htaccess” in the text editor and paste the below code inside it.

<Files *.php>
deny from all

The file will include only the above code lines and be like this:  htaccess blank file The next step is to upload that file to your ”uploads” folder located at “wp-content” and upload it again in the ”wp-includes” folder. You don’t have to worry about where to upload the file exactly, just upload it in the folder anywhere you want. Protect wordpress files     upload htaccess file in wordpress includes

You can also create the .htaccess directly in the folder itself using the file manager. Just click ”New File” and paste the code inside it, then, save for both ”wp-includes” and ”wp-content/uploads” folders.

hardening wordpress with htaccess

Now, with this easy htaccess WordPress security, your PHP files are protected from not allowed access and executions. But, keep in mind that this is just a protection and can’t guarantee at 100% that your blog won’t be hacked.

As with any other technology in the world, things are limited. And, even, the most powerful security company in the world can’t guarantee the protection. However, this simple protection will stronger the security level of your blog.

Protect the wp-config file

The WordPress configuration file is one of the most important PHP files to protect. wp-config.php you will protect your blog from many expected dangers and executions.

Related:  Leverage Browser Caching of Static Assets in WordPress Using Htaccess

You should first make access to that file as hard as possible, to do that, you need to add the below code in the wp-config.php file:

order allow,deny
deny from all

protect the wp config file

The above methods will protect the PHP files and the directories, in general, but if your blog files are open to the public for browsing.

Anyone can see your files exactly as they are when he browse the web. The last thing that you want for your blog or website is the next screenshot: Disable Directory Browsing in WordPress

As you can see, all your files and plugins can be opened with a few clicks. So, you need to disable directory browsing and no one can see your files from web browsers. All you have to do is to add this next line of code in the parent .htaccess file located in the root directory.

Options -Indexes

You have two options to do that, the first one is downloading the ”.htaccess” to your desktop, paste the line of code at the bottom. Then, upload the file.

The second way, which is easier is adding the code directly to the file. Just use the file manager in your cPanel.

Now, you’ve all the things for hardening WordPress with htaccess and you know how to protect your directory files from people who try to browse them.

These methods will protect your blog if you take care of it and secure the WordPress login page with a strong password. Make sure also, to change the default WordPress username and the most important thing is to never share your login details.

Avatar for Fathi Arfaoui
About Fathi Arfaoui

Fathi Arfaoui is a Physicist, Blogger and the founder of Trustiko.com. He shares Business, WordPress and Blogging tips to build a better blog and succeed online.

Disclosure: The recommendations on this page are my own based on my tests and analysis. We may earn a small commission from web hosts and other partners if you use my referral link to make a purchase. That’s what helps us to maintain the site and add fresh content, Thanks for your support.

Leave a Comment