.htaccess (Hypertext Access) files are configuration files used to give instructions to the web server about how it should operate.
On all our dedicated servers we choose to use the NGINX web server. However, on managed hosting plans that include a hosting panel, such as shared hosting and semi-dedicated hosting, Apache web server runs alongside NGINX with the LiteSpeed PHP API module, which makes the use of .htaccess files possible for your convenience.
Below we focus on strengthening security and present important rules you can add to your .htaccess file specifically to enhance the security of your WordPress website.
Protecting Critical Files
Certain files in WordPress contain critical information and should not be publicly accessible over the internet.
The wp-config.php File
One such file is wp-config.php, which contains, among other things, the database connection credentials. Adding the following block to the .htaccess file makes the web server refuse every HTTP request for wp-config.php; WordPress itself still reads the file from disk, so the site keeps working. The block uses the Apache 2.2 access-control directives (Order/Deny/Allow), which Apache 2.4 accepts only while mod_access_compat is loaded; on a 2.4 server without that module the equivalent is "Require all denied". The same applies to the other Order/Deny blocks on this page.
<Files wp-config.php>
# Apache 2.2 syntax (needs mod_access_compat on Apache 2.4, otherwise use: Require all denied)
Order allow,deny
Deny from all
</Files>
Hidden Files
Files and directories whose name begins with a dot should not be reachable over the internet either: .htaccess itself, .git (which can expose the full source history), .user.ini, .env and others. The following block returns 403 Forbidden for any request whose path contains a component starting with a dot. One directory of that kind must stay reachable, however: /.well-known/ is used for Let's Encrypt HTTP-01 certificate validation and for files such as security.txt, so the rule below exempts it.
<IfModule mod_rewrite.c>
RewriteEngine On
# Keep /.well-known/ reachable (ACME HTTP-01 validation, security.txt)
RewriteCond %{REQUEST_URI} !^/\.well-known/
# 403 for any path component that begins with a dot (.git, .env, .user.ini, ...)
RewriteRule (^|/)\. - [F]
</IfModule>
Other Sensitive Files
Beyond wp-config.php, the following block denies requests for a further set of files: readme.html and license.txt (which disclose the WordPress version), wp-config-sample.php, xmlrpc.php, the Composer and npm manifests and lock files that some themes and plugins ship, and .env files. The list overlaps with the wp-config.php and xmlrpc.php blocks elsewhere on this page; that duplication is harmless.
<FilesMatch "^(readme\.html|license\.txt|wp-config\.php|wp-config-sample\.php|xmlrpc\.php|\.env|composer\.json|composer\.lock|package\.json|package-lock\.json)$">
Order allow,deny
Deny from all
</FilesMatch>
Protecting the wp-includes Folder
The wp-includes folder contains core WordPress files such as libraries, functions, and classes that WordPress includes internally. None of its PHP files needs to be requested directly by a browser, so direct requests for them can be refused. One way to do this, taken from the WordPress hardening guidance, is as follows:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Include-only helpers under wp-admin/includes/ are never requested directly
RewriteRule ^wp-admin/includes/ - [F,L]
# If the request is not for wp-includes/, skip the next three rules
RewriteRule !^wp-includes/ - [S=3]
# Block direct requests for PHP files in the top level of wp-includes/
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
Note: These rules do not affect normal operation. WordPress loads the PHP files in wp-includes from disk rather than over HTTP, and the static assets stored there (.js, .css, images) are not matched by the rules. Three caveats: RewriteBase / assumes WordPress is installed in the document root (use the sub-directory path otherwise); the block belongs outside the # BEGIN WordPress / # END WordPress section, because WordPress rewrites that section and would discard anything inside it; and on a Multisite network that still serves uploads through wp-includes/ms-files.php, the rule for ^wp-includes/[^/]+\.php$ would break media delivery, so omit that line there.
Restricting Access to the WordPress Backend
If you connect from a static IP address, an effective WordPress security rule is to restrict access to the backend login page, wp-login.php, to that address alone.
Requests from any other address receive a 403 Forbidden response directly from the web server, so an attacker never reaches the login form and WordPress does not even have to process the attempt. Unauthenticated requests to wp-admin/ are redirected to wp-login.php, so this block covers the normal login path. Replace the placeholder 1.2.3.4 with your own address; several addresses or a CIDR range (for example 203.0.113.0/24) can be listed on additional Allow lines. Two things to keep in mind: if the server sits behind a reverse proxy or CDN, Apache must be configured to see the real client address (for example with mod_remoteip), otherwise the rule compares against the proxy's address; and if your address changes you will lock yourself out until you edit the file over FTP or the hosting panel.
<Files wp-login.php>
# Deny everyone, then allow only the listed addresses (1.2.3.4 is a placeholder)
Order deny,allow
Deny from all
Allow from 1.2.3.4
</Files>
Protection Against SQL Injection & XSS
SQL Injection and XSS (Cross-Site Scripting) are among the most common attacks against web applications. The following block inspects the query string of every request and returns 403 Forbidden when one of three crude patterns appears: a literal <script ...> tag (encoded or not, in any letter case), or an attempt to set PHP's GLOBALS or _REQUEST superglobals through the query string. Be clear about what this does and does not do: it catches only the most obvious probes, it matches no SQL injection syntax at all, it looks at the query string only (not POST bodies, headers or cookies), and it can reject legitimate requests that happen to contain those strings. Treat it as a tripwire for noisy scanners, not as protection.
<IfModule mod_rewrite.c>
RewriteEngine On
# A <script ...> tag, plain or percent-encoded, anywhere in the query string; [NC] makes it case-insensitive
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Attempts to set PHP's GLOBALS or _REQUEST superglobals via the query string (case-sensitive, like PHP)
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ - [F,L]
</IfModule>
Important: This rule is at most an additional layer and does not replace proper coding practices at the WordPress level: parameterized queries ($wpdb->prepare) against SQL injection and output escaping against XSS. We recommend combining it with a security plugin (e.g., Wordfence) and, above all, with keeping core, themes and plugins up to date.
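To show what the "Hidden Files" rewrite rule and the query-string filter above actually match, here is an added Python example (not code from the original article) that emulates both mod_rewrite patterns over constructed sample requests. The host example.com, the sample URLs and the optional .well-known exception are this example's assumptions, not something taken from the page.

```python
"""Emulation of the two mod_rewrite filters shown on this page, run over
constructed sample requests. Added example, not part of the original article."""
import re
from urllib.parse import urlsplit

# Patterns copied from the .htaccess blocks above. mod_rewrite uses PCRE and
# these particular expressions behave identically under Python's re module.
# A RewriteRule pattern is matched against the URL path only (in .htaccess
# context, relative to the directory holding the file), while
# RewriteCond %{QUERY_STRING} sees the raw, still percent-encoded query.
HIDDEN_PATH = re.compile(r"(^|/)\.")                        # RewriteRule (^|/)\. - [F]
QS_SCRIPT = re.compile(r"(<|%3C).*script.*(>|%3E)", re.I)   # [NC] -> case-insensitive
QS_GLOBALS = re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")      # no [NC] -> case-sensitive
QS_REQUEST = re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")


def hidden_file_rule_blocks(path, exempt_well_known=False):
    """True if the 'Hidden Files' rule would answer 403 for this URL path.

    exempt_well_known models an extra line
        RewriteCond %{REQUEST_URI} !^/\\.well-known/
    placed before the rule. That exception is this example's assumption,
    not part of the bare rule RewriteRule (^|/)\\. - [F].
    """
    relative = path.lstrip("/")  # what the pattern sees in per-directory context
    if exempt_well_known and relative.startswith(".well-known/"):
        return False
    return HIDDEN_PATH.search(relative) is not None


def query_filter_blocks(query):
    """True if any of the three RewriteCond lines matches the raw query string."""
    return any(p.search(query) for p in (QS_SCRIPT, QS_GLOBALS, QS_REQUEST))


def classify(url, exempt_well_known=False):
    """'blocked' if either rule set would return 403 for this request, else 'allowed'."""
    parts = urlsplit(url)
    if hidden_file_rule_blocks(parts.path, exempt_well_known) or query_filter_blocks(parts.query):
        return "blocked"
    return "allowed"


# Constructed sample requests (not captured traffic); example.com is a placeholder host.
SAMPLES = [
    ("https://example.com/wp-content/.git/config", "exposed git metadata"),
    ("https://example.com/.env", "dotfile at the web root"),
    ("https://example.com/.well-known/acme-challenge/token", "ACME HTTP-01 validation"),
    ("https://example.com/wp-admin/admin-ajax.php?action=heartbeat", "normal admin request"),
    ("https://example.com/?s=%3Cscript%3Ealert(1)%3C/script%3E", "encoded <script> tag"),
    ("https://example.com/?s=<ScRiPt>x</ScRiPt>", "mixed-case <script> tag"),
    ("https://example.com/?s=%3Csvg%20onload%3Dalert(1)%3E", "XSS without the word 'script'"),
    ("https://example.com/?id=1'%20OR%201%3D1--", "classic SQL injection probe"),
    ("https://example.com/?GLOBALS[a]=1", "superglobal injection attempt"),
    ("https://example.com/?_REQUEST%5Ba%5D=1", "superglobal injection, encoded brackets"),
    ("https://example.com/?s=%3Cdescription%3E", "harmless search for '<description>'"),
]

if __name__ == "__main__":
    for url, note in SAMPLES:
        print(f"{classify(url):8} {note:42} {url}")
    # With the .well-known exception in place, certificate validation is reachable again
    print(classify("https://example.com/.well-known/acme-challenge/token", exempt_well_known=True))
```

Running it shows the limits the prose describes: the filter rejects the literal <script> tag in any case or encoding, but the svg/onload payload and the SQL injection probe pass untouched, a search for the literal text "<description>" is wrongly rejected because the word "script" sits between an encoded "<" and ">", and the bare hidden-file rule blocks the ACME validation path until the .well-known exception is added.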
Disabling XML-RPC
XML-RPC is a remote procedure call interface, served by xmlrpc.php, that lets external applications such as the WordPress mobile apps, Jetpack and desktop publishing tools interact with WordPress. Most of what it offered has since been replaced by the REST API, and most sites no longer need it, yet it remains enabled by default. Attackers abuse it for credential brute forcing (its system.multicall method lets a single request try hundreds of username and password pairs) and for pingback-based denial of service, which makes it one of the most frequently attacked entry points in WordPress.
Adding the following block makes the web server answer every request for the file with 403 Forbidden, so the PHP code is never executed.
<Files xmlrpc.php>
# Apache 2.2 syntax (needs mod_access_compat on Apache 2.4, otherwise use: Require all denied)
Order allow,deny
Deny from all
</Files>
Caution: Before blocking xmlrpc.php, make sure that no installed plugin or external service relies on it; Jetpack and the WordPress mobile apps are the usual examples.
Restricting HTTP Methods
For ordinary browser traffic a WordPress website needs only three HTTP methods: GET for retrieving pages, POST for submitting forms and AJAX requests, and HEAD for checks by bots, monitoring tools and browsers. The REST API also accepts PUT, PATCH and DELETE, and it honours the X-HTTP-Method-Override header, which WordPress's own admin client uses to send those operations as POST; only external clients that issue PUT or DELETE directly, and browsers performing CORS preflight (OPTIONS), need further methods on the allow list.
We recommend refusing every other method, including PUT, DELETE and CONNECT, so that they cannot be used against your website, as follows:
<LimitExcept GET POST HEAD>
# Any method not listed above receives 403 Forbidden
Order allow,deny
Deny from all
</LimitExcept>
Note that TRACE cannot be restricted with <Limit> or <LimitExcept>; it is disabled with the TraceEnable Off directive, which is only valid in the server or virtual host configuration, not in .htaccess, so on managed hosting ask your provider whether it is already set.
For more information on ways to use the .htaccess file, you can read our article.