Many people never care about htaccess file when using WordPress.

This is one of the pretty important files, capable of doing many things you could not imagine.

From improving security, to redirecting a certain path, or increasing time out… ..

Lots of useful things, if you make the most of it.

In this article, I will show you some tips on how to use .htaccess files.

Note: The .htaccess file is only available on the Apache web server.


Where is the htaccess file?

Before you begin, it's a good reminder.

Please backup the original .htaccess file on the website, in case something goes wrong and back up right away.

If you do not see it, please read this article again (detailed instructions).

It's right on par with directories like / wp-content, wp-admin, wp-upload


1. Protect the Admin area on WordPress

You can use the .htaccess file to protect the WordPress admin area.

By only the selected IP addresses are allowed to log in to the Admin.

Copy the following code into htaccess file.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic

order deny,allow
deny from all
# whitelist User1 IP address
allow from
# whitelist User2 IP address
allow from
# whitelist User3 address
allow from
# whitelist User4 IP address
allow from
# whitelist User5 address
allow from

Replace with your IP address.

READ  Tilføjelse udløber Header til htaccess | WP strande

If you frequently access different IP addresses, add them all.

In addition, you can also refer to some other ways such as:

2. Password protect WordPress admin directory

If you find that limiting IP addresses is a bit confusing, because you are constantly moving.

Then I will give you another solution. That is to create a password for Folder / wp-admin /

Many readers will come here to wonder.

I have to login to access admin.

It's correct ! But one more layer of security is also a measure is not it

First, create a .htpasswd file. Access to this link to create offline.

Then upload it outside the / public_html / directory (not inside)

Next create 1 file .htaccess then

AuthName "Admins Only"
AuthUserFile /home/dieuhau/.htpasswds/
AuthGroupFile /dev/null
AuthType basic
require valid-user

Important : Don't forget to replace the AuthUserFile path with the path to your .htpasswds file and dieuhau is your hosting account username.

3. Disable Directory Browsing

It is best that I recommend turning off directory access via browser (directory browsing).

Through this way hackers can access your directories to find vulnerabilities.


Simply add the line of code to the .htaccess file.

Options -Indexes

Read this detailed guide on how to turn off the File access function from the browser.

4. Disable PHP Excecution in some directories

Hackers can attack your website by installing a backdoor.

These files are often disguised as main files and placed in / wp-includes / or / wp-content / uploads /.

For added security, disable PHP execution in some WordPress directories.

Insert the following code into the htaccess file. (create a new file)

deny from all

Now download the file to the / wp-includes / or / wp-content / uploads / directory.

Read immediately this detailed tutorial Disable PHP collection in some WordPress directories

5. Protect wp-config.php file

The wp-config.php file is one of the most important WordPress files

READ  Delete unused photos in Wordpress quickly

It includes information about WordPress database and how to connect to the site.

To protect wp-config.php file from outside snoopers.

Please insert the following code:

order allow,deny
deny from all

6. Set up 301 redirects via .htaccess file

If you have to redirect to a URL without affecting SEO, 301 redirects are for you.

Also, if you only want to redirect users from one url to another.

All you need to do is add the following code to the .htaccess file.

Redirect 301 /oldurl/
Redirect 301 /category/television/

Or use Yoast SEO Premium for convenience, without having to touch the code.

Take a look at how to create Redirect in WordPress.

7. Block suspicious IP addresses

You see unusual requests from a certain IP address?

Want to block that IP address from connecting to your website?

Add the following code to the .htaccess file

order allow,deny
deny from
allow from all

Replace xxx with the IP address you want to block.

8. Disable hotlinking images

It is normal for both photos and images to be stolen on a website.

Sometimes their friends also get images directly from your website, wasting bandwidth.

And may slow down your website too.

If you own a website with lots of images, then hotlinking can become a serious problem.

However, you can prevent this problem by adding the following code:

#disable hotlinking of images with forbidden or custom image option
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)? (NC)
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)? (NC)
RewriteRule .(jpg|jpeg|png|gif)$ – (NC,F,L) 

Do not forget to replace with your domain name.

9. Protect the .htaccess file from unauthenticated connections

As you can see, you can do a lot of things with .htaccess files.

So you need to protect it from suspicious connections by hackers.

READ  Instructions to install Wordpress on Vultr are super secure and well loaded

Add this code to your .htaccess file:

order allow,deny
deny from all
satisfy all

10. Increase the upload file size limit on WordPress

One of the ways to increase the file upload limit is with the .htaccess file.

Insert the following code into the .htaccess file:

php_value upload_max_filesize 64M
php_value post_max_size 64M
php_value max_execution_time 300
php_value max_input_time 300

11. Disable access to XML-RPC files

Every successful installation of WordPress will have a default file of xmlrpc.php.

This file allows third party applications to access the WordPress site.

Turn it off if you really don't need it.

Use the following code:

# Block WordPress xmlrpc.php requests

order deny,allow
deny from all

Read this article How to disable XML-RPC in WordPress to be clearer on this issue.

12. Block Author scanning on WordPress

One of the brute force attack techniques is running an author scan on a WordPress site.

Then try to crack the password with that username.

Please block author scanning with the following code:

# BEGIN block author scans
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=d+) (NC)
RewriteRule .* - (F)
# END block author scans

Learn more with How to prevent Brute Force by locking Author Scan

With all the above guidelines I just want to tell you that the htaccess file is very important.

Please apply the tips with the .htaccess file to secure your WordPress site.

If you have any questions, please comment below.

Read more :

Leave a Reply

Your email address will not be published. Required fields are marked *