Facebook Pixel
Contact Us

Simple htaccess tweaks to improve WordPress Security.

By Shijith, Posted on February 23rd, 2015

In WordPress


Hi Folks, I hope you all are familiar with the WordPress and its features. As of now, WordPress CMS powers more than 23.3% of the top 10 million websites. From this you can understand the popularity of WordPress. Just like a coin having two faces, the other face of becoming popular is increasing the threats. Since there are more number of WordPress websites, attackers are now focusing on breaking WordPress security. I would like to discuss some simple tweaks to improve the WordPress security. Initially WordPress was having lot of security flaws and vulnerabilities. But recently WordPress team has introduced some cool features like automatic updates and other security tweaks.

Together with the WordPress inbuilt security features, we can do some tweaks from our end to improve the WordPress security. While updating the htaccess file, please make sure that you are adding the code snippets outside # BEGIN WordPress and # END WordPress. WordPress can overwrite anything between these tags.

This time we are going to be entirely technical and if you have any issues, let us know more through your comments.

1.Restricting wp-admin (Dashboard) based on IP address:

If you are not having a membership website, you can restrict the WordPress admin login page access to a particular IP address (yours) so that the attackers from other IP address won’t be able to access your dashboard.This will be done by tweaking htaccess.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [R=403,L]

If you prefer to allow access to multiple IP addresses, use the following snippet:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.121$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.122$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [R=403,L]

2.Dynamic IP address access, limit by referrer:

If your IP address changes, you can protect your WordPress site by  allowing login requests, coming directly from your domain name. Simply replace example\.com with your own domain name.Most brute force attacks rely on sending direct POST requests right to your wp-login.php script. So requiring a POST request to have your domain as the referrer can help weed out bots.This method is suitable if the site is having membership features.

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(.*)?example\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]

3. Securing wp-includes:

A second layer of protection can be added where scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file.

# Block the include-only files.
 <IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# BEGIN WordPress

4. Securing wp-config.php:

You can move the wp-config.php file to the directory above your WordPress install. This means for a site installed in the root of your webspace, you can store wp-config.php outside the web-root folder. Use the following code snippet to deny access to anyone surfing for wp-config.php.

<files wp-config.php>
order allow,deny
deny from all

5.Prevent Directory Browsing:

Protecting your directories from being listed is important for website security. That is, it’s hiding your stuff from view, preventing meddling visitors from browsing through your directories.

To disable browsing of your directories, add this to your .htaccess file:

Options All -Indexes

6.Prevent Image Hot Linking:

Hotlinking, or bandwidth stealing, happens with people link to files and images on a different server, and the bandwidth is at another person’s expense.

Adding this snippet to your .htaccess file will stop hotlinking to your site:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www.)?yourdomain.com/.*$ [NC]
RewriteRule .(gif|jpg)$ http://www.yoursite.com/hotlink.gif [R,L]

Summing Up

Make use of the above code snippets to improve your WordPress web security. Always be careful while modifying htaccess file.

I would like you guys to take a backup of the htaccess file. If you have any issues, please let me know.


Having more than 7 years of experience in WordPress Web Development I am working as Senior Web Developer. Apart from being a tech enthusiast, I am always fascinated and greedy to learn the new progressions in web especially in WordPress. I am a lover of strategy games.

Leave a Comment

Please confirm that you’re happy for us to store your data in line with our Privacy Policy.

Do you want to get the latest happenings in the digital world straight into your inbox? If yes, take a step forward and sign up for our monthly Newsletter

Sweans Technologies Ltd, Registered in England with registered office at 82b High Street, Sawston, Cambridge, CB22 3HJ Company No 09082858 and VAT No GB275104027