
WordPress htaccess Security Rules Explained: Complete Guide

Master WordPress htaccess security rules. Learn how to protect directories, block attacks, and secure your site with these essential Apache/LiteSpeed configurations.

David Kim

The .htaccess file is a powerful tool for WordPress security. Understanding how to use it effectively allows you to block attacks, protect sensitive files, and harden your site at the server level.

What is .htaccess?

.htaccess (hypertext access) is a configuration file for Apache and LiteSpeed web servers. It allows per-directory configuration without modifying the main server config.

Key Capabilities

  • URL rewriting and redirects
  • Access control (allow/deny)
  • File type handling
  • Directory settings
  • Security headers
  • PHP configuration

Essential Security Rules

1. Protect wp-config.php

Your wp-config.php contains database credentials. Block all direct HTTP access to it (PHP still reads it from disk, so WordPress keeps working):

# Apache 2.2 access syntax; on Apache 2.4 it needs mod_access_compat,
# otherwise the equivalent is "Require all denied"
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>

2. Block PHP in Uploads

Prevent the web server from executing any PHP file that lands in the uploads folder, whatever it is named:

# Add to wp-content/uploads/.htaccess
# The leading dot is escaped: an unescaped "." would match any character
<FilesMatch "\.(php|phtml|php3|php4|php5|php7|php8|phar)$">
Order allow,deny
Deny from all
</FilesMatch>

3. Protect .htaccess Itself

Prevent viewing or tampering with .htaccess:

# Matches .htaccess and .htpasswd (the dot is escaped so it is a literal dot)
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy all
</Files>

4. Block Sensitive Files

# Block access to sensitive files (backups, configs, logs, editor swap files).
# Dots are escaped; without the backslash "." matches any character.
<FilesMatch "(^#.*#|\.bak|\.config|\.dist|\.fla|\.inc|\.ini|\.log|\.sh|\.sql|\.sw[op]|~)$">
Order allow,deny
Deny from all
Satisfy all
</FilesMatch>
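To see which files rules 1 to 4 actually cover, here is an added Python audit script (not from the original article or from the WP Folder Shield plugin) that models the page's Files and FilesMatch patterns, with their dots escaped, as Python regexes and applies them the way Apache does: to the basename with an unanchored search, and with the uploads rule limited to the wp-content/uploads subtree. The sample paths are constructed; the point is to surface leftovers such as .orig or .sql.gz that the extension list does not name.

```python
import re
from posixpath import basename

# Python equivalents of the page's <Files>/<FilesMatch> patterns, dots escaped.
# Apache tests them against the basename with an unanchored search.
FILES_RULES = [
    ("wp-config.php", r"^wp-config\.php$"),          # <Files wp-config.php>
    ("dotfiles (.ht*)", r"^\.ht"),                   # <Files ~ "^\.ht">
    ("sensitive extensions",
     r"(^#.*#|\.bak|\.config|\.dist|\.fla|\.inc|\.ini|\.log|\.sh|\.sql|\.sw[op]|~)$"),
]
# Rule 2 lives in wp-content/uploads/.htaccess, so it only covers that subtree.
UPLOADS_PREFIX = "wp-content/uploads/"
UPLOADS_PHP = r"\.(php|phtml|php3|php4|php5|php7|php8|phar)$"

def block_reason(path):
    """Rule that would deny `path` (docroot-relative, forward slashes) or None."""
    name = basename(path)
    for label, pattern in FILES_RULES:
        if re.search(pattern, name):
            return label
    if path.startswith(UPLOADS_PREFIX) and re.search(UPLOADS_PHP, name):
        return "php in uploads"
    return None

def audit(paths):
    # Split into {path: reason} for denied files and a list of files still served.
    blocked, exposed = {}, []
    for p in paths:
        reason = block_reason(p)
        if reason:
            blocked[p] = reason
        else:
            exposed.append(p)
    return blocked, exposed

# Constructed sample of files commonly left behind in a WordPress docroot.
SAMPLE_PATHS = [
    "wp-config.php", "wp-config.php.bak",
    "wp-config.php.orig",                   # suffix not in the list
    ".htaccess", ".env",                    # .env is not matched by ^\.ht
    "wp-content/debug.log", "backup/site.sql",
    "backup/site.sql.gz",                   # .gz suffix defeats the \.sql rule
    "wp-content/uploads/2024/01/shell.php",
    "wp-content/plugins/x/shell.php",       # uploads rule does not reach here
]

if __name__ == "__main__":
    blocked, exposed = audit(SAMPLE_PATHS)
    print("denied:", blocked)
    print("still served:", exposed)
```

Feed it a real `find . -type f` listing of your docroot to see what the rules miss; anything reported as still served relies on other controls.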

5. Disable Directory Browsing

Options -Indexes

6. Block wp-includes Direct Access

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Return 403 for direct requests to core include files (dots escaped)
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

7. Security Headers

<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

8. Block Suspicious Query Strings

<IfModule mod_rewrite.c>
# Return 403 when the query string carries a <script> tag (raw or
# percent-encoded) or tries to set GLOBALS / _REQUEST. QUERY_STRING is
# matched before decoding, so both forms of each bracket are listed.
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* - [F,L]
</IfModule>
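As an added illustration (not from the original article), the three conditions above as Python regexes, checked against constructed query strings. Apache matches QUERY_STRING before any percent-decoding, which is why the rule lists both `<` and `%3C`, and only the first condition carries [NC].

```python
import re

# Python equivalents of the three RewriteCond patterns. Apache matches
# QUERY_STRING before percent-decoding, so literal and %-encoded forms are both
# listed. Only the first condition carries [NC] (case-insensitive matching).
QUERY_CONDS = [
    ("script tag", re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)),
    ("GLOBALS", re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_REQUEST", re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
]

def matched_condition(query_string):
    """Label of the first condition that matches, else None. The conditions
    are joined with [OR], so any single match triggers the 403 RewriteRule."""
    for label, pattern in QUERY_CONDS:
        if pattern.search(query_string):
            return label
    return None

# Constructed sample query strings (the part after '?', still encoded) and the
# outcome the rule set should produce for each.
SAMPLES = {
    "s=wordpress+hardening": None,
    "s=%3Cscript%3Ealert(1)%3C%2Fscript%3E": "script tag",
    "s=<SCRIPT>x</SCRIPT>": "script tag",          # [NC] makes this match
    "GLOBALS[config]=1": "GLOBALS",
    "_REQUEST%5Bx%5D=1": "_REQUEST",               # encoded '[' is %5B
    "page=script_list": None,                      # 'script' alone is fine
}

def verify(samples=SAMPLES):
    """Return {query: (got, expected)} for every sample that disagrees."""
    return {q: (matched_condition(q), want)
            for q, want in samples.items() if matched_condition(q) != want}

if __name__ == "__main__":
    for q in SAMPLES:
        print("DENY " if matched_condition(q) else "ALLOW", "?" + q)
    print("mismatches:", verify())
```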

9. Block Bad Bots

<IfModule mod_rewrite.c>
RewriteCond %{HTTP_USER_AGENT} (masscan|nikto|sqlmap) [NC]
RewriteRule .* - [F,L]
</IfModule>

10. Limit POST Request Size

# 10485760 bytes = 10 MB; raise it if legitimate media uploads are larger
LimitRequestBody 10485760

Complete Security .htaccess Template

# BEGIN WordPress Security Rules by WP Folder Shield

# Protect wp-config.php
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>

# Protect htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

# Disable directory browsing
Options -Indexes

# Security headers
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
</IfModule>

# Block sensitive files
<FilesMatch "(\.bak|\.config|\.sql|\.fla|\.ini|\.log|\.sh)$">
Order allow,deny
Deny from all
</FilesMatch>

# Block PHP in sensitive areas
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
</IfModule>

# Block suspicious requests
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
RewriteRule .* - [F,L]
</IfModule>

# END WordPress Security Rules

Common Mistakes to Avoid

Breaking WordPress Functionality

Overly restrictive rules can break WordPress. Test thoroughly after any changes.

Order of Rules

.htaccess rules are processed in order. Place deny rules before allow rules for security.

Syntax Errors

A single syntax error can take your site offline. Always keep a backup before editing.

Server Support

nginx doesn't use .htaccess. These rules only work on Apache and LiteSpeed.

WP Folder Shield: Automated .htaccess Security

Manually managing .htaccess is error-prone. WP Folder Shield automates these rules:

  • One-click protection: Enable rules without editing files
  • Syntax validation: Prevents errors that break your site
  • Automatic restoration: Replaces rules if they're removed
  • Server detection: Applies appropriate rules for Apache/LiteSpeed/nginx
  • Compatibility checking: Warns about potential conflicts

Get WP Folder Shield to implement comprehensive .htaccess security without the complexity.

Written by David Kim

WP Folder Shield Team
