How to secure WordPress without plugins, just using the .htaccess file

There are many tips and tricks on WordPress security. Most of these include the installation of third-party security plug-ins. However, if you do not want to install the plugin, you can try a simple setup with the .htaccess file.

What is the .htaccess file for?

The text file allows the author of web pages to set the selected server properties.  Additionally, it does not need full administrator access and it only affects server behavior for selected directory and subdirectory on the server. WordPress basically uses it to set the behavior of generated URLs to make them search engine friendly.

Where do I find the .htaccess file?

The file is located in the root folder of your web hosting. Just log in to FTP with the help of the selected client and you should see the file.


Sometimes, you can not see the file after logging in to an FTP client.In this case, it is sufficient to force the display of hidden files in the program settings (most commonly Total Commander, WinSCP or FileZilla).

If you still do not see the file, you can manually upload it to the server, or simply click on "Settings"> "Permanent links" in WordPress settings to change the settings to other than basic and save. Now you ahoulf already see the file on the server. Then, you can switch back the settings.

How to edit .htaccess?

To edit a file, you can use any text editor from Notepad to developer PSPad Editor.  Before editing the file, make a backup of the file to your PC to be able to reset settings in case of problems.

htaccess linky

1. Lock the administration to prevent uninvited guests

You can use the .htaccess file to manage your website by IP address. You will be able to connect to the website administration only from specific IP addresses and locations. This method is useful when you regularly connect to a PC or a few PCs with a static IP address.  You can use the following code and copy it to the .htaccess file:

AuthUserFile /dev/null

AuthGroupFile /dev/null

AuthName "WordPress Admin Access Control"

AuthType Basic


order deny,allow

deny from all

# Enabled IP address 1:

allow from

# Enabled IP address 2:

allow from


Remember to replace the allowed IP address with your own.  There can be as many allowed addresses as you want.

2. Protect the administration with another password

If you connect to WordPress from different locations and do not want to be limited by a specific IP address, you can use password security. First generate a .htpasswds file using an online generator and then upload it to a folder that is not publicly accessible. Ideally in style:


Now you can access the .htaccess file itself, to which you copy the following lines of code:

AuthName "Admins Only"

AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd

AuthGroupFile /dev/null

AuthType basic

require user putyourusernamehere

<Files admin-ajax.php>

Order allow,deny

Allow from all

Satisfy any


Be sure to replace the path to the file as "AuthUserFile" for the path that corresponds to your web hosting structure.

3. Disable browsing folders

To prevent the attackers from seeing what files are on your web hosting, you can disable public display of folders. This step is recommended by most security experts.

To activate, just add a single line to the .htaccess file:

Options -Indexes


4. Disable running PHP files in selected WordPress folders

Frequently the attackers attempt to break into the content management system using the so-called backdoor (backgates). Often, this is a file that will lead the attacker to sneak onto your web hosting so he can then execute additional commands and control your website.

One of the preventive solutions is to insert the following code into a new .htaccess file:

<Files *.php>

deny from all


Then upload the file to each of the following folders:

  • /wp-content/uploads/
  • /wp-includes/

5. Secure the wp-config.php configuration file

One of the most important files on your WordPress site is wp-config.php. It includes access to the database, including passwords.

To secure the wp.config.php file, paste the following code into the .htaccess main file:

<files wp-config.php>

order allow,deny

deny from all


6. Disable access to specific IP addresses

Did you notice an unusually high number of requests for your website from specific IP addresses? If you think this behavior is suspicious, you can block access to your website for specific IP addresses.

Add the following lines to the .htaccess file and replace xxx for that IP address:

<Limit GET POST>

order allow,deny

deny from

allow from all


7. Disable scanners in WordPress

The attacker's favorite technique is so-called brute force attack.  Scanning will begin with the attackers detecting the authors' sign-in names to the website. After that, they just need to do a dictionary or brute force attack on their passwords to gain access to your WordPress administration.

The easiest way to do this is to block scanning of authors through the .htaccess file:

# BEGIN block author scans

RewriteEngine On

RewriteBase /

RewriteCond %{QUERY_STRING} (author=\d+) [NC]

RewriteRule .* - [F]

# END block author scans

8. Disable external application access to WordPress

Each WordPress installation hides the xmlrpc.php file.  The file allows third-party services to access WordPress. If you do not use any of these services, security experts recommend that you block access to this file.

There are more ways to do so, but we can do it again by inserting the following line of code into .htaccess:

# Block WordPress xmlrpc.php requests

<Files xmlrpc.php>

order deny,allow

deny from all



Our hint at the end: Secure the .htaccess itself from unauthorized access

As you could see above, .htaccess can affect many. That's why it's good to secure this file from attackers. Use the following lines of code to do so:

<files ~ "^.*\.([Hh][Tt][Aa])">

order allow,deny

deny from all

satisfy all


Article rating

Average rating: 4.5/5

Votes: 15