This guide provides a modern, Apache 2.4–compatible, and SEO-friendly approach to securing WordPress using .htaccess, following current best practices.

What Is .htaccess and Why Is It Important?

.htaccess (hypertext access) is a directory-level configuration file used by Apache web servers. It allows website owners to control behavior such as:

• Access restrictions
• Directory permissions
• URL rewriting
• Basic security hardening

Because WordPress relies heavily on Apache rewrite rules, any mistake in .htaccess can impact site availability or performance, making it essential to use tested and modern configurations.

Before You Begin: Important Precautions

Before editing .htaccess:

• Always take a backup of the existing file
• Ensure your server runs Apache 2.4 or newer (most modern hosts do)
• Avoid copying random rules from outdated blogs or forums

1. Protect the .htaccess File Itself

Your .htaccess file should never be accessible publicly.

Recommended (Apache 2.4):

This ensures attackers cannot read or manipulate your server rules.

2. Secure wp-config.php

The wp-config.php file contains database credentials and security keys. It must be protected.

This is one of the most important WordPress hardening steps.

3. Disable Directory Listing

Directory browsing can expose file structures and sensitive assets.

This prevents attackers from listing files in directories that lack an index file.

4. Prevent PHP Execution in Uploads Directory

Most WordPress malware attacks attempt to execute malicious PHP files from the uploads directory.

Create a .htaccess file inside:

Add the following:

This allows images and media files while blocking PHP execution.

5. Restrict Access to the WordPress Admin Area (Optional)

If you use a static IP address, you can restrict access to /wp-admin/.

Inside /wp-admin/.htaccess:

Warning: Do not use this method if your IP changes frequently, or you may lock yourself out.

6. Disable XML-RPC If Not Needed

XML-RPC is a common target for brute-force and DDoS attacks.

If you don’t use mobile apps or external publishing tools, disable it:

7. Do NOT Rely on .htaccess for SQL Injection Protection

Older blogs often claim .htaccess can prevent SQL injection using rewrite rules. This is no longer true.

.htaccess cannot:

• Detect modern SQL injection patterns
• Stop plugin-based vulnerabilities
• Replace application-level security

Instead, you should:

• Keep WordPress core, themes, and plugins updated
• Use a Web Application Firewall (WAF)
• Install a trusted security plugin

Additional WordPress Security Best Practices

.htaccess hardening should be part of a layered security strategy, including:

• Strong passwords and unique admin usernames
• Two-factor authentication (2FA)
• Regular malware scans
• Automated backups
• Limited user roles and permissions

Common Mistakes to Avoid

• Using Apache 2.2 syntax on modern servers
• Blocking entire directories like wp-content
• Copying unverified code snippets
• Forgetting to back up .htaccess
• Assuming .htaccess alone can secure WordPress

Final Thoughts

When configured correctly, .htaccess is a powerful tool for improving WordPress security. However, modern threats require modern solutions. Use .htaccess for access control and hardening but rely on updates, monitoring, and professional security practices for complete protection. Also learn more about downgrading your WordPress version safely.

If you need help securing your WordPress site, cleaning malware, or implementing server-level security best practices, SupportPRO’s WordPress and server security experts are available 24/7 to assist.

Secure smart. Secure modern. Secure with SupportPRO.

If you require help, contact SupportPRO Server Admin