Securing your WordPress website starts at the server level. One of the most effective ways to improve security on Apache servers is by properly configuring the .htaccess file. This guide explains modern, Apache 2.4–compatible methods to harden WordPress using safe and tested .htaccess rules.

What Is .htaccess and Why It Matters for WordPress Security

The .htaccess file (short for hypertext access) is a configuration file used by Apache web servers. It allows you to control how your website behaves at the directory level.

With .htaccess, you can:

• Restrict access to sensitive files

• Disable directory browsing

• Protect configuration files

• Improve basic server-level security

• Manage URL rewriting

  
  

Since WordPress relies heavily on Apache rewrite rules, incorrect changes to .htaccess can break your website. Always use updated and verified rules.

Before You Begin: Important Precautions

Before making changes:

• Take a full backup of the existing .htaccess file

• Confirm your server runs Apache 2.4 or newer

• Avoid copying outdated security rules from old blogs

1. Protect the .htaccess File

Your .htaccess file should not be publicly accessible.

Recommended (Apache 2.4):

This blocks direct access to the file and ensures attackers cannot read or manipulate your server rules.

2. Secure wp-config.php

The wp-config.php file contains your database credentials and security keys. It must be protected.

Add:

This is one of the most important WordPress hardening steps.

3. Disable Directory Listing

Directory browsing can expose internal file structures.

Add:

This prevents attackers from listing files in directories that lack an index file.

4. Block PHP Execution in the Uploads Folder

Many WordPress attacks attempt to execute malicious PHP files inside the uploads directory.

Create a separate .htaccess file inside:

Add:

This allows images and media files but blocks PHP execution.

5. Restrict Access to wp-admin (Optional)

If you use a static IP address, you can restrict access to the WordPress admin area.

Inside /wp-admin/.htaccess:

Replace the IP with your own.

Do not use this method if your IP address changes frequently.

6. Disable XML-RPC If Not Needed

The xmlrpc.php file is often targeted in brute-force attacks.

If you do not use remote publishing or mobile apps, disable it:

Important: .htaccess Cannot Stop SQL Injection

Some older tutorials claim that .htaccess rules can block SQL injection. This is outdated information.

.htaccess cannot:

• Detect modern SQL injection attacks

• Fix plugin vulnerabilities

• Replace application-level security

Instead, you should:

• Keep WordPress core, themes, and plugins updated

• Use a Web Application Firewall (WAF)

• Install a trusted security plugin

Additional WordPress Security Best Practices

.htaccess hardening should be part of a layered security approach:

• Use strong passwords

• Enable two-factor authentication (2FA)

• Perform regular malware scans

• Keep automated backups

• Limit user roles and permissions

Common Mistakes to Avoid

• Using Apache 2.2 syntax on Apache 2.4 servers

• Blocking entire critical directories

• Copying unverified code snippets

• Editing .htaccess without backup

• Relying only on .htaccess for full security

  
  

Final Thoughts

Partner with SupportPRO for 24/7 proactive cloud support that keeps your business secure, scalable, and ahead of the curve.