{"id":751,"date":"2012-09-09T23:54:38","date_gmt":"2012-09-10T05:54:38","guid":{"rendered":"http:\/\/blog.supportpro.com\/?p=751"},"modified":"2026-03-26T04:30:34","modified_gmt":"2026-03-26T10:30:34","slug":"how-to-prevent-htaccess-hacks-in-a-wordpress-site","status":"publish","type":"post","link":"https:\/\/www.supportpro.com\/blog\/how-to-prevent-htaccess-hacks-in-a-wordpress-site\/","title":{"rendered":"How to Prevent .htaccess Hacks in a wordpress site?"},"content":{"rendered":"\n
.htaccess (hypertext access) is the default name of directory-level configuration file that provides decentralized management of configuration while inside your web tree. .htaccess files are often used for security restrictions on a particular directory. So it is very important to secure .htaccess.<\/div>\n\n\n\n
1. Add the following code into the .htaccess files.<\/div>\n\n\n\n
# STRONG HTACCESS PROTECTION<\/div>\n\n\n\n
order allow,deny<\/div>\n\n\n\n
deny from all<\/div>\n\n\n\n
satisfy all<\/div>\n\n\n\n
2. Secure your config.php by adding the follwoing<\/div>\n\n\n\n
# protect wp-config.php<\/div>\n\n\n\n
Order deny,allow<\/div>\n\n\n\n
Deny from all<\/div>\n\n\n\n
3. Prevent hacker from browsing your directory by adding the code<\/div>\n\n\n\n
# disable directory browsing<\/div>\n\n\n\n
Options All -Indexes<\/div>\n\n\n\n
4. Prevent script injections.<\/div>\n\n\n\n
# protect from sql injection<\/div>\n\n\n\n
Options +FollowSymLinks<\/div>\n\n\n\n
RewriteEngine On<\/div>\n\n\n\n
RewriteCond %{QUERY_STRING} (\\<|%3C).*script.*(\\>|%3E) [NC,OR]<\/div>\n\n\n\n
RewriteCond %{QUERY_STRING} GLOBALS(=|\\[|\\%[0-9A-Z]{0,2}) [OR]<\/div>\n\n\n\n
RewriteCond %{QUERY_STRING} _REQUEST(=|\\[|\\%[0-9A-Z]{0,2})<\/div>\n\n\n\n
RewriteRule ^(.*)$ index.php [F,L]<\/div>\n\n\n\n
5. Limit access to the wp-content directory by creating a .htaccess in the wp-content folder .<\/div>\n\n\n\n
Order deny,allow<\/div>\n\n\n\n
Deny from all<\/div>\n\n\n\n
Allow from all<\/div>\n\n\n\n
6. If you have a static Ip, it is better to create an .htaccess in wp-admin folder.<\/div>\n\n\n\n
# deny access to wp admin<\/div>\n\n\n\n
order deny,allow<\/div>\n\n\n\n
allow from xx.xx.xx.xx<\/div>\n\n\n\n
deny from allThe .htaccess<\/code> file plays a critical role in securing a WordPress website. When configured correctly, it can help prevent unauthorized access, reduce attack surfaces, and add an extra layer of protection at the server level. However, outdated or incorrect rules can break your site or create a false sense of security<\/strong>.<\/div>\n\n\n\n

Securing your WordPress website starts at the server level. One of the most effective ways to improve security on Apache servers is by properly configuring the .htaccess<\/strong> file. This guide explains modern, Apache 2.4\u2013compatible methods to harden WordPress using safe and tested .htaccess rules.<\/p>\n\n\n\n

What Is .htaccess and Why It Matters for WordPress Security<\/h2>\n\n\n\n

The .htaccess<\/strong> file (short for hypertext access) is a configuration file used by Apache web servers. It allows you to control how your website behaves at the directory level.<\/p>\n\n\n\n

With .htaccess, you can:<\/p>\n\n\n\n