Secure WordPress Admin with .htaccess


With 70 Million WordPress sites and counting and so many hackers looking to get into your site it is worth while to look at a few options to secure WordPress admin files on your website. After scouring the web for months I came across many different ways that you can block WordPress hackers with htaccess. This is not the safest way for new programmers or users that use WordPress plugin quite often, but if you are confident enough to try or you have a good developer. You will likely like the option listed her for protecting your WordPress website from any malicious attempts to access your files and directories. And as usual I have cut out the fluff and given you the quick and dirty steps that can be taken to secure WordPress admin files. Make note that all of these steps could be taken, but this is more of a pick and choose what suits your particular set up best.

Let’s start with what a typical WordPress .htaccess file looks like and go from there.


Typical WordPress .htaccess file

 BEGIN WordPress
 RewriteEngine On
 RewriteBase /
 RewriteRule ^index\.php$ - [L]
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule . /index.php [L]
 # END WordPress

First of all let me suggest that any additions to the .htaccess file to be added after # END WordPress. Also, let’s also make sure that if you are going to make changes to your .htaccess file you better save and copy the file first as well as keep it in a safe place.

Wp-config.php Protection

<Files wp-config.php>
 order allow,deny
 deny from all

This will prevent any access to the wp-config file.

Control IP access

order deny,allow
 allow from (replace with your IP address)
 deny from all

Allow access for selected users only. This snippet of code will deny access to anyone that is not on your IP address

Stop directory Browsing

# directory browsing
 Options All -Indexes

Too many programmers know WordPress and can find access into your site through plugins or other content. Block their access to your directories with this code.

Deny access to Wp-content

Order deny,allow
 Deny from all
 <Files ~ ".(xml|css|jpe?g|png|gif|js)$">
 Allow from all

This code requires it’s own .htaccess file which must be added to the wp-content folder, it allows users to see images and possibly CSS, … but protects PHP files.

Protect Files

# Protect the .htaccess
 <files .htaccess="">
 order allow,deny
 deny from all

Use this to protect a file rather than a folder section of your site.

.htaccess Protection

<Files ~ "^.*\.([Hh][Tt][Aa])">
 order allow,deny
 deny from all
 satisfy all

This piece of code blocks users from accessing anything that starts with hta

Ban Bad Users

order allow,deny
 deny from
 deny from
 allow from all

If you have noticed bad users abusing your site, identify them by IP and block them.