How to Protect Your WordPress Files Using .htaccess?


The .htaccess file is a server configuration file that is provided by many web servers, including the most common applications for the Apache web server. This apparently unassuming file is driven by all sorts of plugins and features that can very easily describe the way your web server handles requests if used correctly. Learn how to limit site access to WordPress with this file.

It is also very helpful to shield the WordPress files from unwanted access by hackers, aside from specifying the way the web server processes requests. In this post, we discuss the various ways you can use .htaccess to encrypt the different files on your site.

How to protect your WordPress files using .htaccess?

Let’s start protecting the .htaccess file first before we go on protecting other files. However, as we always say, always backup your site before making any improvements (no matter how large or minor they might be) and save a couple of copies of your .htaccess file on your local machine in this situation. This is to include any harm that could result from the file being unintentionally messed with.

Protecting the file with .htaccess

You can conveniently find the .htaccess file in the public html web root folder. Using an FTP like FileZilla or using your WordPress hosting account’s File Manager, there are two ways to access this file. We are using the File Manager in this article to view the file and teach you how you can protect it.

Step 1: Using your username and password, log into your web hosting account. Refer to our guidance if you are confused about your web hosting account credentials.


Step 2: Click on File Manager.


Step 3: Next, click on the public_html folder.


Step 4: Inside you will see the .htaccess file. Right-click on it. And choose the option to edit.

Once you access the file, place the following snippet of code in it.

# Deny access to .htaccess

<Files .htaccess>

Order allow,deny

Deny from all


This will prevent users from accessing the file with .htaccess. Simple, aren’t they?

Now that the .htaccess file has been locked, it is time that we move on to the others. So let’s start with the wp-admin folder to protect it.

Control access to the wp-admin folder

There are files in the wp-admin folder that together control the admin tools. Under this folder, an admin.php file executes the following functions:

  • Requires the database to be connected to
  • WordPress Dashboard Shows
  • Power the site’s login screen

The wp-admin directory is a very critical one, as you can see, and precautions must be taken to protect it against unauthorised entry. That’s because accessing the admin panel would encourage the hacker on your website to create havoc. To do this, limit the user’s access to the WordPress admin folder. Enable access to your preferred individual IP addresses. You will need to create a new .htaccess file with a particular code (the one below in the blue box) and upload it to your wp-admin folder to do this.

Simply open a new tab in your regular text editor to create a new .htaccess file and call it .htaccess. Not .htaccess.txt or .htaccess.doc or other other extensions to data. Simply.htaccess. If that’s done, paste the following code into it.

# Limit logins and admin by IP


order deny,allow

deny from all

allow from


To upload the newly created .htaccess file to the wp-admin folder, log into your web host account and open file manager as shown below.


Once you click on File Manager, you can see all the files and folders in your site as shown below. Then click on the public_html folder.


Click on the wp-admin folder.


Then click on the upload button as shown before.


Select the .htaccess you just created on your local system and upload it in the window that opens.


You are finished after you have uploaded the latest .htaccess file! This new security measures would prevent users from accessing your admin screen, other than those to which you have expressly given permission.

Notice that this would limit access to wp-admin only and will not block access to the WordPress platform entirely. Registered users can also use wp-admin, although it can still be restricted by user positions. User authorization can be filtered so that not every authorised user can access the folder.

How to Encrypt File wp-config

The wp-config file manages the WordPress base configurations and includes confidential information, such as MySQL parameters, hidden keys, WordPress database link specifics, etc., about your WordPress installation. Given the sensitive value of the knowledge it holds, it is important to take the utmost precaution to protect it from prying eyes.

To encrypt this very critical file that is accessed by a web user, the .htaccess file can come in handy. All you need to do to do this is copy the code given below into your .htaccess file.

Open the .htaccess file from the File Manager as explained under ‘Protecting the .htaccess file’ and add the following code to it.

<files wp-config.php>

order allow,deny

deny from all


Your wp-config file will be safe from being accessed by unauthorised users until you have applied the code provided above.

In unique directories, disable PHP execution

Many hackers leave the loophole to access information on the site so that they can obtain easier access to the site in the future, even though the hack is detected and dealt with. These backdoor files in the wp-includes or wp-content/uploads/ folders are also disguised as WordPress files. Most sometimes, these are .php scripts. You need to uninstall certain kinds of files from running in order to help protect your WordPress files and directories. This can help limit access to your WordPress, and this can be achieved by disabling PHP execution in these files.

When you obey our clear guidance to the T, disabling PHP execution using .htaccess is a really fast method.

First of all, in your text editor, create a new .htaccess file and apply the following code to it.

<Files *.php>

deny from all


As a next step, log into your web hosting account and open your File Manager. In here, you get access to content and upload folder. Look for wp-content/upload/ folder.


Click on the Upload button and upload the newly created .htaccess file.


On clicking the Upload button, a new window will open that will allow you to select the .htaccess file from your local system.


You must add it to the wp-includes folder after you have imported the .htaccess file into the wp-content/upload/ folder.

Similar to attaching it to the wp-content/upload/ folder, open the wp-includes folder in your site’s home directory by accessing the file manager.


Click on the wp-includes folder and then click on the upload button.


Once you click on the upload button, you will be able to select a file from your local system. Select the .htaccess file that you just created and upload it.


You have successfully blocked any PHP execution in these folders until you have added the .htaccess file to both of these very important folders.

Disable directory browsing

Directory browsing is a feature where, when you want to navigate a website, you see a list of files and directories, instead of a web page. For example, you have a directory on your website named private (as an example), say, If directory browsing in this specific directory is not disabled, then if anyone wanted to type they would see all of the files and directories in the private directory.

This can be catastrophic for your web and it can give the scheming hacker a wealth of knowledge. Who will then plan an assault on your site armed with knowledge of the hierarchy of your server file? You will be restricting the amount of access to your website by disabling directory browsing.

Create a .htaccess file in your text editor to disable directory searching for a particular directory and save it as .htaccess (without any additional file extensions). Then apply the code below to it and limit access to your WordPress files.

# disable directory browsing

Options All -Indexes

Upload this newly developed .htaccess file into the directory for which you want to uninstall this function after you have added the code. For eg, if you wish to disable the wp-includes folder directory browsing, then upload this .htaccess file to the wp-includes folder, as previously done through File Manager.

Blocking specific IP addresses from accessing site

You may have found that spamming, launching hack attempts or merely attempting to obtain unauthorised user access to your WordPress site has been replicated by certain users from certain IP addresses. Through banning his IP address from ever accessing your site using the .htaccess format, you will totally thwart unauthorised WordPress user access. Copy the code given below into your .htaccess file to do that.

<Limit GET POST>

order allow,deny

deny from 123.456.78.9

allow from all


The IP address that is in the code above is just a dummy. You can substitute these values with the IP address that you wish to block. If instead of one, you have multiple ones, simply add each one separately in a line that looks like this:

deny from 213.546.87.9

If instead of a full IP address, you want to deny access to a block of IP addresses, simply omit the last of the octet as shown below.

deny from 213.546.87.9

This would block all IP addresses from 213.546.87.0 to 213.546.87.255.

Blocking specific domains from accessing your site

It might not always be possible for you to know the unique IP addresses that spam you. You should realise, though, that these attacks come from connections that are shared on those malicious domains. .htaccess helps you to block a connection from those damaging sites from any user who has visited your site.

To block a domain name, add your .htaccess file to the following code.

SetEnvIfNoCase Referer "" bad_referer

Order Allow,Deny

Allow from ALL

Deny from env=bad_referer

In the code above, substitute ‘badsite’ with the domain you want to block. In doing so, whenever a user tries to access your site from the domain you have blocked, he will get an error message and won’t be able to access your site.

The Preferred Option

While all of the strategies above are successful in limiting access to your WordPress archives, it cannot be ignored that your website is at considerable risk. About why? Oh, since there is a very crucial setup file you are fiddling with. Even a misplaced dot will disturb your site’s functionality! Frightening, right?

Hence, if you are not an expert, it is better to use a WordPress website protection plugin as it can help to harden your website. A plugin for WordPress named MalCare will take care of the security aspects of your site. MalCare does it all, whether it blacklists unique IP addresses, introduces website hardening measures in place, defends the login screen, scans for ransomware, or several other essential security measures!