Secure WordPress with .htaccess

The most important things you can do to keep WordPress secure are:

  • Keep WordPress itself up to date
  • Keep WordPress themes up to date
  • Keep WordPress plugins up to date
  • Ensure the plugins being installed are legitimate and recently updated

Beyond that, a few .htaccess changes harden the install further. All of them assume Apache with .htaccess enabled for the site, and AllowOverride has to permit the directives used: Options for Options -Indexes, FileInfo for RewriteRule, and Limit for Order/Allow/Deny (AuthConfig for the Apache 2.4 Require equivalents). A directive that is not permitted, or not recognised, causes a 500 Internal Server Error for every request under that directory, so after each change request a file that should now be blocked and confirm you get a 403, and one that should still work and confirm you get a 200. Order, Allow, Deny and Satisfy are Apache 2.2 access-control directives; on Apache 2.4 they are only available while mod_access_compat is loaded.

Disable directory listing

Edit the .htaccess file in the main WordPress directory (the one that also holds wp-config.php) and add the following above the # BEGIN WordPress block, so WordPress does not overwrite it when it regenerates its rewrite rules. Without it, Apache lists the contents of any directory that has no index file, which lets anyone browse the uploads tree and see which plugins are installed:

Options -Indexes

Block PHP execution and unknown file types in wp-content/uploads

wp-content/uploads is the one directory WordPress must be able to write to, so it is where a compromised plugin or a weak upload check drops a web shell. Create a .htaccess file in wp-content/uploads and insert the following:

# Deny everything in this directory by default
Order Allow,Deny
Deny from all

# Re-allow only the media types uploads should contain. Extend the list as
# needed (webp, mp3, docx, ...); svg is left out because it can carry script.
<FilesMatch "\.(?:jpg|jpeg|jpe|gif|png|mp4|pdf)$">
	Order Deny,Allow
	Allow from all
</FilesMatch>

# Disallow PHP execution. This section comes last because later <Files>
# sections override earlier ones, so it also wins for names such as
# shell.php.jpg, which mod_mime hands to the PHP handler on servers that
# configure PHP with AddHandler. (?i) makes the match case-insensitive,
# since mod_mime treats .PHP the same as .php.
<FilesMatch "(?i)\.(?:php[3-7]?|pht|phtml|phar)(?:\.|$)">
	Order Allow,Deny
	Deny from all
</FilesMatch>
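On Apache 2.4 without mod_access_compat, Order, Allow and Deny are unknown directives and every request to the directory fails with a 500. The following is the same uploads policy written with the 2.4 Require directives (it needs AllowOverride AuthConfig). It is an added example, not part of the original page: the allowed extensions mirror the list above, and the PHP section is placed last because later <FilesMatch> sections replace earlier ones (AuthMerging is Off by default), so it also wins for names like shell.php.jpg. The same substitution, Deny from all to Require all denied, Allow from all to Require all granted, with Order and Satisfy dropped, converts the other blocks on this page.

```apache
# wp-content/uploads/.htaccess, Apache 2.4 syntax (mod_authz_core only,
# no mod_access_compat needed). Added example, not from the original page.

# Default: nothing in this directory is served
Require all denied

# Re-allow only the media types uploads should contain; extend as needed.
# svg is deliberately absent because it can carry script.
<FilesMatch "\.(?:jpg|jpeg|jpe|gif|png|mp4|pdf)$">
	Require all granted
</FilesMatch>

# Never serve PHP-style files. Placed last so it overrides the allow list for
# names such as shell.php.jpg (mod_mime may run those as PHP when PHP is
# configured with AddHandler). (?i): mod_mime treats .PHP like .php.
<FilesMatch "(?i)\.(?:php[3-7]?|pht|phtml|phar)(?:\.|$)">
	Require all denied
</FilesMatch>
```

To verify, create an empty test.php in uploads and request it with curl -I: it should return 403, while an existing image in the same directory still returns 200. Remove the test file afterwards.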

Allow only static asset types under wp-content

Create a .htaccess file in wp-content and insert the following. It denies every file by default, so direct requests for plugin and theme PHP files return 403 (WordPress includes those files server-side, which is not affected), and re-allows only the listed extensions:

# Deny everything under wp-content by default
Order Deny,Allow
Deny from all

# Re-allow static assets. Add woff|woff2 if your theme ships web fonts,
# and any other extension your plugins legitimately serve directly.
<FilesMatch "\.(?:xml|css|js|jpe?g|png|gif|pdf|docx|rtf|odf|zip|rar)$">
	Allow from all
</FilesMatch>

Two caveats. A plugin that sends the browser straight to one of its own PHP files (some AJAX or download handlers do) will break; watch the access and error logs for 403s after enabling this and add a targeted exception rather than removing the rule. And because Apache merges the <Files> sections of every .htaccess on the request path after the plain directory-level directives, this allow list also applies inside wp-content/uploads: a .zip or .js stored there stays reachable even if the uploads .htaccess does not list it, so keep the two lists consistent with what you intend.

Block direct requests to the include-only PHP files

The files under wp-includes and wp-admin/includes are meant to be included by WordPress, never requested directly. Add the following to the .htaccess in the main WordPress directory, outside the # BEGIN WordPress / # END WordPress block. It has to live in the root .htaccess: the patterns match paths relative to the site root, so the same rules inside a wp-includes/.htaccess would never match anything:

<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteBase /
	# wp-admin/includes is never requested directly
	RewriteRule ^wp-admin/includes/ - [F,L]
	# For anything outside wp-includes, skip the three rules below
	RewriteRule !^wp-includes/ - [S=3]
	# Top-level PHP files in wp-includes
	RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
	# TinyMCE language files
	RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
	# theme-compat stubs
	RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

On a multisite install the ^wp-includes/[^/]+\.php$ rule also blocks wp-includes/ms-files.php, which older multisite setups use to serve uploaded media; drop that one rule there if media stops loading.

Disable access to the wp-config.php file

Add the following to the .htaccess in the main WordPress directory. wp-config.php is normally executed rather than served, but if PHP ever stops running (a broken upgrade, a handler misconfiguration) Apache would return it as plain text, including the database credentials and authentication salts:

<Files wp-config.php>
	Order Allow,Deny
	Deny from all
</Files>

Protect .htaccess and .htpasswd files

Apache's stock httpd.conf already refuses to serve files whose names start with .ht, so this is a safety net in case that global rule is ever removed. Add it once, to the .htaccess in the main WordPress directory; .htaccess directives apply to every subdirectory, so there is no need to repeat it in the other files:

# Matches .htaccess, .htpasswd and any other .ht* control file
<FilesMatch "^\.ht">
	Order Allow,Deny
	Deny from all
	Satisfy All
</FilesMatch>