How to restrict access to WordPress files using htaccess

Oct 20, 2014

How to restrict access to WordPress files using htaccess

Oct 20, 2014


In our earlier article How to ban users based on IP address, we learnt how to keep suspicious users out of our site. But that was only possible if you get to know their IP addresses. We don’t need to always wait for an attacker to knock on our doors to bump up our security. The htaccess file also allows you to protect sensitive data by restricting access to certain files and directories. Restricting access to files with .htaccess is ideal for files which still need to be accessed under the hood by your WordPress but never accessed directly by your website visitors, such as the WordPress configuration file wp-config.php found in the root of your WordPress. This article explains how to restrict access to such files.

If you want to restrict access to your WordPress configuration file, wp-config.php, you need to add the following files to your htaccess file.

<files wp-config.php>
order allow,deny
deny from all

On trying to access wp-config.php directly through the browser, a 403 error page will be displayed.


Always remember to upload the htaccess file in the same directory as that of the file that you want to protect. In this case, it would the WordPress root directory. If you want to restrict access to another file within the same directory, just change the filename in the above snippet i.e. wp-config.php.

If your site allow users to upload images, this could be a potential backdoor for hackers. The uploads folder has been exploited many times to upload malicious scripts and execute them remotely. This can be effectively prevented using the htaccess file. To disable php execution in the uploads folder, simply create a htaccess file in it with the following lines –

<filesmatch “\.php$”>
order allow,deny
deny from all

If you create a new directory (or folder) on your website, and do not put an index.html file in it, your visitors can view a directory listing of all the files in that folder. For example, if you create a folder called important, you can see everything in that directory simply by typing in your browser. No password or anything is needed. This could make your site vulnerable to hack attacks by revealing important information needed to exploit a vulnerability in a WordPress plugin, theme, or your server in general. You can use htaccess to easily disable directory listing on your site. All you’ve got to do is add the following line in your htaccess file within that folder –

Options All –Indexes

A 500 error page will be displayed whenever a user tried to list the contents of any directory on your site.

Remember to take a backup of your htaccess before making any changes to it. Do test every new line added before making further changes to the file. Even a small typo can end up breaking your site.

Would love your thoughts, please comment.x
Share via
Copy link
Powered by Social Snap