Coding starts here
Home / Blog

HTACCESS – For WordPress only

A collection of useful .htaccess codes.
To work all of these, add the following line at the beginning to your .htaccess file.

Options +FollowSymlinks 
RewriteEngine on
RewriteBase /
  • Deny access to wp-config.php, readme.html, license.txt

    <FilesMatch "^(wp-config.php|readme.html|license.txt)">  
        Order allow,deny
        Deny from all
        Satisfy All
  • Allow Only Selected Files from wp-content

    # Disable access to all file types except the following
    Order deny,allow
    Deny from all
    <Files ~ ".(xml|css|js|jpe?g|png|gif|pdf|docx|rtf|odf|zip|rar)$">
    Allow from all

    You must create a new .htaccess file with the code and paste it in the wp-content folder. Don’t place this in the base installation directory – else it won’t work.

  • Restrict All Access to wp-includes

    # Block wp-includes folder and files
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]

    The wp-includes folder contains only the files that are strictly necessary to run the core version of WordPress – one without any plugins or themes. Remember, the default theme still resides in the wp-content/theme directory. Thus, no visitor (including you) should require access to content of the wp-include folder.

  • Allow only Selected IP Addresses to Access wp-admin

    # Limit logins and admin by IP
    <Limit GET POST PUT>
    order deny,allow
    deny from all
    allow from 302.143.54.102
    allow from IP_ADDRESS_2
  • Password Protect WordPress Admin Folder

    You can easily create one by using this online generator.

    Upload this .htpasswds file outside your publicly accessible web directory or /public_html/ folder. A good path would be:


    Now you need to create a new .htaccess file and add this code:

    AuthName "Admins Only"
    AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd
    AuthGroupFile /dev/null
    AuthType basic
    require user putyourusernamehere
    <Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any 

    Important: Don’t forget to replace AuthUserFile path with the file path of your .htpasswds file and add your own username

    Upload this .htaccess file to your wp-admin folder. That’s all, your WordPress admin folder is now password protected and only you or the users you allow will be able to access it.

  • Protect .htaccess file

    <Files ~ “^.*\.([Hh][Tt][Aa])”>
    	order allow,deny
    	deny from all
    	satisfy all

This page wouldn’t have such a long without

Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x