Elegant Themes Blog

WordPress Htaccess Tips And Tricks

Posted on April 9 by in Tips & Tricks | 96 comments

The .htaccess file is a configuration file that allows you to control files and folders in the current directory, and all sub-directories. The filename is a shortened name for hypertext access and is supported by most servers.

For many WordPress users, their first meeting with the .htaccess file is when they customize their website’s permalink settings. To get those pretty permalinks that we all know and love (e.g. http://www.elegantthemes.com/sample-post/ instead of http://www.elegantthemes.com/?p=123), we need to add something like this to the .htaccess file:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

If no .htaccess file exists, you can create one yourself and upload it. All you have to do is create a blank text file, save it as .htaccess and upload it to the root of your WordPress installation. Be sure to include the period at the start of the filename (i.e. save the file as .htaccess and not htaccess).

You also need to ensure your .htaccess file is writeable so that WordPress can add the appropriate permalink code to your .htaccess file. WordPress.org advises file permissions of 644 for the .htaccess file.

Htaccess File is Hidden

The .htaccess file is a hidden file. You therefore need to ensure your FTP client or file manager is configured to display the file in your directory.

The .htaccess file is not only used for permalinks. The file is better known for its ability to strengthen the security of a website. Millions of WordPress users use the .htaccess file to protect their websites from spammers, hackers, and other known threats.

In this article, I would like to share with you several snippets for .htaccess that will make your website secure. I have also included a few additional snippets that I believe you will find useful.

You may have noticed in my permalink example above that the code begins with # BEGIN WordPress and ends with # END WordPress. WordPress can update any code that is placed within those tags. You should therefore add the snippets shown in this article at the top or bottom of your .htaccess file (i.e. before # BEGIN WordPress or after # END WordPress).

Be Careful

The .htaccess file is one of the most temperamental files you will encounter when using WordPress. It only takes one character to be out of place for the code to be incorrect. When that happens, it will usually cause your whole website to go down. It is therefore vital that you copy the code noted in this article correctly to your own .htaccess file.

Even if you are cautious, accidents can happen, and they frequently do.

Do not cut any corners when working with the .htaccess file. Before you begin, make a backup of your current working version of .htaccess. Store it in a safe place on your computer, and if possible, in another location such as a USB flash drive or on cloud storage.

Whenever you update your .htaccess file on your server, refresh your website to see if your website is still live. Do not skip this step as it is vital that you verify your website is still working correctly. If your website returns a blank screen, immediately revert back to your saved copy of .htaccess by uploading it over the version with errors.

If you cannot locate your backup file, either upload a blank .htaccess file or delete the .htaccess file altogether. This will get your website back online, which will obviously be your priority when your website goes offline.

Do not take any chances with .htaccess. Always have a backup. You have been warned :)
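
Part of this checking can be done before the file is uploaded at all. The Python sketch below is an added example, not code from the original article or from WordPress: it flags sections that are never closed (such as a missing </IfModule>), typographic dashes or quotes picked up when copying from a web page, lines that are neither directives nor # comments, and a WordPress block that no longer matches your backup. The names lint_htaccess and managed_block and the sample files are assumptions made for illustration, and backslash line continuations are not handled.

```python
import re

BEGIN, END = "# BEGIN WordPress", "# END WordPress"
OPEN_RE = re.compile(r"^<\s*([A-Za-z][A-Za-z0-9]*)\b.*>$")
CLOSE_RE = re.compile(r"^</\s*([A-Za-z][A-Za-z0-9]*)\s*>$")
DIRECTIVE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*(\s|$)")
# Dashes and quotes that web pages and word processors substitute for ASCII ones.
TYPOGRAPHIC = "\u2013\u2014\u2018\u2019\u201c\u201d"


def managed_block(text):
    """Return the lines from the BEGIN marker to the END marker, or None if absent."""
    lines = [line.strip() for line in text.splitlines()]
    if BEGIN in lines and END in lines and lines.index(BEGIN) < lines.index(END):
        return lines[lines.index(BEGIN): lines.index(END) + 1]
    return None


def lint_htaccess(new_text, backup_text=None):
    """Return sorted [(line_number, message), ...]; an empty list means nothing was found."""
    problems = []
    stack = []       # (section name, line number) for every <Section> still open
    inside = None    # line number of "# BEGIN WordPress" while inside that block
    for num, raw in enumerate(new_text.splitlines(), start=1):
        line = raw.strip()
        if line == BEGIN:
            if inside is not None or stack:
                problems.append((num, "BEGIN marker nested inside another block"))
            inside = num
            continue
        if line == END:
            if inside is None:
                problems.append((num, "END marker without a BEGIN marker"))
            inside = None
            continue
        if not line or line.startswith("#"):
            continue
        if any(ch in TYPOGRAPHIC for ch in line):
            problems.append((num, "typographic quote or dash in a directive"))
        closing = CLOSE_RE.match(line)
        if closing:
            if stack and stack[-1][0].lower() == closing.group(1).lower():
                stack.pop()
            else:
                problems.append((num, "</%s> has no matching opening tag" % closing.group(1)))
            continue
        opening = OPEN_RE.match(line)
        if opening:
            stack.append((opening.group(1), num))
            continue
        if not DIRECTIVE_RE.match(line):
            problems.append((num, "line is neither a directive nor a # comment"))
    for name, num in stack:
        problems.append((num, "<%s> is never closed" % name))
    if inside is not None:
        problems.append((inside, "BEGIN marker without an END marker"))
    # Line number 0 marks a whole-file finding rather than a single line.
    if backup_text is not None and managed_block(backup_text) != managed_block(new_text):
        problems.append((0, "WordPress-managed block differs from the backup"))
    return sorted(problems)


# Constructed sample files (not taken from a real site).
WP_BLOCK = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""
GOOD = "<files wp-config.php>\norder allow,deny\ndeny from all\n</files>\n" + WP_BLOCK
BROKEN = WP_BLOCK + (
    "<IfModule mod_expires.c>\n"                      # line 11: never closed
    "ExpiresActive On\n"
    'ExpiresDefault "access 2 days"\n'
    "RewriteRule ^wp-admin/includes/ \u2013 [F,L]\n"  # line 14: en dash instead of "-"
    "/* block include-only files */\n"                # line 15: not a # comment
)

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BROKEN", BROKEN)):
        print(name, lint_htaccess(text, backup_text=WP_BLOCK) or "no problems found")
```

A clean result only means the file is well formed; you still need to refresh the website after uploading, as described above.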

1. Protect .htaccess

Due to how much control .htaccess has over your whole website, it is important to protect the file from unauthorised users. The following snippet will stop hackers from accessing your .htaccess file. You can, of course, still edit the file yourself via FTP and through your hosting control panel’s file manager.

<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

2. Protect WP-Config.php

Another important file is wp-config.php. This configuration file contains the login information for your WordPress database as well as other important maintenance settings. It is therefore advisable to disable access to it.

<files wp-config.php>
order allow,deny
deny from all
</files>

3. Protect /Wp-Content/

The wp-content directory is one of the most important areas of your WordPress website. It is where vital files are located such as your themes, plugins, uploaded media (images and videos), and cached files.

Due to this, it is one of the main targets of hackers. When a spammer managed to compromise an old website of mine last year, he did it by uploading a mail script to my uploads folder. He then proceeded to send out spam mail using my server, which subsequently placed my server on spam blacklists.

You can tackle threats like this by creating a separate .htaccess file and adding the following code to it:

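# Deny every request in this directory by default
Order deny,allow
Deny from all
# Re-allow only these file types (the dot before the extension is escaped)
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>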

You then need to upload this separate .htaccess file to the main wp-content directory i.e. www.yourwebsite.com/wp-content/. Doing this will allow media files to be uploaded including XML, CSS, JPG, JPEG, PNG, GIF, and JavaScript. All other file types will be denied.

4. Block Include-Only Files

There are certain files that never have to be accessed by the user. You can block access to these files by adding the following code to your .htaccess file:

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

5. Restrict Access to the Admin Area

Another entry point for hackers is the WordPress admin area. If they gain access to this area, they can do almost anything to your website.

To make this area more secure, create a new .htaccess file and add the code below to it:

# Limit logins and admin by IP
<Limit GET POST PUT>
order deny,allow
deny from all
allow from 12.34.56.78
</Limit>

Be sure to change 12.34.56.78 to your own IP address (you can find out your IP address at What Is My IP?). Then upload the file to your website’s /wp-admin/ folder i.e. www.yourwebsite.com/wp-admin/.

This will allow you to access your WordPress admin area, but will block everyone else.

Additional IP addresses can be added for other administrators and staff. You can do this by adding additional allow lines or listing their IP addresses in the main allow line and separating them using commas. For example:

allow from 12.34.56.78, 98.76.54.32, 19.82.73.64

6. Ban Someone From Your Website

If you know the IP address of a malicious party, you can completely ban them from your website using the snippet below. For example, you could ban someone who always leaves abusive comments or someone who has attempted to access your admin area.

<Limit GET POST>
order allow,deny
deny from 123.456.78.9
deny from 987.654.32.1
allow from all
</Limit>
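
The snippets in this article use both order allow,deny and order deny,allow, and the two evaluate the same allow and deny lines differently. The Python model below is an added example (not the article's code and not Apache's implementation) that follows the evaluation order documented for Apache's Order directive and applies it to the snippets from sections 2, 5 and 6. The function names and the addresses 198.51.100.23 and 203.0.113.7 are constructed for illustration; <Limit> method scoping, host names and partial addresses are not modelled.

```python
import ipaddress


def parse_access(snippet):
    """Extract (order, allow_specs, deny_specs) from Order / Allow / Deny lines."""
    order, allows, denys = "deny,allow", [], []   # Deny,Allow is Apache's default Order
    for raw in snippet.splitlines():
        words = raw.strip().lower().split()
        if len(words) == 2 and words[0] == "order":
            order = words[1]
        elif len(words) >= 3 and words[0] in ("allow", "deny") and words[1] == "from":
            (allows if words[0] == "allow" else denys).extend(words[2:])
    return order, allows, denys


def spec_matches(spec, client_ip):
    """True if one 'from' argument ('all', an address or a CIDR block) covers client_ip."""
    if spec == "all":
        return True
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False   # host names and partial addresses are not modelled here


def is_allowed(snippet, client_ip):
    """Decide whether client_ip may access a resource covered by the snippet."""
    order, allows, denys = parse_access(snippet)
    allow_hit = any(spec_matches(spec, client_ip) for spec in allows)
    deny_hit = any(spec_matches(spec, client_ip) for spec in denys)
    if order == "allow,deny":
        # Allow lines are checked first and Deny lines last:
        # a Deny match wins, and a client matching nothing is denied.
        return allow_hit and not deny_hit
    # deny,allow: Deny lines are checked first and Allow lines last:
    # an Allow match wins, and a client matching nothing is allowed.
    return allow_hit or not deny_hit


# Section 5: admin area restricted to one address.
ADMIN = """<Limit GET POST PUT>
order deny,allow
deny from all
allow from 12.34.56.78
</Limit>"""

# Section 6 pattern, with a constructed documentation-range address as the banned client.
BAN = """<Limit GET POST>
order allow,deny
deny from 198.51.100.23
allow from all
</Limit>"""

# Section 2: nobody may request wp-config.php.
WP_CONFIG = """<files wp-config.php>
order allow,deny
deny from all
</files>"""

# Same lines as ADMIN with the Order swapped: the Deny match now wins for everyone,
# so the administrator is locked out as well.
ADMIN_SWAPPED = ADMIN.replace("order deny,allow", "order allow,deny")

if __name__ == "__main__":
    cases = [("ADMIN", ADMIN), ("ADMIN_SWAPPED", ADMIN_SWAPPED),
             ("BAN", BAN), ("WP_CONFIG", WP_CONFIG)]
    for name, snippet in cases:
        for ip in ("12.34.56.78", "198.51.100.23", "203.0.113.7"):
            verdict = "allowed" if is_allowed(snippet, ip) else "denied"
            print("%-14s %-15s %s" % (name, ip, verdict))
```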

7. Send Visitors to a Maintenance Page

Maintenance plugins such as Ultimate Maintenance Mode and Maintenance are useful for displaying a temporary message to visitors when you are developing a website, or when working in the background to update your website.

Unfortunately, maintenance plugins are of little help if you face the infamous WordPress White Screen of Death. They only function correctly if your website is working correctly.

If you want to prepare for the worst, I recommend creating a basic HTML page named maintenance.html that advises visitors that you are currently experiencing problems with your website, but will be back online soon. When your website does go down because of a hacking attempt or because of the White Screen of Death, simply add the snippet below to your .htaccess file to direct all traffic to your message at maintenance.html.

RewriteEngine on
RewriteCond %{REQUEST_URI} !/maintenance.html$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123
RewriteRule $ /maintenance.html [R=302,L]

You need to configure the above code for your own website. Change the html filename to the name and location of your own maintenance file in the second and fourth row. You also need to add your own IP address to the third row to ensure that you can access your website whilst the maintenance message is being displayed to others. The code uses a 302 redirect to ensure that the maintenance page itself is not indexed.

8. Disable Directory Browsing

Allowing unauthorised individuals to look at your files and folders can be a major security risk. To disable browsing of your directories, simply add this small piece of code to your .htaccess file:

# disable directory browsing
Options -Indexes

9. Enable Browser Caching

Browser Caching is something I recently discussed in my article “Optimize Your WordPress Website Using These Simple Tips“. Once enabled, browser caching will allow visitors to save items from your web page so that they do not need to be downloaded again.

It is used for design elements such as CSS stylesheets and media items such as images. It is a practical solution as when someone uploads an image to a website, the image is rarely updated again. Browser caching would therefore allow visitors to load the image saved on their computer rather than your server. This reduces bandwidth and reduces page loading times.

To enable browser caching, all you need to do is add this code to your .htaccess file:

## EXPIRES CACHING ##
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresDefault "access 2 days"
</IfModule>
 
## EXPIRES CACHING ##

10. Redirect a URL

301 redirects allow you to inform search engines that a URL has permanently moved to a new location. They can be used to redirect a page, folder, or even a completely new website.

They are therefore used whenever the URL of a page changes. This can be due to changing a domain, changing the permalink structure of your website, or simply changing the page slug (e.g. changing the page slug of an article from my-news to mygreatnews).

To redirect a location, all you need to do is add a line with Redirect 301, followed by the old location and then the new location. You can see how this works in practice below:

Redirect 301 /oldpage.html http://www.yourwebsite.com/newpage.html
Redirect 301 /oldfolder/page2.html /folder3/page7.html
Redirect 301 / http://www.mynewwebsite.com/

11. Disable Hotlinking

Hotlinking is a practice in which someone shares an image from your website by linking directly to the image URL. It commonly occurs on discussion forums, but many website owners still do it too (which is a mistake as it means images can be removed from your content at any time). Hotlinking can have a negative effect on your website. In addition to slowing your website down, it can also significantly increase your bandwidth costs with your hosting company.

You can prevent hotlinking by only allowing your own website, and any others you own, to execute image files. Add the code below to your .htaccess file to stop others from hotlinking your images. Be sure to replace the URLs below with your own website addresses.

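RewriteEngine on
# Let requests through when no Referer header is sent
RewriteCond %{HTTP_REFERER} !^$
# Let requests through when they come from your own websites
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourwebsite\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourotherwebsite\.com [NC]
# Send every other image request to the replacement image
RewriteRule \.(jpg|jpeg|png|gif)$ http://i.imgur.com/g7ptdBB.png [NC,R,L]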

When someone now views an image of yours at another URL, they will instead be shown the image denoted in the last line of code. This image can be changed to whatever you want.

* Note that disabling hotlinking may cause some RSS readers to have problems displaying your images from your RSS feed.

I hope you have enjoyed this list of tips and tricks for the .htaccess file. As you can see, it is a versatile configuration file that can be used for many things.

If you enjoyed this article, I encourage you to subscribe to the Elegant Themes Blog. Also, please feel free to share your own .htaccess tips and tricks with others in the comment area :)

Article thumbnail image by venimo / shutterstock.com

96 Comments

  1. Do you have a trick for addon domains where if someone goes to addon.domain1.com it will change the browser bar to addondomain.com? I’ve been looking all over for that!

    • Kevin Muldoon

      Are you referring to masking the domain? You can do this via your domain registrar?

    • I don’t know if I got this right, but I think you are referring to an addon domain. Right? (i.e. you have a website: ‘www.yourwebsite.com’. You then registered a new domain, let’s say “newdomain.com” and instead of purchasing a new hosting, you added an addon domain to your main hosting plan (www.yourwebsite.com). So, now your new domain is hosted in: ‘www.newdomain.yourwebsite.com’) Is this the case?

      If that’s what you’re talking about, use the 301 redirect. From ‘www.newdomain.yourwebsite.com’ —> to ‘www.newdomain.com’

      (I’m not an expert by any means, so if someone here thinks I’m wrong, please correct me! ;) )

    • Amy,
      You might want to check out the BlueHost (www.bluehost.com) FAQ or support pages. I have two add on domains and they are working without incident.

  2. Thanks for the article.

    Another great post for all WordPress users.

    A few weeks back I was looking for this (how to disable directory browsing). Good to know these resources are in your blog.

    Makes my membership an even better value.

  3. Great one-stop post for all the essentials and then some. Outstanding job!

    Quick and easy script I use to direct everyone except the dev team to the old site while the new site is under development.

    # define redirection with IP exceptions
    RewriteEngine On
    RewriteBase /

    #Dev Team
    RewriteCond %{REMOTE_HOST} !^123\.123\.123\.123

    RewriteCond %{REQUEST_URI} !/index\.html$
    RewriteRule .* http://www.oldsite.com/ [R=302,L]

    • @Mike – that script is a great idea! But since I am not very proficient (yet) with .htaccess could you please give more details on what the different elements are? Thanks!!

      BTW – This is a great post!! You have all the elements I’ve been looking for in one place, and then some.

    • Sorry I hadn’t seen your reply until now. This script is used to redirect traffic from a list of IPs (only one shown here, but you could add others) while all others are directed to the old site (the public). This allows my team to type in the new URL and get to the new site.

      The RewriteRule simply redirects all non-specified IP traffic to the old site with a temporary redirect (302, not a 301). The RewriteCond allows traffic from included IPs to proceed to the new, under development, site (REMOTE_HOST)

      Check out the Apache .htaccess guides for all kinds of technical, but useful info: http://httpd.apache.org/docs/2.0/misc/rewriteguide.html

      Really hope this helps,
      Mike

  4. Kevin

    All hints are very helpful, and I’d like to implement all of them.

    Should we have only one zone

    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    more Rewrite
    more Rewrite
    more Rewrite

    or could we have several if..endif in the .htaccess.

    Other question: I’ve seen joint attack from different countries at the same time. Have you a simple solution to ban a group of countries ? (IP ranges are too numerous).

    Thanks

    • Great question. I have this question too.
      Somebody?
      Thanks

    • Kevin Muldoon

      You should have several zones. Each snippet is separate from the next.

      I am not aware of a simple solution to ban a group of countries. It may be worth installing a security plugin that blocks known spammers and hackers.

        • Thanks John, but does anybody know if there is a limit for the list of “deny from”.

          Just to bar Ukrainian hackers, the list is 2490 lines :)

          It would become a very big .htaccess file for barring joint attacks involving several countries.

          I will use it right now.

          Cheers

  5. I’ve used Bulletproof security plugin for configuring htaccess files and the like. Any reason to do it manually and not use the plugin besides load time?

    Also, how do you guys display the social icons to the left of the page in the blog? I’ve been looking for a way to do that.

    Thanks and keep up the good work.

    • Scott,

      You could simply use the Custom HTML widget and hand code it in about 5 minutes or so. Much easier than finding a plugin capable of the same thing. Unless you are wanting sharing parameters for each individual blog type.

    • Kevin Muldoon

      I can’t recall if BulletProof security offers real-time monitoring.

      If all it does is modify your .htaccess file, then you could activate the plugin, harden your security, save the .htaccess file for reference, and then deactivate the plugin.

      With regards to the floating sharing bar: https://wordpress.org/plugins/addthis-smart-layers/

      :)

  6. Great post Kevin,

    I’ve been stumped trying to find a way to redirect a referring link to a specific page. I know and have implemented almost every step that you listed above and use them regularly on mine and my client’s sites that I build in WordPress.

    However, on my own site I have a referring link that is pointing to the root level of my domain and I keep losing these people because they are unable to find the information that pertains to them specifically.

    So literally, I want to point http://www.referringURL.com to http://www.mydomain.com/special-portfolio/

    I can’t find this answer anywhere. Any help would be great. I can’t wait for Divi 2.0

    Regards,
    David

      • Thanks Kevin,

        I know of that method. However, that won’t work for me since the site that is referring the traffic is not mine. It was an ad space that was bought a long time ago and they kept a referral link for web design on their site that goes to me.

        I want to take that link and send it to a specific page on my site. I might be asking something that isn’t possible. It would seem that way since I haven’t been able to find the right answer/solution to it yet.

      • Hey Kevin,

        Thank you so much for your help. The link you gave didn’t get me to the correct spot, but it got me thinking and I found the solution.

        I’ve added an example of the RewriteRule that is required to this and how to use in the off chance that anyone else might want to use this.

        I made some advancements to this Rewrite to allow it to redirect from any referring point of another domain. I made it cover Rewriting from http and https and also allowed it to Rewrite from domain, sub-domain, sub-sub-domain and so on.

        To use:
        1.) Replace “link-on-your-site-to-point-to/” with any special landing page slug you wish to send the people to. Make sure to keep the trailing slash.

        2.) Then change “xyz\.com” to the domain name that you are getting the traffic from that you want to point to the specific page in step one. Make sure to keep the “\.com” at the end.

        3.) Next, add your domain name WITHOUT the “www.” and the landing page slug that you wrote in step one. Keep the trailing slash and everything after it or else it won’t work.

        4.) Finally, add this BELOW your WordPress Rewrite. Look for the “# END WordPress” and paste it there. If not you will set the redirect loop of death and not be able to figure out what happened.

        5.) Refresh your browser and test the referring link. If you don’t see it working clear your browser cache and try again.

        Here’s the code:

        RewriteEngine on
        RewriteCond $1 !^link-on-your-site-to-point-to/
        RewriteCond %{HTTP_REFERER} ^https?://([^.]+\.)*xyz\.com
        RewriteRule (.*) http://yourdomain/link-on-your-site-to-point-to/$1 [R=302,L]

        Regards,
        David

        • Kevin Muldoon

          Glad you got it sorted. I appreciate you coming back and sharing the code for others too. :)

          Kevin

  7. Thanks for another great post Kevin. I look forward to these bits of information (and inspiration) being delivered almost daily.

  8. I like the iThemes Security plugin (formerly Better WP Security). Great controls plus secures .htaccess. Make sure you have a backup before changing things. It will create a database backup for you via a prompt.

  9. This is great, exactly what I have been looking for.

  10. Really great post,

    Thanks sir for this information.

    Excellent work!

  11. Doesn’t that trick conflict with the plugins themselves?

    “Order deny,allow
    Deny from all

    Allow from all

    For example – if caching plugin like W3TC generates static html pages or copies php there?

    • Just found answer myself!
      WP-Content hosts all your themes and caches – if you add to .htaccess recommendation:
      ” 3. Protect /Wp-Content/ ”
      your site will corrupt…
      Just checked it myself.
      Be careful!

      • Kevin Muldoon

        Thanks for checking that Andru. I am sure someone will find that useful.

  12. Great post. Greatly appreciated :º)

  13. Won’t any of these .htaccess declarations conflict with plugins? And thanks for tip no7, I’ve been searching for that many weeks ago.

  14. All those pieces of code, starting at point 1, may be added anywhere in .htaccess file and in any order?

    • Kevin Muldoon

      The order does not matter. You only have to ensure that the code is outside of the Begin WordPress and End WordPress code area as WordPress will automatically update that section.

      • Thanks for this, but what is the purpose of point 1 precisely? all .something files are already supposed to NOT being accessible…

        • Kevin Muldoon

          It is not for protecting the file against internet users, it’s for denying access to scripts etc :)

  15. Hi Kevin,

    I am a newbie in WordPress, it’s very useful information. Thank you for your sharing.

  16. Thanks for the great post. Useful . .

  17. Amazing tips, thanks a lot. I found that disable hotlinking is rather easy to do and secures my blog from unwanted threats.

  18. Great post Kevin, thanks!

  19. Thanks a lot for the post, especially 5th point is very important for our website security, have to implement all these on my sites now :)

  20. Thanks a lot for informative post. Really important to protect WordPress blog from hackers. These tips surely reduce the risk of hacking blogs.

    THANKS FOR SHARING WONDERFUL ARTICLE

  21. Thanks for the professional information about .htaccess Kevin. My compliment for your articles.

  22. This is a really great resource Kevin! It can be so hard to find practical tricks like these all in one place. Thanks muches, I will be adding a few to my site this week! :)

  23. Great examples.. Congratulations !

    Update these tips always ! :)

  24. This is the most useful ET Blog post I’ve seen so far (newbie to WP and apache).

    For migrating sites from asp.NET to WP, I wish there was some way to do a 301 redirect for every .aspx page in a site to a page with the same name (but obviously without the aspx extension) in WP, like with wildcards or something.

  25. Thanks for the great info! I am new to Elegant Themes and enjoying every day! Love the professionalism!!

  26. Oh, I broke down my website by following all the instructions here. Don’t know why, just got the page not found error message. I have to delete all the added code to the .htaccess and my website is back to normal.

    One word of caution: after adding the code, use another browser or another computer to view the website for checking. Some .htaccess directives do not apply immediately if you have viewed the website on the same browser just a moment ago. This is the fact I learnt the hard way. My website was down for over 3 hours unaware.

    • Kevin Muldoon

      This is something I stressed in my tutorial. You need to backup .htaccess and you need to refresh your website again after modifying your .htaccess file. You need to do this every time.

      .htaccess is always applied immediately – always.

      As I stressed, do not ever take any risks with .htaccess. It is a very powerful file and can close down your website if you do not enter the code correctly. :)

      • I was just about to copy the snippet for 9. Enable Browsers Caching when I noticed
        was missing from it! Maybe that is what happened to WP Learner?

        • “” is missing

          • the end IfModule part is missing.

          • Kevin Muldoon

            Thanks for noticing that Sigurfreyr. I am not sure how I missed that.

            I have asked Nick to correct the post for me. Appreciate you letting me know :)

  27. Hotlinking is great for SEO, it’s a legit incoming link. It only costs you bandwidth which is normally a very cheap resource these days. I wouldn’t disable hotlinking..

    • Kevin Muldoon

      You would perhaps change your opinion if an image of yours was shared on a high traffic discussion forum or a social network such as Reddit (e.g. the comment area).

      • If your stats show high traffic sites *which hold no SEO value*, you can always disable hotlinking from them specifically.

  28. I have heard rumours that .htaccess only works on Apache servers. Is this true or can the stuff in this blog be used on any wordpress site wherever hosted? Regards
    Mike

    • Yes you need to use it on Apache servers. I believe Windows servers have something similar called a web.config file.

      • I’m building my first WP page on an Apache web server and this REALLY helped me out! Thanks for sharing!

  29. Hi Kevin,

    We use a lot of theme for clients from Elegant Themes. By far this is one of the best .htaccess post I have come across today. We already use Browser Caching quite frequently but the other tips are quite helpful too!

    Thanks for sharing!

    Dave

  30. Hi,
    really a great article, thanks so much for sharing!

    Is there a way to do a rewrite only for the frontend? So the rule shouldn’t have an effect on the admin panel?

    Thanks,
    Regards, Bettina

  31. I’ve recently signed on with ET and finding sooo much more even than I’d hoped for, including your many wonderful blog posts. I’ve been using most of what you suggest in this post for a while now on two sites. I’ve always hesitated to use the #3 protect wp-content suggestion, wondering how it would be with the ways various plugins use/engage that folder, but thought I’d give it a try after reading here.

    After 12 hours I’ve pulled the .htaccess file out of both wp-content folders. On one site Pingdom started saying the site was down, though it wasn’t. On the other site Jetpack monitor started saying the same thing for that site.

    Within minutes of deleting the .htaccess files from the wp-content folders of both sites, I received messages from both services saying both sites were up again, after 12 hours of being down, though neither site was actually down at all during that time.

    I found also that on the site jetpack was installed that jetpack itself was having problems in its setting pane, not able to engage with its various modules. That also disappeared as soon as I pulled the .htaccess file in that site’s wp-content folder.

    I copy pasted your code here, after finding it identical to other sources for that code. I have experience creating and modifying cPanel files including .htaccess files.

    Wanted to share this in case it is helpful, and also because I’m wondering if there is something more here for me to learn.

    Kind regards.

  32. If I have pdf in wp-content, I just add that extension to the code right? Like this?
    #place in wp-content
    Order deny,allow
    Deny from all

    Allow from all

  33. Ok, well the comment system stripped the code. Which is fine. I just add pdf to the end of the media file list right?

  34. Hi Kevin,

    Thank you for sharing with us all these great tips.
    Do you have any idea how to hide the WP theme used through .htaccess file?

    Thank you in advance,
    George

  35. Many thanks Kevin, some of this is new to me and I love it.

    I implemented the wp-content protection on one site and did not spot that I needed to add |woff| ttf| svg| eot for my font icons for quite a while.

    I thought I’d share in case it helps anyone.

  36. Great article!

    I just had a problem with respect to implementation of protection of wp-content folder.

    I created a new htaccess file, after I added this code:

    Order deny,allow
    Deny from all

    Allow from all

    I had problems after you put it inside the wp-content folder. Some social icons, functions, and text fonts do not appear correctly.

    Could anyone help me or show me what I’m doing wrong?

    • The comment excluded part of the code. I used only what was taught in step 3. Protect /Wp-Content/

      • I had the same issue – see comment above yours.

        I think you need to add to the snippet the other file types for your font and icons. Adding these – |woff|ttf|svg|eot worked for me.

  37. Really helpful ! thanks for your article

  38. For the wp-content directory I added ttf, eot, svg, otf and woff for fonts

  39. Thanks for great post! Any idea – how to protect .htaccess file itself from hacking? I got this problem on several sites, and can’t do anything – always bad code in .htaccess files – a bunch of redirect links. Cleaning up doesn’t help – after sometimes code become appearing again((

  40. Regarding protecting Wp-Content directory… will the htaccess file you recommend creating in the wp-content directory (which would restrict access to only pretty much images and similar content), will it cause problems with the new WP automatic updates/upgrades?

    I ask because WP uses a subfolder underneath Wp-content directory called “upgrades” and since htaccess protects subfolders, I wonder whether this would cause update/upgrades failures/problems? By following this advice, wouldn’t WP itself have a problem using that subdirectory as a temp upgrade location?

  41. I have a client that has a folder on his site that he wants to give everyone access to, but when he types in the domain name/folder name, he gets a page not found error. Is there a (safe) way to give everyone in the world access to such a folder and maintain security for the rest of the site?

    Thanks!
