20 htaccess hacks to prevent your WordPress site from hacking

Posted In: Hacks, Usability, By , 16 Comments

A .htaccess (hypertext access) file is the common name of a directory-level configuration file which allows decentralised management of web server configuration. A .htaccess file is always added to the root directory, it can override many other configuration settings which includes server’s global configuration, content type and character set.

A .htaccess file can be used for lots of hacks that will secure and improve functionality for WordPress blogs and websites. Below are lists of top 20 htaccess hacks which will improve and prevent WordPress sites and blog from hacking. Some will allow to block specific IP addresses to visit the site, redirect visitors to maintenance page when particular site is redesigned or modified, prevent IP addresses to login into the wordpress admin section and many more.

htaccess hacks

1. Blacklist undesired users and bots ip address

Apache can be used to ban undesirable people and bots from your website. This code allows people to visit the blog except the person with the IP addresses

order allow,deny
allow from all
deny from 123.456.789
deny from 93.121.788
deny from 223.956.789
deny from 128.456.780

Article link

2. Redirect Day and name permalinks to /%postname%/

The first thing to do is to login to your WordPress admin, go to Settings → Permalinks and select custom. Fill out the field with /%postname%/.

Your permalinks will now look like the ones on this blog:


Now we got to redirect all backlinks using the old permalinks structure to the new permalink structure. To do so, you’ll have to edit the .htaccess file, located in WordPress root directory.
Be careful while editing .htaccess: Always create a backup before!

Paste the following line in your .htaccess:

RedirectMatch 301 /([0-9]+)/([0-9]+)/([0-9]+)/(.*)$ http://www.domain.com/$4

Article link

3. Redirect visitors to a maintenance page

RewriteEngine on
RewriteCond %{REQUEST_URI} !/maintenance.html$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123
RewriteRule $ /maintenance.html [R=302,L]

Article link

4. Redirect www to non www or vice versa

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^www.yourblogname.com [NC]
RewriteRule ^(.*)$ http://yourblogname.com/$1 [L,R=301]
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^yourblogname.com [NC]
RewriteRule ^(.*)$ http://www.yourblogname.com/$1 [L,R=301]

5. Setting canonical url manually using .htaccess

# Set the canonical url
RewriteEngine On
RewriteCond %{HTTP_HOST} ^yourblogname\.com$ [NC]
RewriteRule ^(.*)$ http://www.yourblogname.com/$1 [R=301,L]

6. Redirect WordPress Feeds to FeedBurner

This nice hack redirects http://www.yoursite.com/feed to http://feeds.feedburner.com/yoursite.

# temp redirect wordpress content feeds to feedburner
<IfModule mod_rewrite.c>
 RewriteEngine on
 RewriteCond %{HTTP_USER_AGENT} !FeedBurner    [NC]
 RewriteCond %{HTTP_USER_AGENT} !FeedValidator [NC]
 RewriteRule ^feed/?([_0-9a-z-]+)?/?$ http://feeds.feedburner.com/webanddesigners [R=302,NC,L]

Article link

7. Redirect WordPress Comment Feeds to FeedBurner

# temp redirect wordpress comment feeds to feedburner
<IfModule mod_rewrite.c>
 RewriteEngine on
 RewriteCond %{HTTP_USER_AGENT} !FeedBurner    [NC]
 RewriteCond %{HTTP_USER_AGENT} !FeedValidator [NC]
 RewriteRule ^comments/feed/?([_0-9a-z-]+)?/?$ http://feeds.feedburner.com/webanddesigners [R=302,NC,L]

Article link

8. SEO Friendly 301 Redirects

Use the following code to: Redirect to specific page without showing old fashion error page.

#SEO Friendly 301 Redirects
Redirect 301 /abc/file.html http://www.yourblogname.com/def/file.html

9. Force Caching with htaccess

The following htaccess code won’t help the initial pageload, but it will significantly help subsequent pageloads by sending 304 statuses when requested elements haven’t been modified.

FileETag MTime Size
ExpiresActive on
ExpiresDefault "access plus x seconds"

10. Allow only your IP adress on the wp-admin directory

Replace your IP with allow from xx.xx.xx.xx which will only allow your IP to access wp-admin directory.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Wordpress Admin Access Control"
AuthType Basic
order deny,allow
deny from all
allow from xx.xx.xx.xx

11. How to: Deny comment posting to no referrer requests

Simple hack to prevent spammers posting on your blog.

RewriteEngine On
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*yourblog.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]

Article link

12. The easiest way to ban a WordPress spammer

To block certain IP address from accessing your blog enter the following code into .htaccess file and replace example IP address with the one you want to ban.

<Limit GET POST>
order allow,deny
deny from
allow from all

13. Redirect visitors to a maintenance page

RewriteEngine on
RewriteCond %{REQUEST_URI} !/maintenance.html$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123
RewriteRule $ /maintenance.html [R=302,L]

Article link

14. Deny access to your wp-config.php file.

wp-config.php file in WordPress includes all important information like database name,

# protect wpconfig.php
<files wp-config.php>
order allow,deny
deny from all

Article link

15. Limit the File upload size to 20MB

To limit file upload size in wordpress to 20MB use the following code.

# limit file uploads to 10mb
LimitRequestBody 10240000

16. Customized HTTP 404 error page

If you’d like to redirect your visitors every time they catch into an HTTP 404 error, use this code:

# custom error pages
ErrorDocument 401 /err/401.php
ErrorDocument 403 /err/403.php
ErrorDocument 404 /err/404.php
ErrorDocument 500 /err/500.php

Article link

17. Add Trailing Slash to URL

To add slash at the end of your URL add the following code to .htaccess file.

#trailing slash enforcement
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !#
RewriteCond %{REQUEST_URI} !(.*)/$
RewriteRule ^(.*)$ http://domain.com/$1/ [L,R=301]

18. Password protected directories

A simple way to password protect blog directories

AuthType Basic
AuthName "restricted area"
AuthUserFile /usr/local/var/www/html/.htpasses
require valid-user

19. CheckSpelling directive

This directive can be useful to auto-correct simple spelling errors in the URL

<IfModule mod_speling.c>
CheckSpelling On

Article link

20. Quickly secure plugin files

WordPress plugin files might have a loop hole and may allow hackers to get into your website. To prevent others to have direct access to plugin files use following code.

<Files ~ "\.(js|css)$">
  order allow,deny
  allow from all

Using these htaccess hacks have proven to be useful for our blog from spammers and third party automated software trying to enter our blog. These hacks not only prevents your website from hackers but also improve speed and functionality of your blog/website. Do leave your comment if you have come across hacks like these.


Enjoy the real success with actualtests ccna syllabus and realtests cdl practice test online training programs and latest < certkiller ged test online dumps.

About the Author:

Web designer/developer holding Masters degree in IT, currently living in Australia. Passionate about Wordpress, PHP, Fireworks and Jquery.
  • Pingback: 20 htaccess hacks to prevent your Wordpress from hacking and improve functionality | UXWeb.info()

  • http://www.werdswords.com Drew

    I make it a point to prevent my WordPress from hacking.

  • http://artatm.com Rocky

    useful tutorial…. great post..

  • Pingback: Weekly Design News – Resources, Tutorials and Freebies (N.107)()

  • Pingback: Web Development articles, tutorials, help » Blog Archive » Weekly Design News – Resources, Tutorials and Freebies (N.107)()

  • http://www.logoblog.org Logo Blog

    Great Posting :) thanks for all these coding as a designer this would gonna helpful for me to learn more.. thanks :)

  • http://www.pixelstrol.ch Stefan

    These are useful htaccess snippets. Thx

  • http://www.baagdi.com baagdi

    Hey this is wonderful information about htaccess hacks here, but i would like to know is dere any requirement enabled mod rewrite in these codes. or do we need to do any kind of extra server side settings to run these hack on our website?

    • http://www.webanddesigners.com WAD

      Don’t think so.

  • http://www.heptasarim.com/ Kurumsal seo

    Perfect advices. I want to apply 16. matter.

  • Me

    Hello man,

    I want to ask you a question on the part of your topic about wordpress htaccess security : 20. Quickly secure plugin files
    Why do you allow from all ? It wouldn’t be deny from all choice to refuse all access from css and js scripts ?

    Thank you in advance.

  • Pingback: 20 tips htaccess untuk meningkatkan performa dan keamanan situs WordPress – Kertas Elektronik()

  • Ricko Dayat

    A .htaccess (hypertext access) file is the common name of a directory-level configuration file which allows decentralised management of web server configuration. A .htaccess file is always added to the root directory, it can override many other configuration settings which includes server’s global configuration, content type and character set.

    Harga Hp Lenovo : http://hargahpbaru.biz/harga-hp-lenovo.html

  • Well Wisher

    Thanks a lot. Very informative.


  • hameac2034

    Crib shoes are a basic neccesary http://www.dhruwalandankita.com/supra-skytop-1-c-13.html requirement for babies these days because they provide comfort,smoothness and protection to your baby.I have no knowledge of Path internal roadmap or its reasons for not updating/redesigning their app for iOS 7 publicly yet; My answer is informed by my experience designing iOS apps and working with iOS developers on implementing those designs.The final project TMs totally dependence on PowerPoint Software requires the Microsoft PowerPoint installed in any computer on which a presentation is running; And its bulky size make it awkward to distribute.”I definitely had a good feeling about the opportunity to play for them again but you never know, especially with a team like the Pacers that’s successful,” Hill said.

    For youngsters it going to be a superb concept to wear Mickey Mouse costume for Halloween.Escarpins Louboutin a una escala considerable.Nike gained much promotion with this name.If you are happy, your dress should have th .Inspired by the Ebay logo, Nike made a sample pair to take pictures of, and threw them on ebay to see how they would sell.Cost Information – To purchase the “Warrier” Madden gladiator sandal you can expect to pay around $140 to $145 full retail price.The Maroon Tigers have a 2-5 record this season at the holiday break, all in non-conference play.OLED ComponentsWith an email you get pixels on the screen and nothing more.In add-on, the arrival associated with faith based and amusement visitors and also people to the country features pushed industry recently and contains lead in to lower vacancy prices with the retail store shopping centers and also rooms in hotels.

    Moreover, as the legs keep each transfer, coordination and cooperation, not only can improve the function of left and right hemispheres, delay the aging brain cells, can also exercise the power of leg muscles, increased ankle, knee, hip and lumbar joints and other parts of flexibility.and this is great news, especially for Nike football shoes fans.One can find women’s sandals for leisure strolls, physical chores, everyday wear and costume sandals.There are hundreds of hundreds of hair accessory possibilities.Get creative!Wear clothes that fit!I hope that there is someone out there who can benefit from some of this information, and/or who can tell us a story about their own experiences regarding the secrets of the mysterious holes.

    In Lithonia, Ga.Moreover, they provide you rust proof hoop that can easily withstand with the test of time and let you play your favorite game till years.But the store also has the hottest gear for current players – and it’s always in stock.I came in third overall, after two of the male cross country runners.If you want a pair of shoes that will absorb the right color and maintain it, it upra tk society for sale best to choose shoes that are manufactured in materials that are specifically made for dyeing.Then I was told that I have got a pair of fake shoes on online stores.In this role, he continues to ask questions about the current state of the world and what he can do to both educate others and help relieve the problems.Je porte tous les jours parce Im en jeans la plupart du temps, et il semble grand avec des jeans.

    Not all fabrics are alike.More women are affected than men are.However, there are instances when parents can be highly demanding and less responsive to their children needs,.The revenues are up 8% compared to the same quarter a year ago.If you watched us in practice or in our earlier games, sometimes we’ve had a hard time making open shots.The price for a share of a open-end fund is determined by the net asset value, or NAV, which is the total value of the securities the fund owns divided by the number of fund shares outstanding.Now for the Hyperfuse.This premium cheap timberland boots for women ride and fit through the world best running shoes manufacturer provides the runner maximum comfort.They have a daily study plan.Tracing the sandal sock combination is a nearly impossible task, but come summer then you’re sure to spot many offenders loyal to this fashion disgrace.

    This store is an official online outlet selling NFL wholesale jerseys.Team members put in their best efforts to offer reliable services to the customers as per their requirement within the given time frame.Inside the hot summer seasons, this is a type of carefully selected outstanding works, an excellent set of sandals trampled under foot, not only was marked with the superior style, more can make you enjoy wearing a sense of absolute value, love shoes woman prepared for himself a great pair of sandals june!CribbsWhen it comes to buying t-shirts, your options are virtually limitless.I’m embarrassed that my Trail Blazers are known for grooming good players and trading them.This is surely a good thing.When it comes to the stitching of counterfeit Nike shoes, it tends to be sloppy, uneven, and crooked.

  • Steve Gazzo

    #10 is a neat rule, but it would lock the whole world out if your IP changes. I know the days of dial-up are over, but a lot of ISPs still do dynamic IPs that aren’t guaranteed to stay the same, especially following an outage. Is there a way to link this to, I don’t know, maybe the MAC address of a specific network adapter?