How to Restrict WordPress files and Directories access with .htaccess

By default Apache server allows access to all of the website directories and files. Any one can access your files lying under your site’s root folder and of course anyone can list and view your site’s structure. The good thing is you can harden the security of your website using .htaccess file, usually located at the root directory.

namecheap affordale Hosting and domains

Steps to Harden WordPress Security

By default wordpress installation does have .htaccess file located in the document root directory, like the screenshot below.

Restrict wordpress directories and files access using .htaccess

Open .htaccess file in notepad or any text editor, but make sure you have made a copy of the original as a backup.

1. Disable WordPress Directory indexing

There are two ways you can hide wordpress directories.

Adding the following directive to .htaccess file will restrict access to directories and the server will display a 403 forbidden message.

# Disable directory browsing 
Options -Indexes

The following directive when added to .htaccess file will simply hide wordpress directories and server will not show a warning message.

# Hide the contents of directories
IndexIgnore *

If you want to hide only some specific file types, add extension of the file type. You can choose any of these.

# Hide files with these extension .doc, .jpg, .png, .rar, .zip, .gif and .ppt 
IndexIgnore *.rar *.zip *.doc *.jpg *.gif *.png 

2. Prevent Direct File Access

Disabling directories and files listing only hide these from listing but still can be accessed if full path of the file is typed. For preventing unauthorized access to certain file extensions add this to .htaccess file.

# Deny access to files with extensions .ini, .doc, .log, .sh, .rar
<FilesMatch "\.(sh|doc|log|ini|rar)$">
Order allow,deny
Deny from all


3. Disable Access to .htaccess file

Before adding this line to your .htaccess file make sure you have cpanel access to your website file manager. The following line will restrict access to .htaccess file.

# Disable access to .htaccess
<Files .htaccess>
Order allow,deny
Deny from all

What is Apache:

Most of the websites including this one, is powered by Apache servers. If you have bought a Linux hosting package for your website then you are using Apache Server.

What is .htaccess

.htaccess file is a configuration file which is located at the root folder of your site. You can create .htaccess file if your site does not have one. This file can be placed at root directory or in any other directory if you want separate conditions for different directories.

Configuration in .htaccess file at the root directory apply to all of the sub directories and files unless you exclude some files or specify conditions for some.

You can specify different configuration for your website in this file including redirects, directories and files access, displaying warning messages , forcing server to use certain php version etc.

Hope that we helped you, support us by sharing this on social media with your friends.

We will be happy to hear your thoughts

Leave a reply