Tuesday, 16 July 2024

How to Protect Your WordPress Website with .htaccess: Essential Security Rules
My website was under siege. A relentless digital assault. Someone was trying to break in. It was a wake-up call. I dove into research, determined to fortify my WordPress site. I discovered the power of .htaccess, a seemingly simple file with the potential to shield against cyber threats.

The truth is, WordPress sites are prime targets. WordPress powers a large share of all websites, so automated scanners probe WordPress installs around the clock, looking for exposed configuration files, weak logins and vulnerable plugins. Your site could be next.

This is why I'm sharing what I learned. This guide is for any WordPress user, whether you're a seasoned pro or just starting out. We'll cover the essential .htaccess security rules that every WordPress website running on Apache needs.

What You'll Learn:
- The simple .htaccess tweaks that harden your site.
- How to block bad bots, prevent hotlinking, and more.
- Why these security measures are non-negotiable.
Who This Guide Is For:
- Anyone with a WordPress website on Apache, or on a server such as LiteSpeed that honours Apache-style .htaccess files. (Nginx ignores .htaccess entirely; its rules live in the server configuration instead.)
- Those who value their data and their visitors' safety.
- Anyone ready to take control of their website's security.
Rule 1: Block Suspicious User Agents
- What it does: This rule acts as a bouncer at your website's door. It identifies known bad bots and crawlers by their "user agent" (the request header in which a browser or program identifies itself). If the user agent is missing, or matches your blocklist, the request is refused with a 403 Forbidden.
- Why it's crucial: Bad bots can overload your server, scrape your content, and probe for vulnerabilities. Blocking them keeps your site running smoothly and cuts the noise in your logs.
- The caveat: A user agent is just a string the client chooses, so any attacker can send "Mozilla/5.0" and walk straight past this rule. Treat it as a nuisance filter, not a security boundary, and keep the list short so you don't block legitimate crawlers and uptime monitors.
Rule 2: Prevent Hotlinking
- What it does: Hotlinking is when another site embeds your images directly on its pages, so every one of its visitors consumes your bandwidth. This rule checks the Referer header on image requests: if it names a site other than your own domain, the request is refused. Requests with no Referer at all are still served, because direct visits and privacy-conscious browsers send none.
- Why it's crucial: Hotlinking wastes your resources and can run up bandwidth bills. Blocking it keeps that capacity for your own visitors.
- The caveat: The Referer header is also client-supplied, so this stops casual embedding rather than a determined copier. Every hostname that legitimately embeds your images (a CDN, a staging domain) must be added to the rule, or those images will break.
Rule 3: Disable Directory Browsing
- What it does: When a visitor requests a directory that has no index file, Apache can generate a listing of everything inside it. This simple rule turns that off, so such a request gets a 403 instead. Think of it as closing the blinds on your house – you don't want strangers peering in.
- Why it's crucial: Directory listings hand attackers a roadmap: which plugins you run (and therefore which versions to attack), backup archives left in wp-content/uploads, and other files that were never meant to be public.
- The caveat: Some shared hosts do not allow the Options directive in .htaccess. If your site returns a 500 error after adding this rule, that is why; remove it and ask your host to disable indexes for you.
Rule 4: Protect Sensitive Files
- What it does: This rule puts a lock on the files that control your site's configuration and access, above all wp-config.php (which holds your database credentials) and .htaccess itself. Any direct web request for them is refused; WordPress still reads them from disk as usual.
- Why it's crucial: If PHP is ever misconfigured, or a backup copy such as wp-config.php.bak is left behind by an editor or a migration tool, a direct request would otherwise serve your database password as plain text. Extend the pattern to cover such copies, not only the live file.
Rule 5: Limit Request Methods
- What it does: Every HTTP request carries a method (GET, POST, HEAD, PUT, DELETE, TRACE and so on). This rule allows only GET, POST and HEAD, which is all a normal WordPress site needs to serve visitors and the admin dashboard, and refuses everything else.
- Why it's crucial: Fewer accepted methods mean less attack surface: TRACE echoes the request back and is a classic information-leak vector, and PUT or DELETE against a misconfigured server can write or remove files.
- The caveat: The WordPress REST API accepts PUT, PATCH and DELETE, and some plugins, mobile apps and headless front ends rely on them (browsers also send OPTIONS preflight requests for cross-origin API calls). Test your editor and every integration after enabling this rule, and add any method you find you need to the allow list.
Rule 6: Block Basic SQL Injection Attempts
- What it does: SQL injection is a common attack in which a hacker smuggles SQL into a parameter that your site passes on to the database. This rule inspects the query string and refuses requests that contain a telltale pattern such as UNION SELECT.
- Why it's crucial: SQL injection can have devastating consequences, from data leaks to complete site takeover. This rule turns away the crudest automated probes.
- The caveat: This is a signature filter, and a weak one. mod_rewrite sees the query string exactly as it was sent, without URL-decoding, so an attacker only needs to encode one letter (%55NION for UNION) or split the keywords with an SQL comment to slip past it, while a pattern that is too broad will block innocent searches. The real defence is code that never builds SQL from user input ($wpdb->prepare() in WordPress) and plugins that are kept up to date. Use this rule as a tripwire that surfaces scanning in your logs, not as a web application firewall.
Implementing the Rules: Your .htaccess Cheat Sheet
Here's the complete set of rules you can add to your .htaccess file. The syntax is for Apache 2.4, the only version still supported. Before you add them: back up your existing .htaccess, and put the new block above the "# BEGIN WordPress" ... "# END WordPress" block, never inside it, because WordPress overwrites that block whenever you save your permalink settings. If your host's AllowOverride setting does not permit one of the directives, Apache answers every request with a 500 error; remove the offending rule or ask your host. Load your homepage and wp-admin immediately after saving, and restore the backup if anything breaks.

# BEGIN WordPress Security Rules
# Apache 2.4 syntax. Keep this block ABOVE the "# BEGIN WordPress" block that
# WordPress manages; WordPress rewrites that block and would discard your rules.
RewriteEngine On

# Rule 1: Block Suspicious User Agents
# Refuse requests with no User-Agent header, or one that matches the list.
# The two conditions are joined with [OR]; without it both would have to be
# true at once and the rule would never fire. [NC] makes the match
# case-insensitive. Customize the list; comments must sit on their own line.
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} (BadBot|EvilRobot|SpamCrawler) [NC]
RewriteRule .* - [F,L]

# Rule 2: Prevent Hotlinking (replace "yourdomain.com" with your actual domain)
# Requests with an empty Referer are allowed; only foreign referers are refused.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com(/|$) [NC]
RewriteRule \.(gif|jpe?g|png|bmp|webp|svg)$ - [F,NC,L]

# Rule 3: Disable Directory Browsing
Options -Indexes

# Rule 4: Protect Sensitive Files
# The list covers the configuration file, .htaccess itself, and common
# editor or backup leftovers of wp-config.php; extend it to suit your site.
# On the long-unsupported Apache 2.2, replace "Require all denied" with
# "Order allow,deny" followed by "Deny from all".
<FilesMatch "^(wp-config\.php(\.(bak|old|orig|save|swp))?|\.htaccess|\.htpasswd)$">
    Require all denied
</FilesMatch>

# Rule 5: Limit Request Methods to GET, POST and HEAD
<LimitExcept GET POST HEAD>
    Require all denied
</LimitExcept>

# Rule 6: Block Basic SQL Injection Attempts
# The query string is matched as sent (not URL-decoded), so a space may
# arrive as %20 or "+". This is a tripwire for crude scanners, not a WAF:
# "%55NION SELECT" or "union/**/select" will get past it.
RewriteCond %{QUERY_STRING} union(%20|\+|\s)+(all(%20|\+|\s)+)?select [NC]
RewriteRule .* - [F,L]
# END WordPress Security Rules
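After saving the rules, the one thing you really want to know is whether each of them is actually firing and whether the site still works at all. The script below is an added example (not code from the original post): it sends one request per rule with curl and compares the status Apache returns against what the rule should produce. It assumes the site is reachable at WP_BASE_URL, that "BadBot" is on your blocklist, that wp-content/uploads/ has no index file, and that the image path in WP_IMAGE_PATH exists on your site; change those to match your own rule set.

```shell
#!/bin/sh
# Smoke test for the WordPress .htaccess rules (added example, not from the
# original post). One request per rule; PASS/FAIL on the HTTP status.
#
# Assumptions (adjust to your site):
#   WP_BASE_URL    your site, e.g. https://yourdomain.com
#   WP_IMAGE_PATH  any real image on the site, used for the hotlink check
#   "BadBot"       an agent that is on your blocklist
#   wp-content/uploads/ has no index file, so it exercises the listing rule
IMG_PATH=${WP_IMAGE_PATH:-wp-includes/images/w-logo-blue.png}

# http_status METHOD URL [curl options...]  -> prints the numeric HTTP status.
# Kept separate so it can be swapped for a fake when testing this script.
http_status() {
    method=$1; url=$2; shift 2
    curl -s -o /dev/null -w '%{http_code}' -X "$method" "$@" "$url"
}

# expect NAME WANT METHOD URL [curl options...]
# Prints PASS or FAIL; returns 1 on a mismatch.
expect() {
    name=$1; want=$2; shift 2
    got=$(http_status "$@")
    if [ "$got" = "$want" ]; then
        printf 'PASS  %-24s %s\n' "$name" "$got"
    else
        printf 'FAIL  %-24s wanted %s, got %s\n' "$name" "$want" "$got"
        return 1
    fi
}

# run_probes BASE_URL -> 0 if every rule behaves as intended, 1 otherwise.
run_probes() {
    base=${1%/}; failed=0
    # Baseline first: a normal browser request must still work. A 500 here
    # means a directive in .htaccess is not allowed by the host's AllowOverride.
    expect "baseline homepage" 200 GET "$base/" -A "Mozilla/5.0" || failed=1
    # Rule 1: a listed user agent and a missing one are both refused
    # (curl -A "" sends no User-Agent header at all).
    expect "listed bad agent" 403 GET "$base/" -A "BadBot/1.0" || failed=1
    expect "no user agent" 403 GET "$base/" -A "" || failed=1
    # Rule 2: the image is served on a direct request (no Referer) but not
    # when a foreign site embeds it.
    expect "image, direct" 200 GET "$base/$IMG_PATH" -A "Mozilla/5.0" || failed=1
    expect "image, hotlinked" 403 GET "$base/$IMG_PATH" -A "Mozilla/5.0" -e "https://evil.example/" || failed=1
    # Rule 3: a directory without an index file must not list its contents.
    expect "directory listing" 403 GET "$base/wp-content/uploads/" -A "Mozilla/5.0" || failed=1
    # Rule 4: the configuration file is unreachable over HTTP.
    expect "wp-config.php" 403 GET "$base/wp-config.php" -A "Mozilla/5.0" || failed=1
    # Rule 5: methods outside GET/POST/HEAD are refused.
    expect "PUT method" 403 PUT "$base/" -A "Mozilla/5.0" || failed=1
    # Rule 6: a crude UNION SELECT probe is refused ...
    expect "union select probe" 403 GET "$base/?id=1%20UNION%20SELECT%201" -A "Mozilla/5.0" || failed=1
    # ... but the same probe with one letter URL-encoded gets through, because
    # RewriteCond sees the query string undecoded. Informational only.
    bypass=$(http_status GET "$base/?id=1%20%55NION%20SELECT%201" -A "Mozilla/5.0")
    printf 'INFO  %-24s %s (signature filters are easily bypassed)\n' "encoded bypass" "$bypass"
    return $failed
}

# Usage: WP_BASE_URL=https://yourdomain.com sh check-htaccess.sh
if [ -n "${WP_BASE_URL:-}" ]; then
    run_probes "$WP_BASE_URL"
fi
```

A non-zero exit means at least one rule is not doing its job; the FAIL line names it. The last, informational probe is there to keep expectations honest: it shows the SQL-injection signature being bypassed with a single encoded character.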

How to Add the Rules:
Using a Plugin (File Manager):
- Install a file manager plugin (e.g., WP File Manager).
- Navigate to your website's root directory (the one containing wp-config.php and wp-login.php).
- Locate the .htaccess file.
- Open it for editing and paste the rules above the "# BEGIN WordPress" block, then save.

Using FTP:
- Connect to your website using an FTP client (e.g., FileZilla), preferably over SFTP or FTPS so your credentials are not sent in the clear.
- Navigate to your website's root directory.
- Download the .htaccess file and keep a copy of the original as a backup.
- Open it in a text editor, add the rules above the "# BEGIN WordPress" block, and save.
- Upload the modified file back to the server.

Using Terminal Access:
The .htaccess file is a hidden file (its name starts with a dot), so a plain ls will not show it; use ls -la. Where to search for it depends on how much you know about the server's layout:

1. Search from the root directory. If you have no idea where the site lives, search the whole filesystem. Errors for directories you are not allowed to read are sent to /dev/null so they don't drown out the results:
find / -name ".htaccess" 2>/dev/null

2. Search from a specific directory. If you have an idea of where the file might be, narrow down the search:
find /path/to/directory -name ".htaccess"
Replace /path/to/directory with the actual path to the directory you want to search in.

Example: if your site is under the usual document root /var/www/html, the command is:
find /var/www/html -name ".htaccess"

A note on -print: you will often see these commands written with a trailing -print. It makes no difference, because printing each matching path is what find does by default when no other action is given.

A WordPress site can contain several .htaccess files (plugins and caching layers often add their own inside wp-content). The one you want is in the directory that also holds wp-login.php and the wp-admin folder; you can find that directory directly with:
find / -name "wp-login.php" 2>/dev/null
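The three procedures above share the same risky moment: the instant the new .htaccess is in place, a single unsupported directive takes the whole site down with a 500. The script below is an added example (not code from the original post) for the terminal route. It assumes the rules are kept in a file of their own whose first line is "# BEGIN WordPress Security Rules" (that marker is what makes a second run a no-op), that the WordPress root holds wp-config.php, and that curl can reach the site's URL. It backs up the live file, inserts the rules above the block WordPress manages, fetches the home page, and rolls back automatically if the answer is anything but 200.

```shell
#!/bin/sh
# Safe installer for the WordPress .htaccess rules (added example, not from
# the original post). Backup, insert above the WordPress block, verify, and
# roll back on failure.
#
# Assumptions: the rules file starts with "# BEGIN WordPress Security Rules",
# wp-config.php sits in the document root, and curl can reach the site.

# insert_rules HTACCESS RULES_FILE OUT
# Writes OUT = HTACCESS with RULES_FILE inserted just before the line
# "# BEGIN WordPress", or appended if there is no WordPress block. A file that
# already carries the marker is copied unchanged, so repeated runs are harmless.
insert_rules() {
    src=$1; rules=$2; out=$3
    if [ ! -f "$src" ]; then            # no .htaccess yet: the rules are the file
        cat "$rules" > "$out"
        return 0
    fi
    if grep -q '^# BEGIN WordPress Security Rules' "$src"; then
        cat "$src" > "$out"
        return 0
    fi
    awk -v rules_file="$rules" '
        function emit_rules(   line) {
            while ((getline line < rules_file) > 0) print line
            close(rules_file)
            done = 1
        }
        /^# BEGIN WordPress$/ && !done { emit_rules() }
        { print }
        END { if (!done) emit_rules() }
    ' "$src" > "$out"
}

# install_rules DOCROOT RULES_FILE SITE_URL
# Backs up the live file, installs the merged version, then fetches the home
# page. Anything but 200 (a 500 usually means a directive the host's
# AllowOverride does not permit, or a typo) restores the backup.
install_rules() {
    docroot=${1%/}; rules=$2; site=${3%/}
    ht="$docroot/.htaccess"
    if [ ! -f "$docroot/wp-config.php" ]; then
        echo "no wp-config.php in $docroot; is that the WordPress root?" >&2
        return 1
    fi
    backup="$ht.bak.$(date +%Y%m%d%H%M%S)"
    if [ -f "$ht" ]; then cp -p "$ht" "$backup"; fi
    insert_rules "$ht" "$rules" "$ht.new" && mv "$ht.new" "$ht"
    # Send a browser-like User-Agent: the new rules refuse an empty one.
    status=$(curl -s -o /dev/null -w '%{http_code}' -A 'Mozilla/5.0' "$site/")
    if [ "$status" != 200 ]; then
        echo "home page returned $status after install; rolling back" >&2
        if [ -f "$backup" ]; then cp -p "$backup" "$ht"; else rm -f "$ht"; fi
        return 1
    fi
    echo "rules installed; previous file kept at $backup"
}

# Usage: WP_DOCROOT=/var/www/html WP_RULES=./security-rules.conf \
#        WP_URL=https://yourdomain.com sh install-rules.sh
if [ -n "${WP_DOCROOT:-}" ] && [ -n "${WP_RULES:-}" ] && [ -n "${WP_URL:-}" ]; then
    install_rules "$WP_DOCROOT" "$WP_RULES" "$WP_URL"
fi
```

The insertion is done in awk rather than with a blind "paste at the top" so that the rules land in the right place even when the file already has content above the WordPress block, and the marker check means running the installer twice never duplicates the rules.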
Your Website's Security: It's In Your Hands
A secure website isn't a luxury; it's a necessity. Your data, your visitors' trust, and your hard work are all on the line. The .htaccess file is a powerful tool in your arsenal: it turns away the crudest attacks at the web server, before they ever reach PHP, and complements keeping WordPress and its plugins updated rather than replacing it.

Don't wait for disaster to strike. Implement these rules today, test them, and keep your backup. It's a small investment of time with a real payoff: a site that shrugs off the everyday scanning every WordPress install receives.

Protect what you've built. Secure your WordPress site. Your future self will thank you.

PS: Complementary reading: 50 Web Security Stats You Should Know In 2024
https://speed.cy/technology/protect-your-wordpress-website
