Restrict Access to WordPress Files: Your WordPress site is composed of various files. These files are vulnerable to hack attempts because they form the core of your WordPress websites. Thus safeguarding these files is critical to your website safety. Anyone with access to these files effectively has access to your website itself! Restricting access to some of the files in your site can really make a difference. Using the .htaccess file you can block access to WordPress files and keep it safe from hackers who target your website.

Earlier we spoke of how to ban users based on IP addresses but that’s possible only if you know the IPs of suspicious users. You don’t really need to wait for suspicious users to come to knock on the door. You can take security measures beforehand by restricting access to your files. The .htaccess file allows users to restrict access to the files of their choice. In this post, we’ll show you how.

How to Restrict Access to WordPress Files Using Htaccess?

First, you must decide which files you want to put under lockdown. For instance, I don’t want anyone to fiddle with the wp-config files. wp-config is a very important file as it helps connect all WordPress files to the database. Making modifications to this file could spell disaster. What if someone gains unauthorized access to my web host? What happens if this file (wp-config) is tampered with, and its unable to connect to the database? My visitors will see a 403 error every time they try to access my site, which makes it imperative that I restrict access to the wp-config files.

How to Hide wp-config File Using Htaccess?

Step 1: The .htaccess file can be found in the File Manager. Log in to your Web Host and open the cPanel. In the cPanel, you’ll see the File Manager option, select that. A typical file manager looks somewhat like this (see the picture below).

restrict access to WordPress files

Step 2: On the left side of the File Manager, you’ll see the Home directory along with a number of folders. Select public_html folder and search for .htaccess file.

restrict access to WordPress files

Step 3: Right click on the file and select Edit. The .htaccess folder will open in a new tab.

restrict access to WordPress files

Step 4: Place the following code at the end of the .htaccess file.

<files wp-config.php> 

order allow, deny 

deny from all 


Now, when trying to access wp-config.php through the browser, a 403 error will be displayed.

restrict access to WordPress files

If you want to restrict access to a different file, just change the filename. Replace wp-config.php with the file you want to prevent access to. And in this way, you can restrict access to WordPress files of your choice.

While the .htaccess file can really help you restrict access to WordPress files, it’s important to note that the .htaccess file itself is not safe from external attack and access. If hackers manage to gain access to a folder in the File Manager (more on this later) they can prevent you from using the file. This makes it necessary to secure this file from external access and tampering.

How to Secure Htaccess File?

Let’s first understand how a hacker may gain access to a folder in your File Manager. WordPress websites allow users to upload images. These images are stored in the Upload folder. Suppose a loophole in the uploading instructions allows users to upload malicious scripts instead of uploading an image. The malicious script now stored in the Upload folder can be executed remotely. After being executed, it prevents you from accessing the .htaccess file. If you don’t want to fall prey to such hack attempts, you need to disable php execution in the Upload folder.

Step 1: To disable php execution in the Uploads folder, simply create a .htaccess file in the Upload folder. You can find the folder in wp-content under public_html.

restrict access to WordPress files

Step 2: Now open notepad (for Windows) or TextEdit (for Mac) to create a file. Include the following code and save this file as .htaccess (not .htaccess.txt):

# BEGIN WordPress

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteBase /

RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule . /index.php [L] </IfModule>

# END WordPress

Step 3: Save the code and upload the file in the Upload folder.

restrict access to WordPress files

Step 4: Now you have a new .htaccess file in the Upload folder. Right-click and select Edit. Place the following piece of code in your brand new .htaccess file.

<filesmatch “\.php$”> 

order allow, deny 

deny from all 


This should stop the execution of a malicious script on the Upload folder.

How to Restrict Directory View Using Htaccess?

Besides using .htaccess to restrict access to WordPress files, you can also protect WordPress folders.

Sometimes it’s easy for visitors to view the directory listing of files present in a certain folder. For instance, visitors to our site Westworld Fansite can see everything in the wp-include folder simply by opening “” in the browser. This may reveal sensitive information which can be used to exploit a vulnerability in Westword Fansite.

restrict access to WordPress files

To disable directory listing on your site add the following line in the .htaccess file. Remember to edit the .htaccess file present in the same directory as that of the folder that you want to protect from snooping visitors. For instance, you want to protect the folder wp-include, place the following line in the .htaccess file of the folder wp-include.

Options All –Indexes

On trying to view the directory listing, a 403 error page will be displayed.

restrict access to WordPress files

While security by obscurity is frowned upon, it is best to hide as much information as possible. The less the hackers know about you, the less likely they are to attack you.

Remember to take backups of your site before modifying the .htaccess files. An important point to note is that a single mistake in the codes can cause big problems. It can break your site. Ensure that you have timely backups of your site so that you can quickly revert to a working copy of your site, in case of an issue.

Over to You

We learned how to restrict access to WordPress files and folder but these are just one of the many ways to secure a WordPress site from hack attempts. A few other security measures that you can take include using a security plugin, using an SSL certificate, using a unique and strong username and password, implementing HTTP authentication and two-factor authentication among other things.