Generate a Hardened .htaccess File
Toggle security rules on and off to build a custom WordPress .htaccess file. Copy to clipboard or download when ready. The generated rules use Apache 2.4 syntax (`Require all denied`); on Apache 2.2 the equivalent is `Order allow,deny` / `Deny from all`. They only take effect on Apache (or LiteSpeed) with `AllowOverride` permitting FileInfo, Options and Limit directives; nginx ignores .htaccess entirely.
Security Rules
Access Control
Block XML-RPC
Blocks access to xmlrpc.php. Its system.multicall method lets a single request test hundreds of passwords, and its pingback.ping method is abused for DDoS reflection and amplification.
Disable if you use Jetpack, the WordPress mobile app, or pingbacks, all of which talk to xmlrpc.php.
Prevent User Enumeration
Blocks ?author=N queries, which WordPress answers with a redirect to /author/<username>/ and which attackers iterate to discover usernames. Usernames also leak through the REST API (/wp-json/wp/v2/users) and author archive permalinks, which .htaccess alone does not cover.
Block Common Exploit Patterns
Denies query strings containing <script>, GLOBALS or _REQUEST, signatures commonly seen in injection and file-inclusion scans. These are coarse pattern matches: they stop opportunistic scanners but are easily bypassed (double encoding, payloads without the literal word "script") and are no substitute for patching plugins or a real WAF.
File Protection
Protect wp-config.php
Prevents direct access to wp-config.php, which contains database credentials and security keys. Normally PHP executes the file and returns nothing, but if the PHP handler is disabled or misconfigured Apache would serve the source as plain text.
Block PHP in Uploads
Prevents PHP execution in wp-content/uploads/, stopping uploaded malware from running.
This rule blocks PHP execution via rewrite. Place it in the root .htaccess, above the `# BEGIN WordPress` block, so it is evaluated before WordPress's own rewrites.
Protect .htaccess
Prevents direct access to the .htaccess file itself. Apache's default configuration already denies all .ht* files; this rule makes the protection explicit in case that default was removed.
Block Debug Log Access
Prevents access to wp-content/debug.log, written when WP_DEBUG_LOG is enabled, which can contain file paths, SQL queries and stack traces.
Block readme.html & license.txt
Hides readme.html, which states the installed WordPress version, and license.txt, which confirms the site runs WordPress. The version also leaks through the generator meta tag, ?ver= query strings on scripts and styles, and RSS feeds, so this removes only one fingerprint.
Protect wp-includes
Blocks direct requests to PHP files in wp-includes (and wp-admin/includes), which are never meant to be loaded on their own. Not suitable for Multisite, where wp-includes/ms-files.php must stay reachable.
HTTP Headers
Security Headers
Adds X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy headers, and sets X-XSS-Protection to 0: the browser XSS auditor it controlled has been removed from current browsers and was itself a side channel in older ones. A Content-Security-Policy is not included because it must be tuned per site.
Server Hardening
Disable Directory Listing
Prevents Apache from showing directory contents when no index file is present.
Force HTTPS Redirect
Redirects all HTTP traffic to HTTPS, ensuring encrypted connections.
Only enable if your site has a valid TLS certificate. Behind a TLS-terminating load balancer or CDN, Apache sees plain HTTP, so the redirect loops unless the rule also checks X-Forwarded-Proto.
Limit File Upload Size
Caps uploads at 10 MB to limit disk and bandwidth abuse.
Adjust the value based on your needs; it affects all file uploads, including media. PHP's upload_max_filesize and post_max_size impose their own limits, and WordPress enforces the smallest of them.
.htaccess Preview
# ──────────────────────────────────────────────────
# WordPress Security .htaccess
# Generated by WPSentry (wpsentry.com)
# ──────────────────────────────────────────────────
# Block XML-RPC access
<Files xmlrpc.php>
Require all denied
</Files>
# Protect wp-config.php
<Files wp-config.php>
Require all denied
</Files>
# Disable directory listing
Options -Indexes
# Block PHP execution in uploads directory
# Case-insensitive, and also denies PATH_INFO suffixes (shell.php/x.jpg),
# double extensions (shell.php.jpg, executed where PHP is bound with
# AddHandler) and the phtml/phpN/phar variants some handlers map to PHP.
# Keep this block above "# BEGIN WordPress".
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^wp-content/uploads/.*\.(php[0-9]?|phtml|phar)(\.|/|$) - [NC,F,L]
</IfModule>
# Protect .htaccess file
<Files .htaccess>
Require all denied
</Files>
# Block access to debug.log
<Files debug.log>
Require all denied
</Files>
# Block readme.html and license.txt
<FilesMatch "^(readme\.html|license\.txt)$">
Require all denied
</FilesMatch>
# Prevent author/user enumeration
# Match author= anywhere in the query string, not only at its start, but
# leave wp-admin alone: the post list filters by ?author=N legitimately.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/wp-admin/
RewriteCond %{QUERY_STRING} (^|&)author= [NC]
RewriteRule .* - [F,L]
</IfModule>
# Security Headers
<IfModule mod_headers.c>
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
# The XSS auditor is gone from current browsers; "0" avoids the side channels
# "1; mode=block" created in older ones.
Header always set X-XSS-Protection "0"
</IfModule>
# Block common exploit patterns in query strings
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
RewriteRule .* - [F,L]
</IfModule>
# Protect wp-includes
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
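As an added example (not the generator's own code), the script below runs rewrite patterns of the kind used above over constructed request paths and query strings. Apache's mod_rewrite uses PCRE and RewriteRule/RewriteCond are unanchored searches, so for patterns this simple Python's `re.search` gives the same verdicts, and the gaps show up without deploying anything. The `*_MINIMAL` patterns are the one-line forms most guides copy (`^wp-content/uploads/.*\.php$` and `^author=`); the `*_STRICT` forms are this example's own suggestion. The exploit patterns are the three from the preview. All sample requests are constructed.

```python
"""Offline check of WordPress .htaccess rewrite patterns (added example)."""
from __future__ import annotations

import re

# --- Block PHP in uploads ----------------------------------------------------
# Minimal form: only a literal lowercase ".php" at the very end of the path.
UPLOADS_MINIMAL = re.compile(r"^wp-content/uploads/.*\.php$")
# Strict form (this example's suggestion): case-insensitive, and also catches
# PATH_INFO (shell.php/x.jpg), a trailing second extension (shell.php.jpg,
# executed where PHP is bound with AddHandler) and phtml/phpN/phar variants.
UPLOADS_STRICT = re.compile(
    r"^wp-content/uploads/.*\.(php[0-9]?|phtml|phar)(\.|/|$)", re.IGNORECASE)

# --- Prevent author enumeration ---------------------------------------------
# Minimal form: "author=" must be the first parameter of the query string.
AUTHOR_MINIMAL = re.compile(r"^author=", re.IGNORECASE)
# Strict form: the parameter anywhere in the query string.
AUTHOR_STRICT = re.compile(r"(^|&)author=", re.IGNORECASE)

# --- Common exploit patterns (as in the preview; only the first has [NC]) ---
EXPLOIT_PATTERNS = {
    "script-tag": re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE),
    "GLOBALS": re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})"),
    "_REQUEST": re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})"),
}

# Constructed samples. Paths are relative to the document root, which is how
# a root .htaccess sees them.
UPLOAD_PATHS = [
    "wp-content/uploads/2024/01/shell.php",
    "wp-content/uploads/2024/01/shell.PHP",
    "wp-content/uploads/shell.php/image.jpg",
    "wp-content/uploads/shell.php.jpg",
    "wp-content/uploads/shell.phtml",
    "wp-content/uploads/2024/01/photo.jpg",
    "wp-content/plugins/example/admin.php",
]
AUTHOR_QUERIES = [
    "author=1", "AUTHOR=2", "page=2&author=3", "author_name=admin", "s=author=1",
]
EXPLOIT_QUERIES = [
    "id=1%3Cscript%3Ealert(1)%3C/script%3E",
    "GLOBALS[x]=1",
    "_REQUEST%5Bx%5D=1",
    "q=%3Csvg%20onload%3Dalert(1)%3E",   # XSS payload without the word "script"
    "p=42",
]


def denied(pattern: re.Pattern, value: str) -> bool:
    """True if mod_rewrite would answer 403 for this value under the pattern."""
    return pattern.search(value) is not None


def uploads_gap() -> list[str]:
    """Paths the minimal uploads rule lets through but the strict one denies."""
    return [p for p in UPLOAD_PATHS
            if not denied(UPLOADS_MINIMAL, p) and denied(UPLOADS_STRICT, p)]


def author_gap() -> list[str]:
    """Query strings the minimal author rule lets through but the strict one denies."""
    return [q for q in AUTHOR_QUERIES
            if not denied(AUTHOR_MINIMAL, q) and denied(AUTHOR_STRICT, q)]


def exploit_verdicts() -> dict[str, str | None]:
    """Map each sample query string to the rule that denies it, or None if allowed."""
    return {
        q: next((name for name, pat in EXPLOIT_PATTERNS.items() if denied(pat, q)), None)
        for q in EXPLOIT_QUERIES
    }


if __name__ == "__main__":
    print("minimal uploads rule misses:", uploads_gap())
    print("minimal author rule misses: ", author_gap())
    for q, rule in exploit_verdicts().items():
        print(f"{q!r:45} -> {rule or 'ALLOWED'}")
```

The last exploit sample is the point of the caveat on the exploit-pattern rule: an XSS payload that never contains the word "script" passes all three signatures, so these rules only raise the bar for scanners.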