Problems Hardening WordPress Security With .htaccess

A couple nights ago, I modified the .htaccess files on my blogs in order to add better security for WordPress. has written an excellent piece on how to do this, but I still encountered a few difficulties…


The first problem was a syntax issue. Under their heading, Prevent Directory Browsing, has the following code:

Options All -Indexes

I won’t say this is wrong, but it does give an error on my site host (GoDaddy).

TheSiteWizard also has a page on how to prevent a directory listing of your website, and here he omits the All modifier. This seemed to work much better for me:

Options -Indexes


The second problem was another syntax issue. Under their heading, Protect /wp-content Directory, has the following code:

order deny,allow

Again, this yielded an error. But altering the sequence in which deny and allow occur in the line corrects the problem:

order allow,deny


The final problem was noticed a day after all the .htaccess modifications were made. Quite inexplicably, the Xorbin Flash Clock plugin ceased to display on my general interest blog!

Eventually I realized that this issue was caused by the Protect /wp-content Directory code. For most users, the code in this line should work perfectly well:

<files ~ "\.(xml|css|jpe?g|png|gif|js)$">

However, WordPress users that are utilizing Flash plugins will need to add the swf extension (thereby allowing access to Flash swf files). This yields the following code:

<files ~ "\.(xml|css|jpe?g|png|gif|js|swf)$">
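The broken Flash plugin only surfaced a day after the change, so it helps to list what an allowlist will refuse before deploying it. The following Python script is an added example, not code from the original post: it applies the two allowlists above (with the dot escaped so it matches a literal period) to a constructed list of wp-content files. The file names and function names are hypothetical, and Python's `re` module stands in for Apache's regex engine, which behaves the same for these simple patterns.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# The two allowlists discussed above, with the dot escaped.
ALLOWLIST = r"\.(xml|css|jpe?g|png|gif|js)$"
ALLOWLIST_SWF = r"\.(xml|css|jpe?g|png|gif|js|swf)$"

# Constructed sample of paths under wp-content (hypothetical names).
SAMPLE_FILES = [
    "themes/mytheme/style.css",
    "themes/mytheme/functions.php",
    "uploads/2012/03/photo.jpeg",
    "uploads/2012/03/SCAN.JPG",       # upper-case extension
    "plugins/flash-clock/clock.swf",  # Flash asset needed by a plugin
    "plugins/flash-clock/clock.php",
    "plugins/gallery/gallery.js",
    "uploads/export-xml",             # no real extension
]

def is_served(path, pattern):
    """<files ~ "regex"> tests the file name only, as an unanchored,
    case-sensitive regex search."""
    return re.search(pattern, PurePosixPath(path).name) is not None

def denied_by_extension(paths, pattern):
    """Count the files the allowlist would refuse, grouped by extension."""
    denied = Counter()
    for p in paths:
        if not is_served(p, pattern):
            denied[PurePosixPath(p).suffix or "(none)"] += 1
    return dict(denied)

def newly_served(paths, old, new):
    """Files that become reachable when the allowlist changes from old to new."""
    return [p for p in paths if is_served(p, new) and not is_served(p, old)]

if __name__ == "__main__":
    print("denied without swf:", denied_by_extension(SAMPLE_FILES, ALLOWLIST))
    print("denied with swf:   ", denied_by_extension(SAMPLE_FILES, ALLOWLIST_SWF))
    print("opened by adding swf:",
          newly_served(SAMPLE_FILES, ALLOWLIST, ALLOWLIST_SWF))
```

Replacing `SAMPLE_FILES` with a real listing of your wp-content directory shows every extension a plugin or theme depends on that the allowlist would block, including upper-case variants such as `.JPG`.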

Postscript: has much more information about .htaccess, which is well worth reading.
