This feature is always active and can’t be disabled by the user. But, if your server is not running Apache or Litespeed servers, this feature will not be available at all.

If the .HTACCESS is available, plugin will add a panel under the coreSecurity menu.



Very first thing you need to configure for .HTACCESS, is the format for adding directives. Depending on the Apache version you are using, there are two formats for some of the directives. For most servers, even old legacy method will work due to the compatibility modules used.

Make sure to check your server configuration, for exact version of the Apache and the legacy support, and if you are not sure, check with your hosting provider.


Adding directives to the .HTACCESS has few options to work with:

  • Auto apply rules: Changes to the .HTACCESS will be applied once a day during regular daily maintenance.
  • Apply rules on IP ban: Whenever new IP is banned, .HTACCESS will be automatically updated.
  • Clean file on save: When .HTACCESS is saved, plugin will attempt to clean the empty lines first.
  • Backup before insert: Before adding or removing rules from .HTACCESS, make a backup of the file.

If you have multiple plugins that write into .HTACCESS file, it is advisable to minimize number of times .HTACCESS is changed, because it is possible that two or more plugins can attempt changing .HTACCESS at the same time.

If you want to have maximum efficiency when banning IPs using the .HTACCESS method for banning, it is important to enable option Apply rules on IP ban to ensure that new banned IP is added to .HTACCESS as soon as possible. For most other cases, having daily updates to .HTACCESS is sufficient.

Directives and Rules

IP and File Access

  • Add banned IPs: All banned IPs will be included in the .HTACCESS to stop any activity from these IPs without reaching WordPress.
  • Add blocked files: All files on the blocked list will be added to .HTACCESS and any attempt to load those files directly will be prevented.


  • Default server 403 page: For .HTACCESS rules to be efficient it is recommended to have 403 page handler set in Apache config or in .HTACCESS. There is no guarantee that will work, it can happen that your server is missing default error pages.
  • Disable Server Signature: Disable Server Signature display on all server default error pages.
  • Prevent Directory Browsing: Prevent WordPress installation directory browsing. Any request to get listing of the directory content will result with empty page.
  • Stop Humans.txt Query String Scans: Scan for query string using humans.txt is not very dangerous, but it can be annoying and it can waste your server bandwidth and processing power due to the number of requests. Even if enabled, it will allow access to actual humans.txt file if you have it.


  • Remove: X-Powered-By: Removes X-Powered-By header set by PHP with PHP version number on some servers.
  • Remove: X-Pingback: Removes X-Pingback header that contains URL to the XML-RPC library.


  • Stop comments with Invalid Referer: Deny all comments requests with no valid referer.

    This is important to know:

    • Valid comment requires to come from page that is part of your website with valid referer.
    • If anyone attempts to post comment directly to comments handler file it will be redirected back to itself.
    • If you have multisite network with multiple domain mapping, disable this tweak, right now it works only for one main domain.
  • Prevent Request Methods: Stop all requests that are using one of the selected HTTP request methods. Methods on this list include: CONNECT, DEBUG, MOVE, PATCH, TRACK and TRACE.

    This is important to know:

    • Each HTTP request can use one of the supported methods. Methods like POST and GET are most comment, and others like PUT, DELETE and HEAD are often used.
    • Other methods are not commonly used, and for most cases, WordPress doesn’t need them.
    • You can disable just some of the methods, or all methods listed here.

7G and 8G Firewall

coreSecurity can include a firewall inside the .HTACCESS, and you can choose between two versions of this firewall.

7G and 8G Firewalls are developed by Jeff Starr, and you can learn more about these on the Perishable Press nG Firewall page.

When you choose 7G or 8G version of the firewall to include, you will get list of elements to include. Right now, it is better to use 7G firewall, as it is more stable version.

To learn more of pros and cons of using .HTACCESS Firewall, compared to the standalone Firewall feature, check out this article: Setting up Firewall.


.HTACCESS file is available only on Apache and Apache compatible web servers (Litespeed). It is possible that .HTACCESS is disabled in the server settings, so if that is the case, make sure you enable it on server level, if possible.


When it comes to .HTACCESS, there are two important concepts, that are often used the same way: Directives and Rules. Directive is a command in the Apache configuration and the values provided for some of these commands are considered rules.

For instance, RewriteRule is a directive, but the value for that directive is a rule.

Rate this article

You are not allowed to rate this post.

Leave a Comment