Disable XML-RPC in WordPress via .htaccess and functions.php
Block WordPress xmlrpc.php at the server level with .htaccess or nginx rules to prevent brute-force and DDoS amplification attacks.
Prevent WordPress username enumeration attacks
Block the ?author=N redirect and disable the REST API users endpoint to prevent attackers from discovering WordPress usernames.
Add HTTP security headers to WordPress via .htaccess
Configure X-Frame-Options, CSP, HSTS and other security headers in .htaccess to protect your WordPress site.
Protect wp-config.php and xmlrpc.php via .htaccess
The wp-config.php file is the single most sensitive file in any WordPress installation. It holds the database hostname, database name, username, and password in plain text alongside the secret authentication keys and salts that sign user session cookies, the database table prefix, and any custom environment constants you have defined. If an attacker reads this…
Force HTTPS in WordPress with a Permanent 301 Redirect in .htaccess
Once you install an SSL certificate and configure your WordPress site to use HTTPS, there is one remaining gap: the old HTTP URLs still work. A visitor who bookmarked http://example.com years ago, or a link on an external site pointing to the HTTP version, will arrive on an insecure connection. Search engines may index both…
How to Password-Protect Your Entire WordPress Site with .htaccess
Sometimes you need to hide your site entirely from unauthorized visitors — for example, during active development or staging. The quickest and most reliable way to do this is with HTTP Basic Authentication using .htpasswd and .htaccess.