Disable XML-RPC in WordPress via .htaccess and functions.php
Block WordPress xmlrpc.php at the server level with .htaccess or nginx rules to prevent brute-force and DDoS amplification attacks.
Prevent WordPress username enumeration attacks
Block the ?author=N redirect and disable the REST API users endpoint to prevent attackers from discovering WordPress usernames.
Add HTTP security headers to WordPress via .htaccess
Configure X-Frame-Options, CSP, HSTS and other security headers in .htaccess to protect your WordPress site.
Disable file editing in WordPress admin dashboard
WordPress ships with a built-in code editor under Appearance → Theme File Editor and Plugins → Plugin File Editor that lets administrators edit PHP, JavaScript, and CSS files directly from the browser. This feature was designed for the era when WordPress was primarily a blogging tool and hosting environments made FTP the standard file management…
Protect wp-config.php and xmlrpc.php via .htaccess
The wp-config.php file is the single most sensitive file in any WordPress installation. It holds the database hostname, database name, username, and password in plain text alongside the secret authentication keys and salts that sign user session cookies, the database table prefix, and any custom environment constants you have defined. If an attacker reads this…
How to Password-Protect Your Entire WordPress Site with .htaccess
Sometimes you need to hide your site entirely from unauthorized visitors — for example, during active development or staging. The quickest and most reliable way to do this is with HTTP Basic Authentication using .htpasswd and .htaccess.