htpw is a curated .htaccess ruleset for Apache that hardens a WordPress site without relying on plugins.
The goal is to raise the baseline security posture with low overhead and minimal changes to WordPress itself.
The htaccess ruleset focuses on common hardening measures:
- Protects sensitive system files (e.g., `wp-config.php`, logs, backups).
- Disables directory listing.
- Adds modern security headers.
- Blocks known malicious or scanning user agents.
- Prevents PHP execution inside `wp-content/uploads`.
- Restricts `xmlrpc.php` to trusted services (Jetpack and Akismet).
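As an added illustration of what each of those rule categories looks like in practice (this is example configuration written for this page, not the htpw file itself), the fragment below is an Apache 2.4 `.htaccess` snippet meant to sit under the WordPress rewrite block. The IP ranges are RFC 5737 documentation placeholders standing in for the ranges Jetpack and Akismet publish, and the user-agent list is a constructed sample:

```apache
# Added example, not the htpw ruleset: Apache 2.4 .htaccess fragment appended
# below the standard WordPress block. IP ranges are RFC 5737 placeholders.

# 1. Sensitive system files: config, auth files, logs and backups.
<FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd|php\.ini|error_log)$">
    Require all denied
</FilesMatch>
<FilesMatch "\.(log|sql|bak|old|orig|swp)$">
    Require all denied
</FilesMatch>

# 2. Directory listing off (the vhost must allow this via
#    AllowOverride Options or AllowOverride All, otherwise Apache returns 500).
Options -Indexes

<IfModule mod_rewrite.c>
    RewriteEngine On

    # 3. No PHP execution from the uploads directory: any PHP-like extension
    #    under wp-content/uploads (with or without trailing path info) gets a
    #    403 before the PHP handler ever sees the file.
    RewriteRule ^wp-content/uploads/.+\.(php[0-9]?|phtml|phar)(/.*)?$ - [F,L,NC]

    # 4. Default scanner user agents (constructed sample list) get a 403.
    #    This only stops out-of-the-box scans; a renamed UA walks past it,
    #    so treat it as noise reduction, not access control.
    RewriteCond %{HTTP_USER_AGENT} (wpscan|nikto|sqlmap) [NC]
    RewriteRule .* - [F,L]
</IfModule>

# 5. xmlrpc.php reachable only from allowlisted networks. Replace the
#    placeholder CIDRs with the ranges the trusted services publish.
<Files "xmlrpc.php">
    <RequireAny>
        Require ip 192.0.2.0/24
        Require ip 198.51.100.0/24
    </RequireAny>
</Files>
```

Two checks are worth doing after appending such rules: `apachectl -M` (or `httpd -M`) confirms that `rewrite_module` and `headers_module` are loaded, and `apachectl configtest` catches a directive the vhost's `AllowOverride` does not permit. Note that `Require ip` compares against the client address Apache sees, so behind a CDN the allowlist matches the CDN's addresses rather than the real caller until `mod_remoteip` is configured.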
WordPress is a frequent target. Security plugins can be effective, but they may add overhead or conflicts. htpw provides a lightweight alternative using Apache rules that:
- Reduce the attack surface.
- Require no PHP runtime or plugin.
- Are easy to review, audit, and adjust.
- Download the `htaccess` file from this repository.
- Append its contents to the bottom of your existing WordPress `.htaccess`.
- Ensure your web server is Apache with `mod_rewrite` and `mod_headers` enabled.
Note: These rules are not designed for NGINX.
The file ships with a modern header set (HSTS, X-Frame-Options, X-Content-Type-Options, etc.). There is also a commented Content-Security-Policy (CSP) block that you can enable when ready. CSP can be strict and may require allowlisting external domains used by your theme or plugins.
- If you use a CDN (e.g., Cloudflare), consider enabling `mod_remoteip` so visitor IPs are logged correctly.
- Some plugins that rely on XML-RPC may need adjustments if you tighten that block.
- If you enable the optional CSP, expect a short tuning phase.
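The header set and the CSP tuning phase described above can be staged so that a too-strict policy never breaks the site. The snippet below is an added example written for this page (not the htpw file's own header block): it ships the CSP in `Content-Security-Policy-Report-Only` first and keeps the enforcing header commented out until the reports are clean. `https://cdn.example.com` and `/csp-report` are placeholders for whatever external origin your theme or plugins load and wherever you collect reports.

```apache
# Added example, not the htpw header block. Requires mod_headers and a vhost
# with AllowOverride FileInfo (or All). Domains and paths are placeholders.
<IfModule mod_headers.c>
    # HSTS only on TLS responses; ap_expr's HTTPS variable is "on" under mod_ssl.
    # If a CDN terminates TLS and talks plain HTTP to Apache, this condition is
    # never true and the header must be set unconditionally instead.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" "expr=%{HTTPS} == 'on'"

    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"

    # Tuning phase: browsers report violations (to report-uri, or only to the
    # developer console if no endpoint exists) but enforce nothing.
    # 'unsafe-inline' is listed because wp-admin relies on inline scripts and
    # styles; tighten it only after verifying the admin screens still work.
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; frame-ancestors 'self'; report-uri /csp-report"

    # Enforcement: once the report stream is clean, move the same policy here
    # and remove the Report-Only header above.
    # Header always set Content-Security-Policy "default-src 'self'; ..."
</IfModule>
```

`Header always` (rather than plain `Header`) makes the headers appear on error responses such as 403 and 404 as well as on normal pages, which matters because scanners and browsers see both. A quick way to confirm the set is live is `curl -sI https://your-site/` and reading the response headers; the same command against `/wp-config.php` should return a 403 once the file-protection rules are in place.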
You can validate that htpw is working by running a scanner such as WPScan. If the default scan is blocked, the rules are active.
- Pull requests are welcome. Please keep changes minimal, well scoped, and documented.
- If you find this project useful, you can support it via Buy Me a Coffee: https://buymeacoffee.com/andreadraghetti
GNU General Public License v3.0