SETTING UP YOUR .HTACCESS FILE
You will want to place this .htaccess file in your root web directory; commonly this is the public_html folder. This file should have 444 file permissions.
Then you will want to add the following section above the “# BEGIN WordPress” line in your .htaccess file.
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
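The skip flag on the second rule is the least obvious part of that block, so here is a simplified Python model of how the five rules are evaluated in order. It is an added example, not part of the original page and not Apache's own code; the sample paths are constructed, and it assumes the .htaccess sits in the web root and that the input is a URL path with no query string.

```python
import re

# The five RewriteRules from the block above, in order:
# (pattern, negated, action). "F" = answer 403 and stop; ("S", n) = skip next n rules.
RULES = [
    (r"^wp-admin/includes/", False, "F"),
    (r"^wp-includes/", True, ("S", 3)),   # "!" prefix: rule fires when the path does NOT match
    (r"^wp-includes/[^/]+\.php$", False, "F"),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, "F"),
    (r"^wp-includes/theme-compat/", False, "F"),
]

def is_forbidden(url_path):
    """Return True if the rule block would answer 403 Forbidden for url_path."""
    # In a root .htaccess, patterns are matched against the path without its leading slash.
    path = url_path.lstrip("/")
    i = 0
    while i < len(RULES):
        pattern, negated, action = RULES[i]
        fired = (re.search(pattern, path) is not None) != negated
        i += 1
        if not fired:
            continue
        if action == "F":
            return True
        i += action[1]  # [S=3]: jump over the three wp-includes rules
    return False

# Constructed sample request paths (illustrative only).
SAMPLE_PATHS = [
    "/wp-admin/includes/file.php",
    "/wp-admin/admin-ajax.php",
    "/wp-includes/version.php",
    "/wp-includes/js/jquery/jquery.js",
    "/wp-includes/js/tinymce/langs/wp-langs.php",
    "/wp-includes/js/tinymce/wp-tinymce.php",
    "/wp-includes/theme-compat/header.php",
    "/wp-login.php",
]

def report(paths=SAMPLE_PATHS):
    """Map each path to '403' or 'pass' under the rule block."""
    return {p: ("403" if is_forbidden(p) else "pass") for p in paths}

if __name__ == "__main__":
    for path, result in report().items():
        print(f"{result:4}  {path}")
```

Only PHP files directly inside wp-includes/, the two named subdirectories, and wp-admin/includes/ are refused; scripts and styles under wp-includes/ and the normal admin entry points still pass.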
Then you will want to add this to the end of your .htaccess file after the “# END WordPress” line.
# Custom WordPress Security
<Files ".user.ini">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
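<Files wp-config.php>
# Apache 2.4 syntax
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
# Apache 2.2 fallback
<IfModule !mod_authz_core.c>
order allow,deny
deny from all
</IfModule>
</Files>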
Options -Indexes
# END Custom WordPress Security
This last part of the .htaccess file is optional, and is recommended only if you want to be able to log in to your WordPress website only from a specific IP address or a specific range of IP addresses. If you do not know what your IP address is, you can go to vcn.com/ip or ipchicken.com to learn your public IP. You would place this section of code right after the “# Custom WordPress Security” line.
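<Files "wp-login.php">
# Apache 2.4 syntax
<IfModule mod_authz_core.c>
# Your Public IP Nickname
Require ip (your.ip.here)
</IfModule>
# Apache 2.2 fallback
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
# Your Public IP Nickname
Allow from (your.ip.here)
</IfModule>
</Files>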