WordPress Hardening – Part 3: Cleaning and Understanding Your Rewrite Rules


How to keep your .htaccess clean, secure, and conflict‑free

If you’ve ever opened your .htaccess file and felt like you were staring at ancient runes, you’re not alone. This tiny file controls a surprising amount of your site’s behavior, from permalinks to redirects to security rules, and it’s one of the most overlooked parts of WordPress hardening.

A messy or misconfigured .htaccess can:

  • break your permalinks
  • expose sensitive directories
  • allow unintended file execution
  • conflict with plugins
  • weaken your security posture

This article walks through how to understand your rewrite rules, clean them up safely, and add hardening rules without breaking your site.

What .htaccess Actually Does

On Apache-based hosting (which includes many shared hosts), .htaccess is a per-directory configuration file that can control:

  • URL rewriting
  • access restrictions (by path, file name, or client address)
  • directory listings
  • security headers and other hardening directives
  • redirects
  • caching headers

It only takes effect where the server configuration grants AllowOverride, and nginx ignores it entirely, so a rule that works on one host may do nothing after a migration.

WordPress uses it primarily for pretty permalinks, but plugins often add their own rules, sometimes sloppily.

Understanding what belongs in this file (and what doesn’t) is a huge step toward a hardened site.

Step 1 – Identify the Core WordPress Rewrite Block

Every single-site WordPress install that uses pretty permalinks on Apache has a block like this (multisite writes a longer variant, and a subdirectory install changes the RewriteBase and index.php paths):

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

What this block does:

  • Enables URL rewriting, but only when mod_rewrite is loaded (that is what the IfModule guard is for)
  • Passes requests for index.php itself through untouched, so the final rule cannot loop
  • Leaves real files and directories alone (the two RewriteCond lines)
  • Routes every other request to index.php, which is what powers your permalink structure
  • Should be left exactly as WordPress writes it; WordPress regenerates it whenever you save your permalink settings

If this block is missing or altered, your permalinks may break. Re-saving Settings → Permalinks writes it again, provided the file is writable by the web server; otherwise WordPress shows you the block to paste in by hand.

Step 2 – Understand Wordfence WAF Bootstrap Rules

If you use Wordfence (a popular security plugin), you’ll see a block above the WordPress section that looks something like:

# Wordfence WAF
<IfModule mod_php7.c>
php_value auto_prepend_file '/path/to/wordfence-waf.php'
</IfModule>

What this does:

  • Loads the Wordfence firewall (through PHP's auto_prepend_file setting) before WordPress, and therefore before any plugin, runs
  • Lets it block malicious requests early
  • Is safe and should remain untouched

These rules are written and updated by Wordfence itself. The real block repeats the php_value line inside several <IfModule> guards, one per PHP module name, because php_value only works when PHP runs as an Apache module; on PHP-FPM or CGI hosts Wordfence sets auto_prepend_file through a .user.ini file instead and the .htaccess lines do nothing. If you move the site or change the PHP handler, let Wordfence regenerate the path from its firewall settings rather than editing it by hand.

Step 3 – Add Hardening Rules for wp-includes

WordPress core PHP files inside /wp-includes/ are meant to be loaded by WordPress itself, never executed directly by a visitor; only the static assets there (JavaScript, CSS, fonts, images) need to be fetched by browsers. The long-standing block from the WordPress hardening guide refuses direct requests for the PHP files while leaving the assets reachable. It must sit above the # BEGIN WordPress line:

# Block access to wp-includes files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

What each line does:

  • RewriteRule ^wp-admin/includes/ - [F,L] answers 403 Forbidden for anything under wp-admin/includes/
  • RewriteRule !^wp-includes/ - [S=3] skips the next three rules for any request that is not under wp-includes/, so they cost nothing on normal page loads
  • the last three rules refuse top-level PHP files in wp-includes/, PHP files under the TinyMCE language directory, and everything under theme-compat/; JavaScript, CSS and other assets in wp-includes/ are unaffected

What this protects:

  • prevents direct execution of core PHP files, which fail in unpredictable ways when loaded outside WordPress and can leak details of the server's file layout through error output
  • reduces exposure of internal WordPress components

This block is optional but recommended, with two caveats. It must be placed outside (above) the # BEGIN WordPress markers or WordPress will erase it, and on multisite the ^wp-includes/[^/]+\.php$ rule also blocks ms-files.php, which older multisite installs use to serve uploaded images; drop that one line there and accept slightly less coverage.

Step 4 – Remove Duplicate or Conflicting Rules

Over time, plugins may add:

  • duplicate rewrite blocks
  • outdated rules
  • conflicting redirects
  • leftover entries from plugins you’ve removed

These can cause:

  • 404 errors
  • redirect loops
  • broken permalinks
  • security gaps

What to remove:

  • duplicate WordPress blocks
  • plugin rules for plugins you no longer use
  • commented-out junk from old configurations
  • rules referencing missing directories

A clean .htaccess is easier to maintain and safer. Take a copy before you edit: a single mistyped directive makes Apache answer every request with a 500 Internal Server Error until the file is fixed, so keep the backup handy and check the site immediately after each change.

Step 5 – Keep Custom Rules Outside the WordPress Block

Anything you add manually should go above or below the WordPress block, never inside it.

WordPress overwrites everything between:

# BEGIN WordPress
...
# END WordPress

So if you put custom rules inside that section, they will be erased the next time you save your permalink settings.

Safe places for custom rules:

  • above the WordPress block (required for any RewriteRule that must see pretty-permalink URLs, because the block's final catch-all rule sends every request that is not a real file or directory to index.php and stops further rewriting)
  • below the WordPress block (fine for <Files> and <FilesMatch> access blocks, headers, and rules that only apply to real files)
  • inside /wp-content/uploads/.htaccess for upload-specific rules
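The audit that Steps 4 and 5 describe by hand can be scripted. The Python script below is an added example, not code from the article or from WordPress: it reads an .htaccess file (or the constructed sample embedded in it), counts the BEGIN/END WordPress markers, flags any line between them that WordPress did not write, checks that every <IfModule> section is closed, reports RewriteRule lines that occur more than once outside the block, and warns about RewriteRule directives placed after the block. The canonical-line patterns assume a single-site install; a multisite block will trip the inside-the-block check.

```python
"""Audit a WordPress .htaccess for the problems in Steps 4 and 5 (added
example, not code from the article). Reports: duplicate or missing BEGIN/END
WordPress markers; hand-written lines inside the block, which WordPress erases
on the next permalink save; unclosed <IfModule> sections; duplicated
RewriteRule lines; and RewriteRules after the block, which never see
pretty-permalink URLs because the catch-all rule already claimed them.
Assumes a single-site install (multisite writes a different block). SAMPLE is
a constructed file that exhibits every problem.
"""
from __future__ import annotations
import re
import sys
from collections import Counter
from pathlib import Path

BEGIN_WP, END_WP = "# BEGIN WordPress", "# END WordPress"
# Lines WordPress itself writes between the markers. RewriteBase and the
# index.php targets vary for subdirectory installs, hence the patterns.
CANONICAL_WP_LINES = [re.compile(p) for p in (
    r"^<IfModule mod_rewrite\.c>$",
    r"^RewriteEngine On$",
    r"^RewriteBase /\S*$",
    r"^RewriteRule \^\S*index\\\.php\$ - \[L\]$",
    r"^RewriteCond %\{REQUEST_FILENAME\} !-[fd]$",
    r"^RewriteRule \. /\S*index\.php \[L\]$",
    r"^</IfModule>$",
)]
OPEN_TAG, CLOSE_TAG = re.compile(r"^<(\w+)\b[^>]*>$"), re.compile(r"^</(\w+)>$")

SAMPLE = """\
# Wordfence WAF
<IfModule mod_php7.c>
php_value auto_prepend_file '/path/to/wordfence-waf.php'
</IfModule>
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteRule ^old-page/?$ /new-page/ [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
# leftover from a plugin that was removed
<IfModule mod_rewrite.c>
RewriteRule ^shop/(.*)$ /store/$1 [R=301,L]
RewriteRule ^shop/(.*)$ /store/$1 [R=301,L]
"""


def audit_htaccess(text: str) -> list[str]:
    """Return human-readable findings for one .htaccess body; [] means clean."""
    out: list[str] = []
    lines = [ln.strip() for ln in text.splitlines()]
    begins = [i for i, ln in enumerate(lines, 1) if ln == BEGIN_WP]
    ends = [i for i, ln in enumerate(lines, 1) if ln == END_WP]
    if len(begins) != 1 or len(ends) != 1:
        out.append(f"expected exactly one WordPress block, found {len(begins)} "
                   f"BEGIN and {len(ends)} END markers")
    inside, in_block = [], False  # which lines lie between markers (markers included)
    for ln in lines:
        in_block = in_block or ln == BEGIN_WP
        inside.append(in_block)
        in_block = in_block and ln != END_WP
    stack: list[tuple[str, int]] = []  # open <Section> tags awaiting their close
    for i, (ln, inb) in enumerate(zip(lines, inside), 1):
        if (inb and ln and ln not in (BEGIN_WP, END_WP)
                and not any(p.match(ln) for p in CANONICAL_WP_LINES)):
            out.append(f"line {i}: custom line inside the WordPress block will be "
                       f"erased on the next permalink save: {ln}")
        if m := OPEN_TAG.match(ln):
            stack.append((m.group(1), i))
        elif m := CLOSE_TAG.match(ln):
            if stack and stack[-1][0] == m.group(1):
                stack.pop()
            else:
                out.append(f"line {i}: </{m.group(1)}> has no matching opening tag")
        if ends and i > ends[0] and not inb and ln.startswith("RewriteRule "):
            out.append(f"line {i}: RewriteRule after '{END_WP}' never sees "
                       f"pretty-permalink URLs; move it above the block: {ln}")
    out += [f"line {i}: <{name}> is never closed" for name, i in stack]
    rules = Counter(ln for ln, inb in zip(lines, inside)
                    if not inb and ln.startswith("RewriteRule "))
    out += [f"RewriteRule appears {n} times outside the WordPress block: {r}"
            for r, n in rules.items() if n > 1]
    return out


def main(argv: list[str]) -> int:
    text = Path(argv[1]).read_text(encoding="utf-8") if len(argv) > 1 else SAMPLE
    findings = audit_htaccess(text)
    print(*findings, f"{len(findings)} finding(s)", sep="\n")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python audit_htaccess.py /path/to/.htaccess; with no argument it audits the embedded sample and prints six findings. The after-the-block warning is deliberately broad: an access-control or header directive below the block is fine, but a RewriteRule placed there only ever sees requests for real files, directories, or index.php itself.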

Step 6 – Verify Your Rewrite Rules Are Working

  1. Permalinks
    Visit a few posts and pages; each should return the page, not a 404.
  2. Admin access
    Ensure /wp-admin/ loads normally (logged out, it should redirect you to the login page).
  3. Uploads directory
    Confirm PHP execution is still blocked: a request for a .php file under /wp-content/uploads/ must be refused, not served.
  4. wp-includes rules
    If you added the Step 3 block, a direct request for a top-level file such as /wp-includes/version.php should be refused, while the JavaScript and CSS that every page loads from /wp-includes/ still arrive.

If everything works, your rewrite rules are clean and your hardening rules are actually in effect.
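The checks above can be run from the command line against a live site. The script below is an added example, not code from the article: it uses only the Python standard library, does not follow redirects (so the wp-admin/ check sees the 302 to the login page rather than the login page itself), and compares each status code with what a hardened site should return. The post slug sample-post, the probe file name probe.php and the site URL are assumptions to replace with your own; the wp-includes and wp-admin/includes paths are real core files.

```python
"""Probe a WordPress site after editing .htaccess (Step 6 of the article).

Added example, not code from the article. Each request's HTTP status is
compared with what a correctly hardened site returns. The base URL, the post
slug and the probe file names are assumptions: adjust them for your site.
"""
import sys
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them, so the redirect from
    wp-admin/ to wp-login.php shows up as 302 rather than as the login page."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def http_status(url: str, timeout: float = 10.0) -> int:
    """GET the URL and return the status code; 3xx/4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "htaccess-check/1.0"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


# (path, acceptable status codes, what a pass proves)
CHECKS = [
    ("/", {200}, "front page is served through index.php"),
    ("/sample-post/", {200}, "a pretty permalink resolves (slug is an assumption)"),
    ("/wp-admin/", {302}, "wp-admin/ sends anonymous visitors to the login page"),
    ("/wp-login.php", {200}, "the login page itself is reachable"),
    ("/wp-includes/version.php", {403}, "top-level PHP in wp-includes is refused"),
    ("/wp-admin/includes/file.php", {403}, "wp-admin/includes/ is refused"),
    ("/wp-includes/js/jquery/jquery.min.js", {200}, "static assets in wp-includes still load"),
    # An access-denial rule answers 403 whether or not the file exists, so no
    # probe file has to be uploaded; the name is an assumption.
    ("/wp-content/uploads/probe.php", {403}, "PHP under uploads/ is refused"),
]


def check_site(base_url: str, fetch=http_status) -> list[tuple[str, int, bool]]:
    """Run every check; return (path, observed status, passed) in CHECKS order.
    fetch is injectable so the comparison logic can be exercised offline."""
    base = base_url.rstrip("/")
    results = []
    for path, allowed, _why in CHECKS:
        got = fetch(base + path)
        results.append((path, got, got in allowed))
    return results


def main(argv: list[str]) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} https://example.com", file=sys.stderr)
        return 2
    failed = 0
    for (path, allowed, why), (_, got, ok) in zip(CHECKS, check_site(argv[1])):
        print(f"{'OK  ' if ok else 'FAIL'} {got} {path}  ({why}; expected {sorted(allowed)})")
        failed += not ok
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python check_site.py https://your-site.example; any FAIL line names the path, the status actually observed and the status a hardened site should have returned. A FAIL on the jquery.min.js line means a hardening rule is too broad and is breaking every page's scripts, which is exactly the kind of conflict Step 4 is about.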

Why This Matters for Hardening

A clean, correct .htaccess:

  • reduces attack surface
  • prevents accidental exposure of sensitive files
  • ensures your security rules load properly
  • avoids plugin conflicts
  • improves site stability

This is one of the most overlooked parts of WordPress security, and one of the most impactful.

Coming Up Next: Part 4 – Shutting Down XML-RPC and Author Enumeration

In the next article, we’ll tackle two major information-exposure vectors:

  • XML-RPC (a legacy feature attackers love)
  • author enumeration (how bots discover your usernames)

Both are easy to test and easy to fix, and both dramatically reduce your attack surface.