Secure Website Using .htaccess Policy Headers XSS WordPress


Good content is necessary, but you also need to secure your website, using the .htaccess file and other methods, because there are many thieves and hackers who want to steal your data and sometimes harm your business too. I am a blog writer, but I face these kinds of attacks as well. This is my only source of income, and if someone attacks it can be very bad for me. So I always try to stay safe by backing up data regularly and applying the necessary updates.

Nobody can be 100% sure; as you have heard in the news, even the big giants get hacked. So we can only apply some measures that reduce the risk. Below we discuss different methods and simple tips to secure a website using .htaccess, plus a few that do not need .htaccess.

How to Create a .htaccess File

First you need to create a .htaccess file with a plain text editor such as Notepad, because without it you cannot apply any of the .htaccess protections below. Some website scripts create a .htaccess file on the server automatically (WordPress does this for its permalink rules), and you can edit that file. If the file does not show up in your FTP client or file manager, make sure the option to show hidden files and folders is checked, as in the picture below.

(Screenshot: show hidden files in the server file manager)

You can create the file on your own computer as well, but some operating systems do not let you create a file whose name is just .htaccess. The easiest way around this is:

  • Using Notepad or a similar plain text editor, add your configuration directives.
  • Save the file as a .txt file.
  • Upload the file to your site.
  • Once uploaded, rename the file to .htaccess.

Also, keep a copy of your current .htaccess and reload your site after each of the changes below, so you can quickly switch back to the previous version if a change causes errors. A syntax error in .htaccess makes Apache answer every request in that directory with a 500 Internal Server Error, so test one change at a time.


The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. This can be used to avoid clickjacking attacks, by ensuring that your content is not embedded into other sites.

This header does the same job as the JavaScript frame-buster code explained in “Double Trouble on Google Images”, but it is enforced by the browser rather than by a script the framing page can interfere with. It was introduced in Internet Explorer 8+, Opera 10.50+, Safari 4+ and Chrome, and today every current browser supports the DENY and SAMEORIGIN values. There are three possible values for this header:

DENY – The page cannot be displayed in a frame at all, not even by a page on the same website. Use this if you never intend your pages to be framed.
SAMEORIGIN – The page may be displayed in a frame only by a page from the same origin. If an external site tries to load the page in a frame, the browser refuses to render it.
ALLOW-FROM origin – The browser blocks rendering only if the origin of the top-level browsing context differs from the origin supplied with the directive. Only Internet Explorer and old Firefox versions ever implemented this value; Chrome and Safari never did, and they treat the header as invalid, so to allow one specific site use the Content-Security-Policy frame-ancestors directive instead.

# Prevent from Clickjacking attack
Header set X-Frame-Options DENY


<IfModule mod_headers.c>

# Security improvements
# "Header unset Server" has no effect: Apache adds the Server header after
# mod_headers has run. Use "ServerTokens Prod" in the main server config
# (it is not allowed in .htaccess) to trim it instead.
Header unset Server
#Header unset X-Pingback
Header unset Accept-Ranges
# Only static .html files match here. WordPress pages are generated by
# index.php, so on WordPress drop the FilesMatch wrapper (or match \.php$)
# or these headers are never sent. Use "Header always set" if the headers
# must also appear on error responses (404, 500).
<FilesMatch "\.html$">
	Header set X-Frame-Options "SAMEORIGIN"
	# BrowserMatch patterns are case-sensitive regular expressions against
	# the User-Agent. Real UA strings contain "MSIE", "Firefox", "Safari",
	# "Chrome" and "chromeframe"; the original SAFARI and CHROME patterns
	# matched nothing. Chrome's UA also contains "Safari", so the safari
	# branch applies to Chrome too; the later ch branch wins because
	# "Header set" replaces the earlier value.
	# X-Content-Security-Policy and X-WebKit-CSP are obsolete prefixed
	# headers and X-XSS-Protection is deprecated. Every current browser
	# reads the unprefixed Content-Security-Policy header, so that is the
	# one that matters; the per-browser split only helps old browsers.
	BrowserMatch MSIE ie
	Header set Imagetoolbar "no" env=ie
	Header set X-Content-Type-Options "nosniff" env=ie
	Header set X-UA-Compatible "IE=edge" env=ie
	Header set X-XSS-Protection "1;mode=block" env=ie
	Header set X-Content-Security-Policy "default-src 'self'; img-src 'self'; \
			script-src 'self'; font-src 'self' data:" env=ie
	BrowserMatch Firefox ff
	Header set Content-Security-Policy "default-src 'self'; img-src 'self'; \
			script-src 'self'; font-src 'self' data:" env=ff
	BrowserMatch Safari safari
	Header set X-XSS-Protection "1;mode=block" env=safari
	Header set X-WebKit-CSP "default-src 'self'; img-src 'self'; \
			script-src 'self'; font-src 'self' data:" env=safari
	BrowserMatch Chrome ch
	Header set X-Content-Type-Options "nosniff" env=ch
	Header set X-WebKit-CSP "default-src 'none'; img-src 'self'; \
			script-src 'self'; font-src 'self' data:" env=ch
	BrowserMatch chromeframe chf
	Header set Imagetoolbar "no" env=chf
	Header set X-Content-Type-Options "nosniff" env=chf
	Header set X-UA-Compatible "IE=edge,chrome=1" env=chf
	Header set X-XSS-Protection "1;mode=block" env=chf
	Header set X-WebKit-CSP "default-src 'none'; img-src 'self'; \
			script-src 'self'; font-src 'self' data:" env=chf
</FilesMatch>

</IfModule>


For the CSP reference see the W3C Content Security Policy specification, and for per-browser support of each CSP level consult a browser-compatibility table such as caniuse.com.

Secure Website Using htaccess: CSP Challenges

This is the biggest challenge you will need to resolve, because a strict policy such as default-src 'self' blocks inline scripts, inline styles and every third-party resource, so users may see a broken site until each violation is fixed. WordPress themes and plugins rely heavily on inline scripts, so expect violations in wp-admin as well as on the front end. The safe way to roll a policy out is to send it first as Content-Security-Policy-Report-Only with a report-uri: the browser reports violations to that URL without blocking anything, and you switch to the enforcing Content-Security-Policy header only once the reports are clean. Tools such as the Caspr Google Chrome extension analyse your policy and report the errors to you.
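The reports a browser POSTs to report-uri are JSON bodies with a top-level "csp-report" object. The script below, an added example that is not part of the original post, aggregates a batch of such reports by directive and by the host that was blocked, so you can see what the policy must allow-list and which violations are inline code that should be fixed rather than allowed. The reports are constructed samples with placeholder hosts (yourdomain.com, cdn.example.net, img.example.org), not captures from any real site.

```python
"""Aggregate CSP violation reports collected from a report-uri endpoint.

Added example, not part of the original post. The reports are constructed,
in the JSON shape browsers POST to the report-uri; hosts are placeholders.
"""
import json
from collections import Counter
from urllib.parse import urlsplit


def _report(directive, blocked_uri, csp2=True):
    """Build one constructed report body. CSP 1.0 browsers send only
    violated-directive (directive plus its sources); CSP 2 adds
    effective-directive (directive name only)."""
    body = {
        "document-uri": "https://yourdomain.com/",     # placeholder host
        "violated-directive": f"{directive} 'self'",
        "blocked-uri": blocked_uri,
        "original-policy": "default-src 'self'",
    }
    if csp2:
        body["effective-directive"] = directive
    return json.dumps({"csp-report": body})


# Constructed sample batch: one JSON body per POST.
SAMPLE_REPORTS = [
    _report("script-src", "https://cdn.example.net/lib.js"),
    _report("script-src", "https://cdn.example.net/other.js", csp2=False),
    _report("script-src", "inline"),
    _report("img-src", "https://img.example.org/a.png"),
    _report("img-src", "https://img.example.org/b.png"),
    _report("style-src", "inline"),
]

# Special blocked-uri values browsers send instead of a URL.
SPECIAL = {"inline": "'unsafe-inline'", "eval": "'unsafe-eval'", "data": "data:"}


def source_for(blocked_uri):
    """Map a blocked-uri to the CSP source expression that would allow it."""
    if blocked_uri in SPECIAL:
        return SPECIAL[blocked_uri]
    parts = urlsplit(blocked_uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"  # CSP matches on origin, not path
    return blocked_uri or "(empty)"                 # "" is sent for some cross-origin redirects


def summarise(reports):
    """Count violations as {(directive, needed source): n}."""
    counts = Counter()
    for raw in reports:
        body = json.loads(raw).get("csp-report", {})
        directive = body.get("effective-directive") or (
            body.get("violated-directive") or "unknown"
        ).split()[0]
        counts[(directive, source_for(body.get("blocked-uri", "")))] += 1
    return counts


def suggest(counts):
    """Split the counts into hosts to allow-list and unsafe-* needs.
    'unsafe-inline'/'unsafe-eval' are returned separately: the fix is to
    move the code into a file or use a nonce, not to weaken the policy."""
    allow, fix = {}, Counter()
    for (directive, source), n in counts.items():
        if source in ("'unsafe-inline'", "'unsafe-eval'"):
            fix[(directive, source)] += n
        else:
            allow.setdefault(directive, set()).add(source)
    return {d: sorted(s) for d, s in allow.items()}, fix


def build_policy(allow, base="default-src 'self'; object-src 'none'"):
    """Render a policy that adds the allow-listed origins to 'self' per directive."""
    parts = [base]
    for directive in sorted(allow):
        parts.append(f"{directive} 'self' {' '.join(allow[directive])}")
    return "; ".join(parts)


if __name__ == "__main__":
    counts = summarise(SAMPLE_REPORTS)
    allow, fix = suggest(counts)
    print("Content-Security-Policy-Report-Only:", build_policy(allow))
    for (directive, source), n in fix.items():
        print(f"fix in code: {directive} needs {source} ({n} reports)")
```

Run the aggregated policy in Report-Only mode again and repeat until the "fix in code" list is empty before switching to the enforcing header.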



The same headers for nginx (these are nginx add_header directives for a server block, not .htaccess syntax):

#Header: X-Frame-Options against clickjacking (it does not protect against XSS)
add_header X-Frame-Options SAMEORIGIN;
#Header: X-Content-Type-Options stops MIME sniffing
add_header X-Content-Type-Options nosniff;
#Header: X-XSS-Protection (deprecated; current browsers ignore it)
add_header X-XSS-Protection "1; mode=block";
#Header: Strict-Transport-Security. max-age here is six months; the HSTS preload list
# only accepts submissions with max-age of at least 31536000 (one year)
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
#Header: Content-Security-Policy. 'unsafe-inline', 'unsafe-eval' and https://* in script-src
# let any script from any HTTPS host run, so this policy gives almost no XSS protection;
# tighten script-src once the report-uri shows which hosts are really needed
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*; img-src 'self' data: https://*; style-src 'self' 'unsafe-inline' https://*; font-src 'self' data:; frame-src 'self' https://*; object-src 'none'; report-uri <omitted>;";
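Whether you set the headers in .htaccess or in nginx, check what the server actually sends. The script below is an added example, not code from the original post: it audits a set of response headers against the advice in the two blocks above, flagging a missing X-Frame-Options or nosniff, an HSTS header that claims preload without meeting the one-year minimum, a CSP whose script-src allows 'unsafe-inline', 'unsafe-eval' or a wildcard, and the deprecated X-XSS-Protection and prefixed CSP headers. SAMPLE_HEADERS is a constructed copy of the nginx header set above and HARDENED_HEADERS a constructed set that passes; to audit a live site, feed it the headers from curl -sI.

```python
"""Audit HTTP response headers against the hardening advice on this page.

Added example, not part of the original post. SAMPLE_HEADERS mirrors the
nginx block above; HARDENED_HEADERS is a constructed set that passes.
"""
import re

# Headers current browsers no longer honour (the per-browser block above sets them).
DEPRECATED = {
    "x-xss-protection": "deprecated: removed from Chrome and Edge, never implemented in Firefox",
    "x-webkit-csp": "obsolete prefixed CSP: send Content-Security-Policy instead",
    "x-content-security-policy": "obsolete prefixed CSP: send Content-Security-Policy instead",
}

# Source expressions that let any script run, which is what a CSP is meant to stop.
WEAK_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:",
                       "http://*", "https://*")

PRELOAD_MIN_AGE = 31536000  # one year: the minimum the HSTS preload list accepts


def parse_csp(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings = []

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options must be DENY or SAMEORIGIN (ALLOW-FROM is not supported)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is missing")

    hsts = h.get("strict-transport-security", "").lower()
    age = re.search(r"max-age=(\d+)", hsts)
    if not age:
        findings.append("Strict-Transport-Security is missing")
    elif "preload" in hsts and (
        int(age.group(1)) < PRELOAD_MIN_AGE or "includesubdomains" not in hsts
    ):
        findings.append("HSTS preload needs max-age>=31536000 and includeSubDomains")

    csp = h.get("content-security-policy")
    if not csp:
        findings.append("Content-Security-Policy is missing")
    else:
        policy = parse_csp(csp)
        # script-src falls back to default-src when it is absent
        for src in policy.get("script-src", policy.get("default-src", [])):
            if src in WEAK_SCRIPT_SOURCES:
                findings.append(f"CSP script-src allows {src}")
        if "frame-ancestors" not in policy:
            findings.append("CSP has no frame-ancestors; only X-Frame-Options controls framing")

    for name, why in DEPRECATED.items():
        if name in h:
            findings.append(f"{name} is {why}")
    return findings


# Constructed sample: the nginx header set from this page.
SAMPLE_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=15768000; includeSubdomains; preload",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*; "
        "img-src 'self' data: https://*; style-src 'self' 'unsafe-inline' https://*; "
        "font-src 'self' data:; frame-src 'self' https://*; object-src 'none'"
    ),
}

# Constructed sample: a header set that passes every check.
HARDENED_HEADERS = {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    for label, hdrs in (("page sample", SAMPLE_HEADERS), ("hardened", HARDENED_HEADERS)):
        findings = audit_headers(hdrs)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The page's own nginx set produces six findings (the short preload max-age, three weak script-src sources, no frame-ancestors, and the deprecated X-XSS-Protection); the hardened set produces none.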

Secure WordPress using the .htaccess file: some methods to block direct access to sensitive files and folders.

Prevent Directory Browsing:

By default Apache can show a listing of every file in a directory that has no index file (for example wp-content/uploads/) when someone requests that directory's URL. The line below turns listings off; add it to the .htaccess file. It needs AllowOverride Options on the host, otherwise Apache returns a 500 error.

Options All -Indexes

Protecting wp-config.php

This is the most important file in WordPress because it contains the database credentials and the authentication keys and salts. It is located in the root folder of the WordPress installation. The rules below deny every web request for it (PHP still reads it from disk).

<Files wp-config.php>
	# Apache 2.4
	<IfModule mod_authz_core.c>
		Require all denied
	</IfModule>
	# Apache 2.2, or 2.4 with mod_access_compat loaded
	<IfModule !mod_authz_core.c>
		Order allow,deny
		Deny from all
	</IfModule>
</Files>

Prevent Image Hot Linking

Hotlinking means other sites embed images hosted on your server directly, using the address of your .jpg, .png, .gif or .bmp file, so your bandwidth pays for their pages. The rules below answer 403 Forbidden to image requests whose Referer is set and is not your own site. Requests with no Referer at all (direct visits, privacy settings that strip it) are still allowed, otherwise you would block your own visitors.

RewriteEngine On
# Let requests with an empty Referer through
RewriteCond %{HTTP_REFERER} !^$
# Let your own site through (replace yourdomain.com). The (/|$) after the
# host matters: without it yourdomain.com.evil.example would also match.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com(/|$) [NC]
# Forbid the image; the original rule had no redirect target, so use F (403)
RewriteRule \.(gif|jpe?g|png|bmp)$ - [NC,F,L]
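The decision the two RewriteCond lines make is easy to get wrong at the edges, so here is the same logic as a small Python function, an added example that is not part of the original post. It reproduces the three cases the rules encode (no Referer allowed, own host allowed, anything else forbidden for image files only) and shows why the host must be compared whole. yourdomain.com is a placeholder for the site's own host and the requests in the test are constructed.

```python
"""Referer check equivalent to the hotlink RewriteCond rules above.

Added example, not part of the original post. yourdomain.com is a
placeholder for the site's own host.
"""
import re
from urllib.parse import urlsplit

OWN_HOSTS = {"yourdomain.com", "www.yourdomain.com"}  # placeholder, as in the rules
IMAGE_RE = re.compile(r"\.(gif|jpe?g|png|bmp)$", re.IGNORECASE)  # the RewriteRule pattern


def is_hotlink(path, referer):
    """True when the request should get 403: an image file with a foreign Referer."""
    if not IMAGE_RE.search(path):
        return False            # RewriteRule only covers image files
    if not referer:
        return False            # first RewriteCond: an empty Referer is allowed
    try:
        host = urlsplit(referer).hostname   # lower-cased host, port removed
    except ValueError:
        return True             # unparsable Referer (attacker-controlled): fail closed
    # Comparing the whole host is what the (/|$) anchor does in the
    # RewriteCond: yourdomain.com.evil.example is not one of our hosts.
    return host not in OWN_HOSTS


def decide(path, referer):
    """Return the HTTP status the rules would produce for this request."""
    return 403 if is_hotlink(path, referer) else 200


if __name__ == "__main__":
    # Constructed requests covering each branch of the rules.
    for path, ref in [
        ("/wp-content/uploads/logo.png", ""),
        ("/wp-content/uploads/logo.png", "https://www.yourdomain.com/post/"),
        ("/wp-content/uploads/logo.png", "https://forum.example.org/thread"),
        ("/wp-content/uploads/logo.png", "https://yourdomain.com.evil.example/"),
        ("/about/", "https://forum.example.org/thread"),
    ]:
        print(decide(path, ref), path, repr(ref))
```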

Protect Your .htaccess File

Last but not least, you must protect the .htaccess file itself, because it is the file all of the protections above depend on. The default Apache 2.4 configuration already denies web access to files starting with .ht, but shared hosts vary, so the rules below make sure of it.

<Files .htaccess>
	# Apache 2.4
	<IfModule mod_authz_core.c>
		Require all denied
	</IfModule>
	# Apache 2.2, or 2.4 with mod_access_compat loaded
	<IfModule !mod_authz_core.c>
		Order allow,deny
		Deny from all
	</IfModule>
</Files>

I hope you find these useful. Please share this post and don't forget to comment.

Personal technology columnist, author and founder of a widely read tech and how-to blog since 2009. Wants to explore and share interesting tips, tutorials and more. Also a WordPress theme designer.
