How do I protect my .htaccess file?
Introduction
Securing a website is challenging: there are many aspects to website security and countless vulnerabilities that need to be addressed. We have compiled some useful .htaccess security tips, tweaks and code snippets that fix common website security issues. These fixes all work on our web hosting platform. Security scanners often flag these issues; here is how you can fix them and improve the overall security of your website. You can use these .htaccess security tips and code snippets for WordPress and any other website.

What is a .htaccess file?
.htaccess is a per-directory configuration file read by the Apache web server. The directives in it apply to the directory that contains the file and to all of its subdirectories, but only for the directive types that the server's AllowOverride setting permits (shared hosting platforms normally allow what is needed for the snippets below; if one of them makes your whole site answer with a 500 Internal Server Error, an unpermitted directive or a missing module is the usual cause). It is usually located in the document root of your website, for example /home/username/public_html/.htaccess
Enable HTTP Strict Transport Security (HSTS) in .htaccess
HTTP Strict Transport Security (HSTS) is one of the findings most often reported by SEO and security scanners. What does it do? The header tells browsers that, for the number of seconds given in max-age, your website must only be requested over a valid https connection: the browser rewrites http:// links to https:// by itself and refuses to click through certificate warnings. Browsers only honour the header when it arrives over https, which is why the line below is conditioned on env=HTTPS; you still need your usual redirect from http to https, and the Header directive requires mod_headers to be loaded. To enable it, simply add this line to your .htaccess:
# Requires mod_headers. 31536000 seconds is one year; env=HTTPS sends the header on TLS requests only.
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Only extend the value with includeSubDomains once every subdomain of your site is served over https, because browsers will otherwise refuse to load any plain-http subdomain for a full year, and HSTS cannot be undone from the server side until max-age has expired.
Block PHP code execution in specific directories in .htaccess
This is a quick .htaccess website security tweak that works for WordPress or any other custom website with directories that should never run PHP, for example upload folders such as wp-content/uploads. Attackers who manage to upload a PHP file into such a directory rely on being able to request it afterwards; the rules below refuse to serve any .php file from the protected directory and its subdirectories, while images and other static files in it still load normally. Check your site carefully afterwards to make sure that existing themes or plugins do not need to execute PHP from that directory. To do this, simply create an .htaccess file in each directory you want to protect and include this code:
<FilesMatch "\.php$">
  # Order/Deny is Apache 2.2 syntax, Require is Apache 2.4; both together cover either version
  Order allow,deny
  Deny from all
  Require all denied
</FilesMatch>
If your hosting platform also executes other extensions as PHP (for example .phtml or .php7), extend the FilesMatch pattern accordingly, otherwise those files remain executable.
Restrict access by IP address in .htaccess
If you have a static IP address, you can use it to control access to specific files or directories on your website, such as your login page or admin area. This is often used to secure WordPress websites by restricting access to the wp-login.php and /wp-admin/ directories, but also works for other content management systems and custom websites and applications.
To restrict access to a specific file (here wp-login.php), add this to the .htaccess file in the directory that contains it:
<Files "wp-login.php">
  Order deny,allow
  Deny from all
  # 203.0.113.10 is a placeholder: replace it with your own static IP address
  Allow from 203.0.113.10
</Files>
Order, Deny and Allow are Apache 2.2 directives that Apache 2.4 still accepts as long as mod_access_compat is loaded, which is the default on most hosting platforms; the native Apache 2.4 equivalent inside the same <Files> block is a single Require ip 203.0.113.10 line. Keep a second way of editing the file (FTP or your hosting control panel) at hand, because a change of your IP address locks you out of the login page until you update the rule.
To restrict access to an entire directory (for example /wp-admin/), create an .htaccess file in the directory you want to protect and paste this code:
Order deny,allow
Deny from all
# 203.0.113.10 is a placeholder: replace it with your own static IP address
Allow from 203.0.113.10
Test the public side of the site afterwards: WordPress serves admin-ajax.php from /wp-admin/, and many themes and plugins call it for ordinary, logged-out visitors, so locking the whole directory to your IP can break front-end features until you exempt that file.
Prevent directory browsing in .htaccess
This is often set by default by your hosting provider, but if not, you can add the following line to your .htaccess file so that a request for a directory without an index file returns 403 Forbidden instead of a listing of its contents. Use just -Indexes rather than the commonly copied Options All -Indexes: All switches on every other option as well (Includes, ExecCGI, FollowSymLinks), which widens the attack surface instead of reducing it, and on hosts that do not allow All in AllowOverride Options it produces a 500 error.
Options -Indexes
Prevent hotlinking of images in .htaccess
This prevents other websites from embedding images hosted on your website in their own pages. It is not a big security problem, but if the other website has a lot of traffic, it can quickly consume your bandwidth and cause your website to be throttled or incur additional bandwidth charges. You can also replace the image with one that shows your website's name and address to advertise yourself a bit, or replace it with something cheeky if you see fit. Just add this code to your .htaccess file and replace yourdomain.com and the replacement image URL with your own. Note that the rule deliberately lets through requests with an empty Referer (direct visits, and browsers or privacy tools that strip the header), and that a Referer is trivially forged by anything other than a browser, so this reduces hotlinking rather than stopping it completely.
RewriteEngine On
# Allow empty referers and your own site over http or https (dots escaped, host case-insensitive)
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com/ [NC]
# Never redirect the replacement image itself, otherwise the redirect loops
RewriteCond %{REQUEST_URI} !^/no-hotlinking\.png$ [NC]
RewriteRule \.(jpe?g|jpe|gif|png)$ https://www.yourdomain.com/no-hotlinking.png [NC,R,L]
Header for Cross-Origin Resource Sharing (CORS)
Cross-Origin Resource Sharing (CORS) is widely misunderstood. Browsers embed your images, stylesheets and scripts in any other website's pages without asking (that is what the hotlinking rule above addresses); what CORS governs is whether JavaScript running on another origin may read the response to a request it makes to your site with fetch or XMLHttpRequest, and whether cross-origin fonts and canvas image data may be used. If you send no Access-Control-Allow-Origin header at all, no other origin can read your responses; that is the most restrictive setting and the right default for most websites. Add the header only if a specific site of yours genuinely needs to call this one from the browser, and name that origin explicitly: Access-Control-Allow-Origin: * would let every website on the internet read the responses, which is exactly what scanners flag. We recommend reading the CORS documentation on the Mozilla Developer Network for the details. If you want to enable CORS for one origin, simply add the following line to your .htaccess:
# Requires mod_headers; the value is one origin (scheme and host), not a URL with a path
Header set Access-Control-Allow-Origin "https://www.yourdomain.com"
Disable HTTP Track & Trace
Another item frequently flagged by security scans is the HTTP TRACE method (and TRACK, a Microsoft IIS name for the same idea that Apache does not implement as a method, but which scanners probe anyway). TRACE echoes the complete request back to the client, headers and cookies included, which was once abused to read cookies from JavaScript (cross-site tracing); modern browsers block it, but scanners still report it. In Apache the clean fix is TraceEnable Off in httpd.conf or in the virtual host; it is a server-level directive and does not work in .htaccess. If you cannot edit the main configuration, the following mod_rewrite rules in your .htaccess file refuse both methods with 403 Forbidden:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
# [F] answers 403 Forbidden and stops rewrite processing for the request
RewriteRule .* - [F]
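To check that the fixes on this page (HSTS, directory browsing, the hotlink redirect, CORS and TRACE) are really in effect after you edit .htaccess, here is an added example written for this page; it is not code from the original article or from any hosting provider's tooling. It is a small Python checker that evaluates captured HTTP responses the way a scanner would: the response samples inside it are constructed for illustration, and in practice you would feed it the output of curl -sS -D - -o body.html against your own site (sending a TRACE request, an image request with a foreign Referer header, and a request for a directory without an index file). The check names, the verdict strings and the /no-hotlinking.png placeholder are assumptions taken from this page's snippets.

```python
"""Offline audit of captured HTTP responses against the .htaccess fixes on this page.

Added example, not code from the original article. Capture real responses with
curl -sS -D - -o body.html <url> (status line, headers, blank line, body) and pass
the raw text to audit(); the HARDENED / UNHARDENED samples below are constructed.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: str = ""


def parse_response(raw: str) -> Response:
    """Split a raw HTTP/1.x response into status code, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(maxsplit=2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon only, values may contain ':'
        headers[name.strip().lower()] = value.strip()
    return Response(status, headers, body)


def check_hsts(resp: Response, min_age: int = 31536000) -> str:
    """Browsers ignore HSTS over plain http, so capture this response over https."""
    value = resp.headers.get("strict-transport-security")
    if value is None:
        return "missing"
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return "malformed max-age"
            return "ok" if max_age >= min_age else f"weak: max-age={max_age}"
    return "missing max-age"


def check_trace(resp: Response) -> str:
    """Response to a TRACE request: anything but a refusal echoes the request back."""
    return "ok" if resp.status in (403, 405, 501) else f"TRACE answered {resp.status}"


def check_listing(resp: Response) -> str:
    """Response to GET on a directory with no index file (mod_autoindex page)."""
    if resp.status == 200 and re.search(r"<title>\s*Index of /", resp.body, re.IGNORECASE):
        return "directory listing enabled"
    return "ok"


def check_cors(resp: Response) -> str:
    """No header means no cross-origin reads; '*' means every origin may read it."""
    return "wildcard origin" if resp.headers.get("access-control-allow-origin") == "*" else "ok"


def check_hotlink(resp: Response, placeholder: str = "/no-hotlinking.png") -> str:
    """Response to an image request that carried a foreign Referer header."""
    location = resp.headers.get("location", "")
    if resp.status in (301, 302) and location.endswith(placeholder):
        return "ok"
    if resp.status == 200:
        return "hotlinking allowed"
    return f"unexpected status {resp.status}"


CHECKS = {"hsts": check_hsts, "trace": check_trace, "listing": check_listing,
          "cors": check_cors, "hotlink": check_hotlink}


def audit(captures: dict) -> dict:
    """Map each capture name to the verdict of the check with the same name."""
    return {name: CHECKS[name](parse_response(raw)) for name, raw in captures.items()}


# Constructed sample captures (no real server involved): all fixes applied vs. none applied.
HARDENED = {
    "hsts": "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n<html></html>",
    "trace": "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n<title>403 Forbidden</title>",
    "listing": "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n<title>403 Forbidden</title>",
    "cors": "HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: https://www.yourdomain.com\r\n\r\n{}",
    "hotlink": "HTTP/1.1 302 Found\r\nLocation: https://www.yourdomain.com/no-hotlinking.png\r\n\r\n",
}
UNHARDENED = {
    "hsts": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
    "trace": "HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\nTRACE / HTTP/1.1\r\nCookie: session=abc",
    "listing": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><head><title>Index of /wp-content/uploads</title>",
    "cors": "HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: *\r\n\r\n{}",
    "hotlink": "HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n",
}

if __name__ == "__main__":
    for label, captures in (("hardened", HARDENED), ("unhardened", UNHARDENED)):
        print(f"== {label} ==")
        for name, verdict in audit(captures).items():
            print(f"  {name:8s} {verdict}")
```

The checker reads only the status line and headers that the snippets on this page change, so a verdict of "ok" means the specific fix is visible from the outside, not that the site is secure in general. The HSTS check is worth repeating for every hostname you serve, because the env=HTTPS condition means a plain-http capture will always report "missing".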