Write Review

How to Stop Access to Sensitive Files of Your WordPress Website

Just a few days ago, one of our clients had to face a hard time when his website got injected with some malicious code; it happened because of the poor security.

Most of the WordPress users neglect the vulnerabilities, which may turn into a backdoor, and hackers always look such a space to inject code.

You may be wondering how can someone come to know whether your website has any vulnerability or not. Well, automotive bots run the scripts, and if they find a chance to create a backdoor on your site, they hack it.

The hacking process is complicated to grasp. Instead, you should focus on hardening your website's security. Adding more and more security layers is a plus point.

As you know, WordPress has some sensitive files, which can break the whole website, it's essential to secure such files.

Core files like .htaccess, wp-config.php, and more play a vital role. The wp-config.php is responsible for making a connection between your website's data and its database, and if something goes wrong, your site can't remain intact.

Secure the Most Important WordPress Core Files

If you go through any WordPress forum, you can find people pleading how their website isn't working, someone injects code in any of the files, the database doesn't work, and more.

I hope you don't want to be in a situation where you need to deal with a hard time. I understand how hard it is to build a website, and you too.

Losing the content takes only a few minutes, writing it requires years. I am going to walk you through a simple process to harden the security, so that authorized users can't access sensitive files.

Follow the steps.

Step 1:

Login to cPanel and search for the file manager icon. In most of the cases, you can see an icon along with other files, but a few companies have a different system.

I am sure, you have tried Hostinger, options are similar, but the layout of cPanel is entirely different than the classic design.

How to Stop Access to Sensitive Files of Your WordPress Website

If you use Bluehost, the design is in blue, which is because to keep the brand value, Bluehost uses the same color everywhere.

So, no worries, find the file manager and open it.

Step 2:

If you host only one domain on your web hosting server, you need to open the public_html folder, where all of your core files and folders are available.

But if you run multiple domains on the same server, you may in need to look for the specific folder in the root directory.

How to Stop Access to Sensitive Files of Your WordPress Website

Click on public_html from the vertical left-hand sidebar, and you can see WordPress files.

Search for the .htaccess file and right-click to edit.

Note: You need to add code to .htaccess, which can protect all of your sensitive files.

If you don’t find the .htaccess file, you have go to Settings at the top-right corner of the screen, and check to box to display hidden files.

How to Stop Access to Sensitive Files of Your WordPress Website

Step 3:

Now a popup displays, from which you need to click on the Edit button to authenticate that you are sure about editing the .htaccess file.

How to Stop Access to Sensitive Files of Your WordPress Website

Step 4:

You can see a new tab having many coding lines. You need to copy and paste the code between #Start WordPress and #End WordPress.

<FilesMatch "^.*(error_log|wp-config.php|php.ini|.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all

You may be wondering what this code does.

Well, as you can see, it has wp-config, error log, PHP.ini, and .htaccess, which means the code prevents all of these files from accessing by any other user.

Note: Backup the .htaccess file before making any changes so that if something goes wrong with your website, you revert to the old .htaccess file.

And it's necessary to back up your whole website and its database. Sometimes, coding doesn't match with other redirects.

Having a backup secures you from losing your data, and you can restore it anytime you want.

Isn't it So Simple to Protect Your Website's Sensitive Files

if you have noticed, most of the time, you require the wp-config.php and .htaccess files to increase the default file upload limit, set up a direct, and more.

The PHP.ini file also plays a vital role. If you're a techie person, you may know how simple it is to fix the maximum execution time exceeded error using PHP.ini.


Knowing the importance of all sensitive files is essential for a WordPress user. I remember when I deleted the wp-config.php in my starting days, it was an honest mistake, and my 2 days of hard work was gone.

I was in luck, but you might not be. So, be prepared to have the back and secure such files using .htaccess. I hope, it's an easy task.

Check out these top 3 cPanel hosting services:

Was this article helpful?