DISCLAIMER: this post is older than one year and may not be up to date with latest WordPress version.

Obviously, security is a very important issue on a website. By default, WordPress is very secure but you can still improve it. Today, let’s see how you can a .htaccess file to secure your uploads directory and only accept specific files extensions.

Create a file named .htaccess and paste the following code in it. Once done, upload the filet into your wp-content/uploads directory.

The following example will only accept images files. If you need to be able to upload other file types, such as .pdf, don’t forget to add the file extension to the list on line 5.

<Files ~ ".*..*">
	Order Allow,Deny
	Deny from all
<FilesMatch ".(jpg|jpeg|jpe|gif|png|tif|tiff)$">
	Order Deny,Allow
	Allow from all

Thanks to Jeff Starr for the great tip!


  1. Jeff is a legend. 🙂
    PS – The links to the premium themes in the footer of this page all go to 404 pages.. just saying.

  2. Is there any way to set the directory to where instead of blocking uploads to *any* directory, it will only block to certain ones? Ex. so someone can have only mp3 uploadable to /podcasts, only images to /images, etc.

    Or would we just create a new .htaccess like this and change it around as needed, then upload it into each individual folder?

  3. Yes RiaanP is right. Even page navigation and link to forum also the same result.

  4. Larem, you can just upload the .htaccess to each folder you want to protect will work 🙂

  5. Wow, thanks a lot Jeff and WPrecipe!

  6. This is really helpful, being open source WordPress users often face security threats but the other advantage of open source is that we get free fix and optimizing tips.

    Thanks to everyone.

  7. Nice Post.. It is really Helpful 🙂

  8. Just applied to my site and blog. tested OK… Thanks

  9. I am getting lots of help here. Really cool “receipes”.

    I have question – I am using a subdomain to load images from. Example: img.mysite.com.

    The images although are located in wp-contents/uploads itself.

    Will this be problematic if I create an .htaccess file here?

  10. I always include the following to my .htaccess to block execution of ANY code in the Upload folder

    AddHandler cgi-script .php .php2 .php3 .php4 .php5 .php6 .php7 .php8 .pl .py .js .jsp .asp .htm .html .shtml .sh .cgi
    Options -ExecCGI -Indexes

  11. Another awesome hack!

Leave a Comment

Your email address will not be published. Required fields are marked *