How to Set .htaccess to Read-Only in WordPress for Better Security

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

Set your .htaccess file to read-only (permission 444 on Linux, Read-Only attribute on Windows) to prevent malicious scripts from modifying your server configuration.

Why Setting .htaccess to Read-Only Matters

The .htaccess file controls how your Apache or LiteSpeed server handles requests. It contains rewrite rules, security directives, and access controls. If a malicious script gains write access to this file, it can redirect your visitors to phishing sites, disable your security rules, or open backdoors that bypass every other protection you have in place.

Setting .htaccess to read-only is one of the simplest server-level hardening steps you can take. It is not done through .htaccess itself; it is done at the operating system or hosting panel level. Be clear about what it does and does not stop: mode 444 prevents accidental overwrites and blocks scripts that run under a different user than the file's owner, but a file's owner can always chmod it writable again. On hosts where PHP runs as the same user that owns .htaccess, a malicious script can unlock the file before writing to it, so treat 444 as one layer, not a boundary. If you have root, the immutable attribute (chattr +i on Linux) holds even against the owner, and has to be removed before any legitimate update.

The same principle applies to other sensitive configuration files like wp-config.php. Any file that contains connection settings, security rules, or server directives should be locked down to prevent unauthorized modification.

How to Set .htaccess to Read-Only on Linux Servers

This applies to Apache and LiteSpeed servers running on Linux or Unix. Nginx does not read .htaccess at all; there the file to protect is the server block configuration, which is normally owned by root already. Set the .htaccess file permission to 444 (read-only for owner, group, and everyone).

Using an SFTP Client

1. Connect to your server using an SFTP client like WinSCP, FileZilla, or Cyberduck.

2. Navigate to your WordPress root directory (the folder that contains wp-config.php).

3. Right-click on the .htaccess file and select Properties (or File Permissions depending on your client).

4. Set the permission to 444. This makes the file read-only for all users.

5. Click OK to apply.

[Screenshots: WinSCP SFTP client, file properties dialog with .htaccess permission set to 444 read-only]

Using Your Hosting File Manager

If your SFTP client does not support permission changes, use the File Manager in your hosting control panel (cPanel, Plesk, DirectAdmin, etc.).

1. Log into your hosting panel and open File Manager.

2. Navigate to your WordPress root directory.

3. Right-click on .htaccess and select Change Permissions.

4. Set the permission to 444 and save.

[Screenshots: cPanel File Manager, Change Permissions dialog confirming .htaccess set to 444 read-only]

Using SSH Command Line

If you have SSH access to your server, you can set the permission with a single command. Navigate to your WordPress root directory and run:

chmod 444 .htaccess

How to Set .htaccess to Read-Only on Windows Servers

For Windows servers running IIS or Apache on Windows, the Read-only attribute in the file properties dialog is the closest equivalent of 444, but it is only an attribute: any account with Modify rights on the file can clear it again. The lock that actually holds is an NTFS permission entry that denies Write to the account the web server runs as, so set both.

1. Navigate to your WordPress root directory using File Explorer or a file manager.

2. Right-click on the .htaccess file (or web.config on IIS) and select Properties.

3. On the General tab, check the Read-only attribute.

4. On the Security tab, add a Deny entry for Write (or Modify) for the identity the site runs as. On IIS that is the application pool identity, shown as IIS AppPool\<pool name>, plus IUSR (Internet Guest Account) if anonymous authentication uses it. For Apache on Windows it is the account the Apache service logs on as; by default that is the Local System account, and a dedicated low-privilege service account is the safer choice.

5. Click OK to apply.

[Screenshot: Windows file properties dialog setting .htaccess to read-only on an IIS server (Windows Commander)]

Important – Temporarily Unlock Before Saving WP Ghost Settings

WP Ghost writes its security rules to the .htaccess file when you save settings. If .htaccess is set to 444 (read-only), WP Ghost cannot update the rules and your configuration changes will not be applied.

Before saving WP Ghost settings, temporarily change .htaccess back to 644 (owner can write, group and others read-only). After saving, set it back to 444. This applies to any plugin or WordPress core action that modifies .htaccess, including permalink changes.

WP Ghost’s built-in Security Check includes a file permissions task that will flag whether your .htaccess has the recommended permission level.
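The SSH step above and the unlock/relock requirement described in this section, combined into one script. This is an added example, not code from the WP Ghost tutorial or the plugin. It locks the files this tutorial covers, verifies the mode bits (rather than relying on test -w, which root passes for every file), warns when the file is owned by the web-server user, and wraps one .htaccess-modifying action so the file is relocked even if that action fails. The file names, the www-data user and the WP-CLI command at the bottom are assumptions for the demo; run it from the WordPress root.

```shell
#!/bin/sh
# Added example, not code from the WP Ghost tutorial or the plugin: lock the
# WordPress configuration files read-only, verify the result, and run one
# .htaccess-modifying action inside a temporary unlock window. The file names,
# the web-server user (www-data) and the WP-CLI command at the bottom are
# assumptions for the demo. Run it from the WordPress root.

# Permission bits of a file as three octal digits, e.g. 644.
# GNU stat (Linux) first, BSD stat (macOS) as the fallback.
file_mode() {
    m=$(stat -c '%a' "$1" 2>/dev/null) || m=$(stat -f '%Lp' "$1" 2>/dev/null) || return 1
    printf '%s' "$m" | tail -c 3     # drop a leading setuid/setgid/sticky digit if present
}

# Owning user of a file, by name.
file_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1" 2>/dev/null
}

# Succeeds only when no write bit is set for owner, group or others.
# Checks the mode bits on purpose: "test -w" returns true for root on any file.
is_readonly() {
    mode=$(file_mode "$1") || return 1
    case "$mode" in
        *[2367]*) return 1 ;;   # a 2, 3, 6 or 7 in any position means a write bit is set
        *) return 0 ;;
    esac
}

# chmod a file to 444 and verify it. Warns when the file is owned by the
# web-server user, because a script running as that user can chmod it back;
# in that case 444 is a speed bump, not a boundary (chattr +i as root holds).
lock_file() {
    file=$1
    webuser=${2:-www-data}          # assumption: Debian/Ubuntu Apache user
    chmod 444 "$file" || return 1
    is_readonly "$file" || { echo "failed to lock $file" >&2; return 1; }
    if [ "$(file_owner "$file")" = "$webuser" ]; then
        echo "warning: $file is owned by $webuser, which can chmod it writable again" >&2
    fi
    echo "locked $file (mode $(file_mode "$file"))"
}

# Run "$@" with FILE temporarily at 644 and put it back to 444 afterwards,
# even when the command fails. Returns the command's own exit status.
with_unlocked() {
    file=$1
    shift
    chmod 644 "$file" || return 2
    status=0
    "$@" || status=$?
    chmod 444 "$file" || return 2
    return "$status"
}

# Demo: lock the two files this tutorial covers, then regenerate the permalink
# rules with WP-CLI (which rewrites .htaccess) inside an unlock/relock window.
# Both steps are skipped when the files or WP-CLI are not present.
for f in .htaccess wp-config.php; do
    if [ -f "$f" ]; then lock_file "$f"; fi
done
if [ -f .htaccess ] && command -v wp >/dev/null 2>&1; then
    with_unlocked .htaccess wp rewrite flush --hard
fi
```

Use with_unlocked around any step that must write the file (a WP Ghost settings save triggered from WP-CLI, a permalink flush, a manual edit with your editor as the command) so the relock is not something you have to remember afterwards.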

Frequently Asked Questions

Will setting .htaccess to 444 break my website?

No. Setting .htaccess to read-only does not affect how the server reads the file; Apache and LiteSpeed only need read access. It only prevents writing to it, so your site functions normally. The one impact is that plugins (WP Ghost included) and WordPress core cannot modify the file until you temporarily unlock it. WordPress handles this gracefully: when you save permalink settings and .htaccess is not writable, it shows you the rewrite rules to paste in by hand instead of failing.

Should I also set wp-config.php to read-only?

Yes. wp-config.php contains your database credentials and security keys, so 444 is strongly recommended. Unlike .htaccess, it rarely needs to be modified after initial setup; the usual exception is a caching plugin that wants to add the WP_CACHE constant to it, and you can unlock it briefly for that. If PHP runs as the file's owner you can go tighter still (400, readable by the owner only), so no other account on the host can read the database password.

Can WP Ghost fix file permissions automatically?

WP Ghost Premium includes a file permission fix feature that can set recommended permissions for your WordPress files and directories. You can find it in the Security Check results. For details, see How to Change File Permissions in WordPress.

What if my hosting does not let me change file permissions?

Some managed hosting providers restrict permission changes for security reasons. Contact your hosting support and ask them to set .htaccess to 444 for you. Most managed WordPress hosts already enforce strict file permissions as part of their server-level security.

Does WP Ghost modify WordPress core files?

No. WP Ghost writes rewrite rules to .htaccess (on Apache/LiteSpeed) or config files (on Nginx) and uses WordPress hooks. No WordPress core files are moved, renamed, or modified. Deactivating the plugin restores all default paths instantly.