using .htaccess only for wordpress security no plugins

Yes, you can use a htaccess.

In fact, I often recommend htaccess based protections over plugins because they do not depend upon PHP code or WordPress. The use a completely independent system – Apache.

The more important question is:

Do your htaccess rules protect against the threats you with to
mitigate?

Some protections may require a plugin simply because the functionality is not available through what Apache offers.

For example, many plugins attempt to block brute force attacks against your WordPress Login.

You can also achieve the same result by using HTTP Authentication.

Similarly, some plugins try to protect against code-injection, but you can also do this with Apache’s mod_rewrite.

Related Posts:

  1. Content-Security-Policy implementation with WordPress W3Total Cache plugin installed
  2. What Are Security Best Practices for WordPress Plugins and Themes? [closed]
  3. Are WordPress Plugins essential?
  4. What are the common security flaws I need to look for? [closed]
  5. Disabled plugins are they security holes – rumor or reality?
  6. How Can I Securely Implement a Password-less Login Feature?
  7. Security and .htaccess
  8. Are there procedures to prevent malicious plugin updates?
  9. How to stop wordpress from changing default .htaccess permissions to 444
  10. Secure WordPress paid plugin
  11. How to make media upload private? [duplicate]
  12. Does WordPress contain “default” anti-SQL injection code that responds with a 404 error?
  13. What does a security risk in a plugin look like?
  14. WordPress Capabilities: edit_user vs edit_users
  15. Should we use plugins that aren’t available from the official WordPress site?
  16. How to check plugins for malicious code?
  17. How to properly secure my WordPress installation?
  18. Why allow overriding crucial pluggable functions wp_verify_nonce and wp_create_nonce?
  19. Where should my plugin POST to?
  20. Security error WP 4.0 + WP phpBB Bridge [closed]
  21. Why am I sometimes getting a 404 error when I try to update a page with Elementor?
  22. Prevent Brute Force Attack
  23. Why users disable the WordPress update?
  24. Will WordPress username displayed somewhere in the site?
  25. Is revealing just the AUTH_KEY a security issue?
  26. Error Message from W3 Total Cache when .htaccess Rules Cannot Be Modified? [closed]
  27. Questions about brute force attacks on the admin username, coming from amazon IP addresses
  28. Why Better WP security plugin returns 418 I’m a Teapot “error”?
  29. How to expire all wordpress user passwords instantly?
  30. Weird problems after recovery from security breach
  31. Security checking in meta_box save is reluctant?
  32. Should you escape hardcoded URLs?
  33. Preventing BFA in WordPress without using a plugin
  34. W3 Total Cache: Load CSS asynchronously for better PageSpeed score? [closed]
  35. How to stop xmlrpc attacks without disabling component to allow JetPack to work in WordPress?
  36. How To Clean The Malware Infected & Hacked WordPress Websites? [duplicate]
  37. WordPress filter that hook after each action/filter hook
  38. With W3 Total Cache when I publish a post it does not appear in the homepage. Only if i purge all cache [closed]
  39. How to delete Passwrd Protected posts cookies when a user logged out from the site
  40. Upgraded to latest version – 3.0.3 and Now I get a “sufficient permissions to access this page” error
  41. Headers Content-Security-Policy CSP Major Issue
  42. How to block plugin activations with no known user or coming from unknown IP address range?
  43. Check for security updates
  44. Standard Fail2Ban vs. WP Fail2ban vs. WP Fail2Ban Redux
  45. Is it wise to add plugins to the Object Cache?
  46. Malicious File Upload [closed]
  47. Stop Plugin Enumeration [closed]
  48. Malware installation during plugin update?
  49. w3 Total Cache not Caching – Requested URI is rejected [closed]
  50. I should enable automatic updates?
  51. Can some vulnerabilities in plugins be exploited even when the plugin is inactive?
  52. Security and Must Use Plugins
  53. Is it safe to use admin-ajax.php in the frontend?
  54. How to protect WordPress from security scanner [closed]
  55. Too many login attempts
  56. Website show Google Ads when we have no Google Ads linked to our website
  57. Vulnerability Concern From the Plugin or From Not Updating the Plugin?
  58. How to add support for caching plugins for my own plugin?
  59. Chrome Dev Tools console says every page in my blog has link to http://maps.google.com [closed]
  60. Object Caching Plugin force every plugin to cache objects?
  61. Webservice credential storage [duplicate]
  62. Regarding plugin security
  63. How do I determine if the user who registered is not spam?
  64. Is this plugin safe to run?
  65. Sociable buttons displaying seemingly at random [closed]
  66. W3 Total Cache Help – How to update DNS Zone for a static domain [closed]
  67. Is the Block Bad Queries Plugin Still Relevant?
  68. 404 errors when updating options in admin dashboard
  69. What archive plugin works with W3 total cache? [closed]
  70. Website Captcha Error: The reCAPTCHA wasn’t entered correctly
  71. Can I disable xml-rpc by setting it to false?
  72. How can I disable new plugin and theme install, but allow updates?
  73. Memcaching recurring SQL Queries
  74. Help to Create a Simple Plugin to make a post
  75. Validating ajax search
  76. WordPress disable direct access of files in WordPress installation path
  77. Asking help regarding potential malware
  78. My wp database has been hacked
  79. Bing/msn bots is heavily requesting random of my website
  80. WordPress Dashboard shows no plugins installed!
  81. Redux framework somehow added to my site, can’t locate in plugins
  82. Primary Menu doesn’t show because of w3 cache
  83. Being hacked. Is there a list of WordPress security holes I can check against?
  84. wp_verify_nonce fails always
  85. Write mysql credentials in plugin
  86. w3 total cache and post__not_in
  87. W3 Total Cache Can’t Really Detect Things
  88. Validating values using Settings API?
  89. Unwanted Links and Spam WordPress Pages and Posts
  90. Problem with permissions in wp-content/plugins
  91. File permissions for wp-minify plugin
  92. What is the recommended way to be notified of security updates to my plugins? [closed]
  93. My WP site and password was hacked, what to do? [closed]
  94. WP Super Cache versus W3 Total Cache [closed]
  95. How to resolve these findings from security audit
  96. How I can hide my wp folders from Inspect Element (Developer Tools)
  97. How to Find WordPress site has backdoor login Codes
  98. Stop the user if login from the cookies
  99. WordPress User Registration/ Sign Up -> Able to take Paid Certification Courses & keep track of Completed Certificates
  100. Block Root REST API Route using custom &/or iThemes