Htaccess by BestWebSoft – WordPress Website Access Control Plugin Security & Risk Analysis

wordpress.org/plugins/htaccess

Protect WordPress website – allow and deny access for certain IP addresses, hostnames, etc.

400 active installs · v1.8.8 · PHP + · WP + · Updated Dec 3, 2025
Tags: access, allow-directive, control-access, deny-directive, directive-block
Score: 99 · A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Feb 1, 2020
Safety Verdict

Is Htaccess by BestWebSoft – WordPress Website Access Control Plugin Safe to Use in 2026?

Generally Safe

Score 99/100

Htaccess by BestWebSoft – WordPress Website Access Control Plugin has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEs · Last CVE: Feb 1, 2020 · Updated 5mo ago
Risk Assessment

The "htaccess" v1.8.8 plugin exhibits a generally good security posture based on the static analysis. It has a very small attack surface with only two AJAX entry points, both of which appear to have proper authentication checks. The code signals indicate strong practices with a high percentage of properly escaped output and a good number of nonce and capability checks. There are no identified dangerous functions or critical/high severity taint flows, suggesting a low risk of common code injection vulnerabilities. However, the plugin has a history of known vulnerabilities, including one high and one medium severity, with the last recorded issue in 2020. While there are currently no unpatched vulnerabilities, this history indicates a past tendency for security flaws to emerge. The presence of a significant number of file operations (23) and external HTTP requests (6) warrants careful review in any future analyses to ensure these operations are handled securely and do not introduce new risks.

Key Concerns

  • History of high severity vulnerabilities
  • History of medium severity vulnerabilities
  • 17% of SQL queries not using prepared statements
  • 23 file operations detected
  • 6 external HTTP requests detected
Vulnerabilities
2 published

Htaccess by BestWebSoft – WordPress Website Access Control Plugin Security Vulnerabilities

CVEs by Year

2017: 1 CVE
2020: 1 CVE

Severity Breakdown

High: 1
Medium: 1

2 total CVEs

CVE-2020-8658 · high · 8.8 · Cross-Site Request Forgery (CSRF)

Htaccess <= 1.8.1 - Cross-Site Request Forgery

Feb 1, 2020 · Patched in 1.8.2 (1452d)

CVE-2017-18496 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Htaccess by BestWebSoft – WordPress Website Access Control Plugin <= 1.7.5 - Reflected Cross-Site Scripting

Apr 14, 2017 · Patched in 1.7.6 (2681d)
Version History

Htaccess by BestWebSoft – WordPress Website Access Control Plugin Release Timeline

v1.8.8 · Current
v1.8.6
v1.8.5
v1.8.4
v1.8.3
v1.8.2
v1.8.1 · 1 CVE
v1.8.0 · 1 CVE
v1.7.9 · 1 CVE
v1.7.8 · 1 CVE
v1.7.7 · 1 CVE
v1.7.6 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

Htaccess by BestWebSoft – WordPress Website Access Control Plugin Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 10 (2 prepared)
Unescaped Output: 26 (499 escaped)
Nonce Checks: 21
Capability Checks: 3
File Operations: 23
External Requests: 6
Bundled Libraries: 0

SQL Query Safety

17% prepared · 12 total queries

Output Escaping

95% escaped · 525 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

8 flows
bws_add_menu_render (bws_menu\bws_menu.php:18)
Attack Surface

Htaccess by BestWebSoft – WordPress Website Access Control Plugin Attack Surface

Entry Points: 2
Unprotected: 0

AJAX Handlers 2

auth · wp_ajax_bws_submit_request_feature_action · bws_menu\class-bws-settings.php:1466
auth · wp_ajax_bws_submit_uninstall_reason_action · bws_menu\deactivation-form.php:433
WordPress Hooks 26
filter · load_textdomain_mofile · bws_menu\bws_functions.php:43
filter · mce_external_plugins · bws_menu\bws_functions.php:1146
filter · mce_buttons · bws_menu\bws_functions.php:1147
action · admin_init · bws_menu\bws_functions.php:1433
action · admin_enqueue_scripts · bws_menu\bws_functions.php:1434
action · admin_head · bws_menu\bws_functions.php:1435
action · admin_footer · bws_menu\bws_functions.php:1436
action · admin_notices · bws_menu\bws_functions.php:1438
action · wp_enqueue_scripts · bws_menu\bws_functions.php:1440
action · network_admin_menu · htaccess.php:1605
action · admin_menu · htaccess.php:1607
action · init · htaccess.php:1611
action · admin_init · htaccess.php:1612
action · plugins_loaded · htaccess.php:1613
action · admin_enqueue_scripts · htaccess.php:1615
action · admin_notices · htaccess.php:1616
action · network_admin_notices · htaccess.php:1617
filter · plugin_action_links · htaccess.php:1619
filter · plugin_row_meta · htaccess.php:1621
filter · mod_rewrite_rules · htaccess.php:1622
action · lmtttmpts_htaccess_hook_for_copy_all · htaccess.php:1624
action · lmtttmpts_htaccess_hook_for_delete_all · htaccess.php:1625
action · lmtttmpts_htaccess_hook_for_block · htaccess.php:1626
action · lmtttmpts_htaccess_hook_for_reset_block · htaccess.php:1627
action · lmtttmpts_htaccess_hook_for_delete_from_whitelist · htaccess.php:1628
action · lmtttmpts_htaccess_hook_for_add_to_whitelist · htaccess.php:1629
Maintenance & Trust

Htaccess by BestWebSoft – WordPress Website Access Control Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 3, 2025
PHP min version
Downloads: 42K

Community Trust

Rating: 80/100
Number of ratings: 2
Active installs: 400
Developer Profile

Htaccess by BestWebSoft – WordPress Website Access Control Plugin Developer Profile

bestwebsoft

18 plugins · 207K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 1695 days
Detection Fingerprints

How We Detect Htaccess by BestWebSoft – WordPress Website Access Control Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/htaccess/css/style.css
/wp-content/plugins/htaccess/js/htccss.js
Script Paths
/wp-content/plugins/htaccess/js/htccss.js
Version Parameters
/wp-content/plugins/htaccess/css/style.css?ver=
/wp-content/plugins/htaccess/js/htccss.js?ver=

HTML / DOM Fingerprints

JS Globals
htccss_admin_url
FAQ

Frequently Asked Questions about Htaccess by BestWebSoft – WordPress Website Access Control Plugin