
WordPress Security, Part 3: HTAccess Tips

  • Topic started 3 years ago
  • 1 posts so far
  • Latest reply from natalija

  1. .htaccess is a directory-level configuration file used by the Apache (and some other) web servers. The content of this file is very similar to the web server’s global configuration file. Htaccess is used to override settings from the global configuration and can be added to any directory of the website.

    I will not bore you with everything .htaccess can be used for, because it’s a lot, but here are some basics. WordPress uses .htaccess for activating the rewriting engine and getting all the pretty permalinks that we are so used to. So, most likely you will have an .htaccess file in the root of your website installation. You can add .htaccess to any directory if you need to set something differently from the parent directory; this is a good method to add extra protection to the wp-admin folder.
    The basic thing you can do with .htaccess is to protect files from being accessed at all. Some types of files are already protected by the global server configuration, but it’s better to ensure the protection using .htaccess as well. You should protect the .htaccess and wp-config.php files at least. If you attempt to access wp-config.php like this: http://www.example.com/wp-config.php, you will get an empty page, since PHP processes that file and it has no output to display. But, due to some exploit methods that can affect the server, it’s also a good idea to prevent access to this file. It’s recommended to prevent access to readme.html, since it contains the WP version.
    By default, the web server allows browsing of directories on the website, and that can reveal the content of directories that are not protected. One way to prevent that is to add an index.php or index.html file to each directory, but a better method is to do it with .htaccess and prevent it for all directories at once.
    Each web request should contain a user agent string identifying the source of the request. UA strings are used to identify different browsers or other programs trying to access the website. Based on the UA string we can identify many spammers, content scrapers and other sources that are best banned from the website. With that you can even improve website performance, since requests from banned sources will be stopped before the server generates content. There are many good lists available on the internet, and one such list is part of the GD Press Tools Pro plugin (more info at the end of the article).
    GD Press Tools 3.9 Pro adds .htaccess modifications to the Security panel. Right now this panel allows you to control all tips from this article (except for IP limitations, which will be added in 4.0). The plugin can modify and update .htaccess on its own, so you don’t need to do it manually every time you need to change something; just enable or disable some of the options, and the plugin will do the rest.

    http://www.dev4press.com/2010/tutorials/practical-wp/wordpress-security-part-3-htaccess-tips/

    Posted: 3 years #
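The tips in the post above, collected into one worked set of .htaccess rules, as an added example that is not part of the original post, the linked article or the GD Press Tools plugin. It is written for Apache 2.4 (mod_authz_core); the Apache 2.2 equivalents are given in comments. The IP ranges and the user-agent names are assumed placeholders, not a curated ban list. It assumes the server's AllowOverride setting permits FileInfo, Options/Indexes and AuthConfig in .htaccess, which is the usual setup on shared WordPress hosting.

```apache
### File 1: .htaccess in the WordPress root directory
### (example configuration; placeholders are marked as such)

# Tip 1: refuse direct requests for sensitive files. FilesMatch keys on the
# file name, so the rule also covers copies in subdirectories. wp-config.php is
# included even though PHP would render it as an empty page: if PHP handling
# ever breaks (misconfiguration, a .php.bak copy served as text, an exploit
# that disables the handler) the file must still not be downloadable.
<FilesMatch "^(\.htaccess|wp-config\.php|readme\.html)$">
    Require all denied
    # Apache 2.2 equivalent:
    # Order allow,deny
    # Deny from all
</FilesMatch>

# Tip 2: turn off directory listings for this directory and everything
# below it, so a folder without an index file answers 403 instead of
# showing its contents (wp-content/uploads and wp-content/plugins are the
# usual leaks). Requires AllowOverride Options (or Indexes).
Options -Indexes

# Tip 3: ban requests by user-agent string before WordPress runs.
# The agent names below are constructed placeholders for the example.
# [NC] = case-insensitive match, [OR] chains the conditions,
# F = answer 403 Forbidden, L = stop processing rewrite rules.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
    RewriteCond %{HTTP_USER_AGENT} (ExampleScraper|ExampleSpamBot) [NC]
    RewriteRule .* - [F,L]
</IfModule>

# Keep WordPress' own "# BEGIN WordPress ... # END WordPress" permalink block
# after these rules; WordPress regenerates that section by itself and will
# overwrite anything placed inside its markers.


### File 2: .htaccess inside the wp-admin directory
### (IP limitation for the admin area; ranges are assumed example values)

# admin-ajax.php lives in wp-admin but is called by the public front end of
# many themes and plugins, so it is exempted before the directory-wide rule.
<Files "admin-ajax.php">
    Require all granted
</Files>

# Everything else under wp-admin is reachable only from the listed
# addresses (203.0.113.0/24 and 198.51.100.7 are documentation ranges
# standing in for an office network and a VPN exit address).
<RequireAny>
    Require ip 203.0.113.0/24
    Require ip 198.51.100.7
</RequireAny>
# Apache 2.2 equivalent:
# Order deny,allow
# Deny from all
# Allow from 203.0.113.0/24
# Allow from 198.51.100.7
```

Check the result from outside the allowed network with `curl -I http://www.example.com/wp-config.php`, `curl -I http://www.example.com/wp-content/uploads/` and `curl -I http://www.example.com/wp-admin/`; each should return 403, while `curl -I -A "ExampleScraper/1.0" http://www.example.com/` shows the UA ban and `curl -I http://www.example.com/wp-admin/admin-ajax.php` still answers. Two caveats: the empty-UA condition (`^$`) also blocks some legitimate monitoring scripts, so drop it if those matter; and a user-agent ban is only a filter for lazy bots, since the string is chosen by the client and is trivially changed, so it complements the IP and file rules rather than replacing them. The `Files`/`RequireAny` override for admin-ajax.php relies on the default `AuthMerging Off`; if the server sets `AuthMerging And`, the per-file grant will not take effect.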




