If you own a small design and web development agency that provides WordPress website building services, you probably know how crucial it is to edit the default WordPress .htaccess file properly to maximize the site’s security and speed. However, editing WordPress .htaccess can be quite challenging, especially if this is something new for you.
Keep reading to learn how to edit the .htaccess file without breaking your website. The rules and configurations in this article work mostly with Apache, but you can also convert .htaccess to NGINX.
What is a .htaccess File?
The .htaccess file is a server configuration file that comprises essential rules for handling and regulating certain things on your website. You can use .htaccess for many useful tasks such as controlling access to website pages, protecting the admin area with a password, improving security, enhancing performance, and redirecting users.
The WordPress .htaccess file is located in the root folder of your WordPress site. You can also place it in any other folder to change the site’s behavior and manage redirects.
Why Can’t You Find the .htaccess File on Your WordPress Site?
There are several cases when the .htaccess file may not be available in your website’s root folder:
Your file manager software hides it.
It doesn’t exist.
To resolve the first issue, change your FTP client settings. If you are using the FileZilla FTP program, you can view the .htaccess file in two simple steps:
Find the ‘Server’ option in the menu bar at the top.
Select ‘Force showing hidden files.’
In WinSCP FTP,
Select ‘Options’ in the menu bar at the top.
Open the ‘Preferences’ option and select ‘Panels’ from the left column.
Select ‘Show hidden files.’
As for the second issue, the system might have not generated the file yet. To fix this problem, go to the ‘Settings’ page and click on ‘Save Changes.’ WordPress will now try to create the .htaccess file automatically.
However, if you have file permission issues, WordPress may not be able to generate .htaccess. In this case, you will need to create it yourself. Follow these steps:
Copy and paste this code into a text editor such as Notepad:
Save the document as a .htaccess file on a local disk.
Use an FTP client to open your site and upload the .htaccess file from your computer.
*Note: If you can’t upload the file, change the file permission for your root directory.
Before Making Any Changes or Why Backup Is Important
Now that you have found or created the WordPress .htaccess file, you can start editing it. First, though, make sure you’ve made its backup copy. Without this step, you risk losing the original content if something goes wrong while you edit it.
To make a backup of the .htaccess file, go to the folder that contains it (/wp-content/htaccess-editor-backups/) and copy the file. Change the name of the copy so that you won’t confuse it with the edited file. If the editing goes well, you can delete the backup. If something goes awry, you can go back to the basic WordPress .htaccess file and change its code.
How to Edit .htaccess File
You can edit the default .htaccess file in your root directory. This requires using the file manager of your WordPress hosting provider or an FTP client such as FileZilla or WinSCP.
Start with logging into your web hosting account. Then, open the ‘public_html’ folder and find the .htaccess file in the WordPress installation. Click on the ‘View/Edit’ option to open the file in your preferred text editor and make the required changes.
You can also make a copy of the .htaccess file and edit it in your local system. Once you are done with making the changes, you can replace the live version using an FTP client or file manager.
.htaccess for Redirects
301 Redirect
A 301 Redirect is a permanent redirect that tells search engines that the URL, folder, page, or website has been moved to another location. Here’s the rule that allows redirecting oldpage.html to newpage.html:
If you need to redirect a visitor from one domain to another, use the following .htaccess rule:
Redirect 301 / http://www.mynewwebsite.com/
.htaccess for Security
You can also edit the .htaccess file to protect WordPress directories and files on the server.
Protect .htaccess
Considering that the .htaccess file can potentially control the entire site, protecting it from unauthorized users is crucial. Use this rule to restrict access to your website for all unauthorized visitors:
<files ~ "^.*\.([Hh][Tt][Aa])"> order allow,deny deny from all satisfy all </files>
Another file that needs to be secured is wp-config.php. It contains the hosting and database credentials along with other sensitive data. Add the following rule to prevent hackers from accessing this file:
<files wp-config.php> order allow,deny deny from all </files>
To protect your .htaccess file along with error logs, wp-config.php, and php.ini files, use the following rule:
<FilesMatch "^.*(error_log|wp-config\.php|php.ini|\.[hH][tT][aApP].*)$"> Order deny,allow Deny from all </FilesMatch>
Make sure to name one of your files php.ini.
Restrict Access to WordPress Admin Panel
If you use a static IP address, you can block your admin dashboard with this rule:
If you or any of your clients use dynamic IP addresses or a Multisite network, but still want to protect your site from hackers who use bots to access the admin dashboard or try to get hold of your users’ login details, add the following rule instead:
wp-content is a directory that contains themes, plugins, media, and cached files. This folder is the main target for hackers and spammers, so they will always search for ways to access it. To secure wp-content from unauthorized access, create a separate .htaccess file in the wp-content folder and paste the following code into it:
Order deny,allow Deny from all <Files ~ ".(xml|css|jpe?g|png|gif|js)$"> Allow from all </Files>
Protect Include-Only files
The wp-includes is the second core WordPress folder. It contains files and folders required for your website to function properly. Using this rule, you can block all unauthorized access to your wp-includes directory:
In addition to restricting direct access to your PHP files, you can block their unauthorized execution. If a hacker does break into your site, they won’t be able to upload a PHP file with malicious code inside.
Add the following code to prevent the execution of PHP files within the uploads folder:
<Directory "/var/www/wp-content/uploads/"> <Files "*.php"> Order Deny,Allow Deny from All </Files> </Directory>
Script Injection Protection
Hackers often try to change the WordPress GLOBALS and _REQUEST variables. There is an efficient way to prevent this. Add the following code to the .htaccess file:
By modifying the WordPress .htaccess file, you can also block an IP address. If someone continuously spams your website or makes hacking attempts, you will see their IP address in the WordPress admin panel. Simply add this address to the rule below. This way you will deny them access to your site:
<Limit GET POST> order allow,deny deny from INSERT_IP_ADRESS_HERE allow from all </Limit>
Deny Access to Certain Files
If you want to restrict access to certain files, use the following .htaccess rule:
<files your-file-name.txt> order allow,deny deny from all </files>
Disable Directory Browsing
The WordPress file structure allows all visitors to see your site’s directories in the front end when entering your domain. This way cyber criminals can easily hack your essential files. Block access to your website directories by adding the following line:
Options All -Indexes
.htaccess Rules for Performance
Another benefit of editing the WordPress .htaccess file is that it allows you to enhance your website’s performance.
Editing .htaccess to improve a website’s performance is like putting the cherry on the cake. Do it at the final tuning stage.
Dmitriy K., WordPress Lead Developer at GetDevDone with over 10 years of experience
Enable Browser Cache
The browser cache stores files that your browser downloads to render your website properly. These may be HTML, CSS, and JavaScript files, as well as diverse multimedia content such as images. By modifying the WordPress .htaccess file, you can set these rules to determine how long particular files should be cached:
<IfModule mod_expires.c> ExpiresActive on ExpiresDefault "access plus 1 month" # CSS ExpiresByType text/css "access plus 1 year" # Data interchange ExpiresByType application/json "access plus 0 seconds" ExpiresByType application/xml "access plus 0 seconds" ExpiresByType text/xml "access plus 0 seconds" # Favicon (cannot be renamed!) ExpiresByType image/x-icon "access plus 1 week" # HTML components (HTCs) ExpiresByType text/x-component "access plus 1 month" # HTML ExpiresByType text/html "access plus 0 seconds" # JavaScript ExpiresByType application/javascript "access plus 1 year" # Manifest files ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds" ExpiresByType text/cache-manifest "access plus 0 seconds" # Media ExpiresByType audio/ogg "access plus 1 month" ExpiresByType image/gif "access plus 1 month" ExpiresByType image/jpeg "access plus 1 month" ExpiresByType image/png "access plus 1 month" ExpiresByType video/mp4 "access plus 1 month" ExpiresByType video/ogg "access plus 1 month" ExpiresByType video/webm "access plus 1 month" # Web feeds ExpiresByType application/atom+xml "access plus 1 hour" ExpiresByType application/rss+xml "access plus 1 hour" # Web fonts ExpiresByType application/font-woff2 "access plus 1 month" ExpiresByType application/font-woff "access plus 1 month" ExpiresByType application/vnd.ms-fontobject "access plus 1 month" ExpiresByType application/x-font-ttf "access plus 1 month" ExpiresByType font/opentype "access plus 1 month" ExpiresByType image/svg+xml "access plus 1 month" </IfModule>
Enable Gzip Compression
Gzip is an effective compression algorithm. It can reduce the overall file size by locating and temporarily replacing similar strings within a text file. Many hosting providers use Gzip by default as a load speed optimization tool. If it is not included in your .htaccess, you can add the following rule:
Every time an external resource requests an image, your server uses its bandwidth to deliver it. Thus, image hotlinking can significantly affect your site’s bandwidth usage. You can reduce bandwidth consumption by adding the following to the .htaccess file:
The Htaccess File Editor plugin is probably the best solution for safe .htaccess editing. If you directly edit the file via cPanel or an FTP client, you can make a fatal error. With this plugin, though, you risk nothing. It automatically scans your .htaccess file and looks for syntax errors.
Plus, every time you edit the file, the plugin will automatically generate its backup. This means you will be able to restore your website even if there is an error within the .htaccess file.
Conclusion
The .htaccess file plays an essential role in keeping your site accessible and secure. It determines how the server runs and functions, so you should edit it carefully.
Editing the .htaccess File: FAQs
What is the .htaccess file and what is its significance for a WordPress website?
The .htaccess file is a server configuration file that allows website administrators to handle important managerial tasks, such as restricting access to certain web pages, strengthening the website security, setting a password to access the admin area, redirecting visitors, and improving performance.
The .htaccess file is placed in the root folder but can be moved to another directory to change the way the website behaves or redirect users.
What are the main causes of not finding the .htacccess file on a WordPress website?
If you don’t find the .htaccess file in your root folder, it usually means that the file manager software hides it or no .htaccess file has been created at all.
What is the best plugin for editing the .htaccess file?
We consider Htaccess File Editor to be the most efficient plugin for modifying the .htaccess file. It automatically spots any syntax errors, preventing the file from being corrupted. The plugin also automatically creates backups of the .htaccess file, so that you can easily restore its previous “healthy” version.
How can you enhance your WordPress website’s performance by editing the .htaccess file?
You can enable the browser cache and set how long certain files should be cached.
You can enable Gzip compression. It can shrink the .htaccess file size by finding and replacing the same strings within the file for the specified time period.
You can control/restrict image hotlinking.
Have any questions left? Our WordPress developers are always ready to share their years-long expertise of the most popular content management system with you. Get in touch with us for any WP-related task, from building a custom theme to performance optimization and website maintenance.
Whether it's web pages, email templates, or HTML5 banner ads, you'll be amazed at what we can accomplish in record time. Dive in and explore our time-tested solutions for your rush projects.
YouTube is full of exciting videos. You might want to add one to your WordPress website, but just copying and pasting it won't do the trick. You need to embed it. Read this post to learn how you can do that.