
What Is the WordPress .htaccess File and How to Edit It Without Breaking Your Site

Read this post to learn about the basics of accessing and editing the all-important WordPress .htaccess file for better performance and security.


If you own a small design and web development agency that provides WordPress website building services, you probably know how crucial it is to edit the default WordPress .htaccess file properly to maximize the site’s security and speed. However, editing WordPress .htaccess can be quite challenging, especially if this is something new for you. 

Keep reading to learn how to edit the .htaccess file without breaking your website. The rules and configurations in this article work mostly with Apache, but you can also convert .htaccess to NGINX.

What is a .htaccess File?

The .htaccess file is a server configuration file that comprises essential rules for handling and regulating certain things on your website. You can use .htaccess for many useful tasks such as controlling access to website pages, protecting the admin area with a password, improving security, enhancing performance, and redirecting users. 

The WordPress .htaccess file is located in the root folder of your WordPress site. You can also place it in any other folder to change the site’s behavior and manage redirects.

Why Can’t You Find the .htaccess File on Your WordPress Site?

There are several cases when the .htaccess file may not be available in your website’s root folder:

  1. Your file manager software hides it. 
  2. It doesn’t exist.

To resolve the first issue, change your FTP client settings. If you are using the FileZilla FTP program, you can view the .htaccess file in two simple steps:

  1. Find the ‘Server’ option in the menu bar at the top.
  2. Select ‘Force showing hidden files.’

In the WinSCP FTP client:

  1. Select ‘Options’ in the menu bar at the top.
  2. Open the ‘Preferences’ option and select ‘Panels’ from the left column.
  3. Select ‘Show hidden files.’

As for the second issue, WordPress might not have generated the file yet. To fix this, go to the ‘Settings’ page and click on ‘Save Changes.’ WordPress will then try to create the .htaccess file automatically.

However, if you have file permission issues, WordPress may not be able to generate .htaccess. In this case, you will need to create it yourself. Follow these steps:

  • Copy and paste this code into a text editor such as Notepad:
  • Save the document as a .htaccess file on a local disk.
  • Use an FTP client to open your site and upload the .htaccess file from your computer.

*Note: If you can’t upload the file, change the file permission for your root directory.

Before Making Any Changes or Why Backup Is Important

Now that you have found or created the WordPress .htaccess file, you can start editing it. First, though, make sure you have a backup copy. Without this step, you risk losing the original content if something goes wrong while you edit.

To make a backup of the .htaccess file, go to the folder that contains it (/wp-content/htaccess-editor-backups/) and copy the file. Change the name of the copy so that you won’t confuse it with the edited file. If the editing goes well, you can delete the backup. If something goes awry, you can go back to the basic WordPress .htaccess file and change its code.  

How to Edit .htaccess File

You can edit the default .htaccess file in your root directory. This requires using the file manager of your WordPress hosting provider or an FTP client such as FileZilla or WinSCP.

Start with logging into your web hosting account. Then, open the ‘public_html’ folder and find the .htaccess file in the WordPress installation. Click on the ‘View/Edit’ option to open the file in your preferred text editor and make the required changes.

You can also make a copy of the .htaccess file and edit it in your local system. Once you are done with making the changes, you can replace the live version using an FTP client or file manager.
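The backup-then-edit procedure above, scripted so that a broken file is rolled back automatically. This is an added example, not code from the article; the function names and the rule that a 5xx on the front page means the new file is broken are assumptions made here.

```python
"""Back up, replace and health-check a WordPress .htaccess file, restoring
the backup when the check fails. Added example for this article (not the
post's own code); function names and the health-check rule are assumptions."""
import shutil
import time
import urllib.error
import urllib.request
from pathlib import Path
from typing import Callable


def backup_htaccess(site_root: Path) -> Path:
    """Copy site_root/.htaccess to a timestamped .bak file and return its path."""
    src = site_root / ".htaccess"
    dst = site_root / f".htaccess.bak.{time.strftime('%Y%m%d-%H%M%S')}"
    shutil.copy2(src, dst)
    return dst


def front_page_ok(url: str) -> bool:
    """Default health check: the front page must not answer with a 5xx.

    A syntax error in .htaccess makes Apache return 500 for every request in
    that directory tree, so one fetch of the front page detects it.
    """
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status < 500
    except urllib.error.HTTPError as exc:
        return exc.code < 500        # 403/404 still mean Apache parsed the file
    except OSError:
        return False                 # connection problem: treat as unhealthy


def apply_htaccess(site_root: Path, new_rules: str,
                   healthy: Callable[[], bool]) -> bool:
    """Install new_rules as .htaccess; restore the backup if healthy() fails.

    Returns True when the new rules are live, False after a rollback.
    """
    target = site_root / ".htaccess"
    backup = backup_htaccess(site_root)
    target.write_text(new_rules)
    if healthy():
        return True
    shutil.copy2(backup, target)     # roll back to the pre-edit copy
    return False


if __name__ == "__main__":
    # Example invocation; the path and URL are placeholders.
    root = Path("/var/www/html")
    ok = apply_htaccess(root, Path("new-htaccess.txt").read_text(),
                        lambda: front_page_ok("https://example.com/"))
    print("applied" if ok else "rolled back")
```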

.htaccess for Redirects

301 Redirect

A 301 Redirect is a permanent redirect that tells search engines that the URL, folder, page, or website has been moved to another location. Here’s the rule that allows redirecting oldpage.html to newpage.html:

Redirect 301 /oldpage.html  http://www.yourwebsite.com/newpage.html

302 Redirect

A 302 Redirect is a temporary redirect. To apply it, add the following rule to .htaccess:

Redirect 302 /oldpage.html  http://www.yourwebsite.com/newpage.html

Force URL to www

Once you apply this rule, all the website visitors on example.com will be sent to www.example.com:

RewriteEngine on
RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301,NC]

Force URL to non-www

This WordPress .htaccess rule has the opposite effect. After you add it, it will force all visitors on www.example.com to use example.com:

RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule ^(.*)$ http://example.com/$1 [L,R=301]

Force HTTPS

Add the following rule to the WordPress .htaccess file to send every HTTP request to the HTTPS version of the same URL:

RewriteEngine On
# X-Forwarded-Proto is set by a reverse proxy or load balancer that terminates TLS.
# If Apache terminates TLS itself, test the HTTPS variable instead: RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

Force HTTP

This rule in .htaccess for WordPress does the opposite of the previous one. It forces website visitors to use HTTP instead of HTTPS:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} ^https$
RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

Redirect Domain to Sub-Directory

To redirect the domain’s root URL to the subdirectory of your choice, add the following rule to the WordPress .htaccess file:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com$
# Skip requests already inside the subdirectory; otherwise the rule rewrites them again and loops
RewriteCond %{REQUEST_URI} !^/subdir/
RewriteRule (.*) /subdir/$1 [L]

Redirect a URL

If you need to redirect a visitor from one domain to another, use the following .htaccess rule:

Redirect 301 / http://www.mynewwebsite.com/

.htaccess for Security

You can also edit the .htaccess file to protect WordPress directories and files on the server.

Protect .htaccess

Considering that the .htaccess file can potentially control the entire site, protecting it from unauthorized users is crucial. Use this rule to stop the web server from serving the .htaccess file, or any other file whose name begins with .hta (such as .htpasswd), to visitors. The Order/Deny/Allow directives used here and in the rules below are Apache 2.2 syntax; on Apache 2.4 they work only when mod_access_compat is loaded, so on a 2.4-only server write Require all denied instead:

<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

Another file that needs to be secured is wp-config.php. It contains the hosting and database credentials along with other sensitive data. Add the following rule to prevent hackers from accessing this file:

<files wp-config.php>
order allow,deny
deny from all
</files>

To protect your .htaccess file along with error logs, wp-config.php, and php.ini files, use the following rule:

<FilesMatch "^.*(error_log|wp-config\.php|php.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all
</FilesMatch>

Make sure to name one of your files php.ini.

Restrict Access to WordPress Admin Panel

If you connect from a static IP address, you can lock the admin dashboard and login page to that address with this rule; requests from any other address are answered with 403:

ErrorDocument 401 /path-to-your-site/index.php?error=404
ErrorDocument 403 /path-to-your-site/index.php?error=404
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# Replace the placeholders with your addresses and escape the dots, e.g. !^203\.0\.113\.10$
RewriteCond %{REMOTE_ADDR} !^IP Address One$
RewriteCond %{REMOTE_ADDR} !^IP Address Two$
RewriteCond %{REMOTE_ADDR} !^IP Address Three$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

If you or any of your clients use dynamic IP addresses or a Multisite network, but still want to protect your site from bots that post to the login page or try to get hold of your users’ login details, add the following rule instead. It rejects POST requests to wp-login.php and wp-admin whose Referer header does not point at your own site. Bear in mind that the Referer header is set by the client, so this stops only bots that don’t bother to spoof it; treat it as a nuisance filter, not as access control:

ErrorDocument 401 /path-to-your-site/index.php?error=404
ErrorDocument 403 /path-to-your-site/index.php?error=404
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^https?://(.*)?your-site\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]
</IfModule>

Protect /wp-content/

wp-content is a directory that contains themes, plugins, media, and cached files. This folder is the main target for hackers and spammers, so they will always search for ways to access it. To secure wp-content from unauthorized access, create a separate .htaccess file in the wp-content folder and paste the following code into it:

Order deny,allow
Deny from all
# Add any other file types your site serves directly (e.g. svg, webp, woff2, pdf, mp4)
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>

Protect Include-Only files

wp-includes is the second core WordPress folder. It contains files and folders required for your website to function properly. Using this rule, you can block direct requests to the PHP files in your wp-includes directory:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

PHP File Access Restriction

Plugin and theme PHP files are meant to be loaded through WordPress, not requested directly, and direct requests are how attackers exercise flaws in them to infect your site with malicious code. Block direct access and list as exceptions only the files or directories that must stay reachable:

RewriteEngine On
# Each RewriteCond exempts a plugin/theme file or directory that must stay reachable
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]

Disable PHP Execution

In addition to restricting direct access to your PHP files, you can block their execution in the uploads folder. If an attacker does break into your site and manages to put a PHP file with malicious code there, the server will refuse to run it.

Add the following code to prevent the execution of PHP files within the uploads folder. Note that the <Directory> container is permitted only in the main server configuration (httpd.conf); Apache rejects it inside .htaccess and answers every request with a 500 error, so in a .htaccess file placed inside wp-content/uploads/ keep only the inner <Files> block. Check which extensions your PHP handler is mapped to (for example .phtml or .php7) and widen the pattern accordingly:

# In the main server configuration (httpd.conf) the rule is scoped with a
# <Directory> container; adjust the path to your installation:
<Directory "/var/www/wp-content/uploads/">
<Files "*.php">
Order Deny,Allow
Deny from All
</Files>
</Directory>
# In a .htaccess file inside wp-content/uploads/, use only the <Files> block:
# <Directory> is not permitted in .htaccess.

Script Injection Protection

Attackers often try to overwrite the PHP GLOBALS and _REQUEST variables, or to inject script tags, through the query string. The following rule rejects such requests. It matches raw substrings, so it can also block legitimate requests whose query string happens to contain them (a site search for the word GLOBALS, for instance); test it against your own search and plugin URLs before relying on it. Add the code to the .htaccess file:

Options +FollowSymLinks
RewriteEngine On
# QUERY_STRING is matched raw, hence the %3C/%3E alternatives for < and >
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# The backslashes matter: unescaped, [ starts a character class and the
# pattern then matches the bare word GLOBALS anywhere in the query string
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
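To see what the three conditions above actually match, here is the same logic in Python, evaluated the way mod_rewrite evaluates it against the raw query string. This is an added example, not part of the article; the sample query strings are constructed, and the unescaped variant of the GLOBALS pattern is included only to show why the backslashes matter.

```python
"""Evaluate the script-injection rule's query-string patterns with Python's re
module, which agrees with Apache's PCRE for these patterns. Added example, not
from the article; the sample query strings below are constructed."""
import re

# mod_rewrite tests the *raw* QUERY_STRING, so encoded forms (%3C for <,
# %3E for >) must be listed alongside the literal characters.
SCRIPT_TAG = re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)  # [NC]
GLOBALS_RE = re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})")   # no [NC]: case-sensitive
REQUEST_RE = re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})")

# Same GLOBALS pattern with the backslashes dropped, as it is often pasted:
# "[|%[0-9A-Z]{0,2}" becomes a character class repeated zero times, so the
# group matches the empty string and the bare word GLOBALS is enough.
GLOBALS_UNESCAPED = re.compile(r"GLOBALS(=|[|%[0-9A-Z]{0,2})")


def blocked(query_string: str) -> bool:
    """True when the rule would answer 403 for this raw query string."""
    return bool(SCRIPT_TAG.search(query_string)
                or GLOBALS_RE.search(query_string)
                or REQUEST_RE.search(query_string))


def blocked_by_unescaped(query_string: str) -> bool:
    """The GLOBALS check alone, using the unescaped pattern (for comparison)."""
    return bool(GLOBALS_UNESCAPED.search(query_string))


def classify(samples: list[str]) -> dict[str, tuple[bool, bool]]:
    """Map each sample to (blocked by the correct rule, blocked by the unescaped variant)."""
    return {q: (blocked(q), blocked_by_unescaped(q)) for q in samples}


if __name__ == "__main__":
    # Constructed samples: two attack-shaped strings, two legitimate ones.
    for q, (correct, unescaped) in classify([
        "s=%3Cscript%3Ealert(1)%3C/script%3E",   # encoded <script> tag
        "page_id=2&GLOBALS[x]=1",                # attempt to set $GLOBALS
        "s=javascript+tutorial",                 # ordinary site search
        "s=GLOBALS&paged=2",                     # search for the word GLOBALS
    ]).items():
        print(f"{q!r:42} correct={correct!s:5} unescaped={unescaped}")
```

The last sample is the false positive to watch for: the correct pattern lets a search for the word GLOBALS through, the unescaped one turns it into a 403.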

Block IP Address

By modifying the WordPress .htaccess file, you can also block an IP address. If someone continuously spams your website or makes hacking attempts, you will see their IP address in the WordPress admin panel. Simply add this address to the rule below, which denies them access to your site. The <Limit GET POST> wrapper restricts only those two methods (HEAD is treated as GET); drop the wrapper if the address should be denied for every request method:

<Limit GET POST>
order allow,deny
# A full address (e.g. 203.0.113.5) or a partial one (e.g. 203.0.113.) for a whole range
deny from INSERT_IP_ADDRESS_HERE
allow from all
</Limit>

Deny Access to Certain Files

If you want to restrict access to certain files, use the following .htaccess rule:

<files your-file-name.txt>
order allow,deny
deny from all
</files>

Disable Directory Browsing

If a directory has no index file, Apache can show its contents to anyone who requests it, so visitors can browse folders such as wp-content/uploads and learn which files and plugins are present. Switch directory listings off by adding the following line. Options -Indexes on its own is enough; the All keyword additionally turns on ExecCGI, Includes and FollowSymLinks, which you rarely want, and if your host’s AllowOverride setting does not permit Options the line causes a 500 error:

Options All -Indexes
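Once the rules in this section are in place, it is worth checking from the outside that each one actually took effect. The audit below does that over HTTP; it is an added example and not part of the article. The fetcher is injected so the checks can run against a stub as well as a live site, the probe file wp-content/uploads/probe.php is a harmless file you upload yourself beforehand, and the expected status codes follow the rules given above.

```python
"""Verify from outside that the .htaccess protections described above are in
effect. Added example, not the article's own code; http_fetch, audit_site and
the probe-file convention are assumptions made for this example."""
import urllib.error
import urllib.request
from typing import Callable

# A fetcher maps a URL to (status code, Location header or ""). It is injected
# so the checks can run against a stub as well as a live server.
Fetcher = Callable[[str], tuple[int, str]]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None          # surface 3xx responses instead of following them


def http_fetch(url: str) -> tuple[int, str]:
    """GET url without following redirects; return (status, Location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location", "")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.headers.get("Location", "")


def audit_site(base: str, fetch: Fetcher = http_fetch) -> dict[str, bool]:
    """Return {check name: passed} for the protections recommended above.

    base is the site origin without a trailing slash, e.g. https://example.com.
    Upload a harmless wp-content/uploads/probe.php first: a 404 for it would
    mean "missing" rather than "blocked", so only 403 passes that check.
    """
    results = {}
    for path in (".htaccess", "wp-config.php", "wp-includes/version.php"):
        status, _ = fetch(f"{base}/{path}")
        # 404 is accepted too, since the R=404 style rules hide files that way
        results[f"{path} not served"] = status in (403, 404)
    status, _ = fetch(f"{base}/wp-content/uploads/probe.php")
    results["PHP in uploads blocked"] = status == 403
    # With Options -Indexes a directory without an index file answers 403
    status, _ = fetch(f"{base}/wp-content/uploads/")
    results["directory listing off"] = status == 403
    status, location = fetch(base.replace("https://", "http://", 1) + "/")
    results["HTTP redirected to HTTPS"] = (
        status in (301, 302) and location.startswith("https://"))
    return results


if __name__ == "__main__":
    for name, passed in audit_site("https://example.com").items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
```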

.htaccess Rules for Performance

Another benefit of editing the WordPress .htaccess file is that it allows you to enhance your website’s performance.

Editing .htaccess to improve a website’s performance is like putting the cherry on the cake. Do it at the final tuning stage.

Dmitriy K., WordPress Lead Developer at GetDevDone with over 10 years of experience

Enable Browser Cache

The browser cache stores files that your browser downloads to render your website properly. These may be HTML, CSS, and JavaScript files, as well as diverse multimedia content such as images. By modifying the WordPress .htaccess file, you can set these rules to determine how long particular files should be cached:

<IfModule mod_expires.c>
       ExpiresActive on
       ExpiresDefault                                    "access plus 1 month"
   # CSS
       ExpiresByType text/css                            "access plus 1 year"
   # Data interchange
       ExpiresByType application/json                    "access plus 0 seconds"
       ExpiresByType application/xml                     "access plus 0 seconds"
       ExpiresByType text/xml                            "access plus 0 seconds"
   # Favicon (cannot be renamed!)
       ExpiresByType image/x-icon                        "access plus 1 week"
   # HTML components (HTCs)
       ExpiresByType text/x-component                    "access plus 1 month"
   # HTML
       ExpiresByType text/html                           "access plus 0 seconds"
   # JavaScript
       ExpiresByType application/javascript              "access plus 1 year"
   # Manifest files
       ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
       ExpiresByType text/cache-manifest                 "access plus 0 seconds"
   # Media
       ExpiresByType audio/ogg                           "access plus 1 month"
       ExpiresByType image/gif                           "access plus 1 month"
       ExpiresByType image/jpeg                          "access plus 1 month"
       ExpiresByType image/png                           "access plus 1 month"
       ExpiresByType video/mp4                           "access plus 1 month"
       ExpiresByType video/ogg                           "access plus 1 month"
       ExpiresByType video/webm                          "access plus 1 month"
   # Web feeds
       ExpiresByType application/atom+xml                "access plus 1 hour"
       ExpiresByType application/rss+xml                 "access plus 1 hour"
   # Web fonts
       ExpiresByType application/font-woff2              "access plus 1 month"
       ExpiresByType application/font-woff               "access plus 1 month"
       ExpiresByType application/vnd.ms-fontobject       "access plus 1 month"
       ExpiresByType application/x-font-ttf              "access plus 1 month"
       ExpiresByType font/opentype                       "access plus 1 month"
       ExpiresByType image/svg+xml                       "access plus 1 month"
</IfModule>

Enable Gzip Compression

Gzip is an effective compression algorithm. It can reduce the overall file size by locating and temporarily replacing similar strings within a text file. Many hosting providers use Gzip by default as a load speed optimization tool. If it is not included in your .htaccess, you can add the following rule:

<IfModule mod_deflate.c>
 # Compress HTML, CSS, JavaScript, Text, XML and fonts
 AddOutputFilterByType DEFLATE application/javascript
 AddOutputFilterByType DEFLATE application/rss+xml
 AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
 AddOutputFilterByType DEFLATE application/x-font
 AddOutputFilterByType DEFLATE application/x-font-opentype
 AddOutputFilterByType DEFLATE application/x-font-otf
 AddOutputFilterByType DEFLATE application/x-font-truetype
 AddOutputFilterByType DEFLATE application/x-font-ttf
 AddOutputFilterByType DEFLATE application/x-javascript
 AddOutputFilterByType DEFLATE application/xhtml+xml
 AddOutputFilterByType DEFLATE application/xml
 AddOutputFilterByType DEFLATE font/opentype
 AddOutputFilterByType DEFLATE font/otf
 AddOutputFilterByType DEFLATE font/ttf
 AddOutputFilterByType DEFLATE image/svg+xml
 AddOutputFilterByType DEFLATE image/x-icon
 AddOutputFilterByType DEFLATE text/css
 AddOutputFilterByType DEFLATE text/html
 AddOutputFilterByType DEFLATE text/javascript
 AddOutputFilterByType DEFLATE text/plain
 AddOutputFilterByType DEFLATE text/xml
 # Remove browser bugs (only needed for really old browsers)
 BrowserMatch ^Mozilla/4 gzip-only-text/html
 BrowserMatch ^Mozilla/4\.0[678] no-gzip
 BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
 Header append Vary User-Agent
</IfModule>

Control/Restrict Image Hotlinking

Every time an external resource requests an image, your server uses its bandwidth to deliver it. Thus, image hotlinking can significantly affect your site’s bandwidth usage. You can reduce bandwidth consumption by adding the following to the .htaccess file:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

Plugins to Edit .htaccess

The Htaccess File Editor plugin is probably the best solution for safe .htaccess editing. If you directly edit the file via cPanel or an FTP client, you can make a fatal error. With this plugin, though, you risk nothing. It automatically scans your .htaccess file and looks for syntax errors.

Plus, every time you edit the file, the plugin will automatically generate its backup. This means you will be able to restore your website even if there is an error within the .htaccess file.


Conclusion

The .htaccess file plays an essential role in keeping your site accessible and secure. It determines how the server runs and functions, so you should edit it carefully.

Editing the .htaccess File: FAQs

What is the .htaccess file and what is its significance for a WordPress website?

The .htaccess file is a server configuration file that allows website administrators to handle important managerial tasks, such as restricting access to certain web pages, strengthening the website security, setting a password to access the admin area, redirecting visitors, and improving performance.

The .htaccess file is placed in the root folder but can be moved to another directory to change the way the website behaves or redirect users.

What are the main causes of not finding the .htaccess file on a WordPress website?

If you don’t find the .htaccess file in your root folder, it usually means that the file manager software hides it or no .htaccess file has been created at all.

What is the best plugin for editing the .htaccess file?

We consider Htaccess File Editor to be the most efficient plugin for modifying the .htaccess file. It automatically spots any syntax errors, preventing the file from being corrupted. The plugin also automatically creates backups of the .htaccess file, so that you can easily restore its previous “healthy” version.

How can you enhance your WordPress website’s performance by editing the .htaccess file?

  • You can enable the browser cache and set how long certain files should be cached.
  • You can enable Gzip compression. It shrinks the responses your server sends (HTML, CSS, JavaScript, text, XML and fonts) by finding and replacing repeated strings, so pages download faster.
  • You can control/restrict image hotlinking.

Have any questions left? Our WordPress developers are always ready to share their years-long expertise of the most popular content management system with you. Get in touch with us for any WP-related task, from building a custom theme to performance optimization and website maintenance. 


Dmytro Mashchenko

Dmytro is the CEO of GetDevDone, an experienced web developer, and a prolific author of in-depth technology and business-related posts. He is always eager to share his years-long expertise with everyone who wants to succeed in the web development field.

For more professional insights from Dmytro, connect with him on LinkedIn.