Read this post to learn about the basics of accessing and editing the all-important WordPress .htaccess file for better performance and security.
If you own a small design and web development agency that provides WordPress website building services, you probably know how crucial it is to edit the default WordPress .htaccess file properly to maximize the site’s security and speed. However, editing WordPress .htaccess can be quite challenging, especially if this is something new for you.
Keep reading to learn how to edit the .htaccess file without breaking your website. Note that .htaccess is an Apache mechanism: the rules and configurations in this article are written for Apache, and NGINX ignores .htaccess files completely, so on an NGINX host they have to be translated into the server configuration (there are converters for this).
The .htaccess file is a server configuration file that comprises essential rules for handling and regulating certain things on your website. You can use .htaccess for many useful tasks such as controlling access to website pages, protecting the admin area with a password, improving security, enhancing performance, and redirecting users.
The WordPress .htaccess file lives in the root folder of your WordPress installation. Apache also reads .htaccess files placed in subfolders; the rules there apply to that folder and everything beneath it, which is how you change the behavior of one directory or manage redirects for it.
There are two common reasons why the .htaccess file may not appear in your website’s root folder: your FTP client or file manager hides files whose names start with a dot, or WordPress has not generated the file yet.
To resolve the first issue, enable the display of hidden files in your FTP client. In FileZilla, open the Server menu and choose ‘Force showing hidden files’, then refresh the directory listing.
In WinSCP, the equivalent setting is ‘Show hidden files’ under Options, Preferences, Panels.
As for the second issue, WordPress writes .htaccess when you save your permalink settings. Go to Settings, then Permalinks, and click ‘Save Changes’ without altering anything; WordPress will try to create the file automatically.
However, if the web server user has no write permission on the root directory, WordPress cannot generate .htaccess. In this case, create it yourself: make a plain-text file named .htaccess containing the standard WordPress rewrite block (the lines between the # BEGIN WordPress and # END WordPress markers) and upload it to the root folder.
*Note: If you can’t upload the file, the root directory’s permissions are too restrictive for your FTP user as well. Adjust them, upload the file, and then make sure .htaccess itself is not world-writable (644 is the usual mode).
Now that you have found or created the WordPress .htaccess file, you can start editing it. First, though, make sure you’ve made its backup copy. Without this step, you risk losing the original content if something goes wrong while you edit it.
To make a backup of the .htaccess file, download a copy from your site’s root folder and give the copy a distinct name (for example .htaccess.bak) so that you won’t confuse it with the live file. Store the copy outside the web root: a backup left in a web-accessible folder can be downloaded by anyone and reveals your rules, including any IP allowlists. If the editing goes well, you can delete the backup. If something goes awry, upload the backup over the broken file to return to the working configuration. (The /wp-content/htaccess-editor-backups/ folder is where the Htaccess File Editor plugin, covered at the end of this post, keeps its own backups.)
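The create-if-missing and backup steps above, as an added example that is not code from the article or from WordPress: a small Python helper that writes the default WordPress rewrite block when the file is absent, backs the live file up to a directory of your choosing outside the web root, and swaps in new content atomically so Apache never reads a half-written file. The directory names in the demonstration are assumptions.

```python
"""Create, back up and atomically replace a WordPress .htaccess file.

Added example for this article, not code from the post or from WordPress
itself. It assumes a POSIX file system, that `root` is the WordPress
installation directory (the one holding wp-config.php), and that
`backup_dir` is a directory of your choosing outside the web root. Paths
used in the demonstration are constructed.
"""
import os
import shutil
import tempfile
import time
from pathlib import Path

# The rewrite block WordPress itself writes for "pretty" permalinks. This is what
# you recreate by hand when WordPress cannot write the file because of permissions.
DEFAULT_WP_HTACCESS = """# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""


def ensure_htaccess(root: Path) -> Path:
    """Create the default .htaccess in root if it does not exist; return its path."""
    target = root / ".htaccess"
    if not target.exists():
        target.write_text(DEFAULT_WP_HTACCESS)
        os.chmod(target, 0o644)  # readable by the server, writable only by the owner
    return target


def backup_htaccess(root: Path, backup_dir: Path) -> Path:
    """Copy the live .htaccess to a time-stamped file in backup_dir and return its path.

    backup_dir should live outside the document root: a copy of your rules (IP
    allowlists, internal paths) left in a web-served folder can be downloaded by anyone.
    """
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S") + f"-{time.time_ns() % 1_000_000_000:09d}"
    dst = backup_dir / f"htaccess.{stamp}.bak"  # distinct name, never confused with the live file
    shutil.copy2(root / ".htaccess", dst)
    return dst


def replace_htaccess(root: Path, backup_dir: Path, new_content: str) -> Path:
    """Back up the current file, then install new_content atomically.

    Writing into .htaccess in place would let Apache read a half-written file and
    answer 500s until the write finishes; writing a temporary file in the same
    directory and renaming it over the target is atomic on POSIX. Returns the backup path.
    """
    backup = backup_htaccess(root, backup_dir)
    fd, tmp_name = tempfile.mkstemp(prefix=".htaccess.", dir=root)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(new_content)
        os.chmod(tmp_name, 0o644)
        os.replace(tmp_name, root / ".htaccess")
    except BaseException:
        os.unlink(tmp_name)  # never leave stray temp files in the web root
        raise
    return backup


def restore_htaccess(root: Path, backup: Path) -> None:
    """Roll back to a backup, e.g. when the site starts answering HTTP 500 after an edit."""
    shutil.copy2(backup, root / ".htaccess")


if __name__ == "__main__":
    # Constructed demonstration in a temporary directory.
    base = Path(tempfile.mkdtemp())
    site_root = base / "public_html"
    site_root.mkdir()
    backups = base / "htaccess-backups"  # assumed location, outside public_html
    ensure_htaccess(site_root)
    saved = replace_htaccess(site_root, backups, DEFAULT_WP_HTACCESS + "\nOptions -Indexes\n")
    print("backup at", saved)
    restore_htaccess(site_root, saved)
```

On a shared host you would run this over SSH with `root` pointing at public_html; the same sequence (back up, write temp, rename, verify, restore on 500) is what you do by hand in an FTP client, only without the atomic rename.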
You can edit the default .htaccess file in your root directory. This requires using the file manager of your WordPress hosting provider or an FTP client such as FileZilla or WinSCP.
Start with logging into your web hosting account. Then, open the ‘public_html’ folder and find the .htaccess file in the WordPress installation. Click on the ‘View/Edit’ option to open the file in your preferred text editor and make the required changes.
You can also make a copy of the .htaccess file and edit it in your local system. Once you are done with making the changes, you can replace the live version using an FTP client or file manager.
301 Redirect
A 301 Redirect is a permanent redirect that tells search engines that the URL, folder, page, or website has been moved to another location. Here’s the rule that allows redirecting oldpage.html to newpage.html:
Redirect 301 /oldpage.html http://www.yourwebsite.com/newpage.html
A 302 Redirect is a temporary redirect. To apply it, add the following rule to .htaccess:
Redirect 302 /oldpage.html http://www.yourwebsite.com/newpage.html
Once you apply this rule, all visitors who reach example.com are redirected to www.example.com (use https:// in the target if your site runs over HTTPS, otherwise they get redirected twice):
RewriteEngine on
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301]
This WordPress .htaccess rule has the opposite effect: it sends visitors who arrive at www.example.com to example.com:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^(.*)$ http://example.com/$1 [L,R=301]
Add the following rule to the WordPress .htaccess file to force every visitor from HTTP onto HTTPS. The active condition is the one for a server that terminates TLS itself; the commented alternative is for a site behind a load balancer or CDN that terminates TLS and forwards plain HTTP to Apache. Do not use the X-Forwarded-Proto variant on a directly exposed server: that header is supplied by the client, so anyone can send X-Forwarded-Proto: https and skip the redirect.
RewriteEngine On
# Direct server: HTTPS is set by Apache itself and cannot be spoofed by the client
RewriteCond %{HTTPS} off
# Behind a TLS-terminating proxy that sets this header, use this condition instead:
# RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
This rule in .htaccess for WordPress does the opposite of the previous one: it sends visitors from HTTPS back to plain HTTP. Think twice before using it, because it strips transport encryption from every visitor, and login cookies sent over the resulting HTTP connection can be read on the network. As above, the X-Forwarded-Proto condition only makes sense behind a proxy that sets the header; on a directly exposed server use RewriteCond %{HTTPS} on instead.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} ^https$
RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
To serve the site from a subdirectory while visitors keep using the domain’s root URL (an internal rewrite, not a visible redirect), add the following rule to the WordPress .htaccess file in the root folder, replacing subdir with the real folder name in both places:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteCond %{REQUEST_URI} !^/subdir/
RewriteRule ^(.*)$ /subdir/$1 [L]
If you need to redirect a visitor from one domain to another, use the following .htaccess rule:
Redirect 301 / http://www.mynewwebsite.com/
You can also edit the .htaccess file to protect WordPress directories and files on the server.
Considering that the .htaccess file can potentially control the entire site, preventing visitors from reading it over HTTP is crucial. Apache’s default configuration already denies access to files whose names start with .ht, but making it explicit protects you on hosts with a non-default setup. The rule below blocks web access to .htaccess, .htpasswd and any other file whose name contains ‘.hta’. A note on syntax: the Order/Deny directives used throughout this article are Apache 2.2 style; Apache 2.4 still accepts them through mod_access_compat, which most hosts load, but the native 2.4 equivalent of ‘deny from all’ is ‘Require all denied’.
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
Another file that needs to be secured is wp-config.php. It contains the hosting and database credentials along with other sensitive data. Add the following rule to prevent hackers from accessing this file:
<files wp-config.php>
order allow,deny
deny from all
</files>
To protect your .htaccess file along with error logs, wp-config.php, and php.ini files in a single rule, use the following:
<FilesMatch "^.*(error_log|wp-config\.php|php\.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all
</FilesMatch>
The rule assumes your PHP configuration file is called php.ini. If your host uses a different name (for example php5.ini or .user.ini), add it to the pattern; otherwise that file stays readable.
If you connect from a static IP address, you can restrict the login page and admin dashboard to your own addresses with this rule. Replace the example addresses (taken from the documentation range) with yours, keeping the backslash before each dot so it is matched literally. The ErrorDocument lines disguise the resulting 403 as a 404, so probing bots learn less:
ErrorDocument 401 /path-to-your-site/index.php?error=404
ErrorDocument 403 /path-to-your-site/index.php?error=404
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# example addresses; replace with your own, one condition per allowed address
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.11$
RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.7$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
Two caveats. If your site sits behind a CDN, load balancer or reverse proxy, REMOTE_ADDR is the proxy’s address rather than the visitor’s, and the rule will either lock everyone out or let everyone in. And the wp-admin condition only matches the bare /wp-admin path, so the real protection comes from blocking wp-login.php, through which every browser login must pass.
If you or any of your clients use dynamic IP addresses or run a Multisite network, but still want to slow down bots that POST guessed or stolen credentials to the login form, add the following rule instead. It rejects POST requests to wp-login.php and wp-admin whose Referer header does not point at your own site. Be realistic about what it buys you: the Referer header is set by the client and any purpose-built bot can fake it, and browsers or privacy extensions that strip Referer will be locked out. It is a filter for lazy automation, not authentication.
ErrorDocument 401 /path-to-your-site/index.php?error=404
ErrorDocument 403 /path-to-your-site/index.php?error=404
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
# match both http:// and https:// referers, otherwise an HTTPS site blocks its own logins
RewriteCond %{HTTP_REFERER} !^https?://(.*)?your-site\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]
</IfModule>
wp-content is the directory that holds themes, plugins, media, and cached files, and it is where attackers most often try to drop or reach PHP files. To limit what can be requested from it directly, create a separate .htaccess file in the wp-content folder and paste the following code into it. It denies everything and then allows only the static file types listed, so extend the list with every type your site actually serves (web fonts, WebP images, PDFs, video and so on); otherwise those assets will start returning 403 errors. Some plugins also expect to be called directly at a .php URL and will stop working, so test after deploying:
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>
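Before deploying that wp-content rule it pays to know which files it will start blocking. The following Python audit is an added example, not code from the article or from WordPress: it walks a wp-content tree with the same regex Apache evaluates, lists the extensions that would be denied, proposes additions that are not PHP-like, and renders the resulting .htaccess. The sample tree it builds is constructed. The `(?i)` it adds to the rendered rule makes the match case-insensitive, which the rule above is not on Linux hosts (a photo.JPG would be blocked while photo.jpg is served).

```python
"""Find out which files an extension allowlist in wp-content/.htaccess would block.

Added example for this article, not code from the post or from WordPress.
The wp-content rule denies everything except a handful of static file
types; this script walks a wp-content tree, reports the types that would
start returning 403, suggests a safe extension of the list (never PHP-like
extensions) and renders the resulting .htaccess. The directory tree in
demo() is constructed for the demonstration.
"""
import re
from collections import Counter
from pathlib import Path
from typing import Dict, Iterable, List

# The six types the article's rule allows, exactly as they appear in its <Files ~ "..."> regex.
BASE_EXTENSIONS = ["xml", "css", "jpe?g", "png", "gif", "js"]

# Anything PHP will execute if the server is misconfigured; these must never be allowed
# from wp-content no matter how many of them the scan finds.
EXECUTABLE = re.compile(r"^(php\d*|phtml|phar|phps|pht)$", re.IGNORECASE)


def build_allowlist(extensions: Iterable[str], ignore_case: bool = True) -> re.Pattern:
    """Compile the regex Apache evaluates for the <Files ~ ...> allowlist.

    Apache regexes are case-sensitive unless the pattern starts with (?i); pass
    ignore_case=False to audit a rule written without it.
    """
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile(r"\.(" + "|".join(extensions) + r")$", flags)


def blocked_files(wp_content: Path, allow: re.Pattern) -> Dict[str, int]:
    """Count files under wp_content that the allowlist would deny, grouped by extension."""
    counts: Counter = Counter()
    for path in wp_content.rglob("*"):
        if not path.is_file() or path.name == ".htaccess":
            continue
        if not allow.search(path.name):
            counts[path.suffix.lstrip(".")] += 1  # '' for files without an extension
    return dict(counts)


def suggest_extensions(blocked: Dict[str, int], base: Iterable[str] = BASE_EXTENSIONS) -> List[str]:
    """Extensions worth adding: found, not executable, and not already covered case-insensitively."""
    covered = build_allowlist(base, ignore_case=True)
    found = {ext.lower() for ext in blocked if ext}
    return sorted(
        ext for ext in found
        if not EXECUTABLE.match(ext) and not covered.search("f." + ext)
    )


def render_htaccess(extensions: Iterable[str]) -> str:
    """Render the wp-content .htaccess from the article with the given allowlist."""
    alternatives = "|".join(extensions)
    return (
        "Order deny,allow\n"
        "Deny from all\n"
        # (?i): serve photo.JPG like photo.jpg instead of returning 403 for it
        f'<Files ~ "(?i)\\.({alternatives})$">\n'
        "Allow from all\n"
        "</Files>\n"
    )


def demo(root: Path) -> Dict[str, int]:
    """Build a constructed wp-content tree under root and audit it against the article's rule."""
    files = [
        "uploads/2024/01/photo.JPG", "uploads/2024/01/photo.webp", "uploads/brochure.pdf",
        "uploads/2024/02/backdoor.php", "themes/mytheme/style.css", "themes/mytheme/fonts/ui.woff2",
        "themes/mytheme/functions.php", "plugins/example/example.php", "plugins/example/icon.svg",
    ]
    for rel in files:
        target = root / "wp-content" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("constructed sample\n")
    # Audit exactly what the article's rule does: case-sensitive, six types.
    return blocked_files(root / "wp-content", build_allowlist(BASE_EXTENSIONS, ignore_case=False))


if __name__ == "__main__":
    import tempfile
    blocked = demo(Path(tempfile.mkdtemp()))
    print("would be blocked:", blocked)
    extra = suggest_extensions(blocked)
    print(render_htaccess(BASE_EXTENSIONS + extra))
```

Run it against a copy of your real wp-content before deploying; the three .php hits in the demo are exactly what you want the rule to keep blocking, while the PDF, WebP, font and SVG files are what it would break. Whether to serve uploaded SVG at all is a separate decision, since SVG can carry script.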
The wp-includes directory is the second core WordPress folder. It contains files and folders required for your website to function, and none of its PHP files are meant to be requested directly by a browser. The following rule, from the WordPress hardening documentation, blocks such direct requests. If you run a Multisite network, remove the line that blocks ^wp-includes/[^/]+\.php$, because Multisite serves uploaded files through wp-includes/ms-files.php:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
Since attackers who manage to write a PHP file into a plugin or theme directory will try to call it directly, it is worth blocking direct requests for PHP files under wp-content/plugins and wp-content/themes. WordPress loads these files through index.php, so normal operation is unaffected; only plugins that expose their own .php endpoints need the exclusion lines, which are placeholders to be replaced with the real paths (or deleted):
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]
In addition to restricting direct access to existing PHP files, you can prevent PHP execution in the uploads folder altogether. If an attacker does manage to upload a PHP file there (through a vulnerable upload form, for instance), the server will refuse to serve it, so the upload is useless to them.
Note that <Directory> blocks are not allowed inside .htaccess (Apache answers every request with a 500 error when it meets one), so this rule goes into a separate .htaccess file that you create inside wp-content/uploads:
# wp-content/uploads/.htaccess
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
Order Deny,Allow
Deny from All
</FilesMatch>
If you have access to the main server configuration, the same block can be wrapped in <Directory "/var/www/wp-content/uploads/"> (with your real path) in httpd.conf or the virtual host file instead.
Some automated attacks still try to override PHP’s GLOBALS and _REQUEST arrays through the query string (a technique from the register_globals era) or to inject <script> tags into URL parameters. A cheap filter in .htaccess rejects such requests before PHP sees them. Treat it as noise reduction rather than a web application firewall: it matches only the literal patterns below and is trivially bypassed with different encodings. The Options line enables symlink following, which mod_rewrite requires; if your host does not permit Options in .htaccess, remove it to avoid a 500 error.
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
By modifying the WordPress .htaccess file, you can also block an individual IP address. If a particular address keeps spamming your comment forms or probing your login page (comment IPs are shown in the WordPress admin panel; for login attempts you need your server’s access log or a security plugin), add it to the rule below to deny it access to the whole site. ‘deny from’ also accepts a network in CIDR notation, such as 203.0.113.0/24. Do not wrap the rule in <Limit GET POST> as is sometimes suggested: that leaves other request methods such as OPTIONS or PUT unrestricted. And as with the IP allowlist above, this only works when REMOTE_ADDR is the visitor’s real address, i.e. your site is not behind a CDN or proxy:
order allow,deny
deny from INSERT_IP_ADDRESS_HERE
allow from all
Deny Access to Certain Files
If you want to restrict access to certain files, use the following .htaccess rule:
<files your-file-name.txt>
order allow,deny
deny from all
</files>
When a folder has no index file (wp-content/uploads is the usual case), Apache’s default configuration shows a listing of its contents to anyone who requests the folder URL. That tells an attacker exactly which plugins, themes and uploaded files you have, including version strings to look up exploits for. Turn directory listings off by adding the following line. Use Options -Indexes rather than Options All -Indexes: setting All is refused by hosts that restrict Options overrides and fails with a 500 error.
Options -Indexes
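Once the rules in this section are in place, check from outside that they actually take effect: a directive can be silently ignored when the host’s AllowOverride excludes it, or a typo can make the whole site answer 500. The following Python script is an added example, not code from the article or from WordPress. It requests the sensitive paths the rules above protect and compares the status codes with what they should return, including a probe for the client-supplied X-Forwarded-Proto bypass of the HTTPS redirect discussed earlier. The host name, paths and expected codes are assumptions for a standard layout and need adjusting to your installation; the comparison logic is pure and is what the offline demonstration exercises.

```python
"""Check from the outside that the .htaccess hardening rules actually apply.

Added example for this article, not code from the post or from WordPress.
It requests a handful of sensitive URLs and compares the HTTP status codes
with what the rules should produce. The host name, the paths and the
expected codes in CHECKS are assumptions about a standard WordPress layout;
adjust them to your installation. evaluate() is pure so it can be
exercised offline, as demo() does with constructed results.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Check:
    name: str                 # short label used as the result key
    path: str                 # request path relative to the site root
    expect: Tuple[int, ...]   # acceptable status codes
    why: str                  # which .htaccess rule this exercises
    scheme: str = "https"
    headers: Optional[Dict[str, str]] = None  # extra request headers


CHECKS: Tuple[Check, ...] = (
    Check("wp-config", "/wp-config.php", (403,), "<files wp-config.php> deny"),
    Check("htaccess", "/.htaccess", (403,), ".hta* files denied"),
    Check("php-ini", "/php.ini", (403, 404), "FilesMatch deny (404 if the file does not exist)"),
    Check("wp-includes", "/wp-includes/version.php", (403,), "direct wp-includes PHP blocked"),
    Check("uploads-php", "/wp-content/uploads/probe.php", (403, 404),
          "no PHP served from uploads (404 if no such file, 403 with the uploads .htaccess)"),
    Check("uploads-index", "/wp-content/uploads/", (403,), "Options -Indexes: no directory listing"),
    Check("wp-login", "/wp-login.php", (403,),
          "admin IP allowlist; run this from an address that is NOT on the list"),
    Check("http-redirect", "/", (301,), "plain HTTP must redirect to HTTPS", scheme="http"),
    Check("xfp-spoof", "/", (301,), "a client-supplied X-Forwarded-Proto must not skip the redirect",
          scheme="http", headers={"X-Forwarded-Proto": "https"}),
)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses as HTTPError instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status(host: str, check: Check, timeout: float = 10.0) -> int:
    """Return the HTTP status code the server answers for one check (needs network access)."""
    url = f"{check.scheme}://{host}{check.path}"
    req = urllib.request.Request(url, headers=check.headers or {}, method="GET")
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code  # 3xx/4xx/5xx are results here, not failures


def evaluate(observed: Dict[str, int], checks: Tuple[Check, ...] = CHECKS) -> List[str]:
    """Compare observed status codes (keyed by check name) with the expectations.

    Returns one message per failed or missing check; an empty list means every rule holds.
    """
    failures = []
    for check in checks:
        got = observed.get(check.name)
        if got is None:
            failures.append(f"{check.name}: no result recorded")
        elif got not in check.expect:
            failures.append(
                f"{check.name} {check.scheme}://<host>{check.path}: got {got}, "
                f"expected one of {check.expect} ({check.why})"
            )
    return failures


def audit(host: str) -> List[str]:
    """Run every check against a live host and return the failures."""
    observed = {check.name: fetch_status(host, check) for check in CHECKS}
    return evaluate(observed)


def demo() -> List[str]:
    """Offline illustration with constructed results: a server whose HTTPS rule uses the
    proxy-only X-Forwarded-Proto condition and whose wp-config.php is readable."""
    observed = {check.name: check.expect[0] for check in CHECKS}  # everything as it should be
    observed["xfp-spoof"] = 200    # constructed: the spoofed header skipped the redirect
    observed["wp-config"] = 200    # constructed: configuration file served to the client
    return evaluate(observed)


if __name__ == "__main__":
    for line in demo():
        print(line)
    # Against a real site (assumed host name): print(audit("www.example.com"))
```

Run `audit()` from a machine that is not on your admin allowlist, otherwise the wp-login check passes for the wrong reason. A 200 on the xfp-spoof check means the HTTPS redirect relies on a header any client can set; switch to the `%{HTTPS} off` condition unless a proxy in front of Apache overwrites X-Forwarded-Proto.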
Another benefit of editing the WordPress .htaccess file is that it allows you to enhance your website’s performance.
Editing .htaccess to improve a website’s performance is like putting the cherry on the cake. Do it at the final tuning stage.
Dmitriy K., WordPress Lead Developer at GetDevDone with over 10 years of experience
The browser cache stores files that your browser downloads to render your website properly. These may be HTML, CSS, and JavaScript files, as well as multimedia content such as images. By modifying the WordPress .htaccess file, you can set rules that determine how long particular file types should be cached. Long lifetimes for CSS and JavaScript are safe only because WordPress appends a version query string to the asset URLs it enqueues, so an updated file gets a new URL; if you reference assets by hand, change the file name or version whenever the content changes, or visitors will keep using the stale copy for up to a year:
<IfModule mod_expires.c>
ExpiresActive on
ExpiresDefault "access plus 1 month"
# CSS
ExpiresByType text/css "access plus 1 year"
# Data interchange
ExpiresByType application/json "access plus 0 seconds"
ExpiresByType application/xml "access plus 0 seconds"
ExpiresByType text/xml "access plus 0 seconds"
# Favicon (cannot be renamed!)
ExpiresByType image/x-icon "access plus 1 week"
# HTML components (HTCs)
ExpiresByType text/x-component "access plus 1 month"
# HTML
ExpiresByType text/html "access plus 0 seconds"
# JavaScript
ExpiresByType application/javascript "access plus 1 year"
# Manifest files
ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
ExpiresByType text/cache-manifest "access plus 0 seconds"
# Media
ExpiresByType audio/ogg "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType video/mp4 "access plus 1 month"
ExpiresByType video/ogg "access plus 1 month"
ExpiresByType video/webm "access plus 1 month"
# Web feeds
ExpiresByType application/atom+xml "access plus 1 hour"
ExpiresByType application/rss+xml "access plus 1 hour"
# Web fonts (legacy and current media types; current Apache mime.types files use font/woff and font/woff2)
ExpiresByType application/font-woff2 "access plus 1 month"
ExpiresByType application/font-woff "access plus 1 month"
ExpiresByType font/woff2 "access plus 1 month"
ExpiresByType font/woff "access plus 1 month"
ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
ExpiresByType application/x-font-ttf "access plus 1 month"
ExpiresByType font/ttf "access plus 1 month"
ExpiresByType font/opentype "access plus 1 month"
ExpiresByType image/svg+xml "access plus 1 month"
</IfModule>
Gzip is an effective compression algorithm. It reduces the size of text responses by finding repeated strings and replacing them with short back-references, which makes HTML, CSS and JavaScript considerably smaller on the wire. Many hosting providers enable it by default as a load speed optimization. If it is not active on yours, add the following rule. One security note: compressing an HTTPS response that mixes a secret (such as a form nonce) with text an attacker can influence enables compression side-channel attacks (BREACH). For most WordPress sites this is an accepted trade-off, but it is a reason to compress only the content types you actually need:
<IfModule mod_deflate.c>
# Compress HTML, CSS, JavaScript, Text, XML and fonts
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
# Work around compression bugs in very old browsers (Netscape 4.x); harmless to keep
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# Tell caches that the response varies by User-Agent (requires mod_headers)
<IfModule mod_headers.c>
Header append Vary User-Agent
</IfModule>
</IfModule>
Hotlinking is when another site embeds images directly from your server, so your bandwidth pays for their page views. The rule below refuses image requests whose Referer header names a different site. Requests with an empty Referer are deliberately allowed, because many browsers, privacy tools and email clients send none and blocking them would break legitimate visitors; since Referer is client-controlled, this is a bandwidth measure, not a security control:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
The Htaccess File Editor plugin is a convenient way to edit .htaccess from the WordPress dashboard. If you edit the file directly via cPanel or an FTP client, a single typo can take the whole site down with a 500 error. The plugin reduces that risk considerably: it checks your .htaccess for syntax errors before saving it.
Plus, every time you edit the file, the plugin will automatically generate its backup. This means you will be able to restore your website even if there is an error within the .htaccess file.
The .htaccess file plays an essential role in keeping your site accessible and secure. It determines how the server runs and functions, so you should edit it carefully.
The .htaccess file is a server configuration file that allows website administrators to handle important managerial tasks, such as restricting access to certain web pages, strengthening the website security, setting a password to access the admin area, redirecting visitors, and improving performance.
The .htaccess file is placed in the root folder; additional .htaccess files can be placed in subdirectories to change the way those directories behave or to redirect users.
If you don’t find the .htaccess file in your root folder, it usually means that the file manager software hides it or no .htaccess file has been created at all.
We consider Htaccess File Editor to be the most efficient plugin for modifying the .htaccess file. It automatically spots any syntax errors, preventing the file from being corrupted. The plugin also automatically creates backups of the .htaccess file, so that you can easily restore its previous “healthy” version.
Have any questions left? Our WordPress developers are always ready to share their years-long expertise of the most popular content management system with you. Get in touch with us for any WP-related task, from building a custom theme to performance optimization and website maintenance.