28Sep

What Is the WordPress .htaccess File and How to Edit It Without Breaking Your Site

Learn how to locate and edit a .htaccess file in WordPress.

If you own a small design and web development agency that provides WordPress website building services, you probably know how crucial it is to edit the default WordPress .htaccess file properly to maximize the site’s security and speed. However, editing WordPress .htaccess can be quite challenging, especially if this is something new for you. 

Keep reading to learn how to edit the .htaccess file without breaking your website. The rules and configurations in this article work mostly with Apache, but you can also convert .htaccess to NGINX.


Table of Contents 

What is a .htaccess File?
Why Can’t You Find the .htaccess File on Your WordPress Site?
Before Making Any Changes or Why Backup Is Important
How to Edit .htaccess File
.htaccess for Redirects

301 Redirect
302 Redirect
Force URL to www
Force URL to non-www
Force HTTPS
Force HTTP
Domain to Sub-Directory
Redirect a URL

.htaccess for Security

Protect .htaccess
Restrict Access to WordPress Admin Panel
Protect /wp-content/
Protect Include-Only files
PHP File Access Restriction
Disable PHP Execution
Script Injection Protection
Block IP Address
Deny Access to Certain Files
Disable Directory Browsing

.htaccess Rules for Performance

Enable Browser Cache
Enable Gzip Compression
Control/Restrict Image Hotlinking

Plugins to Edit .htaccess


What is a .htaccess File?

The .htaccess file is a server configuration file that comprises essential rules for handling and regulating certain things on your website. You can use .htaccess for many useful tasks such as controlling access to website pages, protecting the admin area with a password, improving security, enhancing performance, and redirecting users. 

The WordPress .htaccess is in the root folder

The WordPress .htaccess file is located in the root folder of your WordPress site. You can also place it in any other folder to change the site’s behavior and manage redirects.

Why Can’t You Find the .htaccess File on Your WordPress Site?

There are several cases when the .htaccess file may not be available in your website’s root folder:

  1. Your file manager software hides it. 
  2. It doesn’t exist.

To resolve the first issue, change your FTP client settings. If you are using the FileZilla FTP program, you can view the .htaccess file in two simple steps:

  1. Find the ‘Server’ option in the menu bar at the top.
  2. Select ‘Force showing hidden files.’
To see .htaccess in WordPress, choose the "Force showing hidden files" option

In WinSCP FTP, 

  1. Select ‘Options’ in the menu bar at the top.
  2. Open the ‘Preferences’ option and select ‘Panels’ from the left column.
  3. Select ‘Show hidden files.’
In the WinSCP FTP tool, choose "Show hidden files." That will reveal the WordPress .htaccess file.

As for the second issue, the system might have not generated the file yet. To fix this problem, go to the ‘Settings’ page and click on ‘Save Changes.’ WordPress will now try to create the .htaccess file automatically.

However, if you have file permission issues, WordPress may not be able to generate .htaccess. In this case, you will need to create it yourself. Follow these steps:

  1. Copy and paste this code into a text editor such as Notepad:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
# /live/ is the path of the WordPress installation below the document root;
# use / here and in the last RewriteRule when WordPress sits in the site root.
RewriteBase /live/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /live/index.php [L]
</IfModule>
# END WordPress
  2. Save the document as a .htaccess file on a local disk.
  3. Use an FTP client to open your site and upload the .htaccess file from your computer.

*Note: If you can’t upload the file, change the file permission for your root directory.

Before Making Any Changes or Why Backup Is Important

Now that you have found or created the WordPress .htaccess file, you can start editing it. First, though, make sure you’ve made its backup copy. Without this step, you risk losing the original content if something goes wrong while you edit it.

To make a backup of the .htaccess file, go to the folder that contains it (/wp-content/htaccess-editor-backups/) and copy the file. Change the name of the copy so that you won’t confuse it with the edited file. If the editing goes well, you can delete the backup. If something goes awry, you can go back to the basic WordPress .htaccess file and change its code.  

How to Edit .htaccess File

You can edit the default .htaccess file in your root directory. This requires using the file manager of your WordPress hosting provider or an FTP client such as FileZilla or WinSCP.

Start with logging into your web hosting account. Then, open the ‘public_html’ folder and find the .htaccess file in the WordPress installation. Click on the ‘View/Edit’ option to open the file in your preferred text editor and make the required changes.

You can also make a copy of the .htaccess file and edit it in your local system. Once you are done with making the changes, you can replace the live version using an FTP client or file manager.
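The backup-then-edit procedure from the two sections above, as an added Python example that is not part of the original article: it backs up .htaccess, installs the new rules, runs a health check you supply, and restores the backup if the check fails. It assumes the site root is a directory the script can write to (a local or SSH-mounted install rather than FTP); the function and file names are this example's own, and demo() runs the whole flow in a throwaway temporary directory.

```python
import os
import shutil
import tempfile
import time
from pathlib import Path
from typing import Callable, Dict, Optional


def backup_htaccess(site_root: Path) -> Optional[Path]:
    """Copy <site_root>/.htaccess to a timestamped sibling; None if there is none."""
    src = site_root / ".htaccess"
    if not src.exists():
        return None
    dst = site_root / f".htaccess.bak-{time.strftime('%Y%m%d-%H%M%S')}"
    shutil.copy2(src, dst)  # copy2 also keeps the file mode and mtime
    return dst


def apply_htaccess(site_root: Path, new_rules: str,
                   health_check: Callable[[], bool]) -> bool:
    """Install new_rules as .htaccess, rolling back if health_check() is False.

    Returns True when the new file is in place and the site passed the check.
    """
    site_root = Path(site_root)
    target = site_root / ".htaccess"
    backup = backup_htaccess(site_root)

    # Write to a temporary file and rename it into place: the rename is
    # atomic, so Apache never reads a half-written .htaccess (a syntax
    # error in that file turns every request on the site into a 500).
    tmp = site_root / ".htaccess.tmp"
    tmp.write_text(new_rules)
    os.replace(tmp, target)

    if health_check():
        return True

    # The check failed: put the previous file back (or remove the new one
    # if there was nothing to restore) and report the failure.
    if backup is not None:
        shutil.copy2(backup, target)
    else:
        target.unlink()
    return False


def demo() -> Dict[str, object]:
    """Exercise both paths in a temporary directory (constructed input, not a real site)."""
    root = Path(tempfile.mkdtemp())
    (root / ".htaccess").write_text("# original rules\n")
    good = apply_htaccess(root, "# good rules\n", lambda: True)
    after_good = (root / ".htaccess").read_text()
    bad = apply_htaccess(root, "# broken rules\n", lambda: False)
    after_bad = (root / ".htaccess").read_text()
    backups = sorted(p.name for p in root.glob(".htaccess.bak-*"))
    shutil.rmtree(root)
    return {"good_applied": good, "after_good": after_good,
            "bad_applied": bad, "after_bad": after_bad, "backups": backups}


if __name__ == "__main__":
    print(demo())
```

On a live site the health check would be a request to the front page, for example a lambda that returns True when urllib.request.urlopen(url).status is 200; a 500 on the first request after the change is the usual symptom of a broken .htaccess, and the rollback then restores the previous file before visitors notice.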

.htaccess for Redirects

301 Redirect

A 301 Redirect is a permanent redirect that tells search engines that the URL, folder, page, or website has been moved to another location. Here’s the rule that allows redirecting oldpage.html to newpage.html:

Redirect 301 /oldpage.html  http://www.yourwebsite.com/newpage.html

302 Redirect

A 302 Redirect is a temporary redirect. To apply it, add the following rule to .htaccess:

Redirect 302 /oldpage.html  http://www.yourwebsite.com/newpage.html

Force URL to www

Once you apply this rule, all the website visitors on example.com will be sent to www.example.com:

RewriteEngine on
RewriteCond %{HTTP_HOST} ^example.com [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301,NC]

Force URL to non-www

This WordPress .htaccess rule has the opposite effect. After you add it, it will force all visitors on www.example.com to use example.com:

RewriteEngine on
RewriteCond %{HTTP_HOST} ^www.example.com [NC]
RewriteRule ^(.*)$ http://example.com/$1 [L,R=301]

Force HTTPS

Add the following rule to the WordPress .htaccess file to force visitors to use HTTPS instead of HTTP for all URLs:

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

This version reads the X-Forwarded-Proto header, which a load balancer, CDN, or other reverse proxy sets when it terminates TLS in front of your server. If Apache terminates TLS itself, that header is never present, the condition is always true, and every request redirects to itself in a loop; in that setup test the HTTPS server variable instead (a condition of %{HTTPS} !=on).

Force HTTP

This rule in .htaccess for WordPress does the opposite of the previous one. It forces website visitors to use HTTP instead of HTTPS (the same X-Forwarded-Proto caveat applies):

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} ^https$
RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

Redirect Domain to Sub-Directory

To redirect the domain’s root URL to the subdirectory of your choice, add the following rule to the WordPress .htaccess file, replacing subdir with the real folder name in both places (the second condition keeps the rule from rewriting requests that are already inside the subdirectory, which would otherwise loop):

RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com$
RewriteCond %{REQUEST_URI} !^/subdir/
RewriteRule (.*) /subdir/$1 [L]

Redirect a URL

If you need to redirect a visitor from one domain to another, use the following .htaccess rule:

Redirect 301 / http://www.mynewwebsite.com/
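A check for the redirect rules in this section, added here as a Python example and not part of the original article: it follows a URL one redirect at a time with a fetch function that does not auto-follow, then reports loops, chains of more than one hop, and hops that are not a permanent 301. http_fetch is for a live site; STUB_SITE is a constructed map (not a real server) modelling a site where the www rule and the HTTPS rule are applied one after the other, which is what produces a two-hop chain.

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

REDIRECT_CODES = {301, 302, 307, 308}

# fetch(url) -> (status, Location header or None), WITHOUT following redirects
Fetch = Callable[[str], Tuple[int, Optional[str]]]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report a redirect instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Real fetch for a live site: one request, no automatic redirect."""
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # raised for 3xx as well as 4xx/5xx
        return err.code, err.headers.get("Location")


def trace_redirects(url: str, fetch: Fetch,
                    max_hops: int = 10) -> Tuple[List[Tuple[str, int]], str]:
    """Follow redirects hop by hop; returns (hops, outcome).

    hops is a list of (url, status); outcome is 'ok', 'loop' or 'too_long'.
    """
    hops: List[Tuple[str, int]] = []
    seen = set()
    while url not in seen and len(hops) < max_hops:
        seen.add(url)
        status, location = fetch(url)
        hops.append((url, status))
        if status not in REDIRECT_CODES or not location:
            return hops, "ok"
        url = location
    return hops, ("loop" if url in seen else "too_long")


def assess(hops: List[Tuple[str, int]], outcome: str) -> List[str]:
    """Turn a trace into findings; an empty list means the redirect is clean."""
    if outcome != "ok":
        return [f"redirect {outcome}: " + " -> ".join(u for u, _ in hops)]
    findings = []
    redirects = [(u, s) for u, s in hops if s in REDIRECT_CODES]
    if len(redirects) > 1:
        findings.append(f"chain of {len(redirects)} redirects; "
                        "combine the rules so one 301 reaches the final URL")
    for u, s in redirects:
        if s != 301:
            findings.append(f"{u} answers {s}, not a permanent 301")
    if hops[-1][1] != 200:
        findings.append(f"final URL {hops[-1][0]} returned {hops[-1][1]}")
    return findings


# Constructed stand-in for a site with separate www and HTTPS rules (not real).
STUB_SITE: Dict[str, Tuple[int, Optional[str]]] = {
    "http://example.com/post": (301, "http://www.example.com/post"),
    "http://www.example.com/post": (301, "https://www.example.com/post"),
    "https://www.example.com/post": (200, None),
    "http://example.com/loop": (301, "http://example.com/loop2"),
    "http://example.com/loop2": (301, "http://example.com/loop"),
}


def stub_fetch(url: str) -> Tuple[int, Optional[str]]:
    return STUB_SITE.get(url, (404, None))


if __name__ == "__main__":
    for start in ("http://example.com/post", "http://example.com/loop"):
        hops, outcome = trace_redirects(start, stub_fetch)
        print(start, outcome, assess(hops, outcome))
```

Two separate rules (www first, then HTTPS) cost every visitor arriving on http://example.com/ an extra round trip and give search engines a chain to follow; a single rule whose substitution is https://www.example.com%{REQUEST_URI}, with both conditions in front of it, reaches the final URL in one 301.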

.htaccess for Security

You can also edit the .htaccess file to protect WordPress directories and files on the server.

Protect .htaccess

Considering that the .htaccess file can potentially control the entire site, protecting it from unauthorized users is crucial. Use this rule to refuse every web request for the file itself (Apache still reads it from disk). The Order/Deny syntax used throughout this article is Apache 2.2 style; Apache 2.4 accepts it only while mod_access_compat is loaded, its native equivalent being Require all denied:

<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

Another file that needs to be secured is wp-config.php. It contains the hosting and database credentials along with other sensitive data. Add the following rule to prevent hackers from accessing this file:

<files wp-config.php>
order allow,deny
deny from all
</files>

To protect your .htaccess file along with error logs, wp-config.php, and php.ini files, use the following rule:

<FilesMatch "^.*(error_log|wp-config\.php|php\.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all
</FilesMatch>

Make sure to name one of your files php.ini.

Restrict Access to WordPress Admin Panel

If you and the other people who administer the site use static IP addresses, you can restrict the admin dashboard and login page to those addresses with this rule:

ErrorDocument 401 /path-to-your-site/index.php?error=404
ErrorDocument 403 /path-to-your-site/index.php?error=404
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# Replace each placeholder with one address written as a regular expression,
# dots escaped, e.g. !^203\.0\.113\.10$ (203.0.113.0/24 is a documentation range).
RewriteCond %{REMOTE_ADDR} !^IP Address One$
RewriteCond %{REMOTE_ADDR} !^IP Address Two$
RewriteCond %{REMOTE_ADDR} !^IP Address Three$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

If you or any of your clients use dynamic IP addresses or a Multisite network, but still want to protect your site from bots that post to the login page or the admin dashboard to guess your users’ login details, add the following rule instead. It rejects POST requests whose Referer is not your own site; because the Referer header is set by the client, this stops untargeted bots but not an attacker who sends the header deliberately:

ErrorDocument 401 /path-to-your-site/index.php?error=404
ErrorDocument 403 /path-to-your-site/index.php?error=404
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^http://(.*)?your-site.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]
</IfModule>

Protect /wp-content/

wp-content is the directory that contains themes, plugins, media, and cached files. It is the main target for hackers and spammers, so they will always search for ways to access it. To secure wp-content from unauthorized access, create a separate .htaccess file in the wp-content folder and paste the following code into it. Everything in the folder is then refused except the static file types listed in the Files block, so extend that list (for example with woff and woff2) if your theme serves web fonts or other asset types from wp-content:

Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>

Protect Include-Only files

The wp-includes folder is the second core WordPress folder. It contains files and folders required for your website to function properly. Using this rule, you can block all direct requests for the PHP files in your wp-includes directory (this set is not suited to a Multisite network, where blocking wp-includes/ms-files.php stops it from serving uploaded images):

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

PHP File Access Restriction

Since hackers can use PHP files to infect your site with malicious code, it is crucial to block direct access to the PHP files under the plugins and themes folders. The two RewriteCond lines before each rule are exceptions: list there any plugin or theme file (or whole directory) that must stay reachable directly, such as a plugin’s own Ajax endpoint, replacing the placeholder paths with the real ones:

RewriteEngine On
# exceptions for plugin files that must remain directly accessible
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
# exceptions for theme files that must remain directly accessible
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]

Disable PHP Execution

In addition to restricting direct access to your PHP files, you can block their execution in the uploads folder. If a hacker does break into your site and manages to upload a PHP file with malicious code inside, the server will refuse to run it.

To prevent the execution of PHP files within the uploads folder, create a separate .htaccess file inside wp-content/uploads with the following code. (A <Directory> section cannot be used for this: it is only allowed in the main server configuration, and placing one in a .htaccess file makes Apache answer every request in that folder with an internal server error.)

<Files "*.php">
Order Deny,Allow
Deny from All
</Files>

Script Injection Protection

Hackers often try to overwrite PHP’s GLOBALS and _REQUEST variables, or to inject script tags, through the query string. There is an efficient way to prevent this. Add the following code to the .htaccess file (the backslashes before [ and % are required: without them the bracket opens a character class and the rule blocks any query string that merely contains the word GLOBALS or _REQUEST):

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
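To see what the three conditions above actually match, here is an added Python example (not from the article) that compiles the same patterns with Python’s re module, which accepts them unchanged, and runs them over constructed query strings. Apache applies the conditions to the raw, still URL-encoded query string, so the samples are written that way too; the last sample shows a false positive the rule produces on harmless HTML that happens to contain the letters "script".

```python
import re

# The three RewriteCond patterns from the rule, unchanged. Only the first
# carries the [NC] flag, so only it is compiled case-insensitively.
PATTERNS = [
    re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE),
    re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})"),
    re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})"),
]


def is_blocked(query_string: str) -> bool:
    """True when Apache would answer 403: the three conditions are OR-ed."""
    return any(p.search(query_string) for p in PATTERNS)


# Constructed query strings, written as Apache sees them (raw, before
# URL-decoding), which is why the rule tests for both '<' and '%3C'.
SAMPLES = {
    "q=<script>alert(1)</script>": True,
    "q=%3Cscript%3Ealert(1)%3C/script%3E": True,
    "GLOBALS[admin]=1": True,
    "_REQUEST%5Bq%5D=1": True,          # %5B is an encoded '['
    "s=GLOBALSEARCH": False,            # 'GLOBALS' not followed by '=', '[' or '%'
    "p=123&preview=true": False,
    "q=scripting+tips": False,          # no '<' ... '>' around the word
    "q=<b>description</b>": True,       # false positive: 'script' inside 'description'
}


def classify(samples=SAMPLES) -> dict:
    """Map each query string to whether the rule blocks it."""
    return {q: is_blocked(q) for q in samples}


if __name__ == "__main__":
    for query, blocked in classify().items():
        print("BLOCK" if blocked else "allow", query)
```

The false positive is worth knowing about before deploying the rule on a site whose search or comment forms accept HTML: any query string containing a tag followed later by the letters "script" and a closing bracket is refused, which is the price of a pattern this broad.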

Block IP Address

By modifying the WordPress .htaccess file, you can also block an IP address. If someone continuously spams your website or makes hacking attempts, you will see their IP address in the WordPress admin panel. Simply add this address to the rule below. This way you will deny them access to your site:

<Limit GET POST>
order allow,deny
deny from INSERT_IP_ADDRESS_HERE
allow from all
</Limit>

Deny Access to Certain Files

If you want to restrict access to certain files, use the following .htaccess rule:

<files your-file-name.txt>
order allow,deny
deny from all
</files>

Disable Directory Browsing

Unless directory listing is disabled, a visitor who requests a folder that has no index file (for example /wp-content/uploads/) is shown a list of everything in it, which hands an attacker file names, plugin versions, and forgotten backups to go after. Block listings by adding the following line:

Options All -Indexes

If your host only allows certain options to be changed from .htaccess, Options All is rejected and the site answers with an internal server error; in that case use Options -Indexes on its own, which needs only the Indexes option to be overridable.
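A way to verify from outside that the rules in this section are actually applied: an added Python example, not part of the original article, that requests the paths these rules protect and checks the answers. The function and path names are this example’s own; the stub responses in HARDENED and EXPOSED are constructed, not captured from any site, and http_fetch is used only when you point audit() at a real base URL.

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# fetch(url) -> (status, start of the body as text)
Fetch = Callable[[str], Tuple[int, str]]

# Paths the rules above must refuse with a 403 (a 404 means the rule is
# missing: Apache's access check runs before it looks for the file).
FORBIDDEN: List[Tuple[str, str]] = [
    ("/.htaccess", "Protect .htaccess"),
    ("/wp-config.php", "Protect wp-config.php"),
    ("/wp-includes/version.php", "Protect Include-Only files"),
    ("/wp-content/uploads/probe-does-not-exist.php", "Disable PHP Execution"),
]
# Folders without an index file: a 200 carrying an autoindex page means listing is on.
LISTABLE = ["/wp-content/uploads/", "/wp-includes/"]


def http_fetch(url: str) -> Tuple[int, str]:
    """Fetch from a live site; 4xx/5xx answers are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "htaccess-audit"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("utf-8", "replace")


def audit(base_url: str, fetch: Fetch = http_fetch) -> Dict[str, bool]:
    """Map each rule's name to True (in effect) or False (not in effect)."""
    base = base_url.rstrip("/")
    results: Dict[str, bool] = {}
    for path, rule in FORBIDDEN:
        status, _ = fetch(base + path)
        results[rule] = status == 403
    for path in LISTABLE:
        status, body = fetch(base + path)
        results["Disable Directory Browsing " + path] = not (status == 200 and "Index of" in body)
    return results


# Constructed stand-ins (not captured from any real site): one server with
# every rule applied, one with none of them.
STUB_BASE = "https://www.example.com"
HARDENED = {path: (403, "Forbidden") for path, _ in FORBIDDEN}
HARDENED.update({path: (403, "Forbidden") for path in LISTABLE})
EXPOSED = {
    "/.htaccess": (200, "RewriteEngine On"),
    "/wp-config.php": (200, ""),  # PHP ran and printed nothing, but the request was allowed
    "/wp-includes/version.php": (200, ""),
    "/wp-content/uploads/probe-does-not-exist.php": (404, "Not Found"),
    "/wp-content/uploads/": (200, "<title>Index of /wp-content/uploads</title>"),
    "/wp-includes/": (200, "<title>Index of /wp-includes</title>"),
}


def stub_fetch(site: Dict[str, Tuple[int, str]]) -> Fetch:
    """Build a fetch() that answers from a dict of path -> (status, body)."""
    return lambda url: site.get(url[len(STUB_BASE):], (404, "Not Found"))


if __name__ == "__main__":
    for name, site in (("hardened", HARDENED), ("exposed", EXPOSED)):
        print(name, audit(STUB_BASE, stub_fetch(site)))
```

Run audit("https://your-site.example") after every .htaccess change and keep the output with the backup: a rule that silently stopped applying (for example after a hosting migration that changed AllowOverride) shows up as a False long before anyone abuses it.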

.htaccess Rules for Performance

Another benefit of editing the WordPress .htaccess file is that it allows you to enhance your website’s performance.

Editing .htaccess to improve a website’s performance is like putting the cherry on the cake. Do it at the final tuning stage.

Dmitriy K., WordPress Lead Developer at PSD2HTML with over 10 years of experience

Enable Browser Cache

The browser cache stores files that your browser downloads to render your website properly. These may be HTML, CSS, and JavaScript files, as well as diverse multimedia content such as images. By modifying the WordPress .htaccess file, you can set these rules to determine how long particular files should be cached:

<IfModule mod_expires.c>
    ExpiresActive on
    ExpiresDefault                                    "access plus 1 month"
    # CSS
    ExpiresByType text/css                            "access plus 1 year"
    # Data interchange
    ExpiresByType application/json                    "access plus 0 seconds"
    ExpiresByType application/xml                     "access plus 0 seconds"
    ExpiresByType text/xml                            "access plus 0 seconds"
    # Favicon (cannot be renamed!)
    ExpiresByType image/x-icon                        "access plus 1 week"
    # HTML components (HTCs)
    ExpiresByType text/x-component                    "access plus 1 month"
    # HTML
    ExpiresByType text/html                           "access plus 0 seconds"
    # JavaScript
    ExpiresByType application/javascript              "access plus 1 year"
    # Manifest files
    ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
    ExpiresByType text/cache-manifest                 "access plus 0 seconds"
    # Media
    ExpiresByType audio/ogg                           "access plus 1 month"
    ExpiresByType image/gif                           "access plus 1 month"
    ExpiresByType image/jpeg                          "access plus 1 month"
    ExpiresByType image/png                           "access plus 1 month"
    ExpiresByType video/mp4                           "access plus 1 month"
    ExpiresByType video/ogg                           "access plus 1 month"
    ExpiresByType video/webm                          "access plus 1 month"
    # Web feeds
    ExpiresByType application/atom+xml                "access plus 1 hour"
    ExpiresByType application/rss+xml                 "access plus 1 hour"
    # Web fonts
    ExpiresByType application/font-woff2              "access plus 1 month"
    ExpiresByType application/font-woff               "access plus 1 month"
    ExpiresByType application/vnd.ms-fontobject       "access plus 1 month"
    ExpiresByType application/x-font-ttf              "access plus 1 month"
    ExpiresByType font/opentype                       "access plus 1 month"
    ExpiresByType image/svg+xml                       "access plus 1 month"
</IfModule>

Enable Gzip Compression

Gzip is an effective compression algorithm. It can reduce the overall file size by locating and temporarily replacing similar strings within a text file. Many hosting providers use Gzip by default as a load speed optimization tool. If it is not included in your .htaccess, you can add the following rule:

<IfModule mod_deflate.c>
 # Compress HTML, CSS, JavaScript, Text, XML and fonts
 AddOutputFilterByType DEFLATE application/javascript
 AddOutputFilterByType DEFLATE application/rss+xml
 AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
 AddOutputFilterByType DEFLATE application/x-font
 AddOutputFilterByType DEFLATE application/x-font-opentype
 AddOutputFilterByType DEFLATE application/x-font-otf
 AddOutputFilterByType DEFLATE application/x-font-truetype
 AddOutputFilterByType DEFLATE application/x-font-ttf
 AddOutputFilterByType DEFLATE application/x-javascript
 AddOutputFilterByType DEFLATE application/xhtml+xml
 AddOutputFilterByType DEFLATE application/xml
 AddOutputFilterByType DEFLATE font/opentype
 AddOutputFilterByType DEFLATE font/otf
 AddOutputFilterByType DEFLATE font/ttf
 AddOutputFilterByType DEFLATE image/svg+xml
 AddOutputFilterByType DEFLATE image/x-icon
 AddOutputFilterByType DEFLATE text/css
 AddOutputFilterByType DEFLATE text/html
 AddOutputFilterByType DEFLATE text/javascript
 AddOutputFilterByType DEFLATE text/plain
 AddOutputFilterByType DEFLATE text/xml
 # Remove browser bugs (only needed for really old browsers)
 BrowserMatch ^Mozilla/4 gzip-only-text/html
 BrowserMatch ^Mozilla/4\.0[678] no-gzip
 BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
 # Header needs mod_headers; guard it so the file still loads without that module
 <IfModule mod_headers.c>
  Header append Vary User-Agent
 </IfModule>
</IfModule>

Control/Restrict Image Hotlinking

Hotlinking is when another site embeds images hosted on your server in its own pages: every such request is served with your bandwidth, so hotlinking can significantly affect your site’s bandwidth usage. You can reduce it by adding the following to the .htaccess file. The first condition lets requests without a Referer through (direct visits and browsers that strip the header), the second allows your own domain, and everything else is refused with a 403. Image search results and feed readers send their own Referer and are blocked as well; add a further condition for any of them you rely on:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
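A check for the three performance rules in this section, added as a Python example that is not part of the original article: it reads the response headers that mod_deflate, mod_expires and the hotlink rule produce and reports whether each is in effect. stub_fetch is a constructed stand-in for a site with all three rules applied (the numbers are the seconds mod_expires emits for "1 year" and "1 month", 31536000 and 2592000); for a live site, pass a fetch function built on urllib.request that sends the given request headers and returns the status and response headers.

```python
from typing import Callable, Dict, Optional, Tuple

# fetch(url, request_headers) -> (status, response_headers)
Fetch = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str]]]


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}


def is_compressed(fetch: Fetch, url: str) -> bool:
    """mod_deflate in effect: a gzip-capable client gets Content-Encoding: gzip."""
    _, headers = fetch(url, {"Accept-Encoding": "gzip"})
    return _lower(headers).get("content-encoding", "").lower() == "gzip"


def cache_lifetime(fetch: Fetch, url: str) -> Optional[int]:
    """Seconds from the Cache-Control max-age set by mod_expires, or None if absent."""
    _, headers = fetch(url, {})
    for directive in _lower(headers).get("cache-control", "").split(","):
        directive = directive.strip()
        if directive.startswith("max-age="):
            return int(directive[len("max-age="):])
    return None


def hotlink_blocked(fetch: Fetch, image_url: str, foreign_referer: str) -> bool:
    """The hotlink rule answers 403 when the Referer is another site."""
    status, _ = fetch(image_url, {"Referer": foreign_referer})
    return status == 403


def own_request_allowed(fetch: Fetch, image_url: str, own_referer: str) -> bool:
    """...and must still serve the image to your own pages and to direct requests."""
    own, _ = fetch(image_url, {"Referer": own_referer})
    direct, _ = fetch(image_url, {})
    return own == 200 and direct == 200


# Constructed responses for a site with all three rules applied (not captured
# from a real server).
OWN_SITE = "https://www.example.com"


def stub_fetch(url: str, req: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    if url.endswith(".css"):
        headers = {"Cache-Control": "max-age=31536000"}     # "access plus 1 year"
        if "gzip" in req.get("Accept-Encoding", ""):
            headers["Content-Encoding"] = "gzip"
        return 200, headers
    if url.endswith(".jpg"):
        referer = req.get("Referer", "")
        if referer and not referer.startswith(OWN_SITE):
            return 403, {}
        return 200, {"Cache-Control": "max-age=2592000"}    # "access plus 1 month"
    if url.endswith("/"):
        return 200, {"Cache-Control": "max-age=0", "Content-Encoding": "gzip"}
    return 404, {}


def demo() -> Dict[str, object]:
    """Run every check against the stub and collect the results."""
    css = OWN_SITE + "/wp-content/themes/t/style.css"
    img = OWN_SITE + "/wp-content/uploads/photo.jpg"
    page = OWN_SITE + "/"
    return {
        "css_gzip": is_compressed(stub_fetch, css),
        "css_max_age": cache_lifetime(stub_fetch, css),
        "html_max_age": cache_lifetime(stub_fetch, page),
        "hotlink_blocked": hotlink_blocked(stub_fetch, img, "https://other.example/"),
        "own_allowed": own_request_allowed(stub_fetch, img, OWN_SITE + "/post/"),
    }


if __name__ == "__main__":
    print(demo())
```

The html_max_age of 0 is the intended result of the "access plus 0 seconds" line for text/html: pages are regenerated by WordPress and must not be cached by the browser, while static assets such as the stylesheet can be kept for a year.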

Plugins to Edit .htaccess

The Htaccess File Editor plugin is probably the best solution for safe .htaccess editing. If you directly edit the file via cPanel or an FTP client, you can make a fatal error. The plugin reduces that risk: it automatically scans your .htaccess file and looks for syntax errors.

Plus, every time you edit the file, the plugin will automatically generate its backup. This means you will be able to restore your website even if there is an error within the .htaccess file.

Plugins to edit the WordPress .htaccess file.

Conclusion

The .htaccess file plays an essential role in keeping your site accessible and secure. It determines how the server runs and functions, so you should edit it carefully.


Have any questions left? Our WordPress developers are always ready to share their years-long expertise of the most popular content management system with you. Get in touch with us for any WP-related task, from building a custom theme to performance optimization and website maintenance. 
