The .htaccess file is a configuration file that allows you to control files and folders in the current directory, and all sub-directories. The filename is a shortened name for hypertext access and is supported by most servers.
For many WordPress users, their first meeting with the .htaccess file is when they customize their website’s permalink settings. To get those pretty permalinks that we all know and love (e.g. https://www.elegantthemes.com/sample-post/ instead of https://www.elegantthemes.com/?p=123), we need to add something like this to the .htaccess file:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
If no .htaccess file exists, you can create one yourself and upload it. All you have to do is create a blank text file, save it as .htaccess and upload it to the root of your WordPress installation. Be sure to include the period at the start of the filename (i.e. save the file as .htaccess and not htaccess).
You also need to ensure your .htaccess file is writeable so that WordPress can add the appropriate permalink code to your .htaccess file. WordPress.org advises file permissions of 644 for the .htaccess file.
The .htaccess file is a hidden file. You therefore need to ensure your FTP client or file manager is configured to display the file in your directory.
The .htaccess file is not only used for permalinks. The file is better known for its ability to strengthen the security of a website. Millions of WordPress users use the .htaccess file to protect their websites from spammers, hackers, and other known threats.
In this article, I would like to share with you several snippets for .htaccess that will make your website secure. I have also included a few additional snippets that I believe you will find useful.
You may have noticed in my permalink example above that the code begins with # BEGIN WordPress and ends with # END WordPress. WordPress can update any code that is placed within those tags. You should therefore add the snippets shown in this article at the top or bottom of your .htaccess file (i.e. before # BEGIN WordPress or after # END WordPress).
Be Careful
The .htaccess file is one of the most temperamental files you will encounter when using WordPress. It only takes one character to be out of place for the code to be incorrect. When that happens, it will usually cause your whole website to go down. It is therefore vital that you copy the code noted in this article correctly to your own .htaccess file.
Even if you are cautious, accidents can happen, and they frequently do.
Do not cut any corners when working with the .htaccess file. Before you begin, make a backup of your current working version of .htaccess. Store it in a safe place on your computer, and if possible, in another location such as a USB flash drive or on cloud storage.
Whenever you update your .htaccess file on your server, refresh your website to see if your website is still live. Do not skip this step as it is vital that you verify your website is still working correctly. If your website returns a blank screen, immediately revert back to your saved copy of .htaccess by uploading it over the version with errors.
If you cannot locate your backup file, either upload a blank .htaccess file or delete the .htaccess file altogether. This will get your website back online; which will obviously be your priority when your website goes offline.
Do not take any chances with .htaccess. Always have a back up. You have been warned 🙂
1. Protect .htaccess
Due to how much control .htaccess has over your whole website, it is important to protect the file from unauthorised users. The following snippet will stop hackers from accessing your .htaccess file. You can, of course, still edit the file yourself via FTP and through your hosting control panel’s file manager.
<files ~ "^.*.([Hh][Tt][Aa])"> order allow,deny deny from all satisfy all </files>
2. Protect WP-Config.php
Another important file is wp-config.php. This configuration file contains the login information for your WordPress database as well as other important maintenance settings. It is therefore advisable to disable access to it.
<files wp-config.php> order allow,deny deny from all </files>
3. Protect /Wp-Content/
The wp-content directory is one of the most important areas of your WordPress website. It is where vital files are located such as your themes, plugins, uploaded media (images and videos), and cached files.
Due to this, it is one of the main targets of hackers. When a spammer managed to compromise an old website of mine last year, he did it by uploading a mail script to my uploads folder. He then proceeded to send out spam mail using my server; which subsequently placed my server on spam blacklists.
You can tackle threats like this by creating a separate .htaccess file and adding the following code to it:
Order deny,allow
Deny from all
<Files ~ ".(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>
You then need to upload this separate .htaccess file to the main wp-content directory i.e. www.yourwebsite.com/wp-content/. Doing this will allow media files to be uploaded including XML, CSS, JPG, JPEG, PNG, Gif, and Javascript. All other file types will be denied.
4. Block Include-Only Files
There are certain files that never have to be accessed by the user. You can block access to these files by adding the following code to your .htaccess file:
# Block the include-only files. <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^wp-admin/includes/ - [F,L] RewriteRule !^wp-includes/ - [S=3] RewriteRule ^wp-includes/[^/]+.php$ - [F,L] RewriteRule ^wp-includes/js/tinymce/langs/.+.php - [F,L] RewriteRule ^wp-includes/theme-compat/ - [F,L] </IfModule>
5. Restrict Access to the Admin Area
Another entry point for hackers is the WordPress admin area. If they gain access to this area, they can do almost anything to your website.
To make this area more secure, create a new .htaccess file and add the code below to it:
# Limit logins and admin by IP <Limit GET POST PUT> order deny,allow deny from all allow from 12.34.56.78 </Limit>
Be sure to change 12.34.56.78 to your own IP address (you can find out your IP address at What Is My IP?). Then upload the file to your website’s /wp-admin/ folder i.e. www.yourwebsite.com/wp-admin/.
This will allow you to access your WordPress admin area, but will block everyone else.
Additional IP addresses can be added for other administrators and staff. You can do this by adding additional allow lines or listing their IP addresses in the main allow line and separating them using commas. For example:
allow from 12.34.56.78, 98.76.54.32, 19.82.73.64
6. Ban Someone From Your Website
If you know the IP address of a malicious party, you can completely ban them from your website using the snippet below. For example, you could ban someone who always leaves abusive comments or someone who has attempted to access your admin area.
<Limit GET POST> order allow,deny deny from 123.456.78.9 deny from 987.654.32.1 allow from all </Limit>
7. Send Visitors to a Maintenance Page
Maintenance plugins such as Ultimate Maintenance Mode and Maintenance are useful for displaying a temporary message to visitors when you are developing a website, or when working in the background to update your website.
Unfortunately, maintenance plugins are of little help if you face the infamous WordPress White Screen of Death. They only function correctly if your website is working correctly.
If you want to prepare for the worst, I recommend creating a basic HTML page named maintenance.html that advises visitors that you are currently experiencing problems with your website, but will be back online soon. When your website does go down because of a hacking attempt or because of the White Screen of Death, simply add the snippet below to your .htaccess file to direct all traffic to your message at maintenance.html.
RewriteEngine on
RewriteCond %{REQUEST_URI} !/maintenance.html$
RewriteCond %{REMOTE_ADDR} !^123.123.123.123
RewriteRule $ /maintenance.html [R=302,L]
You need to configure the above code for your own website. Change the html filename to the name and location of your own maintenance file in the second and fourth row. You also need to add your own IP address to the third row to ensure that you can access your website whilst the maintenance message is being displayed to others. The code uses a 302 redirect ensure that the maintenance page itself is not indexed.
8. Disable Directory Browsing
Allowing unauthorised individuals to look at your files and folders can be a major security risk. To disable browsing of your directories, simply add this small piece of code to your .htaccess file:
# disable directory browsing Options All -Indexes
9. Enable Browser Caching
Browser Caching is something I recently discussed in my article “Optimize Your WordPress Website Using These Simple Tips“. Once enabled, browser caching will allow visitors to save items from your web page so that they do not need to be downloaded again.
It is used for design elements such as CSS stylesheets and media items such as images. It is a practical solution as when someone uploads an image to a website, the image is rarely updated again. Browser caching would therefore allow visitors to load the image saved on their computer rather than your server. This reduces bandwidth and increases page loading times.
To enabling browsing caching, all you need to do is add this code to your .htaccess file:
## EXPIRES CACHING ## <IfModule mod_expires.c> ExpiresActive On ExpiresByType image/jpg "access 1 year" ExpiresByType image/jpeg "access 1 year" ExpiresByType image/gif "access 1 year" ExpiresByType image/png "access 1 year" ExpiresByType text/css "access 1 month" ExpiresByType application/pdf "access 1 month" ExpiresByType text/x-javascript "access 1 month" ExpiresByType application/x-shockwave-flash "access 1 month" ExpiresByType image/x-icon "access 1 year" ExpiresDefault "access 2 days" </IfModule> ## EXPIRES CACHING ##
10. Redirect a URL
301 redirects allow you to inform search engines that a URL has permanently moved to a new location. They can be used to redirect a page, folder, or even a completely new website.
They are therefore used whenever the URL of a page changes. This can be due to changing a domain, changing the permalink structure of your website, or simply changing the page slug (e.g. changing the page slug of an article from my-news to mygreatnews).
To redirect a location, all you need to do is add a line with Redirect 301, followed by the old location and then the new location. You can see how this works in practice below:
Redirect 301 /oldpage.html http://www.yourwebsite.com/newpage.html Redirect 301 /oldfolder/page2.html /folder3/page7.html Redirect 301 / http://www.mynewwebsite.com/
11. Disable Hotlinking
Hotlinking is a practice in which someone shares an image from your website by linking directly to the image URL. It commonly occurs on discussion forums, but many website owners still do it too (which is a mistake as it means images can be removed from your content at any time). Hotlinking can have a negative effect on your website. In addition to slowing your website down, it can also significantly increase your bandwidth costs with your hosting company.
You can prevent hotlinking by only allowing your own website, and any others you own, to execute image files. Add the code below to your .htaccess file to stop others from hotlinking your images. Be sure to replace the URL’s below with your own website addresses.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?yourwebsite.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?yourotherwebsite.com [NC]
RewriteRule .(jpg|jpeg|png|gif)$ http://i.imgur.com/g7ptdBB.png [NC,R,L]
When someone now views an image of yours at another URL, they will instead be shown the image denoted in the last line of code. This image can be changed to whatever you want.
* Note that disabling hotlinking may cause some RSS readers to have problems displaying your images from your RSS feed.
I hope you have enjoyed this list of tips and tricks for the .htaccess file. As you can see, it is a versatile configuration file that can be used for many things.
If you enjoyed this article, I encourage you to subscribe to the Elegant Themes Blog. Also, please feel free to share your own .htaccess tips and tricks with others in the comment area 🙂
Article thumbnail image by venimo / shutterstock.com