The .htaccess file is used to modify the configuration settings of the Apache web server. WordPress uses this file on a per-directory basis to control how pages are served to users. When you enable permalinks in the Settings section, WordPress adds the following code to the .htaccess file located in your root directory.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
In addition, most caching and security plugins add directives to the .htaccess file in order to control the site's behavior. Therefore, it is important for all WordPress users to understand the .htaccess file. In this article, let us explore the top 10 .htaccess tips every WordPress user should know. Remember, since the file has no name and only .htaccess as an extension, it is hidden on your system by default. Check out these articles on how to view the .htaccess file on your Mac and how to edit the .htaccess file in WordPress.
.htaccess File Order
The .htaccess file works hierarchically: the file in the root directory applies to all sub-directories on your server. If you want a different set of rules for a sub-directory, create another .htaccess file and place it inside that sub-directory; its directives are merged with, and override, those of the parent. Before you start modifying, take a backup of your current .htaccess file so you can restore it in case of any unforeseen issues.
1. Disable Directory Listing
Directory browsing allows anyone to view the list of files in any directory on your server that has no index file. Attackers can browse your files in the browser and use what they find against your site, so we recommend disabling directory listing by adding the line below to your .htaccess file.
Options -Indexes
2. Block IP
When you find that someone from a particular IP address is leaving a lot of spam comments or trying to access the XML-RPC file, the easiest way to stop them is to block the address in your .htaccess file.
Order Deny,Allow
Deny from 0.0.0.0
0.0.0.0 is a sample IP address; replace it with the address you want to block.
3. Enable wp-login.php Access Only for You
When you are the only administrator and editor of your site, you probably don't need anyone else to access the admin login page. In that case, you can whitelist your IP address and deny all other IPs access to "wp-login.php".
<Files wp-login.php>
Order deny,allow
Deny from all
Allow from 0.0.0.0 localhost
</Files>
0.0.0.0 is a sample IP address; replace it with your own. We have also added localhost so that the server itself keeps access.
4. Block Bad Bots
Bad bots not only look for vulnerabilities on your site but also cost you money by consuming server resources. Below are the 6G firewall directives for blocking known bad bots through .htaccess.
SetEnvIfNoCase User-Agent ([a-z0-9]{2000}) bad_bot
SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot
Order Allow,Deny
Allow from All
Deny from env=bad_bot
5. Prevent Image Hot Linking
Every single image on a page sends a separate HTTP request to your server. If someone embeds your image on their site, every load of their page consumes your server's resources. This is referred to as image hotlinking, and you can prevent it by adding the lines below to your .htaccess file. Replace yourdomain.com with your own domain.
RewriteEngine on
# let requests with no Referer through (direct visits, privacy settings)
RewriteCond %{HTTP_REFERER} !^$
# let your own site through, over http or https
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com/ [NC]
# everyone else gets 403 Forbidden for image files
RewriteRule \.(gif|jpe?g|png)$ - [F,NC]
6. Prevent PHP Script Execution
You can prevent anyone from running PHP files directly from your WordPress theme and plugin folders. Create two .htaccess files and place them inside the "/wp-content/plugins/" and "/wp-content/themes/" folders with the following code. A few plugins call their own PHP files directly from the browser, so test the site after adding these files.
<Files "*.php">
Order Deny,Allow
Deny from all
# replace 0.0.0.0 with your own IP address
Allow from 0.0.0.0
</Files>
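Apache 2.4 replaced Order, Allow and Deny with the Require directives of mod_authz_core; the old ones only work if mod_access_compat is loaded, and mixing both styles in one context gives unreliable results. The block below is an added example, not from the original article: the 2.4 forms of tips 2, 3, 4 and 6, using 203.0.113.5 and 198.51.100.0/24 as placeholder addresses and a shortened version of the 6G user-agent list.

```apache
# Added example (not from the article): Apache 2.4 forms of tips 2, 3, 4 and 6.
# 203.0.113.5 and 198.51.100.0/24 are placeholders; substitute your own addresses.
# Requires AllowOverride AuthConfig (for Require) and FileInfo (for SetEnvIf).

# Tips 2 and 4, in the site root .htaccess. Everything is granted except the
# listed addresses and bad_bot requests. Both exclusions must live in ONE
# <RequireAll>: separate top-level Require containers are OR-ed together, so
# two of them would let a blocked IP through as long as it is not a bad bot.
SetEnvIfNoCase User-Agent ([a-z0-9]{2000}) bad_bot
SetEnvIfNoCase User-Agent (nikto|sqlmap|httrack) bad_bot
<RequireAll>
    Require all granted
    Require not ip 203.0.113.5
    Require not ip 198.51.100.0/24
    Require not env bad_bot
</RequireAll>

# Tip 3: only the server itself and the listed address may reach wp-login.php.
# A Require inside <Files> replaces, rather than extends, the root <RequireAll>
# (AuthMerging defaults to Off), which is the intended effect here.
<Files "wp-login.php">
    Require local
    Require ip 203.0.113.5
</Files>

# Tip 6: in wp-content/plugins/.htaccess and wp-content/themes/.htaccess.
# FilesMatch also covers .phtml and numbered variants such as .php5.
<FilesMatch "\.ph(p[0-9]?|tml)$">
    Require ip 203.0.113.5
</FilesMatch>
```

Requests that are refused by these rules appear in the Apache error log as "client denied by server configuration", which is the line to watch when checking that the block is doing what you expect.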
7. Enable HTTP Compression
Serving compressed files from your server can reduce page size by up to 70%, thus increasing page loading speed. GZIP is the common way of compressing HTTP responses from the server. Add the code below to your .htaccess file to enable GZIP compression on your WordPress site.
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/javascript text/css application/x-javascript application/javascript
</IfModule>
Add any other file types you use on your site and want to serve compressed.
8. Setting WWW Redirect
You can set a permanent redirect from the non-www version of your site to the www version by adding the code below. Replace "example.com" with your own domain name.
RewriteEngine on
# the dot is escaped so that it matches only a literal "."
RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
9. Force HTTPS SSL Version
When you have an SSL certificate installed on your server, you can force the entire site to be served over HTTPS. Add the code below to force the HTTPS version:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
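If tips 8 and 9 are both applied as written, a visitor to http://example.com/ is redirected twice, first to the www host and then to HTTPS. The block below is an added example, not from the original article, that collapses both into a single 301 and writes the canonical host out explicitly instead of relying on %{SERVER_NAME} (which depends on the ServerName and UseCanonicalName settings); example.com is the placeholder domain.

```apache
# Added example (not from the article): http -> https and non-www -> www in one hop.
# Replace example.com with your own domain. Put these lines ABOVE the
# "# BEGIN WordPress" marker: WordPress rewrites everything between its
# BEGIN/END markers and would discard custom rules placed inside them.
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]

# If TLS is terminated by a CDN or reverse proxy, Apache sees every request as
# plain http and the %{HTTPS} test above loops forever. Test the header the
# proxy sets instead (confirm the header name with your provider first):
# RewriteCond %{HTTP:X-Forwarded-Proto} !https [OR]
# RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
# RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]
```

After saving, request http://example.com/some-page with curl -I and check that a single 301 response points at https://www.example.com/some-page.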
10. Leverage Browser Caching
Browsers cache web page files to load them more quickly on subsequent visits. Leverage browser caching is a technique for instructing browsers how long files should be kept in their cache. If you see the "leverage browser caching" warning in Google PageSpeed or any other speed-testing tool, add the lines below to your .htaccess file. Note that a long expiry on text/html means returning visitors may keep seeing an old copy of a page you have since edited, so choose that value with care.
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType text/html "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresDefault "access 1 month"
</IfModule>