10 htaccess Tips Every WordPress User Should Know

The .htaccess file is used to modify the configuration setting of Apache webs server. WordPress uses this file on per directory basis to control how the pages are served to users. for example, when you enable permalinks then the following code will be added in the .htaccess file of your root directory.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - 
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php 
</IfModule>
# END WordPress

Most of the caching and security plugins use .htaccess file for adding directives in order to control the site’s behavior. In this article, let us explore top 10 htaccess tips every WordPress user should know. Check out this article on how to view .htaccess file on your Mac and how to edit .htaccess file in WordPress.

The .htaccess works higher chronological order. This means the file in the root directory will control all the sub-directories on your server. If you want to have different set of rules for sub-directory then create another .htaccess file and place it inside the sub-directory.

Ensure to take a backup of your .htaccess file before you start modifying.

1. Disable Directory Listing

Directory browsing allows anyone to view the files available in different directories of your server. Hackers can view your files on the browser and try to hack your site. So it is recommended to disable the directory listing by adding the below line in your .htaccess file.

Options -Indexes

2. Block IP

When you find someone from the particular IP address is leaving lot of spam comments or trying to access XMLRPC file then the easy ways is to just block them in your .htaccess file.

Order Deny,Allow
Deny from 0.0.0.0

0.0.0.0 is the sample IP address and you should replace it with your own.

3. Enable wp-login.php Access Only for You

When you are a single administrator and editor of your site then probably you don’t need any other person to access the login page of admin panel. In such case, you can allow your IP address and deny all other IPs from accessing the “wp-login.php”.

<Files wp-login.php>
Order deny,allow
Deny from all
Allow from 0.0.0.0 localhost
</Files>

0.0.0.0 is the sample IP address, you should replace it with your own. Also localhost is added for additional access.

4. Block Bad Bots

Bad blocks not only look for vulnerability on your site but also cost you money by consuming sever resources. Below is the 6G firewall directives for blocking all known bad blocks through .htaccess.
SetEnvIfNoCase User-Agent ({2000}) bad_bot
SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot
Order Allow,Deny
Allow from All
Deny from env=bad_bot

5. Prevent Image Hot Linking

Every single image on a page sends separate HTTP request to your server. If someone links your image and loading on his site then it basically consumes the resource from your server. This is referred as image hot linking and you can disable it by adding the below lines in your .htaccess file.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain.com/.*$ 
RewriteRule \.(gif|jpg|png)$ - 

6. Prevent PHP Script Execution

You can disable anyone from running PHP files on your WordPress theme and plugin folder. Create two .htaccess files and place them inside “/wp-content/plugins/” and “/wp-content/themes/” folder with the following code.

<Files *.php >
deny from all
allow from “ Your IP address”
</Files>

7. Enable HTTP Compression

Serving the compressed files from your server can reduce the page size up to 70% thus increasing the page loading speed. GZIP is the common way of compressing the HTTP responses from the server. You need to add the below code in .htaccess file for enabling the GZIP compression on your WordPress site.

<ifmodule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/javascript text/css application/x-javascript application/javascript
</ifmodule>

Add any other file types if you are using on your site and wanted to serve it compressed.

8. Setting WWW Redirect

You can set a permanent redirect from non-www version of your site to www version by adding the below code. Replace “example.com” with your own domain name.

RewriteEngine on
RewriteCond %{HTTP_HOST} ^example.com 
RewriteRule ^(.*)$ http://www.example.com/$1 

9. Force HTTPS SSL Version

When you have SSL certificate installed on your server, you can force entire site to serve through HTTPS version. Add the below code for forcing HTTPS version:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} 

10. Leverage Browser Caching

Browsers cache the web page files to load them quickly on further visits. Leverage browser caching is a technique to instruct the web browsers how long the files are to be cached by the browser. If you notice the leverage browsing error in Google PageSpeed or any other speed testing tool then add the below lines in your .htaccess file.

<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType text/html "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresDefault "access 1 month"
</IfModule>

Editorial Staff at WebNots are team members who love to build websites and share the learning with webmasters community. Follow us on Facebook and Twitter.

Leave a Comment