Many WordPress users come across .htaccess file when fixing their permalinks. However you can do so much more. The .htaccess file is a powerful configuration file that allows you to improve your site’s security and performance. In this article, we will show you 9 most useful .htaccess tricks for WordPress that you can try on your site right away.
Getting Started
Before you make any changes, you need to backup your existing .htaccess file. Connect to your website using an FTP client and simply download the .htaccess file to your computer. If something goes wrong, then you can upload the backup file.
If you cannot see the .htaccess file, then make sure your FTP client is configured to show hidden files. Read our guide on why you can’t find .htaccess file on your WordPress site for more details.
If you do not have a .htaccess file in your website’s root folder, then you need to create one. Simply create a blank text file and save it as .htaccess. Make sure that the file name is .htaccess and not htaccess. Lastly, you need to upload the file to your website’s root folder.
Protect Your WordPress Admin Area
You can use .htaccess to protect your WordPress admin area by limiting the access to selected IP addresses only. Simply copy and paste this code into your .htaccess file:
AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "WordPress Admin Access Control" AuthType Basic <LIMIT GET> order deny,allow deny from all # whitelist Syed's IP address allow from xx.xx.xx.xxx # whitelist David's IP address allow from xx.xx.xx.xxx # whitelist Amanda's IP address allow from xx.xx.xx.xxx # whitelist Muhammad's IP address allow from xx.xx.xx.xxx # whitelist Work IP address allow from xx.xx.xx.xxx </LIMIT>
Replace xx.xx.xx.xxx with your own IP addresses. If you use more than one IP address to access the internet, then make sure you add them as well. See our guide on how to protect your admin folder in WordPress using .htaccess
Password Protect WordPress Admin Folder
First you need to create a .htpasswds file. You can easily create one by using this online generator.
Upload this .htpasswds file outside your publicly accessible web directory or /public_html/ folder. A good path would be:
home/user/.htpasswds/public_html/wp-admin/passwd/
Now you need to create a new .htaccess file and add this code:
AuthName "Admins Only" AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd AuthGroupFile /dev/null AuthType basic require user putyourusernamehere <Files admin-ajax.php> Order allow,deny Allow from all Satisfy any </Files>
Important: Don’t forget to replace AuthUserFile path with the file path of your .htpasswds file and add your own username.
Upload this .htaccess file to your wp-admin folder. That’s all, your WordPress admin folder is now password protected and only you or the users you allow will be able to access it. For detailed instructions, take a look at how to password protect your WordPress admin (wp-admin) directory.
3. Disable Directory Browsing in WordPress
Many WordPress security experts recommend disabling directory browsing. With directory browsing enabled, hackers can look into your site’s directory and file structure to find a vulnerable file. Learn more about why and how to disable directory browsing in WordPress.
To disable directory browsing in WordPress all you need to do is add this single line in your .htaccess file:
Options -Indexes
Disable PHP Execution in Some WordPress Directories
Sometimes hacked WordPress sites usually have backdoor files. These backdoor files are often disguised as core WordPress files and are placed in /wp-includes/ or /wp-content/uploads/ folders. An easier way to improve your WordPress security is by disabling PHP execution for some WordPress directories.
Create a blank .htaccess file and paste this code inside it:
<Files *.php> deny from all </Files>
Now upload this file to your /wp-content/uploads/ and /wp-includes/ directories. For more information check out this tutorial on how to disable PHP execution in certain WordPress directories.
Protect Your WordPress Configuration wp-config.php File
Probably the most important file in your WordPress website’s root directory is wp-config.php file. It contains information about your WordPress database and how to connect to it. To protect your wp-config.php file from unathorized access, simply add this code to your .htaccess file:
<files wp-config.php> order allow,deny deny from all </files>
Setting up 301 Redirects Through .htaccess File
Using 301 redirects is the most SEO friendly way to tell your users that a content has moved to a new location. If you want to properly manage your 301 Redirects on posts per post basis then check out how to do 301 redirects in WordPress with Quick Page/Post Redirect.
On the other hand if you just quickly want to redirect users from one URL to another, then all you need to do is paste this code in your .htaccess file
Redirect 301 /oldurl/ http://www.example.com/newurl Redirect 301 /category/television/ http://www.example.com/category/tv/
Ban Suspicious IP Addresses
Seeing unusual requests from an IP address? Want to block an IP address from accessing your website? Add this code to your .htaccess file:
<Limit GET POST> order allow,deny deny from xxx.xxx.xx.x allow from all </Limit>
Disable Image Hotlinking in WordPress Using .htaccess
Other people can slow down your website and steal your bandwidth by hotlinking images from your website. Normally, this doesn’t concern most users. However, if you run a popular site with lots of images and photos, then hotlinking can become a serious issue. You can prevent image hotlinking by adding this code in your .htaccess file:
#disable hotlinking of images with forbidden or custom image option RewriteEngine on RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?binhminhitc.com [NC] RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC] RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?feeds2.feedburner.com/binhminhitc [NC] RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]
Don’t forget to replace binhminhitc.com with your own domain name.
Protect .htaccess From Unauthorized Access
As you have seen that there are so many things that can be done using .htaccess file. Due to the power and control it has on your web server, it is important that you protect it from unauthorized access by hackers. Simply add this code to your .htaccess file:
<files ~ "^.*\.([Hh][Tt][Aa])"> order allow,deny deny from all satisfy all </files>
We hope this article helped you learn some of the most useful .htaccess tricks for WordPress.