WordPress htaccess [Complete Overview] (2020)

WordPress htaccess

The .htaccess file is a very popular WordPress file, which some people consider to be an obligatory part of every WordPress installation.

On the other hand, WordPress htaccess file can cause many issues, and the majority of bloggers and webmasters are not aware that they can get rid of that file almost without any loss!

If you want to find a solution mentioned above, just keep reading. 🙂

 

What is htaccess file in WordPress?

 

The .htaccess file is just a website’s configuration file of the Apache web server.

With .htaccess file you can:

  • add special rules to deliver cached content more efficiently;
  • set up 301/302 redirects;
  • redirect HTTP to HTTPS;
  • ban/restrict access to your site based on IP addresses;
  • increase the maximum file upload size.

 

Where is .htaccess file located?

 

.htaccess file is a file that is automatically created every time you create a new WordPress installation on Apache webserver.

The file is located in the root directory (home directory) of your website.

There are two ways to access that file – using any FTP client (such as FileZilla) or with any WordPress file manager plugin (for example, WP File Manager from my list of best WordPress plugins).

And here, you can see an exemplary screenshot with .htaccess file location.

WordPress .htaccess file location

 

How to create WordPress .htaccess file?

 

If (for any reason) there is no .htaccess file in your website’s home directory, you can generate it in one of two ways. The first way is to create the .htaccess file by setting up permalinks. Alternatively, you can create it manually with any text editor and then upload it to your server.

If you decide to use the first solution, you just need to log into your WordPress dashboard, click Settings -> Permalinks, choose any setting (Post name is definitely the best one from SEO point of view), scroll down to the end of the page and click Save Changes.

WordPress permalinks settings

When it comes to the second solution, you just need to use MS Notepad or Notepad++, paste the following lines to the new file:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

and save it as .htaccess.

Those ten lines above contain the default WordPress .htaccess file content.

Important notice:

In order to save your file correctly, you need to set All files (or All types) as its type and use .htaccess as its name.

how to create WordPress htaccess file

You can upload the file to your server using the same methods which you’ve used to access your website’s files – WP File Manager or any FTP client.

 

Exemplary WordPress htaccess Instructions

 

In this section of the article, I will show you some exemplary instructions for .htaccess file.

However, if you are not interested in tampering with .htaccess file, you can omit this section, scroll down this page and read the last two sections of this article for two other solutions. 🙂

 

WordPress htaccess Redirects

 

301 (Permanent) Redirect

 

Redirect 301 /oldpage.html http://www.domain-name.com/newpage.html

 

302 (Temporary) Redirect

 

Redirect 302 /oldpage.html http://www.domain-name.com/newpage.html

 

Force URL to www

 

From here, things are starting to get more and more mysterious and confusing…

RewriteEngine on
RewriteCond %{HTTP_HOST} ^example.com [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301,NC]

 

Force URL to non-www

 

RewriteEngine on
RewriteCond %{HTTP_HOST} ^www.example.com [NC]
RewriteRule ^(.*)$ http://example.com/$1 [L,R=301]

 

Force HTTPS

 

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

You may also want to visit my separate article about forcing www and https.

 

Force HTTP

 

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} ^https$
RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI}
</IfModule>

 

Redirect Domain to Subdirectory

 

RewriteCond %{HTTP_HOST} ^example.com$
RewriteCond %{REQUEST_URI} !^/sub-directory-name/
RewriteRule (.*) /subdir/$1

 

Redirect a URL

 

Redirect 301 / http://www.mynewwebsite.com/

 

Improve Your Site’s Security With WordPress htaccess File

 

Protect .htaccess from unauthorized users

 

<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

 

Restrict access to WordPress admin area

 

# Limit logins and admin by IP
<Limit GET POST PUT>
order deny,allow
deny from all
allow from xx.xx.xx.xx
</Limit>

 

Protect wp-config.php file from unauthorized access

 

<files wp-config.php>
order allow,deny
deny from all
</files>

 

Protect /wp-content/ directory

 

/wp-content/ is an essential WordPress directory which contains all the themes, plugins, and media files of your website. Thereby, it can be targeted by spammers and hackers quite frequently.

To protect /wp-content/ directory from unauthorized access, you can create a separate .htaccess file in that folder and paste the following content into it:

Order deny,allow
Deny from all
<Files ~ ".(xml|css|jpeg|png|gif|js)$">
Allow from all
</Files>

This piece of code specifies which file extensions (.xml, .css, and a few more) you’ll be able to upload to your site.

 

Disable PHP execution

 

<Files *.php>
deny from all
</Files>

This snippet of code allows you to disable PHP execution in any directory of your choice.

To disable the execution of PHP scripts, you should create a separate .htaccess file in a folder of your choice and use the code shown above.

 

File access restriction for additional WordPress accounts

 

If there is any person who can log into your website’s admin area (for example, another author), you can restrict his or her access to the files of your themes and plugins.

In order to do that, use the code snippet presented below:

RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]

 

Script injection protection

 

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

 

Block any IP address from accessing your website

 

<Limit GET POST>
order allow,deny
deny from 123.213.78.91
allow from all
</Limit>

This example blocks access to your site from the IP address 123.213.78.91.

 

Deny access to individual files

 

If you’d like to block access to one of your website’s files, you can do that using the code below (you should obviously set the file name in the first line of code):

<files your-file-name.txt>
order allow,deny
deny from all
</files>

 

Disable browsing of your directories

 

# disable directory browsing
Options All -Indexes

 

Improve WordPress Performance With htaccess File

 

This section contains three snippets of code associated with WordPress performance.

If you’d prefer to avoid editing the .htaccess file, you will find more details in the last two sections of this article.

 

Enable browser caching

 

<IfModule mod_expires.c>
ExpiresActive on
ExpiresDefault "access plus 1 month"

# CSS
ExpiresByType text/css "access plus 1 year"

# Data interchange
ExpiresByType application/json "access plus 0 seconds"
ExpiresByType application/xml "access plus 0 seconds"
ExpiresByType text/xml "access plus 0 seconds"

# Favicon (cannot be renamed!)
ExpiresByType image/x-icon "access plus 1 week"

# HTML components (HTCs)
ExpiresByType text/x-component "access plus 1 month"

# HTML
ExpiresByType text/html "access plus 0 seconds"

# JavaScript
ExpiresByType application/javascript "access plus 1 year"

# Manifest files
ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
ExpiresByType text/cache-manifest "access plus 0 seconds"

# Media
ExpiresByType audio/ogg "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType video/mp4 "access plus 1 month"
ExpiresByType video/ogg "access plus 1 month"
ExpiresByType video/webm "access plus 1 month"

# Web feeds
ExpiresByType application/atom+xml "access plus 1 hour"
ExpiresByType application/rss+xml "access plus 1 hour"

# Web fonts
ExpiresByType application/font-woff2 "access plus 1 month"
ExpiresByType application/font-woff "access plus 1 month"
ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
ExpiresByType application/x-font-ttf "access plus 1 month"
ExpiresByType font/opentype "access plus 1 month"
ExpiresByType image/svg+xml "access plus 1 month"
</IfModule>

The code shown above could allow you to add expires headers to your WordPress .htaccess file.

 

Enable gzip compression

 

Although you don’t have to use the code snippet shown below, it could allow you to enable gzip compression on your site.

<IfModule mod_deflate.c>

# Compress HTML, CSS, JavaScript, Text, XML and fonts
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml

# Remove browser bugs (only needed for really old browsers)
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent
</IfModule>

This task (similarly like the previous one) can be done automatically with one of two plugins recommended below.

 

Restrict image hotlinking

 

The snippet of code shown below is going to prevent image hotlinking on your site.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

 

How to solve potential issues with the .htaccess file?

 

As you could see above, editing the .htaccess file can be quite a tedious task sometimes.

So, is there any way to avoid all the trouble associated with the editing process?

Of course, there is!

In order to do almost all the tasks discussed here automatically, you should choose SiteGround as your hosting provider and use their amazing SG Optimizer WordPress plugin.

As it comes to AliveBetter blog, I moved it to SiteGround’s GoGeek account in the first half of September 2020.

After completing the migration process, my blog started to load as fast as never before!

If you want to check the exact values, feel free to use GTmetrix or any other website speed test and type in alivebetter.com as the URL.

After transferring my blogs (alivebetter.com and alivebetter.pl) to SiteGround, the only editing task I had to do was to force https://www for both these blogs. The snippet of code needed for this task is available in this post.

And if you had any .htaccess-related issue in the future, you could contact SiteGround’s professional support team, and they will do the necessary editing for you.

 

How to get rid of .htaccess file for good and improve website’s speed and security without it?

 

After reviewing WordPress .htaccess file, I can finally reveal the secret about running any WordPress blog without that file.

As I mentioned before, .htacess file is a component of every WordPress site based on Apache server.

The thing is that there is another type of server that does not contain .htaccess file. This server type is called Nginx.

When it comes to server performance and security, they are two crucial features of each Nginx-based webserver! 🙂

So, in order to get rid of the WordPress .htaccess file for good and improve your website’s security and performance, you should just switch to Kinsta. 🙂

On the other hand, I decided to transfer my blogs to SiteGround’s GoGeek account in the first half of September 2020, and then they started to load as fast as never before!

SiteGround’s hosting is also one of the best choices when it comes to the security aspect.

 

Quick Summary

 

WordPress .htaccess file is a website’s configuration file which is available on Apache servers only.

Sometimes it can be challenging to set what you want in the .htaccess file properly. In order to make this aspect of your life easier, you can do one of two things.

If you want to have that file on your server, you should migrate your site to SiteGround. If you prefer to get rid of the .htaccess file, I recommend choosing Kinsta as your hosting provider.

As the year 2021 begins, Core Web Vitals will become quite an important SEO factor.

And how can you get the maximum results in Core Web Vitals tests?

I spent some time figuring this out, and I have to admit that there are only two ways to do that. If you want to achieve great results with no .htaccess file and for a medium price, you should migrate your site to Kinsta. If you prefer maximum results with WordPress htaccess file and for a lower price, then SiteGround is the best possible choice for you!

More information about Core Web Vitals will be available here, and now you should know what to do with your website – choose one of two hosting providers mentioned above, and I can assure you that you will be very, very happy if you follow this advice! 🙂