WordPress htaccess [Complete Overview] (2020)

WordPress htaccess

The .htaccess file is a very popular WordPress file, which some people consider to be an obligatory part of every WordPress installation.

On the other hand, the WordPress .htaccess file causes many issues, and the majority of bloggers and webmasters are not aware that they can get rid of that file without any loss!

If you want to find the solution mentioned above, just keep reading. 🙂


What is htaccess file in WordPress?


As I’ve mentioned before, the .htaccess file is a configuration file that the Apache web server applies to your website.

With .htaccess file you can:

  • add special rules to deliver cached content more efficiently;
  • set up 301/302 redirects;
  • redirect HTTP to HTTPS;
  • ban/restrict access to your site based on IP addresses;
  • increase the maximum file upload size.


Where is .htaccess file located?


The .htaccess file is created automatically every time you create a new WordPress installation on an Apache web server.

The file is located in the root directory (home directory) of your website.

There are two ways to access that file – using any FTP client (such as FileZilla) or with any WordPress file manager plugin (for example, WP File Manager from my list of best WordPress plugins).

And here, you can see an exemplary screenshot with .htaccess file location.

WordPress .htaccess file location


How to create WordPress .htaccess file?


If, for any reason, there is no .htaccess file in your website’s home directory, you can generate it in one of two ways: by setting up permalinks, or by creating it manually with any text editor and then uploading the file to your server.

If you decide to use the first solution, you just need to log into your WordPress dashboard, click Settings -> Permalinks, choose any setting (Post name is definitely the best one from an SEO point of view), scroll down to the end of the page and click Save Changes.

WordPress permalinks settings

When it comes to the second solution, you just need to open MS Notepad or Notepad++, paste the following lines into a new file:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

and save it as .htaccess.

Those ten lines above contain the default WordPress .htaccess file content.

Important notice:

In order to save your file correctly, you need to set All files (or All types) as its type and use .htaccess as its name.

how to create WordPress htaccess file

You can upload the file to your server using the same methods which you’ve used to access your website’s files – WP File Manager or any FTP client.
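A syntax error in .htaccess makes Apache answer every request in that directory with a 500 error, so it pays to check a hand-edited file before uploading it. The following check is an added example, not part of the original article or of WordPress; `lint_htaccess` and `SAMPLE` are hypothetical names, and it only looks for unclosed containers and for `Options` lines that mix signed and unsigned keywords.

```python
import re

# Added illustration; lint_htaccess and SAMPLE are hypothetical names.
OPEN = re.compile(r"^<\s*([A-Za-z]+)\b.*>$")    # <IfModule ...>, <Files ...>
CLOSE = re.compile(r"^</\s*([A-Za-z]+)\s*>$")   # </IfModule>, </Files>

def lint_htaccess(text):
    """Return sorted (line_number, message) pairs for problems found in text."""
    problems, stack = [], []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        closing, opening = CLOSE.match(line), OPEN.match(line)
        if closing:
            if stack and stack[-1][0].lower() == closing.group(1).lower():
                stack.pop()
            else:
                problems.append((number, f"</{closing.group(1)}> has no matching opener"))
        elif opening:
            stack.append((opening.group(1), number))
        elif line.split()[0].lower() == "options":
            # Apache 2.4 rejects "Options" lines that mix +/- keywords with bare ones.
            signed = [word[0] in "+-" for word in line.split()[1:]]
            if any(signed) and not all(signed):
                problems.append((number, "Options mixes +/- keywords with bare ones"))
    problems += [(number, f"<{name}> is never closed") for name, number in stack]
    return sorted(problems)

# Constructed sample: a pasted rule set that lost its </IfModule> line.
SAMPLE = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule . /index.php [L]
# END WordPress
Options All -Indexes
<files wp-config.php>
order allow,deny
deny from all
</files>
"""

if __name__ == "__main__":
    for number, message in lint_htaccess(SAMPLE):
        print(f"line {number}: {message}")
```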


Exemplary WordPress htaccess Instructions


In this section of the article, I will show you some exemplary instructions for .htaccess file.

However, if you are not interested in tampering with .htaccess file, you can omit this section, scroll down this page and learn how to get rid of .htaccess file for good without any loss in functionality. 🙂


WordPress htaccess Redirects


301 (Permanent) Redirect


Redirect 301 /oldpage.html http://www.domain-name.com/newpage.html


302 (Temporary) Redirect


Redirect 302 /oldpage.html http://www.domain-name.com/newpage.html


Force URL to www


From here, things are starting to get more and more mysterious and confusing…

RewriteEngine on
RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301,NC]


Force URL to non-www


RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule ^(.*)$ http://example.com/$1 [L,R=301]




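Force HTTPS


# X-Forwarded-Proto is set by a reverse proxy or load balancer in front of Apache;
# when Apache terminates TLS itself, test %{HTTPS} instead.
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]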


Force HTTP


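<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} ^https$
# R makes this an external redirect; without it, an absolute URL on the same host is rewritten internally
RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</IfModule>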


Redirect Domain to Subdirectory


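# the directory name in the condition and in the rule must be the same, otherwise the rewrite loops
RewriteCond %{HTTP_HOST} ^example\.com$
RewriteCond %{REQUEST_URI} !^/sub-directory-name/
RewriteRule (.*) /sub-directory-name/$1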


Redirect a URL


Redirect 301 / http://www.mynewwebsite.com/


Improve Your Site’s Security With WordPress htaccess File


Protect .htaccess from unauthorized users


<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>


Restrict access to WordPress admin area


# Limit logins and admin by IP
# (put this in /wp-admin/.htaccess; in the root .htaccess it would apply to the whole site)
order deny,allow
deny from all
allow from xx.xx.xx.xx


Protect wp-config.php file from unauthorized access


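<files wp-config.php>
# Apache 2.2 syntax; on Apache 2.4 it needs mod_access_compat, the native form is "Require all denied"
order allow,deny
deny from all
</files>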


Protect /wp-content/ directory


/wp-content/ is an essential WordPress directory which contains all the themes, plugins, and media files of your website. Thereby, it can be targeted by spammers and hackers quite frequently.

To protect /wp-content/ directory from unauthorized access, you can create a separate .htaccess file in that folder and paste the following content into it:

Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>

This piece of code specifies which file extensions (.xml, .css, and a few more) you’ll be able to upload to your site.


Disable PHP execution


<Files *.php>
deny from all
</Files>

This snippet of code allows you to disable PHP execution in any directory of your choice.

To disable the execution of PHP scripts, you should create a separate .htaccess file in a folder of your choice and use the code shown above.


File access restriction for additional WordPress accounts


If there is any person who can log into your website’s admin area (for example, another author), you can restrict his or her access to the files of your themes and plugins.

In order to do that, use the code snippet presented below:

RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]


Script injection protection


Options +FollowSymLinks
RewriteEngine On
# the query string is matched while still percent-encoded, hence %3C and %3E
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]


Block any IP address from accessing your website


<Limit GET POST>
order allow,deny
# replace xx.xx.xx.xx with the address to block
deny from xx.xx.xx.xx
allow from all
</Limit>

This example blocks access to your site from the IP address


Deny access to individual files


If you’d like to block access to one of your website’s files, you can do that using the code below (you should obviously set the file name in the first line of code):

<files your-file-name.txt>
order allow,deny
deny from all
</files>


Disable browsing of your directories


# disable directory browsing
# (Apache 2.4 rejects an Options line that mixes bare keywords such as All with +/- ones)
Options -Indexes


Improve WordPress Performance With htaccess File


When it comes to your site’s performance, the main ingredient of your success is a plugin called WP Rocket. Besides, I have created a separate post on this topic, so you can easily find more information and go through that guide step by step.

Truth to tell, you don’t need to modify any line of WordPress .htaccess file. Furthermore, you don’t even need that file at all!

In this section, I will show you some examples of code to cover this topic entirely, but personally, I wouldn’t recommend you use any of these possibilities.

If you want to learn how to get rid of .htaccess file completely without losing any functionality of your site, just scroll down this page. 🙂


Enable browser caching


<IfModule mod_expires.c>
ExpiresActive on
ExpiresDefault "access plus 1 month"

ExpiresByType text/css "access plus 1 year"

# Data interchange
ExpiresByType application/json "access plus 0 seconds"
ExpiresByType application/xml "access plus 0 seconds"
ExpiresByType text/xml "access plus 0 seconds"

# Favicon (cannot be renamed!)
ExpiresByType image/x-icon "access plus 1 week"

# HTML components (HTCs)
ExpiresByType text/x-component "access plus 1 month"

ExpiresByType text/html "access plus 0 seconds"

# JavaScript
ExpiresByType application/javascript "access plus 1 year"

# Manifest files
ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
ExpiresByType text/cache-manifest "access plus 0 seconds"

# Media
ExpiresByType audio/ogg "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType video/mp4 "access plus 1 month"
ExpiresByType video/ogg "access plus 1 month"
ExpiresByType video/webm "access plus 1 month"

# Web feeds
ExpiresByType application/atom+xml "access plus 1 hour"
ExpiresByType application/rss+xml "access plus 1 hour"

# Web fonts
ExpiresByType application/font-woff2 "access plus 1 month"
ExpiresByType application/font-woff "access plus 1 month"
ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
ExpiresByType application/x-font-ttf "access plus 1 month"
ExpiresByType font/opentype "access plus 1 month"
ExpiresByType image/svg+xml "access plus 1 month"
</IfModule>

The code shown above could allow you to add expires headers to your WordPress .htaccess file.


Enable gzip compression


Although you don’t need to use the code snippet shown below, it could allow you to enable gzip compression on your site.

<IfModule mod_deflate.c>

# Compress HTML, CSS, JavaScript, Text, XML and fonts
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml

# Remove browser bugs (only needed for really old browsers)
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent
</IfModule>

This task (like the previous one) can be easily done with the WP Rocket plugin. You don’t have to edit any code if you choose this solution!


Restrict image hotlinking


The snippet of code shown below is going to prevent image hotlinking on your site.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
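To see which requests the script injection and hotlinking rules actually refuse, the sketch below evaluates their RewriteCond chains the way mod_rewrite does: conditions are ANDed, `[OR]` joins a condition to the next one, `!` negates and `[NC]` ignores case. It is an added example, not code from the article or from Apache; the function names and sample values are constructed, and the patterns are written with `\[`, `\%` and `\.` escaped.

```python
import re

# Added illustration; parse_conds, rule_fires and blocked are hypothetical names.
def parse_conds(block):
    """Turn RewriteCond lines into (variable, negated, regex, or_next) tuples."""
    conds = []
    for line in block.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "RewriteCond":
            continue
        var = parts[1][2:-1]                       # %{QUERY_STRING} -> QUERY_STRING
        flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
        negated = parts[2].startswith("!")
        pattern = parts[2][1:] if negated else parts[2]
        regex = re.compile(pattern, re.I if "NC" in flags else 0)
        conds.append((var, negated, regex, "OR" in flags))
    return conds

def rule_fires(conds, request):
    """Conditions are ANDed, except that [OR] joins a condition to the next one."""
    group_hit = False
    for var, negated, regex, or_next in conds:
        hit = (regex.search(request.get(var, "")) is not None) != negated
        group_hit = group_hit or hit
        if not or_next:                            # end of an OR group
            if not group_hit:
                return False
            group_hit = False
    return True

# Condition blocks of the script injection and hotlinking snippets.
INJECTION = parse_conds(r"""
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
""")
HOTLINK = parse_conds(r"""
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com [NC]
""")

def blocked(conds, variable, values):
    """Map each constructed sample value to True if the rule would answer 403."""
    return {v: rule_fires(conds, {variable: v}) for v in values}

# Constructed samples. QUERY_STRING is matched raw, still percent-encoded.
QUERIES = ["s=htaccess+tutorial", "q=%3Cscript%3Ex%3C/script%3E",
           "GLOBALS[a]=1", "s=defer+a+%3Cscript%3E+tag", "globals=off"]
REFERERS = ["", "https://www.yourdomain.com/post/", "https://other.example/page"]
```

Calling `blocked(INJECTION, "QUERY_STRING", QUERIES)` shows that a harmless search mentioning a script tag is refused as well, and `blocked(HOTLINK, "HTTP_REFERER", REFERERS)` shows that requests without a Referer header are always served.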


Why isn’t the .htaccess file the best solution for everyone?


Although .htaccess file is a very popular solution, it has a few quite significant downsides…

And here are the reasons why I think that the .htaccess file is a bad solution:

1. As you have noticed while reading this article, the .htaccess file is quite difficult for the majority of bloggers and entrepreneurs to understand and modify.

2. It is a time-consuming process to adjust all your settings using .htaccess file.

3. Although there is a syntax for configuring HTTP/HTTPS/www redirects, there are many issues with this functionality (check this post for a few proofs).

4. Editing the .htaccess file is not the only way (and not the best way) to increase your site’s speed and security.


How to get rid of .htaccess file for good and improve website’s speed and security without it?


After reviewing WordPress .htaccess file, I can finally reveal the secret about running any WordPress blog without that file.

As I mentioned before, the .htaccess file is a component of every WordPress site based on an Apache server.

The thing is that there is another type of server that does not use the .htaccess file. This server type is called Nginx.

Performance and security are two crucial features of every Nginx-based web server! 🙂

So, in order to get rid of the WordPress .htaccess file for good and improve your website’s security and performance, you should just switch to Kinsta. 🙂

Obviously, you can (and you should) speed up your WordPress site, but you don’t have to waste your time trying to modify .htaccess file and figuring out what would go wrong.

Some time ago, I published my own Kinsta review and a separate article comparing 4 best hosting providers in the world, so you could read more about hosting.

As for this blog, it’s hosted at SiteGround at the moment. This service is based on Google Cloud Platform, similarly to Kinsta, but it’s much cheaper!

Unlike Kinsta, SiteGround combines Apache and Nginx servers, so it stores the .htaccess file in my blog’s home directory.

So now you should make a choice – whether you prefer a cheaper service with .htaccess file or Kinsta, which is more expensive but works really well without htaccess.

And if you’d like to check my blog’s performance and security, feel free to use any online SEO checker and website speed tester with my domain name (alivebetter.com) as a URL.

And I’m fairly sure you’ll be impressed! 🙂