WordPress htaccess [Complete Overview] (2020)

WordPress htaccess

The .htaccess file is a very popular WordPress file, which is considered to be an obligatory part of every WordPress installation by some people.

On the other hand, it causes many issues, and the majority of bloggers and webmasters are not aware that they can get rid of that file without any loss!

If you want to find a solution that I use, just keep reading. 🙂


What is htaccess file in WordPress?


Like I’ve mentioned before, the .htaccess file is a website’s configuration file of Apache web server.

With .htaccess file you can:

  • add special rules to deliver cached content more efficiently;
  • set up 301/302 redirects;
  • redirect HTTP to HTTPS;
  • ban/restrict access to your site based on IP addresses;
  • increase the maximum file upload size.


Where is .htaccess file located?


.htaccess file is a file that is automatically created every time you create a new WordPress installation on Apache webserver.

The file is located in the root directory (home directory) of your website.

There are two ways to access that file – using any FTP client (such as FileZilla) or with any WordPress file manager plugin (for example, WP File Manager from my list of best WordPress plugins).

And here, you can see an exemplary screenshot with .htaccess file location.

WordPress .htaccess file location


How to create WordPress .htaccess file?


If for any reason, there is no .htaccess file in your website’s home directory, you can generate it in one of two ways – by setting up permalinks or just create it manually with any text editor and then upload the file to your server.

If you decide to use the first solution, you just need to log into your WordPress dashboard, click Settings -> Permalinks, choose any setting (Post name is definitely the best one from SEO point of view), scroll down to the end of the page and click Save Changes.

WordPress permalinks settings

When it comes to the second solution, you just need to use MS Notepad or Notepad++, paste the following lines to the new file:

# BEGIN WordPress

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteBase /

RewriteRule ^index\.php$ – [L]

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule . /index.php [L]


# END WordPress

and save it as .htaccess.

Those ten lines above contain the default WordPress .htaccess file content.

Important notice:

In order to save your file correctly, you need to set All files (or All types) as its type and use .htaccess as its name.

how to create WordPress htaccess file

You can upload the file to your server using the same methods which you’ve used to access your website’s files – WP File Manager or any FTP client.


Exemplary WordPress htaccess Instructions


In this section of the article, I will show you some exemplary instructions for .htaccess file.

If you are, however, not interested in tampering with .htaccess file, you can omit this section, scroll down this page and learn how to get rid of .htaccess file for good without any loss in functionality. 🙂


WordPress htaccess Redirects


301 (Permanent) Redirect


Redirect 301 /oldpage.html http://www.domain-name.com/newpage.html


302 (Temporary) Redirect


Redirect 302 /oldpage.html http://www.domain-name.com/newpage.html


Force URL to www


From here, things are starting to get more and more mysterious and confusing…

RewriteEngine on

RewriteCond %{HTTP_HOST} ^example.com [NC]

RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301,NC]


Force URL to non-www


RewriteEngine on

RewriteCond %{HTTP_HOST} ^www.example.com [NC]

RewriteRule ^(.*)$ http://example.com/$1 [L,R=301]




RewriteEngine On

RewriteCond %{HTTP:X-Forwarded-Proto} !https

RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]


Force HTTP


<IfModule mod_rewrite.c>

RewriteEngine On

RewriteCond %{HTTP:X-Forwarded-Proto} ^https$

RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI}



Redirect Domain to Subdirectory


RewriteCond %{HTTP_HOST} ^example.com$

RewriteCond %{REQUEST_URI} !^/sub-directory-name/

RewriteRule (.*) /subdir/$1


Redirect a URL


Redirect 301 / http://www.mynewwebsite.com/


Improve Your Site’s Security With WordPress htaccess File


Protect .htaccess from unauthorized users


<files ~ “^.*\.([Hh][Tt][Aa])”>

order allow,deny

deny from all

satisfy all



Restrict access to WordPress admin area


# Limit logins and admin by IP


order deny,allow

deny from all

allow from xx.xx.xx.xx



Protect wp-config.php file from unauthorized access


<files wp-config.php>

order allow,deny

deny from all



Protect /wp-content/ directory


/wp-content/ is an essential WordPress directory which contains all the themes, plugins, and media files of your website. Thereby, it can be targeted by spammers and hackers quite frequently.

To protect /wp-content/ directory from unauthorized access, you can create a separate .htaccess file in that folder and paste the following content into it:

Order deny,allow

Deny from all

<Files ~ “.(xml|css|jpe?g|png|gif|js)$”>

Allow from all


This piece of code specifies which file extensions you’ll be able to upload to your site.


Disable PHP execution


<Files *.php>

deny from all


This snippet of code allows you to disable PHP execution in any directory of your choice.

In order to disable execution of PHP scripts, you should create a separate .htaccess file in a folder of your choice and use the code shown above.


File access restriction for additional WordPress accounts


If there is any person who can log into your website’s admin area (for example, another author), you can restrict their access to the files of your themes and plugins.

In order to do that, use the code snippet presented below:

RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php

RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/

RewriteRule wp-content/plugins/(.*\.php)$ – [R=404,L]

RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php

RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/

RewriteRule wp-content/themes/(.*\.php)$ – [R=404,L]


Script injection protection


Options +FollowSymLinks

RewriteEngine On

RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]

RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]

RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})

RewriteRule ^(.*)$ index.php [F,L]


Block any IP address from accessing your website


<Limit GET POST>

order allow,deny

deny from 123.456.78.9

allow from all


This example blocks access to your site from the IP address 123.456.78.9.


Deny access to individual files


If you’d like to block access to any file of your website, you can do that using the code below (you should obviously set the file name in the first line of code):

<files your-file-name.txt>

order allow,deny

deny from all



Disable browsing of your directories


# disable directory browsing

Options All -Indexes


Improve WordPress Performance With htaccess File


As it comes to your site’s performance, the main ingredient of your success is a plugin called WP Rocket. Besides, I have created a separate post in this topic, so you can easily find more information and go through that guide step by step.

Truth to tell, you don’t need to modify any line of WordPress .htaccess file. Furthermore, you don’t even need that file at all!

In this section, I will show you some examples of code to cover this topic completely, but personally, I wouldn’t recommend you use any of these possibilities.

If you want to learn how to get rid of .htaccess file completely without losing any functionality of your site, just scroll down this page. 🙂


Enable browser caching


<IfModule mod_expires.c>

ExpiresActive on

ExpiresDefault “access plus 1 month”


ExpiresByType text/css “access plus 1 year”

# Data interchange

ExpiresByType application/json “access plus 0 seconds”

ExpiresByType application/xml “access plus 0 seconds”

ExpiresByType text/xml “access plus 0 seconds”

# Favicon (cannot be renamed!)

ExpiresByType image/x-icon “access plus 1 week”

# HTML components (HTCs)

ExpiresByType text/x-component “access plus 1 month”


ExpiresByType text/html “access plus 0 seconds”

# JavaScript

ExpiresByType application/javascript “access plus 1 year”

# Manifest files

ExpiresByType application/x-web-app-manifest+json “access plus 0 seconds”

ExpiresByType text/cache-manifest “access plus 0 seconds”

# Media

ExpiresByType audio/ogg “access plus 1 month”

ExpiresByType image/gif “access plus 1 month”

ExpiresByType image/jpeg “access plus 1 month”

ExpiresByType image/png “access plus 1 month”

ExpiresByType video/mp4 “access plus 1 month”

ExpiresByType video/ogg “access plus 1 month”

ExpiresByType video/webm “access plus 1 month”

# Web feeds

ExpiresByType application/atom+xml “access plus 1 hour”

ExpiresByType application/rss+xml “access plus 1 hour”

# Web fonts

ExpiresByType application/font-woff2 “access plus 1 month”

ExpiresByType application/font-woff “access plus 1 month”

ExpiresByType application/vnd.ms-fontobject “access plus 1 month”

ExpiresByType application/x-font-ttf “access plus 1 month”

ExpiresByType font/opentype “access plus 1 month”

ExpiresByType image/svg+xml “access plus 1 month”



The code shown above could allow you to add expires headers to your WordPress .htaccess file.


Enable gzip compression


Although you don’t need to use the code snippet shown below, it could allow you to enable gzip compression on your site.

<IfModule mod_deflate.c>

# Compress HTML, CSS, JavaScript, Text, XML and fonts

AddOutputFilterByType DEFLATE application/javascript

AddOutputFilterByType DEFLATE application/rss+xml

AddOutputFilterByType DEFLATE application/vnd.ms-fontobject

AddOutputFilterByType DEFLATE application/x-font

AddOutputFilterByType DEFLATE application/x-font-opentype

AddOutputFilterByType DEFLATE application/x-font-otf

AddOutputFilterByType DEFLATE application/x-font-truetype

AddOutputFilterByType DEFLATE application/x-font-ttf

AddOutputFilterByType DEFLATE application/x-javascript

AddOutputFilterByType DEFLATE application/xhtml+xml

AddOutputFilterByType DEFLATE application/xml

AddOutputFilterByType DEFLATE font/opentype

AddOutputFilterByType DEFLATE font/otf

AddOutputFilterByType DEFLATE font/ttf

AddOutputFilterByType DEFLATE image/svg+xml

AddOutputFilterByType DEFLATE image/x-icon

AddOutputFilterByType DEFLATE text/css

AddOutputFilterByType DEFLATE text/html

AddOutputFilterByType DEFLATE text/javascript

AddOutputFilterByType DEFLATE text/plain

AddOutputFilterByType DEFLATE text/xml

# Remove browser bugs (only needed for really old browsers)

BrowserMatch ^Mozilla/4 gzip-only-text/html

BrowserMatch ^Mozilla/4\.0[678] no-gzip

BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

Header append Vary User-Agent



Restrict image hotlinking


The snippet of code shown below is going to prevent image hotlinking on your site.

RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]

RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]


Why is .htaccess file rather bad than the good solution?


Although .htaccess file is a very popular solution, it has a few quite significant downsides…

And these are the reasons why I think that the .htaccess file is a bad solution.

1. As you have noticed while reading this article, htaccess file is quite difficult to be understood and modified by the majority of bloggers and entrepreneurs.

2. It is a time-consuming process to adjust all your settings using .htaccess file.

3. Although there is a syntax for configuring HTTP/HTTPS/www redirects, there are many issues with this functionality (check this post for a few proofs).

4. It’s definitely not the only way (and not the best way) to increase your site’s speed and security.


How to get rid of .htaccess file for good and improve website’s speed and security without it?


After reviewing WordPress .htaccess file, I can finally reveal the secret about running any WordPress blog without that file.

As I mentioned before, .htacess file is a component of every WordPress site based on Apache server.

The thing is that there is another type of server that does not contain .htaccess file. This server type is called Nginx.

When it comes to server performance and security, they are two crucial features of each Nginx-based webserver! 🙂

So, in order to get rid of .htaccess file for good and improve your site’s security and performance, you should just switch to Kinsta. 🙂

Obviously, you can (and you should) speed up your WordPress site, but you don’t have to waste your time trying to modify .htaccess file and figuring out what would go wrong.

Some time ago, I published my own Kinsta review and a separate article comparing 4 best hosting providers in the world, but truth to tell, Kinsta is by far the best of the best! 🙂

If you’d like to check how it’s about my blog’s performance and security, feel free to use any online SEO checker and website speed tester with my domain name (alivebetter.com) as a URL.

And I’m fairly sure you’ll be impressed! 🙂