28 December 2023

15 Awesome .htaccess Tips for Your WordPress Site

By Ronald Smith

If you want to harden your WordPress site against the attacks it sees every day, a properly configured .htaccess file is a must. It isn't only about security, either: .htaccess also lets you manage redirects, browser caching and more. Below are some useful .htaccess snippets for WordPress.

.htaccess is a per-directory configuration file read by the Apache web server. Most WordPress sites run on Apache, so these tips apply to most installs. If your site runs on Nginx instead, be aware that Nginx ignores .htaccess entirely; the same rules have to be written into the Nginx server configuration.

Before you edit .htaccess, make a backup. A single typo in this file can take the whole site down with a 500 error, and with a backup you can revert in seconds.

If you would rather not edit configuration files by hand, the BulletProof Security plugin is a long-established .htaccess security plugin, and it's free.

Setting up the default WP .htaccess file

Each directory of your WordPress site can have its own .htaccess file, and WordPress writes the one in the site root itself when you save your permalink settings. If your site doesn't have one yet (for example because the root directory isn't writable), creating it is easy:

  1. Create a new empty text file
  2. Give it the name .htaccess

Below is the default .htaccess that WordPress generates; you can also find it in the WordPress Codex whenever you need it. Note that WP Multisite uses a different .htaccess.

```apache
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# Send every request that is not an existing file or directory to index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
```

Lines starting with "#" are comments. Don't edit anything between "# BEGIN WordPress" and "# END WordPress": WordPress rewrites that block whenever you change your permalink settings, so edits made there are silently lost. Put your own rules outside the markers. Most of the snippets below can simply go after "# END WordPress"; rewrite rules that must see every request (such as the query-string filters later in this article) belong above "# BEGIN WordPress", because the WordPress block ends with an [L] rule that stops rewrite processing.

All the snippets in this article go in the .htaccess file in your site's root directory unless a tip says otherwise. Apache only honours them if the server's AllowOverride setting permits it (typically AllowOverride All), so if a snippet has no effect, or the site suddenly returns a 500 error, that setting is the first thing to check with your host.

1. Deny access to all .htaccess files

Your .htaccess files describe exactly how the site is protected, so nobody should be able to download them. Apache's stock configuration already refuses to serve files whose names start with .ht, but hosting setups vary, and it costs nothing to state it explicitly. Note that this and the next few snippets use the classic Order/Allow/Deny directives; Apache 2.4 only understands them when mod_access_compat is loaded (most shared hosts have it), and the modern equivalent is the Require directive.

```apache
# Denies access to all .htaccess and .htpasswd files
<FilesMatch "^\.ht">
Order Allow,Deny
Deny from all
Satisfy all
</FilesMatch>
```

2. Keep your WP configuration safe

wp-config.php holds the database credentials and the authentication salts for your site. PHP normally executes it rather than serving its source, but a broken PHP handler or an editor backup such as wp-config.php.bak can expose it as plain text, so deny HTTP access to it outright. Nothing legitimate ever fetches wp-config.php through a browser, not even an administrator, so the safest option is to leave the Allow lines commented out.

If you still want to let a specific address through, uncomment an Allow line and replace xx.xx.xx.xxx with that IP. One detail matters here: with `Order Allow,Deny` a `Deny from all` beats every Allow line, so an allowlist only works with `Order Deny,Allow`, which is what the snippet uses.

```apache
# Protects wp-config.php (and stray copies such as wp-config.php.bak)
<FilesMatch "^wp-config\.php">
Order Deny,Allow
Deny from all
# Allow from xx.xx.xx.xxx
# Allow from yy.yy.yy.yyy
</FilesMatch>
```

3. Prevent XML-RPC DDoS attacks

XML-RPC (xmlrpc.php) is WordPress's legacy remote-publishing interface. It is also a favourite of attackers: its pingback method can be abused to make your server flood a third party with requests, and system.multicall lets an attacker try hundreds of passwords in a single request. If you don't use it (Jetpack and some mobile or desktop publishing clients still do), block it. To make exceptions, uncomment the Allow lines and fill in your administrators' IP addresses.

```apache
# Protects xmlrpc.php against pingback DDoS and multicall brute force
<FilesMatch "^xmlrpc\.php$">
Order Deny,Allow
Deny from all
# Allow from xx.xx.xx.xxx
# Allow from yy.yy.yy.yyy
</FilesMatch>
```

4. Protect the admin area

Restricting /wp-admin/ to your administrators' IP addresses shuts out everyone else, whatever credentials they hold. Add at least one Allow line with your own address, or you will lock yourself out too. Two things to know before using this: it must go in a separate .htaccess file inside the wp-admin directory (in the root file it would block the whole site), and admin-ajax.php, which themes and plugins call on behalf of logged-out visitors, lives in the same directory and will be blocked along with everything else. It also only helps if your administrators have fixed addresses, and if the site sits behind a CDN or reverse proxy, Apache sees the proxy's address rather than the visitor's unless mod_remoteip is configured.

```apache
# Protects the admin area by IP (place this in /wp-admin/.htaccess)
# The Auth* lines are inert: no "Require valid-user" is set, so no password prompt appears
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
# Applies to every request method; wrapping this in <Limit GET> would leave POST open
Order Deny,Allow
Deny from all
# Allow access only from your administrators' addresses
Allow from xx.xx.xx.xxx
Allow from yy.yy.yy.yyy
```
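For servers running Apache 2.4, here is the same access control written with the Require directive instead of Order/Deny/Allow. This is an added example, not code from the original article. The addresses 203.0.113.10 and 198.51.100.0/24 are placeholders for your own, and the example also covers wp-login.php, which lives in the site root rather than in wp-admin/ and is what brute-force tools actually target:

```apache
# --- /wp-admin/.htaccess (Apache 2.4 syntax) ---
# Assumed administrator addresses: one host and one office range (placeholders)
<RequireAny>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</RequireAny>
# admin-ajax.php is called by themes and plugins for logged-out visitors,
# so keep it reachable: this <Files> section overrides the directory rule above
<Files admin-ajax.php>
    Require all granted
</Files>

# --- root .htaccess (Apache 2.4 syntax) ---
# The login form is /wp-login.php, outside wp-admin/, so restrict it separately
<Files wp-login.php>
    <RequireAny>
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
    </RequireAny>
</Files>
```

If visitors reach Apache through a reverse proxy or CDN, `Require ip` compares against the proxy's address; configure mod_remoteip in the server config (RemoteIPHeader X-Forwarded-For plus RemoteIPInternalProxy listing the proxy addresses) so the real client address is used. Restricting wp-login.php by IP also blocks password-reset links for anyone outside those ranges, so apply it only when everyone who logs in has a known address.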

5. Prevent directory listing

If a directory has no index file, Apache may answer with a listing of its contents. Many WordPress sites leave this enabled, so anyone can browse /wp-content/uploads/ or a plugin folder and see exactly which files, plugins and versions are present, which is a gift to anyone looking for a known-vulnerable plugin. A single directive turns the listing off; Apache then returns a 403 error instead.

```apache
# Prevents directory listing
Options -Indexes
```

If this one line produces a 500 error, your host's AllowOverride setting doesn't include Options; ask them to disable directory indexes in the server configuration instead.

6. Stop username enumeration

With pretty permalinks enabled, requesting /?author=1 redirects to that user's archive at /author/username/, so an attacker can walk through author IDs, collect every login name, and feed them straight into a brute-force tool. The rule below sends such requests back to the home page instead. Put it above the "# BEGIN WordPress" block: the WordPress rules end with [L] and would otherwise stop it from running for any URL other than /. Keep in mind that .htaccess only closes this one route; the REST API (/wp-json/wp/v2/users) also lists users who have published posts, so consider restricting that as well.

```apache
# Prevents username enumeration via /?author=N
# Admin screens use ?author= to filter post lists, so leave them alone
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/wp-admin/ [NC]
RewriteCond %{QUERY_STRING} (^|&)author=\d
RewriteRule ^ /? [L,R=301]
```

7. Block known spammers and bots

Sometimes you want to ban specific IP addresses outright, for example a scraper or comment spammer that keeps turning up in your logs. This snippet blocks the listed addresses and lets everyone else in. Replace the placeholders with real addresses; CIDR ranges such as 203.0.113.0/24 work too.

```apache
# Blocks specific IP addresses, allows everyone else
Order Allow,Deny
Deny from xx.xx.xx.xxx
Deny from yy.yy.yy.yyy
Allow from all
```

8. Prevent image hotlinking

Hotlinking, where other sites embed your images straight from your server, isn't a security threat, but it lets other people use your images without permission while you pay for the bandwidth. This snippet returns a 403 for image and document requests whose Referer header names a site other than yours. Requests with an empty Referer (direct visits, many privacy-minded browsers, RSS readers) are still allowed by the first condition. Replace yourwebsite.com and yourwebsite2.com with your own domains.

```apache
# Prevents image hotlinking
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourwebsite\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourwebsite2\.com [NC]
RewriteRule \.(jpe?g|png|gif|ico|pdf|flv|swf|gz)$ - [NC,F,L]
```

9. Prevent unauthorized access to plugin & theme PHP files

Plugin and theme PHP files are meant to be loaded by WordPress, not requested on their own. Calling one directly, whether by accident or on purpose, can trigger PHP errors that disclose the server's directory layout, and some plugins do things they shouldn't when loaded outside WordPress. I found this useful piece of code from Acunetix, a company specializing in website security. They have a blog post explaining more about this vulnerability.

The snippet returns a 404 for any PHP file under wp-content/plugins/ and wp-content/themes/. The RewriteCond lines are placeholders for files or directories that genuinely need direct access (a few plugins do), so either fill them in or delete them.

```apache
# Block direct access to PHP files in plugin and theme directories
# Fill in (or delete) the RewriteCond lines for files that must stay reachable
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]
```

10. Implement permanent redirects

Permanent redirects are easy with .htaccess: give the old path you want to redirect from, then the new URL to send visitors to. Redirect is handled by mod_alias rather than mod_rewrite and matches by path prefix, so /oldurl1/anything is forwarded to the new location as well. Use https in the target if your site is served over it.

```apache
# Permanent redirects
Redirect 301 /oldurl1/ http://yoursite.com/newurl1
Redirect 301 /oldurl2/ http://yoursite.com/newurl2
```

11. Send visitors to a maintenance page

Sometimes you need to take the site offline for a while, for example during a risky upgrade. We wrote about this technique in detail here. You need a separate maintenance page (maintenance.html in the example) for the .htaccess rule to work; the rule then puts your WordPress site into maintenance mode.
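The .htaccess snippet for this tip is missing from the page, so here is an added example of how the technique is usually implemented; it is not code from the original article. It assumes maintenance.html sits in the site root and that 203.0.113.10 is your own address (a placeholder), which is exempted so you can check the site while it is down:

```apache
# Maintenance mode: answer 503 with /maintenance.html for everyone except the admin address
<IfModule mod_rewrite.c>
RewriteEngine On
# Your own IP (placeholder) keeps full access so you can test the site
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
# Never intercept the maintenance page itself, or the static assets it references
RewriteCond %{REQUEST_URI} !^/maintenance\.html$
RewriteCond %{REQUEST_URI} !\.(css|js|png|jpe?g|gif|svg|ico)$ [NC]
# R=503 is outside the 3xx range, so mod_rewrite drops the substitution and
# returns the status code; ErrorDocument then supplies the page body
RewriteRule ^ - [R=503,L]
</IfModule>
ErrorDocument 503 /maintenance.html
<IfModule mod_headers.c>
# Tell crawlers when to come back (seconds); Apache 2.4 expression syntax
Header always set Retry-After "3600" "expr=%{REQUEST_STATUS} == 503"
</IfModule>
```

Answering 503 rather than redirecting to a page that returns 200 matters for search engines: a 503 with Retry-After tells them the outage is temporary and to keep the existing index, whereas a 200 maintenance page risks being indexed in place of your content. Place the block above "# BEGIN WordPress" so it runs before the WordPress rules, and remove or comment it out to bring the site back.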

12. Protect the /wp-includes/ folder

The /wp-includes/ folder holds the WordPress core library. Those files are loaded by WordPress itself and never need to be requested by a browser directly, so there is no reason to let anyone execute them on their own. The snippet below is the "block include-only files" rule set from the WordPress hardening guide. It also refuses direct requests to /wp-admin/includes/.

```apache
# Blocks direct requests to wp-includes files (WordPress hardening guide snippet)
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# Not a wp-includes URL: skip the next three rules
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
```

One caveat from the same guide: on Multisite the rule that blocks `wp-includes/[^/]+\.php` also blocks ms-files.php, which older networks use to serve uploaded media, so drop that one line on a Multisite install (at the cost of a little less protection).

13. Block some XSS probes

This filter, also from the WordPress hardening guide, rejects requests whose query string contains an obvious <script> tag or tries to inject PHP's GLOBALS or _REQUEST variables. Treat it as a tripwire, not as XSS protection: it only inspects the query string, misses encoded or stored payloads, and the real defence against XSS is escaping output in theme and plugin code and keeping plugins updated. It can also block legitimate requests that happen to contain those strings, so watch your logs after enabling it. Like the username-enumeration rule, it belongs above the "# BEGIN WordPress" block.

```apache
# Blocks some XSS probes in the query string (from the WordPress hardening guide)
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
</IfModule>
```

14. Enable browser caching

.htaccess isn't only for security and redirects; it can also tell browsers how long to keep static files. Every visit makes the browser download images, stylesheets and scripts, but those files rarely change, so fetching them again on each visit is wasteful. The snippet below (from Elegant Themes) sets an expiry time per file type, so returning visitors load those files from their local cache instead of from your server, which noticeably improves load times.

```apache
# Enables browser caching (requires mod_expires)
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresDefault "access 2 days"
</IfModule>
```

Two things to check before copying this. ExpiresDefault applies to everything not listed, including the HTML pages WordPress generates, so frequently updated pages can look stale for up to two days; lower it or drop that line if that's a problem. And Apache labels .js files as application/javascript (or text/javascript), not text/x-javascript, so the JavaScript line above may never match; add an ExpiresByType line for application/javascript if you want scripts cached.

15. Set up custom error pages

You can replace Apache's bare error pages with your own for any HTTP status code, 4XX and 5XX alike, so visitors see a helpful message in your site's look and feel when something goes wrong. Two steps:

  1. Create the custom error pages, for example custom-403.html and custom-404.html.
  2. Upload them to your root folder.

Then tell Apache which page to serve for which status:

```apache
# Sets up custom error pages
ErrorDocument 403 /custom-403.html
ErrorDocument 404 /custom-404.html
```

In the code above, "/custom-403.html" and "/custom-404.html" are the paths, relative to the site root, of the pages to show for a 403 and a 404 error. Two WordPress-specific caveats: most 404s on a WordPress site never reach Apache's error handling, because the WordPress rewrite block routes every unknown URL to index.php and the theme's 404.php template answers, so ErrorDocument 404 only covers requests Apache itself rejects (missing static files, and the 404s produced by the plugin-file rule above). The 403 page, on the other hand, is exactly what visitors see whenever one of the Deny rules in this article fires. Keep the error pages as plain static HTML: if you ever add a 500 or 503 page, a PHP-driven one may be broken by the very problem it is supposed to explain.