What is the .htaccess File?
The .htaccess file is a server configuration file used by the Apache web server for your WordPress installation. If your WordPress site runs on Apache, it will contain a .htaccess file.
The .htaccess file functions like a gatekeeper for your web server. In WordPress, it is primarily used to handle permalinks. With some custom configuration it can also block users, block image hotlinking, password protect directories, and handle URL redirects.
When you install WordPress on an Apache server, the .htaccess file is installed in your root directory by default. In some instances, the file is not found or is not generated. Here are some common reasons:
Why Can’t I Find the .htaccess File?
There are three reasons the .htaccess file does not appear in your website’s root folder:
1. Your Server is Not Running Apache
If your server runs on nginx, then it does not use .htaccess files. Some hosts that use nginx are:
Here is a more comprehensive list. If you are not sure, contact your host’s support team for clarification.
2. Your FTP Client is Not Showing Hidden Files
The .htaccess file is a hidden system file. Most FTP clients do not show hidden files by default, so you may need to enable the “show hidden files” option in your FTP client.
In FileZilla, you can enable the option under “Server » Force showing hidden files.”
In Transmit, the option is found under “View » Show Invisible Files.”
3. The .htaccess File Doesn’t Exist
There are other times when the .htaccess file simply does not exist, because your WordPress site has not generated it yet.
The easiest way to generate a .htaccess file is to log in to your WordPress dashboard and go to Settings » Permalinks. When you click on the “Save Changes” button, WordPress will attempt to generate the file.
If you get an error while saving the Permalinks settings, it may be due to permissions issues on your server. In this case, create a new file in a text editor and name it htaccess.txt so that it is not hidden. Copy and paste this code into the file:
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
Upload the file to your root directory using your FTP client. Rename the file to .htaccess.
Editing Your .htaccess file
You can edit your .htaccess file in a number of ways. In cPanel, you can go to File Manager and select the file for editing.
Most FTP clients also allow you to edit the file directly. In FileZilla, right-click the file and choose “View/Edit” to edit the file.
There are two things to note before editing your file.
First, be sure to back up your current file! It’s as simple as copying and pasting the contents to another text file.
Second, the code block that begins with # BEGIN WordPress and ends with # END WordPress is automatically generated. Do not add anything between those lines, as it will get overwritten when WordPress makes its changes. To ensure that your edits are preserved, add them before or after the code block.
Customizing Your .htaccess file
Now that you have your .htaccess file, it’s time for the fun stuff. Here are some of the things you can do with .htaccess:
Redirect Rules
Use Production Images in Local
If you develop WordPress sites locally, you might want to use production images on your local site to save space. In this case, you can use .htaccess to redirect requests for files in the upload folder to the production server. Important: do this on your local machine, and not on your production server!
RewriteCond %{REQUEST_URI} ^/wp-content/uploads/[^/]*/.*$
RewriteRule ^(.*)$ https://example.com/$1 [QSA,L]
Force www URLs
This will force example.com to use www.example.com.
RewriteEngine on
RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [L,R=301,NC]
Force non-www URLs
This will force www.example.com to use example.com.
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule ^(.*)$ https://example.com/$1 [L,R=301]
Force HTTPS
Force your site to load on https using the following rules.
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
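The rule above only looks at X-Forwarded-Proto, which is set by an upstream proxy or CDN; on a server that terminates TLS itself that header is absent on every request, so the redirect would fire again and again. The following added example (not code from the original article) handles both layouts, and also sends an HSTS header once the connection is known to be HTTPS; it assumes mod_rewrite and mod_headers are available and that any proxy in front sets X-Forwarded-Proto.

```apache
RewriteEngine On
# Redirect only when neither of these holds:
#   - TLS is terminated on this server (mod_ssl sets HTTPS=on), or
#   - an upstream proxy/CDN already received the request over HTTPS
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
# REQUEST_URI keeps the leading slash, so no RewriteBase is needed;
# the query string is carried over automatically on an external redirect
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Tell browsers to use HTTPS directly next time. Sent only on HTTPS
# responses, as the HSTS specification requires (the env=HTTPS condition
# relies on mod_ssl, so it applies to the direct-TLS layout only).
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
</IfModule>
```

Note that a client can send its own X-Forwarded-Proto: https header to a server that is not behind a proxy and thereby skip the redirect for itself; that affects only that client, not other visitors.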
Security Rules
Protect .htaccess
Since .htaccess is your gatekeeper, it’s a good idea to protect the gatekeeper itself:
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
Protect wp-config.php
Your wp-config.php file contains your database name and password. If a hacker can read this file, they can access your entire site. Use the following lines to prevent unauthorized access:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Restrict Access to the Admin
You can use .htaccess to restrict access to the WordPress dashboard. The code below blocks access from all IP addresses except for the ones you specify. For this to work, put a new .htaccess file in the wp-admin directory.
<Limit GET POST PUT>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
allow from xxx.xxx.xxx.xxx
</Limit>
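The same wp-admin restriction, as an added example rather than code from the original article, written for both the Apache 2.4 (Require) and 2.2 (Order/Allow) directive sets so it does not fail with a 500 error on a 2.4 server without mod_access_compat. It applies to every request method instead of only those listed in a <Limit> block, and it leaves admin-ajax.php reachable because themes and plugins call it from the public front end. 203.0.113.10 and 198.51.100.0/24 are placeholder addresses; the example assumes Apache sees the real client address (behind a proxy or CDN, REMOTE_ADDR is the proxy's address and this check would not work as intended).

```apache
# wp-content/../wp-admin/.htaccess (added example, not from the article)

# Apache 2.4: mod_authz_core is present, so use Require
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</IfModule>

# Apache 2.2 (mod_authz_core absent): classic Order/Deny/Allow
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 198.51.100.0/24
</IfModule>

# Front-end AJAX calls land here, so this file stays open to everyone.
# A <Files> section is more specific than the directory rules above and
# replaces their access decision for this one file.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Files>
```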
Prevent Directory Browsing
It’s possible to access your site directories via the browser. To prevent potential hackers from taking advantage of that, insert the following lines into your .htaccess file.
Options All -Indexes
Prevent PHP File Execution
One common hacking tactic is to upload and execute PHP code into the /wp-content/uploads folder. Create a .htaccess file in the /wp-content/uploads folder and insert the following code to prevent PHP execution.
<Files *.php>
deny from all
</Files>
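A broader version of the uploads rule, added here and not taken from the article: <Files *.php> matches only the .php extension, while a server's handler configuration may also pass .phtml, .php5 or .phar files to the PHP interpreter, so this version uses a FilesMatch pattern as a conservative superset and carries both the Apache 2.4 and 2.2 directive sets.

```apache
# wp-content/uploads/.htaccess (added example, not from the article)

# Refuse to serve anything whose name ends in an extension that a PHP
# handler might be mapped to. The list is deliberately wider than .php;
# extensions that are not mapped on your server are simply never requested
# legitimately from the uploads tree anyway.
<FilesMatch "\.(php|php[0-9]|phtml|phps|phar)$">
    # Apache 2.4
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (or 2.4 with mod_access_compat)
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

This only covers names ending in those extensions; if your server maps handlers by any dot-separated part of the name (AddHandler rather than SetHandler in a FilesMatch), a name such as shell.php.jpg may still be executed, so check how PHP is wired into Apache on your host.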
Prevent Image Hot Linking
Image hotlinking eats up your bandwidth and can slow down your site. Prevent others from hotlinking to your images:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https://(www\.)?example\.com/.*$ [NC]
# Exclude the placeholder image itself, otherwise the redirect to hotlink.gif matches again and loops
RewriteCond %{REQUEST_URI} !/wp-content/uploads/hotlink\.gif$
RewriteRule \.(png|gif|jpg|jpeg)$ https://www.example.com/wp-content/uploads/hotlink.gif [NC,R,L]
Block IP Addresses
If you know someone is trying to hack your site from a suspicious IP address, you can use the following code to block them.
<Limit GET POST>
order allow,deny
deny from 123.456.78.9
allow from all
</Limit>
Conclusion
The .htaccess file is a powerful tool that configures access to your web server. As such, use it carefully and always make sure you have a backup. A lot of the examples presented above can be done using plugins. Most of the time that is a better option.