The Ultimate Guide to .htaccess for WordPress

What is the .htaccess File?

The .htaccess file is a server configuration file used by the Apache web server for your WordPress installation. If your WordPress site runs on Apache, it will contain a .htaccess file.

The .htaccess file functions like a gatekeeper for your web server. In WordPress, it is primarily used to handle permalinks. With some custom configuration it can also block users, block image hotlinking, password protect directories, and handle URL redirects.

When you install WordPress on an Apache server, the .htaccess file is installed in your root directory by default. In some instances, the file is not found or it not generated. Here are some common reasons:

Why Can’t I Find the .htaccess File?

There are three reasons the .htaccess file does not appear in your website’s root folder:

1. Your Server is Not Running Apache

If your server runs on nginx, then it does not use .htaccess files. Some hosts that use nginx are:

Here is a more comprehensive list. If you are not sure, contact your host’s support team for clarification.

2. Your FTP Client is Not Showing Hidden Files

The .htaccess file is a hidden system file. Most FTP clients do not show hidden files by default, so you may need to enable the “show hidden files” option in your FTP client.

In FileZilla, you can enable the option under “Server » Force showing hidden files.

In Transmit, the option is found under “View » Show Invisible Files.”

3. The .htaccess File Doesn’t Exist

There are other times when the .htaccess file simply does not exist, because your WordPress site has not generated it yet.

The easiest way to generate a .htaccess file is to log in to your WordPress dashboard and go to Settings » Permalinks. When you click on the “Save Changes” button, WordPress will attempt to generate the file.

If you get an error while saving the Permalinks settings, it may due to permissions issues on your server. In this case, create a new file in a text editor and name it htaccess.txt so it get hidden. Copy and paste this code into the file:

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Upload the file to your root directory using your FTP client. Rename the file to .htaccess.

Editing Your .htaccess file

You can edit your .htaccess file in a number of ways. In cPanel, you can go to File Manager and select the file for editing.

Most FTP clients also allow you to edit the file directly. In FileZilla, right-click the file and choose “View/Edit” to edit the file.

There are two things to note before editing your file.

First, be sure to backup your current file! It’s as simple as copy and pasting the contents to another text file.

Second, the code block that begins with # BEGIN WordPress and ends with # END WordPress are automatically generated. Do not add anything between those lines, as they will get overwritten when WordPress makes its changes. To ensure that your edits are preserved, add them before or after the code block.

Customizing Your .htaccess file

Now that you have your .htaccess file, it’s time for the fun stuff. Here are some of the things you can do with .htaccess:

Redirect Rules

Use Production Images in Local

If you develop WordPress sites locally, you might want to use production images on your local site to save space. In this case, you can use .htaccess to redirect requests for files in the upload folder to the production server. Important: do this on your local machine, and not on your production server!

RewriteCond %{REQUEST_URI} ^/wp-content/uploads/[^\\/]*/.*$
RewriteRule ^(.*)$ <https://example.com/$1> [QSA,L]

Force www URLs

This will force example.com to use www.example.com

RewriteEngine on
RewriteCond %{HTTP_HOST} ^example.com [NC]
RewriteRule ^(.*)$ <https://www.example.com/$1> [L,R=301,NC]

Force non-www URLs

This will force www.example.com to use example.com

RewriteEngine on
RewriteCond %{HTTP_HOST} ^www.example.com [NC]
RewriteRule ^(.*)$ <https://example.com/$1> [L,R=301]

Force HTTPS

Force your site to load on https using the following rules.

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

Security Rules

Protect .htaccess

Since .htaccess is your gatekeeper, it’s a good idea to protect the gatekeeper itself:

<files ~ "^.*\\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

Protect wp-config.php

Your wp-config.php file contains your database name and password. If a hacker can read this file, they can access your entire site. Use the following lines to prevent unauthorized access:

<files wp-config.php>
order allow,deny
deny from all
</files>

Restrict Access to the Admin

You can use .htaccess to restrict access to the WordPress dashboard. The code below blocks access from all IP addresses except for the ones you specify. For this to work, put a new .htaccess file in the wp-admin directory.

<Limit GET POST PUT>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
allow from xxx.xxx.xxx.xxx
</Limit>

Prevent Directory Browsing

It’s possible to access your site directories via the browser. To prevent potential hackers from taking advantage of that, insert the following lines into your .htaccess file.

Options All -Indexes

Prevent PHP File Execution

One common hacking tactic is to upload and execute PHP code into the /wp-content/uploads folder. Create a .htaccess file in the /wp-content/uploads folder and insert the following code to prevent PHP execution.

<Files *.php>
deny from all
</Files>

Prevent Image Hot Linking

Image hotlinking eats up your bandwidth and can slow down your site. Prevent others from hotlinking to your images

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https://(www\\.)?example.com/.*$ [NC]
RewriteRule \\.(png|gif|jpg|jpeg)$ <https://www.example.com/wp-content/uploads/hotlink.gif> [R,L]

Block IP Addresses

If you know someone is trying to hack your site from a suspicious IP address, you can use the following code to block them.

<Limit GET POST>
order allow,deny
deny from 123.456.78.9
allow from all
</Limit>

Conclusion

The .htaccess file is a powerful tool that configures access to your web server. As such, use it carefully and always make sure you have a backup. A lot of the examples presented above can be done using plugins. Most of the time that is a better option.