WordPress htaccess: what it is, what it is for, how to change it


The WordPress .htaccess file is one of the building blocks of your website. In this short guide we will see everything you need to know about this very important file: what it is, what it is for, how to edit it and what to do.

Are you ready? Let’s begin!

What is the .htaccess file?

.htaccess is a per-directory configuration file for the Apache web server. Apache reads it on every request for the directory it sits in (and its subdirectories), provided the main server configuration allows overrides there (AllowOverride). Placed in the site's root directory it therefore applies to the whole WordPress site. The file is read and applied, not executed, and Apache runs perfectly well without it.

.htaccess stands for "hypertext access". The filename begins with a dot, which marks it as hidden on Unix-like systems: file managers and FTP clients only list it when the option to show hidden files is enabled. The default Apache configuration also refuses to serve any file whose name starts with .ht, so visitors cannot download it.

What is the .htaccess file for in WordPress?

The .htaccess file lets you enable or disable features that Apache offers, per directory, without touching the main server configuration. For a WordPress site these include the pretty-permalink rewrite rules that WordPress writes itself, redirects, some access controls (blocking IP addresses, denying access to sensitive files and to the admin area, hiding usernames) and caching instructions.

Where is the .htaccess file?

Open the site folders through your host's file manager or over FTP/SFTP. The .htaccess file is located in the root, the main directory of the site, the one that also contains the wp-admin, wp-includes and wp-content directories. The file is hidden, so make sure the option to show hidden files is enabled. If it does not exist yet, WordPress creates it when you save the permalink settings, provided the directory is writable.

The basic configuration of the .htaccess file for WordPress

Keep a copy of the default configuration at hand: if a change goes wrong, you can always restore it. This is what WordPress writes when you save the permalink settings:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Before modifying it, make a backup. This is very important, because an incorrect configuration of the file can "break" your site: a single syntax error in .htaccess makes Apache answer every request, including the WordPress dashboard, with a 500 Internal Server Error until the file is fixed or the backup is restored over FTP.

Edit the .htaccess file

Protect important files

.htaccess is a valid ally in increasing the security of your site. You can use it to deny web access to files that should never be served, such as wp-config.php (which holds the database credentials and the authentication keys), php.ini and the error log. The directives must sit inside a <Files> or <FilesMatch> container; on their own they would deny access to the entire site.

<FilesMatch "^(wp-config\.php|php\.ini|error_log)$">
Order allow,deny
Deny from all
</FilesMatch>

Order and Deny are Apache 2.2 directives; Apache 2.4 still accepts them through mod_access_compat, which most hosts load, but its native form is Require all denied.
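An added example (not from the original article) that does the same job on both Apache 2.2 and 2.4 and also covers the leftovers that usually sit next to wp-config.php. The name error_log is an assumption; use whatever name your host gives the PHP error log.

```apache
# Added example: deny web access to sensitive files.
# Apache 2.4 uses Require (mod_authz_core); the second branch is the
# Apache 2.2 syntax and is only read when mod_authz_core is absent.
#
# The pattern matches:
#   wp-config.php                   the live configuration
#   wp-config.php.bak, wp-config.php~, wp-config.php-old
#                                   backups and editor copies, which PHP
#                                   does not execute and therefore serves
#                                   as plain text, credentials included
#   .wp-config.php.swp              a vim swap file left after a crash
#   php.ini, error_log              assumed names, adjust to your host
#   .htaccess, .htpasswd            already denied by Apache's default
#                                   config, repeated here in case it is not
<FilesMatch "^(\.?wp-config\.php(\..*|~|-.*)?|php\.ini|error_log|\.htaccess|\.htpasswd)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
```

After saving, check from outside with curl -I https://www.your-site.com/wp-config.php and curl -I https://www.your-site.com/wp-config.php.bak: both must answer 403 (a 404 for the backup is fine too, it means the file does not exist). This only stops direct downloads; a plugin vulnerability that reads files from disk is not affected by it.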

Restrict access to the admin area

You can also restrict access to the admin area (wp-login.php and the wp-admin directory) to a few addresses by adding the following rules (if you connect from a static IP address):

ErrorDocument 401 /path-to-your-site/index.php?error=404
ErrorDocument 403 /path-to-your-site/index.php?error=404

RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.11$
RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.7$
RewriteRule ^(.*)$ - [R=403,L]

With these rules, a request for the login page or for anything under wp-admin coming from an address that is not listed is answered with a 403. Because of the ErrorDocument lines the body of that response is your site's index.php instead of Apache's bare error page (WordPress ignores the error=404 parameter and simply renders the front page, so the visitor sees nothing that looks like an admin login). Replace /path-to-your-site/ with the path of your site relative to the web root (just / if WordPress is installed at the root). The three addresses shown are placeholders from the documentation ranges: replace them with the addresses you want to allow, keeping the backslash before each dot (an unescaped dot matches any character). If you only need one address, delete the other two RewriteCond lines.

Two caveats. The wp-admin pattern also blocks wp-admin/admin-ajax.php, which some themes and plugins call for anonymous visitors; if a front-end feature stops working, add a RewriteCond %{REQUEST_URI} !admin-ajax\.php line. And if the site sits behind a CDN or reverse proxy, REMOTE_ADDR is the proxy's address rather than the visitor's, so these rules will lock everyone out (or nobody) until the real client address is restored with mod_remoteip.
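On Apache 2.4 the same allow-list can be written with the server's own access-control directives instead of rewrite rules, which is easier to read and accepts whole network ranges. This is an added example, not part of the original article; the addresses are placeholders from the RFC 5737/3849 documentation ranges, and the assumption is that wp-admin/admin-ajax.php and admin-post.php must stay reachable for anonymous visitors.

```apache
# Added example (Apache 2.4, mod_authz_core). The login page is a single
# file, so a <Files> container in the root .htaccess covers it wherever
# the request comes from.
<Files wp-login.php>
  <RequireAny>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
    Require ip 2001:db8::/32
  </RequireAny>
</Files>

# wp-admin/ is a directory, which <Files> cannot match from the root
# .htaccess, so test the request URI instead. admin-ajax.php and
# admin-post.php are exempted because themes and plugins call them for
# visitors who are not logged in (the [.] avoids a backslash in the quoted
# expression).
<If "%{REQUEST_URI} =~ m#^/wp-admin/# && %{REQUEST_URI} !~ m#^/wp-admin/admin-(ajax|post)[.]php$#">
  <RequireAny>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
    Require ip 2001:db8::/32
  </RequireAny>
</If>
```

A simpler alternative for the directory is a second .htaccess file inside wp-admin/ containing only the RequireAny block plus a <Files admin-ajax.php> Require all granted </Files> exception. As with the rewrite version, put mod_remoteip in front of this if a proxy or CDN terminates connections for you, otherwise every visitor appears to come from the proxy.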

If you have a dynamic IP address , you can use this code:

ErrorDocument 401 /path-to-your-site/index.php?error=404
ErrorDocument 403 /path-to-your-site/index.php?error=404

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?your-site\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$
RewriteRule ^(.*)$ - [F]

Many attackers use bots that post passwords to wp-login.php from scripts or from a copy of your login form hosted elsewhere. These rules refuse (403) any request for the login page or the admin directory whose Referer header points to a site other than yours. The first condition lets through requests that carry no Referer at all, which is what a browser sends when you type the address into the address bar; without it you would lock yourself out as well. Keep in mind that the Referer header is chosen by the client and trivially forged, so this filters only careless bots; it reduces noise in the log, it is not an access control.
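If your address changes, a control that actually resists forgery is a second password at the web-server level: Apache's HTTP Basic authentication on wp-login.php. The credentials never reach PHP, so a bot has to break this layer before it can even see the WordPress form. This is an added example, not part of the original article; the path /home/example/.htpasswd is an assumption and must point to a file outside the web root.

```apache
# Added example: HTTP Basic authentication in front of wp-login.php.
# Create the credential file once, outside the document root, with:
#   htpasswd -c /home/example/.htpasswd adminuser
# Serve the site over HTTPS only; Basic credentials are just base64 on the wire.
<Files wp-login.php>
  AuthType Basic
  AuthName "Restricted"
  AuthUserFile /home/example/.htpasswd
  Require valid-user
</Files>

# A bot that gets a 401 here never reaches the WordPress login code, so
# password guessing stops costing PHP time. The ErrorDocument 401 line
# earlier in the file still decides what the body of that 401 looks like.
```

Two notes for a practitioner. Use a different password than the WordPress account, otherwise the second layer adds nothing once the first is guessed. And the login form is not the only place that accepts passwords: xmlrpc.php does too, so unless a plugin or the mobile app needs it, deny it with the same <Files> pattern used for wp-config.php above.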

Protect your site from malicious code

Many attack tools send requests whose query string tries to overwrite the PHP superglobals GLOBALS and _REQUEST (an old trick from the register_globals era) or to smuggle a <script> tag into a parameter, hoping that a badly written plugin echoes it back into the page. To refuse such requests before they reach PHP, you can add this to the .htaccess file:

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

The [F] flag answers with a 403, so the index.php target is never used. Two caveats: if your host does not allow Options in .htaccess, the first line alone produces a 500 error, and since mod_rewrite already needs FollowSymLinks (or SymLinksIfOwnerMatch) to work at all, you can usually delete it. And these are plain signature matches that a different encoding sidesteps easily; they catch mass scanners, not a determined attacker, for which a real web application firewall is needed.

Protect your username

When a visitor opens your-site.com/?author=1, WordPress redirects to the archive page of the user with ID 1, and the URL of that page (/author/username/) contains the account's login name. An attacker then only needs the password to enter your site, and ID 1 is normally the administrator account created at installation.

To prevent username enumeration , enter this code:

RewriteEngine On
RewriteCond %{QUERY_STRING} ^author=\d+
RewriteRule ^ /? [L,R=301]

The ? at the end of the target discards the query string, so the visitor is sent to the home page instead of the author archive.
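The ?author= redirect is only one of the ways usernames leak: the REST API lists users too, at /wp-json/wp/v2/users and, on sites without pretty permalinks, at /?rest_route=/wp/v2/users. The added example below (not from the original article) goes beyond the text and closes that path as well for visitors who carry no WordPress login cookie, so that the block editor, which needs the endpoint, keeps working for your own users.

```apache
# Added example: refuse the REST users endpoint to anonymous requests.
# Logged-in users carry a cookie named wordpress_logged_in_<hash>; the
# first condition lets those through. An attacker can set such a cookie by
# hand, so this cuts mass scanning rather than enforcing access control;
# the real fix is the rest_endpoints filter in PHP, not .htaccess.
RewriteEngine On
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_ [NC]
RewriteCond %{REQUEST_URI} ^/wp-json/wp/v2/users [NC,OR]
RewriteCond %{QUERY_STRING} rest_route=(/|%2F)wp(/|%2F)v2(/|%2F)users [NC]
RewriteRule ^ - [F,L]
```

Test it with curl -s -o /dev/null -w '%{http_code}\n' https://www.your-site.com/wp-json/wp/v2/users, which should print 403, then log in and confirm the editor still loads. Usernames also appear in author archives (/author/username/), in comment markup and in the login form's error messages, so treat this as reducing exposure, not eliminating it, and make the password strong regardless.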

Secure the wp-includes directory

The wp-includes directory holds most of the WordPress core code. None of its PHP files is meant to be requested directly by a browser, so you can refuse such requests outright and take those files off the attack surface; WordPress itself still loads them from disk as usual.

RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

The [S=3] line skips the three wp-includes rules for any other path. On a multisite installation, remove the [^/]+\.php$ line: it would block ms-files.php, which serves uploaded images, at the cost of slightly less protection.

Force use of the SSL certificate

The following directives need mod_ssl and act only on requests that already arrive over HTTPS: they reject any request whose Host header is not the exact fully qualified domain name (FQDN) on the SSLRequire line, and the ErrorDocument then sends the browser to the canonical HTTPS address. Note what they do not do: a visitor who types http:// is not redirected to HTTPS, and many hosts do not allow SSLRequire in .htaccess at all (on Apache 2.4 it is deprecated in favour of Require expr).

SSLOptions +StrictRequire
SSLRequire %{HTTP_HOST} eq "www.your-site.com"
ErrorDocument 403 https://www.your-site.com
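What site owners usually mean by "force the certificate" is sending every plain-HTTP request to HTTPS. The added example below (not from the original article) does that with mod_rewrite, which works on hosts that forbid mod_ssl directives in .htaccess, and adds the HSTS header that tells browsers to stop trying plain HTTP at all. It assumes the canonical address is https://www.your-site.com and that, if a proxy or CDN terminates TLS in front of the server, it is one you control.

```apache
# Added example: redirect all plain-HTTP traffic to the HTTPS canonical host.
# Place this above the "# BEGIN WordPress" block so it runs before the
# permalink rules.
RewriteEngine On
RewriteCond %{HTTPS} !=on
# Behind a TLS-terminating proxy or CDN the connection to Apache is plain
# HTTP, so %{HTTPS} reads "off" even for secure visits. The proxy reports
# the real scheme in X-Forwarded-Proto; trust it only if the proxy is yours,
# because any client can send that header directly.
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^ https://www.your-site.com%{REQUEST_URI} [R=301,L]

# HSTS: once every page works over HTTPS, browsers that have seen this
# header refuse to use http:// for the site for max-age seconds. Start
# small (here five minutes) while testing; raise it to months once no
# mixed-content errors remain. env=HTTPS limits the header to secure
# responses, as the specification requires.
<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=300" env=HTTPS
</IfModule>
```

Use R=302 instead of R=301 until you have confirmed the redirect is correct: browsers cache 301 responses, and a wrong permanent redirect is painful to undo. Also set the WordPress Address and Site Address in Settings > General to https://, otherwise WordPress keeps emitting http:// links and every page load goes through the redirect.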

Prevent hotlinking

Hotlinking occurs when another site embeds one of your images by pointing directly at its URL on your server instead of copying the file: every visitor to that site downloads the image from you. You pay the bandwidth and your site slows down. Here's how to avoid it:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?your-site\.com/.*$ [NC]
RewriteCond %{REQUEST_URI} !/hotlink\.gif$
RewriteRule \.(gif|jpg)$ https://www.your-site.com/hotlink.gif [R,L]

As always, replace your-site.com with your domain and https://www.your-site.com/hotlink.gif with the image you want to serve in place of the original (a placeholder saying the picture belongs to your site, for example). The first condition leaves requests without a Referer alone, so direct visitors and most feed readers still get the real image; the third keeps the replacement image itself from matching the rule, which would otherwise redirect to itself in a loop. Add jpeg, png and webp to the extension list as needed.

Create redirects

In the .htaccess file you can also place redirects, which are very useful for SEO. When you move or remove content, you can redirect the old URL to the new one with a single line:

Redirect 301 /old-page-here/ http://www.your-site.com/new-page-here/
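One thing to know before writing many of these: Redirect matches by URL prefix, not by exact path. The added example below (not from the original article) shows the difference and the RedirectMatch form to use when you need an exact match or want to move a whole section at once; the /blog/ and /archive/ paths are invented for illustration.

```apache
# Added example. This line also redirects /old-page-here/anything and
# /old-page-here-2/ because Redirect compares the URL prefix only:
Redirect 301 /old-page-here/ https://www.your-site.com/new-page-here/

# RedirectMatch takes a regular expression; the ^ and $ anchors make it
# exact, so sibling pages are left alone:
RedirectMatch 301 ^/old-page-here/$ https://www.your-site.com/new-page-here/

# The same directive moves an entire section while keeping the rest of the
# path, here /blog/2019/07/post-title -> /archive/2019/07/post-title:
RedirectMatch 301 ^/blog/(\d{4})/(\d{2})/(.+)$ https://www.your-site.com/archive/$1/$2/$3
```

Check each rule with curl -I https://www.your-site.com/old-page-here/ and read the Location header before relying on it; like the HTTPS redirect, a 301 is cached by browsers, so test with 302 first if you are unsure.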

Edit the htaccess with Yoast

The changes we have seen above must be made with a text editor directly on the .htaccess file. It is also possible to edit the same file from the WordPress control panel via Yoast SEO, the hugely popular plugin. How?

Log into your WordPress control panel and go to SEO > Tools > Edit Files. The screen that opens lets you edit the robots.txt file (if you have one) and the .htaccess file. The same warning applies: a mistake made here takes the site down just as surely as one made over FTP, and since the control panel goes down with it, you will need FTP to restore the backup.

I hope this article was useful to you. If you need more information, check out my guide to WordPress . Do you need a professional? I am an expert in building websites . Request a free quote!
