9 Most Useful .htaccess Tricks for WordPress


Many WordPress users first come across the .htaccess file when fixing their permalinks, but you can do much more with it. The .htaccess file is a powerful per-directory configuration file for the Apache web server that lets you tighten your site's security and improve its performance. In this article, we will show you the 9 most useful .htaccess tricks for WordPress that you can try on your site right away.

Getting Started

Before you make any changes, back up your existing .htaccess file. Connect to your website using an FTP client and download the .htaccess file to your computer. If something goes wrong, you can upload the backup file to restore the site. Keep in mind that a single typo or unsupported directive in .htaccess makes Apache answer every request with a 500 Internal Server Error, so load a page of your site after each change.

If you cannot see the .htaccess file, then make sure your FTP client is configured to show hidden files. Read our guide on why you can’t find .htaccess file on your WordPress site for more details.

If you do not have a .htaccess file in your website's root folder, then you need to create one. Simply create a blank text file and save it as .htaccess. Make sure that the file name is .htaccess and not htaccess. Lastly, upload the file to your website's root folder. When you add rules to a file that WordPress already created, put them outside the block between # BEGIN WordPress and # END WordPress, because WordPress rewrites that block whenever permalink settings are saved. Which directives are honored in .htaccess depends on the host's AllowOverride setting; if a snippet below produces a 500 error, ask your host which overrides are allowed.

1. Protect Your WordPress Admin Area

You can use .htaccess to protect your WordPress admin area by limiting access to selected IP addresses only. Put the following into a .htaccess file inside your /wp-admin/ folder, not into the root .htaccess, where it would lock every visitor out of the whole site:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist Syed's IP address
allow from xxx.xxx.xxx.xxx
# whitelist David's IP address
allow from xxx.xxx.xxx.xxx
# whitelist Amanda's IP address
allow from xxx.xxx.xxx.xxx
# whitelist Muhammad's IP address
allow from xxx.xxx.xxx.xxx
# whitelist Work IP address
allow from xxx.xxx.xxx.xxx

Replace each xxx.xxx.xxx.xxx placeholder with one of your own IP addresses. If you use more than one address to reach the internet (home, office, mobile), add them all, and remember that a dynamic home address changes over time and can lock you out. Front-end features that call /wp-admin/admin-ajax.php on behalf of logged-out visitors are blocked by this rule unless you add an exception for that file, as the <Files admin-ajax.php> block in the next trick does. The order, deny and allow directives are Apache 2.2 syntax; Apache 2.4 only accepts them when the mod_access_compat module is loaded. See our guide on how to protect your admin folder in WordPress using .htaccess.

2. Password Protect WordPress Admin Folder


First you need to create a password file (this guide calls it .htpasswds). You can create one with an online generator, but it is safer to generate it on your own computer or server with Apache's htpasswd utility, so that the password never leaves your hands.

Upload this password file outside your publicly accessible web directory (the /public_html/ folder), so that it can never be fetched over HTTP. The AuthUserFile path in the snippet below shows one such layout: a .htpasswds directory that sits next to public_html rather than inside it.

Now you need to create a new .htaccess file and add this code:

AuthName "Admins Only"
AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd
AuthGroupFile /dev/null
AuthType Basic
require user putyourusernamehere
# admin-ajax.php is also requested by logged-out visitors on the front end, so leave it open
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

Important: Don't forget to replace the AuthUserFile path with the path to your own password file and to put your own username after require user.

Upload this .htaccess file to your wp-admin folder. That's all: your WordPress admin folder is now password protected and only you or the users you allow will be able to access it. If the browser shows WordPress's own 404 page instead of a password prompt, WordPress's rewrite rules are catching the 401 response; adding ErrorDocument 401 default to the .htaccess in the site root fixes that. For detailed instructions, take a look at how to password protect your WordPress admin (wp-admin) directory.
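The snippets in tricks 1 and 2 use Apache 2.2 access-control syntax. Below is an added example, written for this edit and not part of the original article, of the same two controls combined for Apache 2.4, where Order/Allow/Deny/Satisfy are replaced by Require sections. The two IP ranges are documentation-range placeholders and the AuthUserFile path is the one assumed above; replace both.

```apache
# wp-admin/.htaccess  (Apache 2.4 form of tricks 1 and 2 combined)
# Assumed values: the two example addresses and the AuthUserFile path.
AuthType Basic
AuthName "WordPress Admin Access Control"
AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd

# A request must come from an allowed address AND carry a valid login.
# The inner <RequireAny> is needed: two "Require ip" lines placed directly
# in <RequireAll> could never both be true for one client.
# Use <RequireAny> on the outside instead if either condition alone should suffice.
<RequireAll>
    <RequireAny>
        Require ip 203.0.113.0/24
        Require ip 198.51.100.7
    </RequireAny>
    Require valid-user
</RequireAll>

# admin-ajax.php is also requested by logged-out visitors from the front end
# (themes and plugins route their AJAX through it), so it stays reachable.
# A later <Files> section replaces the directory-level Require configuration
# for that one file (AuthMerging is Off by default).
<Files admin-ajax.php>
    Require all granted
</Files>
```

On Apache 2.4 without mod_access_compat, the 2.2 directives from the original snippets are unknown commands and every request to the directory fails with a 500 error, so check your Apache version (or simply test one page after uploading) before choosing a form. Require directives in .htaccess need AllowOverride AuthConfig from the host. The ErrorDocument 401 default line mentioned above still belongs in the root .htaccess, not in this file.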

3. Disable Directory Browsing in WordPress

Many WordPress security experts recommend disabling directory browsing. With directory browsing enabled, hackers can look into your site’s directory and file structure to find a vulnerable file. Learn more about why and how to disable directory browsing in WordPress.


To disable directory browsing in WordPress, all you need to do is add this single line to your .htaccess file. It removes only the Indexes option from whatever options the server already grants, so nothing else changes:

Options -Indexes

4. Disable PHP Execution in Some WordPress Directories

Hacked WordPress sites usually contain backdoor files. These backdoors are often disguised as core WordPress files and are placed in the /wp-includes/ or /wp-content/uploads/ folders, because those directories are writable or rarely inspected. An easy way to improve your WordPress security is to disable PHP execution in directories that should never serve PHP.

Create a blank .htaccess file and paste this code inside it:

<Files *.php>
deny from all
</Files>

Now upload this file to your /wp-content/uploads/ and /wp-includes/ directories. Two caveats: this blocks direct HTTP requests for those files, not their inclusion by code that is already running, and blocking every .php file in /wp-includes/ breaks the visual editor on older WordPress releases that load TinyMCE through a PHP file in that folder, so test the editor after uploading. For more information, check out this tutorial on how to disable PHP execution in certain WordPress directories.
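As an added example (not from the original article), here is an Apache 2.4 version of trick 4 that closes two gaps in the <Files *.php> snippet: it also covers the other extensions a host may hand to the PHP handler, and it keeps the one file older WordPress releases fetch for the visual editor. The extension list and the wp-tinymce.php exception are assumptions about typical hosts and older WordPress releases; check them against your own setup.

```apache
# /wp-content/uploads/.htaccess  (Apache 2.4 form of trick 4)
# Match every extension the host might hand to the PHP handler, not only .php:
# a dropped webshell named shell.phtml or shell.php7 would otherwise still run.
<FilesMatch "\.(php|phtml|php[0-9]|phar|phps)$">
    Require all denied
</FilesMatch>

# /wp-includes/.htaccess  (same block, with one exception)
<FilesMatch "\.(php|phtml|php[0-9]|phar|phps)$">
    Require all denied
</FilesMatch>
# Older WordPress releases load the visual editor through
# wp-includes/js/tinymce/wp-tinymce.php; this later <Files> section replaces
# the deny above for that single file (AuthMerging is Off by default).
<Files wp-tinymce.php>
    Require all granted
</Files>
```

Remember that an attacker who can already write into /wp-content/uploads/ can also overwrite this .htaccess file, so it is a layer against drive-by backdoor execution, not a substitute for keeping the upload path free of writable PHP in the first place. On Apache 2.2 use the Order allow,deny / Deny from all form from the article inside the same <FilesMatch> section.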

5. Protect Your WordPress Configuration wp-config.php File

Probably the most important file in your WordPress website's root directory is wp-config.php. It contains your database name, username and password, the authentication salts, and how WordPress connects to the database. PHP normally executes the file rather than serving it, but if the PHP handler is ever disabled or misconfigured, Apache would hand out its source as plain text. To protect wp-config.php from unauthorized access, simply add this code to your .htaccess file:

<files wp-config.php>
order allow,deny
deny from all
</files>

6. Setting up 301 Redirects Through .htaccess File

Using 301 redirects is the most SEO-friendly way to tell your users and search engines that content has moved permanently to a new location. If you want to manage your 301 redirects on a post-by-post basis, check out how to do 301 redirects in WordPress with Quick Page/Post Redirect.

On the other hand, if you just want to quickly redirect users from one URL to another, all you need to do is paste this code into your .htaccess file, replacing the placeholder target URLs with the new locations. Note that Redirect matches on the path prefix, so /oldurl/ also catches /oldurl/anything-below-it; use RedirectMatch with an anchored regular expression if you need an exact match.

Redirect 301 /oldurl/ http://yourdomain.com/newurl/
Redirect 301 /category/television/ http://yourdomain.com/category/new-category/

7. Ban Suspicious IP Addresses

Seeing unusual requests from an IP address? Want to block that address from accessing your website? Add this code to your .htaccess file:

<Limit GET POST>
order allow,deny
deny from xxx.xxx.xxx.xxx
allow from all
</Limit>

Replace xxx.xxx.xxx.xxx with the IP address you want to block; you can add several deny from lines, and a CIDR range such as a.b.c.0/24 blocks a whole network. Be aware that <Limit GET POST> restricts only those two request methods and leaves HEAD, OPTIONS and others open; drop the <Limit> wrapper if the address should be banned for every method.

8. Disable Image Hotlinking in WordPress Using .htaccess

Other people can slow down your website and steal your bandwidth by hotlinking images from your website. Normally, this doesn’t concern most users. However, if you run a popular site with lots of images and photos, then hotlinking can become a serious issue. You can prevent image hotlinking by adding this code in your .htaccess file:

#disable hotlinking of images with forbidden or custom image option
RewriteEngine on
# allow requests with no referer (direct visits, some browsers and feed readers)
RewriteCond %{HTTP_REFERER} !^$
# allow your own site; the escaped dot and trailing slash stop
# yourdomain.com.attacker.example from passing the check
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com/ [NC]
# add one RewriteCond line like the one above for every other site allowed to embed your images
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

Don't forget to replace yourdomain.com with your own domain name. The Referer header is sent by the client and can be faked or stripped, so this stops casual hotlinking and saves bandwidth; it is not an access control for the images themselves.

9. Protect .htaccess From Unauthorized Access

As you have seen, there are many things that can be done with the .htaccess file. Because of the control it has over your web server, it is important to protect it, and the password file from trick 2, from being downloaded by anyone. Apache's default configuration already refuses to serve files whose names start with .ht, but repeating the rule costs nothing if your host has removed that default. Simply add this code to your .htaccess file:

<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
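Tricks 5, 7 and 9 are all access rules for the root .htaccess, and all three are written above in Apache 2.2 syntax. The block below is an added example, not from the original article, showing the same three rules for Apache 2.4; the two banned addresses are documentation-range placeholders.

```apache
# Root .htaccess  (Apache 2.4 form of tricks 5, 7 and 9)
# Keep this outside the "# BEGIN WordPress" / "# END WordPress" block,
# which WordPress rewrites when permalink settings are saved.

# 5. wp-config.php must never be served as a plain file (database credentials, salts)
<Files wp-config.php>
    Require all denied
</Files>

# 9. .htaccess and .htpasswd files; Apache's default config already does this,
#    repeating it here only matters if a host has removed the default.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# 7. Ban addresses for every request method. The <Limit GET POST> form above
#    leaves HEAD, OPTIONS and other methods unrestricted; this does not.
#    "Require not ip" is only valid inside <RequireAll>, so it is paired with
#    "Require all granted": everyone is allowed except the listed addresses.
<RequireAll>
    Require all granted
    Require not ip 203.0.113.45
    Require not ip 198.51.100.0/24
</RequireAll>
```

To confirm a rule works, request the protected file directly in a browser or with a command-line HTTP client and check that Apache answers 403 Forbidden rather than serving content; a 500 instead means the directive is not allowed by the host's AllowOverride setting or is the wrong syntax for the Apache version.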

We hope this article helped you learn some of the most useful .htaccess tricks for WordPress.


Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi. Page maintained by Syed Balkhi.



  1. Feriman says:


    Could you tell me what the difference is between these two lines?

    Options -Indexes


    Options All -Indexes

    Thank you!

  2. aurora says:

    Pretty darn cool yo! I could definitely use the disable hotlinking part.

  3. subramani says:

    Really useful post. Thanks

  4. caflux says:

    Can we somehow restrict an FTP user from seeing, changing or downloading the functions.php file?

  5. Eric says:

    Hi, this is a very helpful post, thanks very much. I have a question please.

    My website used to be a HTML website with a WordPress blog attached in the /blog directory. Therefore I had two .htaccess files – one in the root directory to do some error redirects and to allow different versions of my URL to be recognised, and the WP one in the blog directory.

    I am now in the process of making my WP static homepage the main home page and making it a totally WP site. However it will be some time while I transfer all the HTML pages to WP pages.

    So I now have the WP .htaccess file in my root directory, and I have added the previous code to it. However the previous code doesn’t seem to work – e.g. the error redirects don’t work.

    Is there any trick to the order the code has to be in the .htaccess file? Thanks

  6. Diana says:

    Very helpful – thank you for sharing!

  7. okafor blaise says:

    So I edited the .htaccess on a site I am working on and right now I am unable to insert images into pages after upload! What the heck is wrong, peeps?

  8. Steve Mark says:

    Thanks for sharing. Can you post about some PHP to HTML convert extension trick, please?

  9. Altan says:

    When I password protect wp-admin, I get the WordPress 404 error when trying to access the admin login.

    Any help is appreciated.

    • Mehmet says:

      Add this into .htaccess file on root

      errordocument 401 default

    • Greg says:

      Don't secure wp-admin with a password. Never. Use write protection for it with chmod 444. That's enough. If you secure the wp-admin folder with a password, you immediately block AJAX for non-authorized calls.

  10. Kev says:

    One of my clients websites has been hacked a couple of times now. The first result on google for the website homepage has been taken over by a ray ban sunglasses scam with changed title and meta description. When you click on the link it re-directs to a ray ban sunglasses website. What would be the best way to prevent the hacker and update the meta etc?

    Thanks in advance

  11. Leonard says:

    I have 2 .htaccess, one is in my root / and the other is in the directory where I have my wordpress. In my case, /wordpresssite

    In which I have to add these lines? In the root one /…? In the /wordpresssite…? Or in both?
    Thanks for your help. I'm new to this.

  12. Jason says:

    Great list, I use most of these for new projects now, thank you.

    One question though? I was struggling to get icons by “icomoon” to show after protecting wp-content folder with the above snippet so added svg|eot|ttf|woff to the list of allowed files would this be correct procedure?


  13. John Kerns says:

    Item number 4 is bad advice. If you put that .htaccess in wp-includes, the visual editor will not work in the admin.

  14. Karen says:

    Hi there, we’re using WP as an intranet and would like to be able to restrict categories to certain teams. Is it possible to restrict a category to a certain IP range within .htaccess? Any advice/other recommendations appreciated.

    • WPBeginner Staff says:

      It could be done with .htaccess but if users are required to log into your WordPress site to view it then you can create a custom user role and modify your WordPress theme files to hide category archives from users who are not assigned that category. We are assuming that you are talking about categories on the front-end of your site and not the categories menu in WordPress admin area.

  15. alex.a.mandl says:

    If you block *.php : as of the 4th trick, you’ll block all ajax callbacks, as they are going through admin-ajax.php

  16. wpokg says:

    Hi, some great tips here. Do we have to upload the same copy of the .htaccess file to a staging site (e.g. subdomain)?
    In this tutorial, you mentioned that the .htaccess file should be uploaded to the root directory, but in another tutorial, you mentioned NOT to upload it to the root directory.
    So which is correct?

  17. WPBeginner Staff says:

    You can paste code at the end. For clarity’s sake you can paste it on a new line.

    • Petra says:

      Okay… but what kind of code??
      I don’t want to get trouble / mess up the .htaccess.
      A code just like {.} or //** or ### ??
      I’m not kidding you… just have no clue ;-)

    • misterj6 says:

      When you say at the end, do you mean after #END WordPress or before it?

  18. Petra says:

    Thanks for these great tips :-)... I currently work on my website and am just wondering about the position in the .htaccess.

    Probably this is a real beginner question, but when I want to place everything in my .htaccess – everything just one after the other? Or leave one column blank? Or one little, simple code in the lines between the different code? Or how??
    Thanks a lot in advance for your reply :-)

  19. WPBeginner Staff says:

    You can paste different code in the same .htaccess file

  20. Arif Ahmed says:

    So in each point discussed above you say that you have to add a code in .htaccess file this means that there are different .htaccess files for each point or we can paste all the codes in the same file ? Please guide ?

  21. Didier Martini says:

    Very interesting tutorial, thank you! I'm trying to do something but I haven't found how to do it yet with .htaccess. I'm doing a domain name redirection from one domain to another one, but I want the first domain to point to a specific page of my WordPress installation at the second domain. Like when we click on, appears. Any idea? My hoster told me to find a way with .htaccess but for now, no luck yet. Thx!

  22. WPBeginner Staff says:

    Yes you can use line breaks.

  23. WPBeginner Staff says:

    These tips will improve your WordPress security but they are not an alternative to security service like Sucuri.

  24. Faysal Shahi says:

    Please post an article about .htaccess for security :)

  25. Kristof Loyens says:

    Pretty neat overview! The hotlinking images one will come in handy already.

  26. Manjesh Thomas says:

    Informative and comprehensive. Hope some of these tricks can be used on non-WP sites too.

  27. David Ellison says:

    Great article! Would the above be considered a reasonable replacement or alternative to a WordPress security plugin?

  28. Louis says:

    great post.
    However, how can I do to setup all this in a htaccess file only?
    Is there an order? Break lines?
