12 Most Useful .htaccess Tricks for WordPress

Last updated on May 23rd, 2017 by Editorial Staff

Are you looking for some useful .htaccess tricks for your WordPress site? The .htaccess file is a powerful configuration file that allows you to do a lot of neat things on your website. In this article, we will show you some of the most useful .htaccess tricks for WordPress that you can try right away.


What is .htaccess File and How to Edit it?

The .htaccess file is a server configuration file. It allows you to define rules for your server to follow for your website.

WordPress uses the .htaccess file to generate an SEO friendly URL structure. However, this file can do a lot more.

The .htaccess file is located in your WordPress site’s root folder. You will need to connect to your website using an FTP client to edit it.


If you cannot find your .htaccess file, then see our guide on how to find .htaccess file in WordPress.

Before editing your .htaccess file, it is important to download a copy of it to your computer as backup. You can use that file in case anything goes wrong.

Having said that, let’s take a look at some useful .htaccess tricks for WordPress that you can try.

1. Protect Your WordPress Admin Area

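You can use .htaccess to protect your WordPress admin area by limiting access to selected IP addresses only. Simply copy and paste this code into your .htaccess file. These rules apply to the folder that contains the .htaccess file and to everything below it, so use the .htaccess file inside /wp-admin/; in the root .htaccess file they would block the whole site.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
# No <Limit> section, so the rules below apply to every request method, not only GET
order deny,allow
deny from all
# whitelist Syed's IP address
allow from xx.xx.xx.xxx
# whitelist David's IP address
allow from xx.xx.xx.xxx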

Don’t forget to replace xx values with your own IP address. If you use more than one IP address to access the internet, then make sure you add them as well.

For detailed instructions, see our guide on how to limit access to WordPress admin using .htaccess.

2. Password Protect WordPress Admin Folder


If you access your WordPress site from multiple locations including public internet spots, then limiting access to specific IP addresses may not work for you.

You can use .htaccess file to add an additional password protection to your WordPress admin area.

First, you need to generate a .htpasswds file. You can easily create one by using this online generator.

Upload this .htpasswds file outside your publicly accessible web directory or /public_html/ folder. A good path would be:

/home/user/.htpasswds/public_html/wp-admin/passwd/

Next, create a .htaccess file, upload it to the /wp-admin/ directory, and add the following code to it:

AuthName "Admins Only"
AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd
AuthGroupFile /dev/null
AuthType basic
require user putyourusernamehere
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any 
</Files>

Important: Don’t forget to replace AuthUserFile path with the file path of your .htpasswds file and add your own username.

For detailed instructions, see our guide on how to password protect WordPress admin folder.

3. Disable Directory Browsing


Many WordPress security experts recommend disabling directory browsing. With directory browsing enabled, hackers can look into your site’s directory and file structure to find a vulnerable file.

To disable directory browsing on your website, you need to add the following line to your .htaccess file.

Options -Indexes

For more on this topic, see our guide on how to disable directory browsing in WordPress.

4. Disable PHP Execution in Some WordPress Directories

Sometimes hackers break into a WordPress site and install a backdoor. These backdoor files are often disguised as core WordPress files and are placed in /wp-includes/ or /wp-content/uploads/ folders.

An easier way to improve your WordPress security is by disabling PHP execution for some WordPress directories.

You will need to create a blank .htaccess file on your computer and then paste the following code inside it.

<Files *.php>
deny from all
</Files>

Save the file and then upload it to your /wp-content/uploads/ and /wp-includes/ directories. For more information check out our tutorial on how to disable PHP execution in certain WordPress directories.

5. Protect Your WordPress Configuration wp-config.php File

Probably the most important file in your WordPress website’s root directory is wp-config.php file. It contains information about your WordPress database and how to connect to it.

To protect your wp-config.php file from unauthorized access, simply add this code to your .htaccess file:

<files wp-config.php>
order allow,deny
deny from all
</files>

6. Setting up 301 Redirects Through .htaccess File

Using 301 redirects is the most SEO friendly way to tell your users that content has moved to a new location. If you want to properly manage your 301 redirects on a per-post basis, then check out our guide on how to set up redirects in WordPress.

On the other hand, if you want to quickly set up redirects, then all you need to do is paste this code in your .htaccess file.

Redirect 301 /oldurl/ http://www.example.com/newurl
Redirect 301 /category/television/ http://www.example.com/category/tv/

7. Ban Suspicious IP Addresses

Are you seeing unusually high requests to your website from a specific IP address? You can easily block those requests by blocking the IP address in your .htaccess file.

Add the following code to your .htaccess file:

# No <Limit> section, so the ban applies to every request method
order allow,deny
deny from xxx.xxx.xx.x
allow from all

Don’t forget to replace xx with the IP address you want to block.

8. Disable Image Hotlinking in WordPress Using .htaccess

Other websites directly hotlinking images from your site can make your WordPress site slow and exceed your bandwidth limit. This isn’t a big issue for most smaller websites. However, if you run a popular website or a website with lots of photos, then this could become a serious concern.

You can prevent image hotlinking by adding this code to your .htaccess file:

#disable hotlinking of images with forbidden or custom image option
RewriteEngine on
# requests that carry no Referer header at all are let through
RewriteCond %{HTTP_REFERER} !^$
# your own site and Google are let through; dots are escaped and the host name is anchored
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?wpbeginner\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?google\.com(/|$) [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

This code only allows images to be displayed if the request originates from wpbeginner.com or Google.com, or if the browser sends no referrer at all. Don’t forget to replace wpbeginner.com with your own domain name.

For more ways to protect your images see our guide on ways to prevent image theft in WordPress.

9. Protect .htaccess From Unauthorized Access

As you have seen, there are many things that can be done using the .htaccess file. Due to the power and control it has on your web server, it is important to protect it from unauthorized access by hackers. Simply add the following code to your .htaccess file:

<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

10. Increase File Upload Size in WordPress

There are different ways to increase the file upload size limit in WordPress. However, for users on shared hosting some of these methods do not work.

One of the methods that has worked for many users is adding the following code to their .htaccess file:

php_value upload_max_filesize 64M
php_value post_max_size 64M
php_value max_execution_time 300
php_value max_input_time 300

This code simply tells your web server to use these values to increase file upload size as well as maximum execution time in WordPress.

11. Disable Access to XML-RPC File Using .htaccess

Each WordPress install comes with a file called xmlrpc.php. This file allows third-party apps to connect to your WordPress site. Most WordPress security experts advise that if you are not using any third party apps, then you should disable this feature.

There are multiple ways to do that. One of them is adding the following code to your .htaccess file:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

For more information, see our guide on how to disable XML-RPC in WordPress.
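
The access rules in tricks 1, 4, 5, 7, 9 and 11 are written with the order/deny/allow directives from Apache 2.2, which Apache 2.4 accepts only when mod_access_compat is loaded. As an added example (not part of the original article), here are the same rules in the Require syntax of Apache 2.4; the IP addresses are constructed placeholders.

```apache
# Added example: Apache 2.4 (mod_authz_core) forms of the article's access
# rules. Each part names the .htaccess file it belongs in. The IP addresses
# are constructed placeholders from the documentation ranges.

# ---- /wp-admin/.htaccess (trick 1: allow only listed addresses) ----
# Outside any <Limit>, Require covers every HTTP method, POST included.
Require ip 203.0.113.10 198.51.100.25

# ---- /wp-content/uploads/.htaccess and /wp-includes/.htaccess (trick 4) ----
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>

# ---- .htaccess in the site root (tricks 5, 7, 9 and 11) ----
# Trick 5: nobody fetches wp-config.php over HTTP.
<Files "wp-config.php">
    Require all denied
</Files>

# Trick 9: same file name pattern as the article's rule.
<Files ~ "^.*\.([Hh][Tt][Aa])">
    Require all denied
</Files>

# Trick 11: block xmlrpc.php.
<Files "xmlrpc.php">
    Require all denied
</Files>

# Trick 7: everyone except one banned address. "Require not" is only valid
# inside <RequireAll>, next to a positive Require.
<RequireAll>
    Require all granted
    Require not ip 192.0.2.44
</RequireAll>
```

Use one syntax per file: the Apache documentation discourages mixing Order/Allow/Deny with Require.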

12. Blocking Author Scans in WordPress

A common technique used in brute force attacks is to run author scans on a WordPress site and then attempt to crack passwords for those usernames.

You can block such scans by adding the following code to your .htaccess file:

# BEGIN block author scans
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
# END block author scans 

For more information, see our article on how to discourage brute force attacks by blocking author scans in WordPress.

We hope this article helped you learn the most useful .htaccess tricks for WordPress. You may also want to see our ultimate step by step WordPress security guide for beginners.

About the Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi. Trusted by over 1.3 million readers worldwide.


32 Comments

  1. HtaccessGuy says:
    Oct 6, 2020 at 3:17 am

    Don’t password protect wpadmin if you use AJAX else it’ll break stuff.

    • WPBeginner Support says:
      Oct 6, 2020 at 10:13 am

      If you mean for 2 in this list, we’ve added code to allow ajax to continue to work.

      • Ana says:
        Nov 2, 2020 at 10:26 am

        This resolved my issue with above code. Thanks.

  2. Abhi says:
    Jul 27, 2019 at 1:15 am

    Please Help Me.
    when I paste the following code in .htaccess file it shows an error that is..

    It appears you don’t have
    permission to access this page.
    403 Error. Forbidden.

    • WPBeginner Support says:
      Jul 29, 2019 at 11:29 am

      For resolving the 403 error, you would want to take a look at our guide here: https://www.wpbeginner.com/wp-tutorials/how-to-fix-the-403-forbidden-error-in-wordpress/

  3. Ben says:
    May 10, 2019 at 12:28 pm

    Great article!
    Do I need to do this if I already have installed WordFence plugin?
    Some people don’t recommend messing with .htaccess file.
    Regards.

    • WPBeginner Support says:
      May 13, 2019 at 12:55 pm

      None of these tricks are required if you don’t want to use them, they are only helpful tools that you can use.

  4. Sebastian says:
    Apr 12, 2019 at 6:14 pm

    I am not sure what does “Protect .htaccess From Unauthorized Access” mean exactly. Will I be able to access it if I make changes from point 9?

    • WPBeginner Support says:
      Apr 15, 2019 at 12:20 pm

      It means if someone knows where your htaccess is located and tries to view the file by putting that address in the url, the browser will not be able to view it.

  5. reus says:
    Feb 14, 2019 at 4:03 am

    how to use wp login user name and password (registered user) to access in your no. 2 topic (Password Protect WordPress Admin Folder).

    hope to find answer here.

    thank you

    • WPBeginner Support says:
      Feb 14, 2019 at 11:42 am

      If you wanted to use that, you would need to set the information in the htpasswds file

      • reus says:
        Feb 14, 2019 at 5:03 pm

        thank you for your response, how to set that information in the htpasswds? thank you

        • WPBeginner Support says:
          Feb 15, 2019 at 10:12 am

          We show the tool to use under tip 2 in the article :)

  6. Selvakumaran Krishnan says:
    Aug 19, 2018 at 4:00 am

    Hai Syed Balkhi,

    I have to open a URL which has query parameters and strings like this.

    something.example.com/pagename.php?query1=string1&query2=string2&redirecturl=http%3A%2F%2Fsomething.example2.com/something&query3=string3

    In the above URL, the problem is %3A%2F%2F. It shows 403 forbidden error. If I remove that part, the URL works fine.

    I have searched and tried all the methods like mod rewrite, redirect, etc,. but nothing works.

    Is there any way to remove (or) rewrite (or) redirect that encoded part using .htaccess file. That part is in the middle of so many parameters. There are a lot of query parameters before and after that part.

    Please share your idea.

  7. Kathrine says:
    Aug 3, 2018 at 12:44 pm

    This is a great article!! I followed your instructions and everything works fine. I tried to open my admin site using the different IP address and it works great. Thank you for sharing your knowledge.

  8. Mohamed Adel says:
    Jul 13, 2018 at 10:23 am

    When protecting the directory to wp-admin (as explained in 2. Password Protect WordPress Admin Folder), when I go to any page on the site the message appears to put password.. How to fix that?
    I tried from Cpanel and the same problem happens

  9. Tony says:
    Mar 29, 2018 at 5:46 am

    The tip in point 4 for disabling php execution has started to cause issues with the tinymce editor in pages & posts. A php file is included in the tinymce folder that loads the relevant js files. I’ve just removed the htaccess code from the wp-include folder to stop the issue. Maybe there’s another way around this?

  10. Pankaj says:
    Mar 5, 2018 at 3:29 am

    Point 5 is not working
    (5. Protect Your WordPress Configuration wp-config.php File)

    [05-Mar-2018 08:20:03 Etc/GMT] PHP Parse error: syntax error, unexpected ‘<' in /home/—–/public_html/xyz.com/wp-config.php on line 91

    • WPBeginner Support says:
      Mar 5, 2018 at 9:17 am

      Hi Pankaj,

      The code in the 5th trick needs to be pasted in .htaccess file and not in wp-config.php file.

  11. Maximilian says:
    Jan 5, 2018 at 3:25 am

    Hi there, thank you!
    Is it possible to see the whole .htaccess somewhere? Yes, I could read: “put one line after the other” but still I am not sure.

    Is then “# END WordPress” still the last line or is it somewhere on the top then?

    And what do you think about putting “Options -Indexes” on the very end?

    Thank you for your answer!

    • WPBeginner Support says:
      Jan 5, 2018 at 10:13 pm

      Hi Maximilian,

      You can add new lines after the #END WordPress line.

  12. yudi cahyadi says:
    Nov 10, 2017 at 9:38 pm

    good article..i have a question, after implementing the code in htaccess. Do I need to install a security plugin or not..??

    yudi cb(beginner)

    • WPBeginner Support says:
      Nov 12, 2017 at 3:46 pm

      Hi Yudi Cahyadi,

      Yes, you still need to install a security plugin. Please see our WordPress security guide for more information.

  13. Mario von Gollaz says:
    Jul 24, 2017 at 8:17 am

    Hi there, nice article. Is there a way to bulk redirect?

    Mario

  14. Kevin says:
    Jun 11, 2017 at 11:52 am

    Hi,
    Great article and just one question!
    Should you place the extra code (especially speed optimisations) before or after the # BEGIN WordPress part?

    Regards
    Kevin

  15. Brian Wohn says:
    Jun 1, 2017 at 5:40 am

    Hi, my theme developer told me this might be in the htaccess, but I don’t know why my wordpress is adding this at the end of all my pages:

    Any idea why it’s adding the “/?v=8f2564d40946”? I’ve checked my PermaLinks, Slugs, etc and nothing there?

    Thanks for your help!

    • WPBeginner Support says:
      Jun 1, 2017 at 9:08 am

      Hi Brian,

      It looks like GeoLocation tag added by WooCommerce.

      If you are using WooCommerce, then you can turn it off. Go to WooCommerce General Options page and uncheck option ‘Geolocate with page caching support’ option.

  16. Adrienne Warden says:
    May 25, 2017 at 11:31 am

    Another wonderful post from WP Beginner…Just one tip for all us newbies…While WP Beginner has some of the best tips and tricks for WordPress, when it comes to protecting your site, if you are on a shared server, search “support” first. I’ve learned a lot about the backend from reading posts on WP Beginner, but the truth of the matter is – I’m no backender and most shared hosting already have a fix in place for these sorts of things…I’m with InMotion and they actually have set up one click solutions for many issues that affect site security. I turned off the file Index right from CPanel…

    Still WP Beginner is my go to for WordPress knowledge…You guys are awesome!

  17. Fien says:
    May 24, 2017 at 10:48 am

    That is a nice article about htaccess. But how to implement this in one file? Can I put all lines after another?

    • WPBeginner Support says:
      May 24, 2017 at 4:03 pm

      Hi Fien,

      You can add them one after another.

  18. Liew CheonFong says:
    May 24, 2017 at 9:51 am

    Great list. Bookmarked!

    Do you have same list for NGINX web server (which does not read .htaccess file) ?

  19. Pattye says:
    May 23, 2017 at 12:02 pm

    There is a way to ban bots from crawling your site with this file. Any suggestions in doing that, besides banning the IP?


About WPBeginner®

WPBeginner is a free WordPress resource site for Beginners. WPBeginner was founded in July 2009 by Syed Balkhi. The main goal of this site is to provide quality tips, tricks, hacks, and other WordPress resources that allows WordPress beginners to improve their site(s).

Copyright © 2009 - 2021 WPBeginner LLC. All Rights Reserved. WPBeginner® is a registered trademark.
