{"id":3204,"date":"2020-04-28T12:08:49","date_gmt":"2020-04-28T12:08:49","guid":{"rendered":"https:\/\/rengga.dev\/blog\/?p=3204"},"modified":"2023-03-02T10:04:34","modified_gmt":"2023-03-02T10:04:34","slug":"12-most-useful-htaccess-tricks-for-wordpress","status":"publish","type":"post","link":"https:\/\/rengga.dev\/blog\/12-most-useful-htaccess-tricks-for-wordpress\/","title":{"rendered":"WordPress : 12 Most Useful htaccess Tricks for WordPress"},"content":{"rendered":"

Rengga Dev<\/strong><\/a> – Are you looking for some useful .htaccess tricks for your WordPress site. The .htaccess file is a powerful configuration file which allows you to do a lot of neat things on your website. In this article, we will show you some of the most useful .htaccess tricks for WordPress that you can try right away.<\/p>\n

What is .htaccess File and How to Edit it?<\/h4>\n

The .htaccess file is a server configuration file. It allows you to define rules for your server to follow for your website.<\/p>\n

WordPress uses .htaccess file to generate\u00a0SEO friendly URL\u00a0structure. However, this file can do a lot more.<\/p>\n

The .htaccess file is located in your WordPress site\u2019s root folder. You will need to connect to your website using an\u00a0FTP client\u00a0to edit it.<\/p>\n

\".htaccess<\/p>\n

If you cannot find your .htaccess file, then see our guide on\u00a0how to find .htaccess file in WordPress.<\/p>\n

Before editing your .htaccess file, it is important to download a copy of it to your computer as backup. You can use that file in case anything goes wrong.<\/p>\n

Having said that, let\u2019s take a look at some useful .htaccess tricks for WordPress that you can try.<\/p>\n

1. Protect Your WordPress Admin Area<\/h4>\n

You can use .htaccess to protect your WordPress admin area by limiting the access to selected IP addresses only. Simply copy and paste this code into your .htaccess file:<\/p>\n

AuthUserFile \/dev\/null\r\nAuthGroupFile \/dev\/null\r\nAuthName \"WordPress Admin Access Control\"\r\nAuthType Basic\r\n<LIMIT GET>\r\norder deny,allow\r\ndeny from all\r\n# whitelist Syed's IP address\r\nallow from xx.xx.xx.xxx\r\n# whitelist David's IP address\r\nallow from xx.xx.xx.xxx\r\n<\/LIMIT><\/pre>\n
Don\u2019t forget to replace xx values with your own IP address. If you use more than one IP address to access the internet, then make sure you add them as well.<\/p>\n
2. Password Protect WordPress Admin Folder<\/h4>\n
\"Password<\/p>\n
If you access your WordPress site from multiple locations including public internet spots, then limiting access to specific IP addresses may not work for you.<\/p>\n
You can use .htaccess file to add an additional password protection to your WordPress admin area.<\/p>\n
First, you need to generate a .htpasswds file. You can easily create one by using this\u00a0online generator<\/a>.<\/p>\n
Upload this .htpasswds file outside your publicly accessible web directory or \/public_html\/ folder. A good path would be:<\/p>\n
\/home\/user\/.htpasswds\/public_html\/wp-admin\/passwd\/<\/code><\/p>\n
Next, create a .htaccess file and upload it in \/wp-admin\/ directory and then add the following codes in there:<\/p>\n
AuthName \"Admins Only\"\r\nAuthUserFile \/home\/yourdirectory\/.htpasswds\/public_html\/wp-admin\/passwd\r\nAuthGroupFile \/dev\/null\r\nAuthType basic\r\nrequire user putyourusernamehere\r\n<Files admin-ajax.php>\r\nOrder allow,deny\r\nAllow from all\r\nSatisfy any \r\n<\/Files><\/pre>\n
\n
<\/div>\n
Important:<\/strong>\u00a0Don\u2019t forget to replace AuthUserFile path with the file path of your .htpasswds file and add your own username.<\/div>\n<\/div>\n
For detailed instructions, see our guide on how to\u00a0password protect WordPress admin folder.<\/p>\n
 <\/p>\n
3. Disable Directory Browsing<\/h4>\n
\"Disable<\/p>\n
Many WordPress security experts recommend disabling directory browsing. With directory browsing enabled, hackers can look into your site\u2019s directory and file structure to find a vulnerable file.<\/p>\n
To disable directory browsing on your website, you need to add the following line to your .htaccess file.<\/p>\n
Options -Indexes<\/pre>\n
\n
<\/div>\n
For more on this topic, see our guide on how to disable directory browsing in WordPress.<\/div>\n<\/div>\n
<\/div>\n
<\/div>\n
4. Disable PHP Execution in Some WordPress Directories<\/h4>\n
Sometimes hackers break into a WordPress site and install a\u00a0backdoor. These backdoor files are often disguised as core WordPress files and are placed in \/wp-includes\/ or \/wp-content\/uploads\/ folders.<\/p>\n
An easier way to improve your WordPress security is by disabling PHP execution for some WordPress directories.<\/p>\n
You will need to create a blank .htaccess file on your computer and then paste the following code inside it.<\/p>\n
<Files *.php>\r\ndeny from all\r\n<\/Files><\/pre>\n
\n
<\/div>\n
Save the file and then upload it to your \/wp-content\/uploads\/ and \/wp-includes\/ directories. For more information check out our tutorial on how to disable PHP execution in certain WordPress directories.<\/div>\n<\/div>\n
<\/div>\n
<\/div>\n
5. Protect Your WordPress Configuration wp-config.php File<\/h4>\n
Probably the most important file in your WordPress website\u2019s root directory is\u00a0wp-config.php file. It contains information about your WordPress database and how to connect to it.<\/p>\n
To protect your wp-config.php file from unathorized access, simply add this code to your .htaccess file:<\/p>\n
<files wp-config.php>\r\norder allow,deny\r\ndeny from all\r\n<\/files><\/pre>\n
<\/h4>\n
6. Setting up 301 Redirects Through .htaccess File<\/h4>\n
Using 301 redirects is the most SEO friendly way to tell your users that a content has moved to a new location. If you want to properly manage your 301 redirects on posts per post basis, then check out our guide on\u00a0how to setup redirects in WordPress.<\/p>\n
On the other hand, if you want to quickly setup redirects, then all you need to do is paste this code in your .htaccess file.<\/p>\n
Redirect 301 \/oldurl\/ http:\/\/www.example.com\/newurl\r\nRedirect 301 \/category\/television\/ http:\/\/www.example.com\/category\/tv\/<\/pre>\n
<\/h4>\n
7. Ban Suspicious IP Addresses<\/h4>\n
Are you seeing unusually high requests to your website from a specific IP address? You can easily block those requests by blocking the IP address in your .htaccess file.<\/p>\n
Add the following code to your .htaccess file:<\/p>\n
<Limit GET POST>\r\norder allow,deny\r\ndeny from xxx.xxx.xx.x\r\nallow from all\r\n<\/Limit><\/pre>\n
\n
Don\u2019t forget to replace xx with the IP address you want to block.<\/div>\n<\/div>\n
<\/div>\n
<\/div>\n
8. Disable Image Hotlinking in WordPress Using .htaccess<\/h4>\n
Other websites directly hotlinking images from your site can make your WordPress site slow and exceed your bandwidth limit. This isn\u2019t a big issue for most smaller websites. However, if you run a popular website or a website with lots of photos, then this could become a serious concern.<\/p>\n
You can prevent image hotlinking by adding this code to your .htaccess file:<\/p>\n
#disable hotlinking of images with forbidden or custom image option\r\nRewriteEngine on\r\nRewriteCond %{HTTP_REFERER} !^$\r\nRewriteCond %{HTTP_REFERER} !^http(s)?:\/\/(www\\.)?wpbeginner.com [NC]\r\nRewriteCond %{HTTP_REFERER} !^http(s)?:\/\/(www\\.)?google.com [NC]\r\nRewriteRule \\.(jpg|jpeg|png|gif)$ \u2013 [NC,F,L]<\/pre>\n
\n
This code only allows images to be displayed if the request is originating from wpbeginner.com or Google.com. Don\u2019t forget to replace wpbeginner.com with your own domain name.<\/div>\n<\/div>\n
For more ways to protect your images see our guide on\u00a0ways to prevent image theft in WordPress.<\/p>\n
 <\/p>\n
9. Protect .htaccess From Unauthorized Access<\/h4>\n
As you have seen that there are so many things that can be done using the .htaccess file. Due to the power and control it has on your web server, it is important to protect it from unauthorized access by hackers. Simply add following code to your .htaccess file:<\/p>\n
<files ~ \"^.*\\.([Hh][Tt][Aa])\">\r\norder allow,deny\r\ndeny from all\r\nsatisfy all\r\n<\/files><\/pre>\n
\n
<\/div>\n<\/div>\n
10. Increase File Upload Size in WordPress<\/h4>\n
There are different ways to\u00a0increase the file upload size limit in WordPress. However, for users on\u00a0shared hosting\u00a0some of these methods do not work.<\/p>\n
One of the methods that has worked for many users is by adding following code to their .htaccess file:<\/p>\n
php_value upload_max_filesize 64M\r\nphp_value post_max_size 64M\r\nphp_value max_execution_time 300\r\nphp_value max_input_time 300<\/pre>\n
\n
This code simply tells your web server to use these values to increase file upload size as well as maximum execution time in WordPress.<\/div>\n<\/div>\n
<\/div>\n
<\/div>\n
11. Disable Access to XML-RPC File Using .htaccess<\/h4>\n
Each WordPress install comes with a file called xmlrpc.php. This file allows third-party apps to connect to your WordPress site. Most WordPress security experts advise that if you are not using any third party apps, then you should disable this feature.<\/p>\n
There are multiple ways to do that, one of them is by adding the following code to your .htaccess file:<\/p>\n
# Block WordPress xmlrpc.php requests\r\n<Files xmlrpc.php>\r\norder deny,allow\r\ndeny from all\r\n<\/Files><\/pre>\n
\n
For more information, see our guide on how to disable XML-RPC in WordPress.<\/div>\n<\/div>\n
<\/div>\n
<\/div>\n
12. Blocking Author Scans in WordPress<\/h4>\n
A common technique used in brute force attacks is to run author scans on a WordPress site and then attempt to crack passwords for those usernames.<\/p>\n
You can block such scans by adding the following code to your .htaccess file:<\/p>\n
# BEGIN block author scans\r\nRewriteEngine On\r\nRewriteBase \/\r\nRewriteCond %{QUERY_STRING} (author=\\d+) [NC]\r\nRewriteRule .* - [F]\r\n# END block author scans<\/pre>\n
\n
For more information, see our article on how to discourage brute force attacks by blocking author scans in WordPress.<\/div>\n<\/div>\n
We hope this article helped you learn the most useful .htaccess tricks for WordPress. You may also want to see our ultimate step by step WordPress security guide for beginners.<\/p>\n","protected":false},"excerpt":{"rendered":"
Rengga Dev – Are you looking for some useful .htaccess tricks for <\/a><\/p>\n","protected":false},"author":1,"featured_media":3951,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[17],"tags":[311,312,310,313,136],"newstopic":[],"class_list":{"0":"post-3204","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-wordpress","8":"tag-htaccess","9":"tag-htaccess-wordpress","10":"tag-wordpress","11":"tag-wordpress-htaccess","12":"tag-wordpress-plugin"},"_links":{"self":[{"href":"https:\/\/rengga.dev\/blog\/wp-json\/wp\/v2\/posts\/3204","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rengga.dev\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rengga.dev\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rengga.dev\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rengga.dev\/blog\/wp-json\/wp\/v2\/comments?post=3204"}],"version-history":[{"count":7,"href":"https:\/\/rengga.dev\/blog\/wp-json\/wp\/v2\/posts\/3204\/revisions"}],"predecessor-version":[{"id":3212,"href":"https:\/\/rengga.dev\/blog\/wp-json\/wp\/v2\/posts\/3204\/revisions\/3212"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rengga.dev\/blog\/wp-json\/wp\/v2\/media\/3951"}],"wp:attachment":[{"href":"https:\/\/rengga.dev\/blog\/wp-json\/wp\/v2\/media?parent=3204"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rengga.dev\/blog\/wp-json\/wp\/v2\/categories?post=3204"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rengga.dev\/blog\/wp-json\/wp\/v2\/tags?post=3204"},{"taxonomy":"newstopic","embeddable":true,"href":"https:\/\/rengga.dev\/blog\/wp-json\/wp\/v2\/newstopic?post=3204"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}