In many cases, you can resolve many server-level operational issues and challenges by simply updating/changing rules in the WordPress htaccess file. However, many website owners are not aware of the full potential of .htaccess for WordPress and thus miss out on optimizing their server (and website) to the fullest.
Default .htaccess file
Before we get to the actual code snippets, I recommend that you backup the current .htaccess file just in case that something goes wrong. Also, here is an example of the default WordPress .htaccess file:
301 (Permanent) Redirect
A 301 Redirect tells search engines that a URL has been permanently moved to another location. This is not limited to URLs only and you can redirect a folder, page or even a complete website. Below snippet will redirect the oldpage.html to newpage.html:
Redirect 301 /oldpage.html http//www.yourwebsite.com/newpage.html
302 (Temporary) Redirect
Unlike 301, the 302 Redirect tells search engines that this redirection is temporary. This is a great way of slowing down (or even preventing) SERP shuffles. Add the following line to .htaccess file:
Redirect 302 /oldpage.html http://www.yourwebsite.com/newpage.html
The .htaccess file can potentially control the entire website. Given this, It is paramount that .htaccess should be protected from unauthorized users. By using the below-mentioned snippet, you can restrict access for all unauthorized users.
Restrict Access to wp-admin
Imagine the (horrible) scenario where someone gains access to your WordPress admin panel? Such an attack can wreak your website.
To prevent this, you should restrict access to the WordPress admin panel to a specific IP(s) only.
For this, create another .htaccess file, and paste the below snippet in it. Next, upload it to “www.yourwebsite.com/wp-admin/” folder.
Now if anyone who is not on the approved IP list, he will not be able to login to your site. Instead, the following error would be displayed:
Note: Don’t forget to replace “xx.xx.xx.xx” with your allowed IP address.
You can easily get your IP by visiting What is my IP. If you’ve got more than one moderator, you can also add multiple IP’s by using the following variation:
allow from 188.8.131.52 184.108.40.206 220.127.116.11
Secure Important Files
For this, simply copy and paste the following lines in the WordPress htaccess file.
wp-content is the folder that contains all the important files of your themes, plugins, media and cached files. That’s why this directory is the main target for hackers and spammers. To protect this folder from unauthorized access, create a separate .htaccess file in the wp-content folder. Next, copy and paste the below-mentioned snippet in the file:
Protect Include-Only files
Some areas of the WordPress installation should never be accessible by the average users. It is always a good practice to block all access to these files. You can set up the access restrictions by adding the snippet to the .htaccess file.
Disable PHP Execution
Restricting the execution of PHP code for all or selected directories of the WordPress website is an important WordPress website security practice. Create an htaccess file inside a folder where you don’t want to run PHP scripts, and add the below snippet in it.
Certain WordPress folders such as /wp-includes/ and /wp-content/uploads/ are writable by default. This type of permission allows users to upload media or different file types. It is always recommended to disable PHP execution on these directories.
File Access Restriction
Restricting access to wp-admin is an important requirement, particularly when several team members are involved in website management and updates.
In practical terms, this means that the users cannot access sensitive files such as plugins, themes, and assets folder.
Script Injection Protection
Script Injection is a notorious technique in which the attacker “injects” a malicious piece of code in the website code to extract data or to take over the website. Adding the following snippet in the WordPress .htaccess file can protect your site from such attacks.
Block IP Address
If someone is abusing your website, continuously spamming or launching hacking attempts, their IP is visible in the WordPress admin panel. To block the IP, simply use the .htaccess file to control access to your website. Simply copy & paste the below-mentioned snippet into the WordPress htaccess file and this particular problem will go away. Remember to replace the sample IP with that of the spammer’s.
Once the snippet is in place, the spammer would see the following error message on your site:
Password protect wp-admin folder
If you access your WordPress site from multiple locations including public internet spots, then limiting access to specific IP addresses may not work for you.
You can use .htaccess file to add an additional password protection to your WordPress admin area.
First, you need to generate a .htpasswds file. You can easily create one by using this online generator.
Upload this .htpasswds file outside your publicly accessible web directory or /public_html/ folder. A good path would be:
Next, create a .htaccess file and upload it in /wp-admin/ directory and then add the following codes in there:
NOTE: Don’t forget to replace AuthUserFile path with the file path of your .htpasswds file and add your own username.
Deny Access To Certain Files
Disable Directory Browsing
Unauthorized access to website files and folders is a major security risk that can potentially bring down the entire site.
By adding the below-mentioned snippet to your WordPress .htaccess file, access to website directories can be controlled/disabled for all users.
# disable directory browsing Options All -Indexes
Control/Restrict Image Hotlinking
Image hotlinking can significantly affect the bandwidth usage numbers of your server because every time an external resource requests for an image, your server bandwidth is utilized for delivering the image.
To reduce bandwidth consumption because of image hotlinking, you can add the following code snippet to .htaccess file:
Block Author Scans
A common technique used in brute force attacks is to run author scans on a WordPress site and then attempt to crack passwords for those usernames.
Block Bad bots
Bad blocks not only look for vulnerability on your site but also cost you money by consuming sever resources. Below is the 6G firewall directives for blocking all known bad blocks through .htaccess.
Block Brute Force Attacks
With WordPress being such a common content management system (CMS) or website platform, it has naturally become a target for hackers to crack. The most common effort is running a script which attempts logins over and over. This causes your server to overload and the hacker may find out your password. You may add the following lines of code to prevent these brute force attacks:
n the above example you will need to update the third line from example\.com to your domain (without www). In the above scenario a hacker is attempting logins without ever visiting your website. This script prevents anyone from direct access and requires that the user submitted the login form on your website.
Disable XML-RPC Access
XML-RPC files are installed by default on every WordPress website. These files allow your website to utilize third-party apps or plugins such as Google Analytics for WordPress. Third-party apps are a common method for hackers to use when infiltrating a website. You may remove this function from your WordPress website with the following code implemented onto your .htaccess file:
With all of the above information clearly the .htaccess file has quite a bit of functionality to customize your WordPress website. If you are having difficulty implementing a more custom solution just leave us a note and we would be happy to assist!
Special thanks to Mustaasam Saleem and Syed Balkhi for some of this code snippets.
Do you have a htaccess tips you like to share with other people to improve their WordPress website? Feel free to let us know below!