12 Most Useful .htaccess Tricks for WordPress

Are you looking for some useful .htaccess tricks for your WordPress site? The .htaccess file is a powerful configuration file that allows you to do a lot of neat things on your website. In this article, we’ll show you some of the most useful .htaccess tricks for WordPress that you can try right away.

What Is the .htaccess File and How Do You Edit It?

The .htaccess file is a server configuration file. It allows you to define rules for the server to follow for your website.

WordPress uses the .htaccess file to generate an SEO-friendly URL structure. However, this file can do much more.

The .htaccess file is located in the root folder of your WordPress site. You will need to connect to your website using an FTP client to edit it.

If you cannot find your .htaccess file, then see our guide on how to find your .htaccess file in WordPress.

Before you edit the .htaccess file, it is important to download a copy of it to your computer as a backup. You can use that file in case anything goes wrong.

With that said, let’s look at some useful .htaccess tricks for WordPress that you can try.

1. Protect WordPress Admin Area

You can use .htaccess to protect your WordPress admin area by limiting access to selected IP addresses. Simply copy and paste this code into your .htaccess file:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
# No <Limit> wrapper: a <LIMIT GET> section would restrict only GET and HEAD,
# so the rules below apply to every request method
order deny,allow
deny from all
# whitelist Syed's IP address
allow from xx.xx.xx.xxx
# whitelist David's IP address
allow from xx.xx.xx.xxx

Remember to replace the xx values with your own IP address. If you use more than one IP address to access the Internet, then make sure you add them too.

For detailed instructions, see our guide on how to restrict access to your WordPress admin using .htaccess.

2. Password Protect WordPress Admin Folder

If you access your WordPress site from multiple locations, including public internet spots, then restricting access to specific IP addresses may not work for you.

You can use the .htaccess file to add additional password protection to your WordPress admin area.

First, you need to generate a .htpasswds file. You can easily create one by using this online generator.

Upload this .htpasswds file outside your publicly accessible web directory or /public_html/ folder. A good path would be:

/home/user/.htpasswds/public_html/wp-admin/passwd/

Next, create a .htaccess file, upload it to the /wp-admin/ directory, and then add the following code to it:

AuthName "Admins Only"
AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd
AuthGroupFile /dev/null
AuthType basic
require user putyourusernamehere
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

Important: Do not forget to replace the AuthUserFile path with the file path of your .htpasswds file and add your own username.

For detailed instructions, see our guide on how to password protect your WordPress admin folder.

3. Disable Directory Browsing

Many WordPress security experts recommend disabling directory browsing. With directory browsing enabled, hackers can look into your site's directory and file structure to find a vulnerable file.

To disable directory browsing on your website, you need to add the following line to your .htaccess file:

Options -Indexes

For more on this topic, see our guide on how to disable directory browsing on WordPress.

4. Disable PHP Execution in Some WordPress Directories

Sometimes hackers break into a WordPress site and install a backdoor. These backdoor files are often disguised as core WordPress files and are placed in the /wp-includes/ or /wp-content/uploads/ folders.

An easier way to improve your WordPress security is to disable PHP execution for some WordPress directories.

You will need to create a blank .htaccess file on your computer and then paste the following code into it:

<Files *.php>
deny from all
</Files>

Save the file and then upload it to your /wp-content/uploads/ and /wp-includes/ directories. For more information, check out our tutorial on how to disable PHP execution in certain WordPress directories.

5. Protect Your WordPress Configuration wp-config.php File

Probably the most important file in the root directory of your WordPress site is the wp-config.php file. It contains information about your WordPress database and how to connect to it.

To protect your wp-config.php file from unauthorized access, simply add this code to your .htaccess file:

<files wp-config.php>
order allow,deny
deny from all
</files>

6. Set Up 301 Redirects Through the .htaccess File

Using 301 redirects is the most SEO-friendly way to tell your users that content has moved to a new location. If you want to properly manage your 301 redirects on a post-by-post basis, then see our guide on how to set up redirects in WordPress.

On the other hand, if you want to set up redirects quickly, then all you need to do is paste this code into your .htaccess file:

Redirect 301 /oldurl/ http://www.example.com/newurl
Redirect 301 /category/television/ http://www.example.com/category/tv/

7. Ban Suspicious IP Addresses

Are you seeing an unusually high number of requests to your website from a specific IP address? You can easily block those requests by blocking the IP address in your .htaccess file.

Add the following code to your .htaccess file:

<Limit GET POST>
order allow,deny
deny from xxx.xxx.xx.x
allow from all
</Limit>

Remember to replace the xx placeholders with the IP address you want to block.
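The Order, Allow and Deny directives used in tricks 1, 5 and 7 are easy to get backwards, so the following added example (not code from the original article) models how Apache evaluates them. The rule-set names and client addresses are constructed for illustration, and only full IP addresses, CIDR blocks and "all" are handled.

```python
import ipaddress

def _matches(specs, client):
    """True if the client IP matches any 'from' value: 'all', an address or a CIDR block."""
    ip = ipaddress.ip_address(client)
    return any(
        spec == "all" or ip in ipaddress.ip_network(spec, strict=False)
        for spec in specs
    )

def is_allowed(order, allow, deny, client):
    """Model of Apache's Order/Allow/Deny decision for one client address."""
    allowed, denied = _matches(allow, client), _matches(deny, client)
    if order == "deny,allow":
        # Deny is evaluated first and Allow last: Allow wins, default is allow.
        return allowed or not denied
    if order == "allow,deny":
        # Allow is evaluated first and Deny last: Deny wins, default is deny.
        return allowed and not denied
    raise ValueError(f"unsupported Order value: {order!r}")

# Rule sets from the article, filled in with constructed documentation-range addresses.
ADMIN_ALLOWLIST = ("deny,allow", ["203.0.113.10", "203.0.113.11"], ["all"])  # trick 1
WP_CONFIG = ("allow,deny", [], ["all"])                                       # trick 5
IP_BAN = ("allow,deny", ["all"], ["198.51.100.7"])                            # trick 7
# Trick 7 with the Order swapped by mistake: "allow from all" now overrides the ban.
IP_BAN_SWAPPED = ("deny,allow", ["all"], ["198.51.100.7"])

if __name__ == "__main__":
    cases = [("admin allowlist", ADMIN_ALLOWLIST), ("wp-config", WP_CONFIG),
             ("ip ban", IP_BAN), ("ip ban, order swapped", IP_BAN_SWAPPED)]
    for name, rules in cases:
        for client in ("203.0.113.10", "198.51.100.7"):
            print(f"{name:22} {client:14} allowed={is_allowed(*rules, client)}")
```

The swapped rule set shows why the Order line matters: with deny,allow the banned address is let through, because the last-evaluated directive wins.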

8. Disable Image Hotlinking in WordPress Using .htaccess

Other websites hotlinking images directly from your site can make your WordPress site slow and exceed your bandwidth limit. This is not a big problem for most smaller sites. However, if you run a popular website or a website with lots of photos, then this could be a serious concern.

You can prevent image hotlinking by adding this code to your .htaccess file:

#disable hotlinking of images with forbidden or custom image option
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?webosu.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

This code only allows images to be displayed if the request comes from webosu.com or Google.com. Do not forget to replace webosu.com with your own domain name.

For more ways to protect your images, see our guide on ways to prevent image theft in WordPress.
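To check which requests the hotlinking rule actually rejects, the following added example (not code from the original article) models its RewriteCond chain in Python. The sample requests and the tightened patterns are constructed for illustration and are assumptions, not part of the article's rule.

```python
import re

# Referer patterns exactly as they appear in the article's RewriteCond lines.
PUBLISHED = [r"^http(s)?://(www\.)?webosu.com", r"^http(s)?://(www\.)?google.com"]
# Tightened variants (an assumption, not from the article): dots escaped and the
# host name terminated, so a longer host that merely starts with it no longer matches.
TIGHTENED = [r"^https?://(www\.)?webosu\.com(:\d+)?(/|$)",
             r"^https?://(www\.)?google\.com(:\d+)?(/|$)"]

IMAGE = re.compile(r"\.(jpg|jpeg|png|gif)$", re.IGNORECASE)  # RewriteRule pattern, [NC]

def is_forbidden(path, referer, allowed):
    """True when the rule set would answer 403 (the [F] flag) for this request."""
    if not IMAGE.search(path):
        return False  # RewriteRule pattern does not match: the rule is skipped
    if referer == "":
        return False  # RewriteCond !^$ fails: an empty Referer is let through
    # Remaining conditions: the Referer must match none of the allowed patterns.
    return not any(re.search(p, referer, re.IGNORECASE) for p in allowed)

# Constructed sample requests: (path, Referer header)
SAMPLES = [
    ("/wp-content/uploads/photo.JPG", ""),
    ("/wp-content/uploads/photo.jpg", "https://www.webosu.com/post/"),
    ("/wp-content/uploads/photo.jpg", "https://blog.example/"),
    ("/wp-content/uploads/photo.png", "https://webosu.com.images.example/x"),
    ("/index.php", "https://blog.example/"),
]

if __name__ == "__main__":
    for path, referer in SAMPLES:
        print(f"{path:32} {referer or '(empty)':38} "
              f"published={is_forbidden(path, referer, PUBLISHED)} "
              f"tightened={is_forbidden(path, referer, TIGHTENED)}")
```

The Referer header is supplied by the client, so this rule limits bandwidth use rather than enforcing access control.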

9. Protect .htaccess From Unauthorized Access

As you have seen, there are many things that can be done using the .htaccess file. Because of the power and control it has over your web server, it is important to protect it from unauthorized access by hackers. Simply add the following code to your .htaccess file:

<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

10. Increase the Upload File Size in WordPress

There are various ways to increase the upload file size limit in WordPress. However, for users on shared hosting, some of these methods do not work.

One method that has worked for many users is adding the following code to their .htaccess file:

php_value upload_max_filesize 64M
php_value post_max_size 64M
php_value max_execution_time 300
php_value max_input_time 300

This code simply tells your web server to use these values to increase the upload file size and the maximum execution time in WordPress.

11. Disable Access to the XML-RPC File Using .htaccess

Every WordPress install comes with a file called xmlrpc.php. This file allows third-party applications to connect to your WordPress site. Most WordPress security experts suggest that if you do not use third-party applications, then you should disable this feature.

There are several ways to do it, one of which is to add the following code to your .htaccess file:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

For more information, see our guide on how to disable the WordPress XML-RPC.

12. Block Author Scans in WordPress

A common technique used in brute force attacks is to run author scans on a WordPress site and then attempt to crack the passwords for those usernames.

You can block such scans by adding the following code to your .htaccess file:

# BEGIN block author scans
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
# END block author scans

For more information, see our article on how to prevent brute force attacks by blocking author scans in WordPress.

We hope this article helped you learn the most useful .htaccess tricks for WordPress. You may also want to look at our main step-by-step WordPress security guide for beginners.
