Chat with us, powered by LiveChat

This website uses cookies

Our website, platform and/or any sub domains use cookies to understand how you use our services, and to improve both your experience and our marketing relevance.

Use .htaccess to Optimize Your WordPress Website

September 17, 2018

5 Min Read
wordpress htaccess file
Reading Time: 5 minutes

The .htaccess is an important core file in WordPress installation. It is often used to add, modify and override server level configurations and the website’s security and performance. In many cases, many people are not aware of the full potential of this file. In this article, I will highlight several interesting things you could accomplish by using optimize .htaccess file with secure WordPress hosting for better site performance.

How Does .htaccess File Work in WordPress?

WordPress default .htaccess file comes with the WordPress installation and is located inside the root directory. It is possible that the file is hidden as it does not have any file extension and due to security reasons, it might be kept hidden by your file manager.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L
# END WordPress

default code in a typical single-site

This file can easily be created from the WordPress dashboard -> Settings -> Permalinks and click ‘Save Changes’.

This will generate a new .htaccess WordPress file inside your root directory.

WordPress default .htaccess file only handles permalinks inside your WordPress site. However, this can be changed and additional controls can be added to control Apache server. These changes include security, performance and other tasks such as redirects from www to http URLs and vice versa.

Security fatigue. Feeling overwhelmed?

Try Cloudways to harden the security of your WordPress website.

How to Edit .htaccess WordPress File?

In order to edit the .htaccess file, first we need to locate it inside our WordPress root directory. This can be done using FTP.

Log into your root directory ‘public_html’ and search for .htaccess file.

Right click and click on ‘View/Edit’ option to open it inside your preferred text editor.

Make the required changes and save it. Another way of editing this is to make a copy inside your local folder and replace it with the live version using FTP. In case the file is missing and can not be located then follow the above method to re-create the .htaccess file from WordPress admin panel.

How To Optimize WordPress With .htaccess File?

The .htaccess file can be utilized in many ways to configure Apache server as per your requirements. These instructions are hard coded inside .htaccess files and have direct impact on your server behavior.

Let’s see what can be configured using .htaccess file.

  • Protect WordPress Admin Area.
  • Redirects.
  • Secure Important Files
  • Password Protected Folders.
  • Restrict wp-admin Access.
  • Disable PHP Execution.
  • File Access Restriction.
  • Control/Restrict Image Hotlinking
  • Script Injection Protection.
  • SSL Certificates.

Protect WordPress Admin Area

One of the great ways of protecting the admin area of a WordPress website is to limit access only to a selected pool of IP. Here is how you could use WordPress .htaccess to accomplish this:

AuthUserFile /Custom Folder/null
AuthGroupFile /Custom Folder/null
AuthType Basic
order deny,allow
deny from all
# whitelist Saud's IP address
allow from
# whitelist Mustaasam's IP address
allow from

Remember to replace xx values with your own IP address.

WWW Redirection

WordPress .htaccess file can be used to set rules for redirects from www to non-www and vice versa. Code below sets these rules so your server can redirect users accordingly.

RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L

Protect Important Files

You could use .htaccess to protect important files including error logs, wp-config.php and php.ini:

<FilesMatch "^.*(error_log|wp-config\.php|php.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all

Password Protected Folder

First, generate a .htpasswds file using the online generator.

<FilesMatch "^.*(error_log|wp-config\.php|php.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all

Next, upload this .htpasswds file to a folder with the structure /public_html/ folder. The /home/directory/.htpasswds/public_html/wp-admin/protected_password/ is a good location.

Now create .htaccess file, add the following code and upload it in /wp-admin/ directory:

AuthName " Only Admin"
AuthUserFile /home/directory/.htpasswds/public_html/wp-admin/ protected_password
AuthType basic
require user username
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any

Do not forget to replace the AuthUserFile path with the file path of your .htpasswds file and add your own username.

Restrict Access To WordPress Admin

WordPress admin is a sensitive area as it serves as a control room for WordPress site. Unwanted access to this area can cause data loss and theft as well as partial to complete loss of control to WordPress site.

The WordPress .htaccess could also be used to restrict access to WordPress Admin Area and the login page. Add the following code to the file:

ErrorDocument 401 /path-to-your-site/index.php?error=404
ErrorDocument 403 /path-to-your-site/index.php?error=404
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^IP Address$
RewriteRule ^(.*)$ - [R=403,L]
If you or any of your other users have dynamic IP addresses
ErrorDocument 401 /path-to-your-site/index.php?error=404
ErrorDocument 403 /path-to-your-site/index.php?error=404
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(.*)? [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]

Disable PHP Execution

Restricting execution of PHP code for all or selected directories of the WordPress website is an important way of improving the security of the website. Here is how you could use .htaccess  for restricting PHP execution:

<Files *.php>
deny from all

File Access Restriction

Restricting wp-admin access is not suitable all the time especially when other team members are managing the site and adding content to your website. But it should not mean that they also get access to sensitive files such as plugins, themes and assets folder.

.htaccess is a great way of protecting the source code of the plugins and themes installed on your WordPress website. Just add the following lines to the file:

RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]

Control/Restrict Image Hotlinking

Image hotlinking can add up to hosting cost as everytime external resource display the image it drains your bandwidth. Therefore, it is important to disable hotlinking via .htaccess file.

.htaccess could be easily used to restrict image hotlinking. Use the following code for this:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]

Script Injection Protection

This a type of security vulnerability in which hacker injects malicious piece of code to extract data or to take over your website. Adding following code inside WordPress .htaccess file can protect your site from such attack.

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

Require SSL Certificates

.htaccess could be used to force the use of SSL certificate(s) installed on your website:

SSLOptions +StrictRequire
SSLRequire %{HTTP_HOST} eq ""
ErrorDocument 403

Final Thoughts

WordPress .htaccess file is one of the most important file in terms of configuring your web server. We learned various important commands in this article which can be used to secure WordPress. Share if you know more commands which can help fellow WordPressers.

Frequently Asked Questions

Q1. What Is the .htaccess File in WordPress?

Ans. .htaccess file in WordPress is a server configuration file which can be used to set commands such as www redirects, restrict files and define rules for file access.

Q2. How to Edit WordPress htaccess file

Ans. WordPress .htaccess file can be edited using FTP. Use FileZilla, and access the root directory. Open the .htaccess file inside text editor for adding changes.

Q3. Does wordpress create an htaccess file?

Ans. Yes, .htaccess file can be created from WordPress dashboard. Settings -> Permalinks click on ‘Save Changes’ button to create new .htaccess file.

Share your opinion in the comment section. COMMENT NOW

Share This Article

Start Growing with Cloudways Today!

We never compromise on performance, security, and support.

Owais Alam

is the WordPress Community Manager at Cloudways - A Managed WooCommerce Hosting Platform and a seasoned PHP developer. He loves to develop all sorts of websites on WordPress and is in love with WooCommerce in particular. You can email him at

Get Our Newsletter
Be the first to get the latest updates and tutorials.

Do you like what you read?

Get the Latest Updates

Share Your Feedback

Please insert Content

Thank you for your feedback!