
27 WordPress Htaccess Tips for Better Security and Performance

For details on how the htaccess file is used and how to create it, please check the htaccess file knowledge base. Millions of WordPress users use the .htaccess file to protect their websites from spammers, hackers and other known threats, and to improve their WordPress website's performance. I will list some useful htaccess tips for WordPress security and performance.

Normally your control panel can install a WordPress website with just a few clicks and some configuration. After you have installed WordPress and configured your website's permalink settings to meet SEO requirements, your htaccess file will be created in your root folder. When you change instead of, your htaccess file will look like:

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

If no .htaccess file exists in your root directory, you can create one yourself and upload it. The htaccess file above helps search engines find your web pages. Search engine optimization is a very important task for webmasters.

2.  Protect Your WordPress Admin Area

Normally you need to use the iThemes plugin to rename your WordPress admin folder wp-admin to some other folder name so that hackers cannot find your admin area. You also need to protect it with an htaccess file:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist your own IP address
allow from xx.xx.xx.xx
# whitelist your partner's IP address
allow from xx.xx.xx.xx

xx.xx.xx.xx stands for your own IP address and your partner's IP address. You can whitelist as many IP addresses as you want. For more information on securing your admin area, you can also check here.

3. Ban Suspicious IP Addresses

If you find that some IP addresses are suspicious, you can safely block them with the htaccess file in your root directory.

order allow,deny
deny from xxx
allow from all

Replace xxx with the IP address you want to block.

4.  Protect .htaccess From Unauthorized Access

The htaccess file is very powerful. It is as powerful as your server's Apache configuration file. It is your duty to protect your htaccess file from being accessed by hackers and anyone else outside your website. If your htaccess file is hacked, your web hosting provider may suspend your website. Put the following code into your htaccess file:

<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

5. Protect your wp-config.php

The wp-config.php file is very important in your WordPress website. This file includes your database login information, which is vital to your WordPress website. If you lose control of your database, you will lose your whole WordPress website. Put the following code into the htaccess file in your root directory to protect your wp-config.php file.

<files wp-config.php>
order allow,deny
deny from all
</files>

6. Protect your WP-Content Directory

Your wp-content directory is also very important for your WordPress website. An attacker can upload files into your wp-content directory, change your WordPress website and do illegal things with it. You will lose your domains and your websites if hackers take over your WordPress wp-content folder. Put the following code into the htaccess file in your WordPress wp-content directory and you will be OK.

Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>
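
The Order, Deny and Allow directives used in tips 2 to 6 are Apache 2.2 syntax; on Apache 2.4 they work only while mod_access_compat is loaded. The following added example (not from the original article) writes the same rules with Require; the IP addresses are constructed placeholders and the wp-admin/.htaccess location for the first block is an assumption.

```apache
# Added example, not from the original article. Addresses are constructed
# placeholders (RFC 5737 documentation ranges); replace them with your own.
# Require needs "AllowOverride AuthConfig"; Order/Deny/Allow need "Limit".

# wp-admin/.htaccess (assumed location): allow only listed addresses (tip 2)
<IfModule mod_authz_core.c>
    # Apache 2.4+: access is granted if any Require line matches
    Require ip 203.0.113.10
    Require ip 203.0.113.11
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 fallback, same rule in the old syntax
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 203.0.113.11
</IfModule>

# Root .htaccess: block one address, allow everyone else (tip 3)
<IfModule mod_authz_core.c>
    <RequireAll>
        Require all granted
        Require not ip 198.51.100.23
    </RequireAll>
</IfModule>

# Root .htaccess: deny direct requests for .hta* files and wp-config.php (tips 4, 5)
<IfModule mod_authz_core.c>
    <FilesMatch "^.*\.([Hh][Tt][Aa])">
        Require all denied
    </FilesMatch>
    <Files "wp-config.php">
        Require all denied
    </Files>
</IfModule>

# wp-content/.htaccess: deny everything except static assets (tip 6)
<IfModule mod_authz_core.c>
    Require all denied
    <FilesMatch "\.(xml|css|jpe?g|png|gif|js)$">
        Require all granted
    </FilesMatch>
</IfModule>
```

After editing, request /wp-config.php and /.htaccess from a client that is not whitelisted and confirm that the server answers 403.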

7. Block Include-Only Files From Being Accessed by Others

The include files in your WordPress website should be accessible only to your WordPress website itself, not to other websites or users. Please put the following code into the htaccess file in your root directory.

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

8. Enable Browser Caching

There are several plugins, such as Super Cache and W3 Total Cache, that help you create cache files in your WordPress website, but you can also enable browser caching by using the following code in your htaccess file:

# Setup browser caching
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresDefault "access 2 days"

9. How to Specify File Size Limit and Max Execution Time Limit for PHP using htaccess file

10. How to Implement a Caching Scheme with htaccess file

11. How to make 301 Redirect Using htaccess File

12. How to Prevent Access to Your php.ini file or any other risky files by htaccess file

13. How to Prevent Access to Your php includes files by htaccess file?

14. How to Disable Server Signature by htaccess file?

15. How to Set Your Website Timezone by htaccess file

16. How to Prevent Dir Listings or Show FancyIndex by htaccess file

17. How to Change Your Website Root Directory with .htaccess file

18. How to Prevent PHP, Perl Executable scripts Run in your Image Folder with .htaccess file

19. How to redirect Http to Https Using .htaccess file

20. How to Change the default Directory Index in Apache Server by .htaccess file?

21. How to Block Bad Bots, Site Rippers, Crawlers, Scrapers and Malwares by .htaccess file

22. How to Hot Link Protect Your image Files by .htaccess File

23. How to Block Visitors from Spam Referrers By .htaccess file

24. Custom Error Responses by .htaccess ErrorDocuments following HTTP response status codes

25. How to Redirect By .htaccess File?

26. How to Instruct Browser to Download Media Files Instead of Display Them Using htaccess file

27. How to Prevent Requests with Invalid Characters Using htaccess file