The .htaccess file is a configuration file that is used by the Apache web server to control various aspects of how the server functions. In WordPress, the .htaccess file is used to control various settings related to the permalinks of your website, as well as to protect your website from various types of attacks.
The default .htaccess file that is included with WordPress is shown below:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
This .htaccess file includes the rules that enable the WordPress permalink structure: every request that does not match an existing file or directory is routed to index.php. Note that .htaccess is a hidden file, so you may need to adjust your operating system or file manager settings to be able to view it.
Here are some examples of common .htaccess file configurations that are used in WordPress:
Speed and Performance
Here are some examples of .htaccess configurations that can help improve the caching of your WordPress website:
Enabling Gzip Compression
<IfModule mod_deflate.c>
# Compress HTML, CSS, JavaScript, Text, XML and fonts
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
</IfModule>
Enabling Mod_Gzip
<IfModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>
This configuration will enable Mod_Gzip on your website, which is a module that can improve the loading speed of your website by compressing the files that are served to users.
Enabling Mod_Cache
<IfModule mod_cache.c>
CacheEnable disk /
CacheIgnoreNoLastMod On
CacheIgnoreCacheControl On
CacheIgnoreHeaders Set-Cookie
CacheMaxExpire 86400
</IfModule>
This configuration will enable Mod_Cache on your website, which is a module that can improve the caching of your website’s static files and improve the loading speed of your website.
Enabling Mod_Cache_Disk
<IfModule mod_cache_disk.c>
CacheRoot "/var/cache/mod_cache_disk"
CacheDirLevels 5
CacheDirLength 3
CacheIgnoreCacheControl On
CacheIgnoreNoLastMod On
CacheIgnoreQueryString Off
CacheIgnoreURLSessionIdentifiers On
CacheLastModifiedFactor 0.1
CacheMaxFileSize 1000000
CacheStoreNoStore On
CacheStorePrivate On
CacheStorePublic On
</IfModule>
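This configuration will enable Mod_Cache_Disk on your website, which is a module that can improve the caching of your website’s static files and improve the loading speed of your website. Note that CacheStorePrivate On and CacheStoreNoStore On tell the cache to store responses the application marked Cache-Control: private or no-store, such as pages generated for a logged-in user, and a shared cache can then serve them to other visitors. Leave both Off unless nothing on the site is personalized.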
Enabling Compression for Text Files
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
</IfModule>
This configuration will enable compression for text files on your website, which can help reduce the size of your website’s text files and improve the loading speed of your website.
Disabling ETags
FileETag None
This configuration will disable ETags on your website, which can help improve the caching of your website’s static files and improve the loading speed of your website.
Enabling Leverage Browser Caching
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType text/html "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresDefault "access 1 month"
<IfModule mod_headers.c>
Header set Cache-Control "public"
</IfModule>
</IfModule>
This configuration will enable browser caching (the "Leverage Browser Caching" recommendation) on your website, which can help improve the caching of your website’s static files and improve the loading speed of your website.
Enabling Cache-Control Headers
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType text/html "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresDefault "access 1 month"
</IfModule>
This configuration will set cache-control headers for various file types, which can help improve the performance of your website by reducing the number of requests that need to be made to the server.
Enabling Keep-Alive
<IfModule mod_headers.c>
Header set Connection keep-alive
</IfModule>
Enabling Mod_PageSpeed
<IfModule pagespeed_module>
ModPagespeed on
ModPagespeedRewriteLevel CoreFilters
</IfModule>
This configuration will enable Mod_PageSpeed on your website, which is a module that can optimize the loading speed of your website by applying various performance-enhancing filters to your website’s resources.
SEO and Redirects
Here are some examples of .htaccess configurations that can help improve the SEO performance of your WordPress website:
Enabling URL Rewriting
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
This configuration will enable URL rewriting on your website, which can help make your URLs more user-friendly and easier to read.
Enabling Canonical URLs
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
This configuration will enable canonical URLs on your website, which can help prevent duplicate content issues and improve your website’s ranking in search engines.
Enabling Automatic XML Sitemaps
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^sitemap\.xml$ index.php?sitemap=1 [L]
</IfModule>
This configuration will enable automatic XML sitemaps on your website, which can help search engines more easily discover and index your website’s pages.
Redirecting All Traffic to HTTPS
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
This configuration will redirect all traffic from the HTTP version of your website (e.g., http://example.com) to the HTTPS version (e.g., https://example.com).
Redirecting Old URLs to New URLs
# Redirect is a mod_alias directive, so mod_rewrite is not needed here
<IfModule mod_alias.c>
Redirect 301 /old-page https://www.example.com/new-page
</IfModule>
This configuration will redirect traffic from the old URL (e.g., /old-page) to the new URL (e.g., /new-page). This can be useful if you have changed the URL structure of your website and want to redirect traffic from the old URLs to the new URLs.
Redirecting non-www to www
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
This configuration will redirect all traffic from the non-www version of your website (e.g., example.com) to the www version (e.g., www.example.com).
Redirecting www to non-www
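<IfModule mod_rewrite.c>
RewriteEngine On
# Capture the host name without the leading "www." as %1
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
# Redirect to the captured bare host; using %{HTTP_HOST} here would loop
RewriteRule ^(.*)$ https://%1%{REQUEST_URI} [L,R=301]
</IfModule>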
This configuration will redirect all traffic from the www version of your website (e.g., www.example.com) to the non-www version (e.g., example.com).
Redirecting All Traffic to a Maintenance Page
RewriteEngine On
RewriteBase /
# Skip the redirect for the administrator's address (anchored at both ends)
RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.012$
RewriteCond %{REQUEST_URI} !/maintenance\.html$ [NC]
RewriteRule .* /maintenance.html [R=302,L]
This configuration will redirect all traffic to a maintenance page, except for traffic from the IP address 123.456.789.012 (a placeholder; substitute your own address).
Enabling PHP Settings
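# Boolean options are set with php_flag, everything else with php_value
php_flag display_errors On
php_flag log_errors On
php_value error_log /path/to/error.log
php_value max_execution_time 300
php_value max_input_time 300
php_value memory_limit 128M
This configuration will enable various PHP settings, such as the display of errors, the logging of errors, and the maximum execution and input times. These directives only work when PHP runs as an Apache module (mod_php). Displaying errors to visitors reveals file paths and other internals, so on a production site turn display_errors Off and rely on the error log, kept outside the web root.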
Security .htaccess tweaks for WordPress
Here are some examples of .htaccess configurations that can help improve the security of your WordPress website:
Disabling Directory Listing
Options -Indexes
This configuration will disable directory listing, which means that users will not be able to see a list of the files and directories in a directory if there is no index file present.
Protecting the wp-login.php File
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from 123.456.789.0
</Files>
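This configuration will block access to the wp-login.php file from all IP addresses except for 123.456.789.0 (a placeholder; substitute your own address). Order, Deny and Allow are Apache 2.2 directives; Apache 2.4 accepts them only when mod_access_compat is loaded.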
Protecting the wp-admin Directory
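# Place these lines in wp-admin/.htaccess.
# <Directory> sections are not permitted inside .htaccess files.
Order Deny,Allow
Deny from all
Allow from 123.456.789.0
Placed in an .htaccess file inside the wp-admin directory, this configuration will block access to that directory from all IP addresses except for 123.456.789.0.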
Enabling ModSecurity
<IfModule mod_security.c>
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml
SecResponseBodyLimit 524288
</IfModule>
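This configuration will enable the ModSecurity module, which can help protect your website from various types of attacks. The mod_security.c test matches ModSecurity 1.x; ModSecurity 2.x identifies itself as mod_security2.c, so on those servers the block is skipped and the engine is normally configured in the main server configuration. SecRuleEngine On only switches the engine on; the protection comes from the rule set loaded alongside it.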
Blocking PHP Execution in Certain Directories
<Files *.php>
deny from all
</Files>
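This configuration will block the execution of PHP files in the current directory (the one holding this .htaccess file) and all subdirectories. Place it in a directory that should never serve PHP, such as wp-content/uploads, and not in the site root, where it would also block WordPress itself.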
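A stricter variant of the block above, as an added example that is not from the original article. It assumes the file is saved as wp-content/uploads/.htaccess and that the server's PHP handler may be mapped to more extensions than .php, which depends on the host's configuration.

```apache
# wp-content/uploads/.htaccess (assumed location; never the site root)
# Deny every file name carrying a PHP-handled extension, in any case, also
# when that extension is followed by another one (mod_mime can still map
# such multi-extension names to the PHP handler when AddHandler is in use).
<FilesMatch "(?i)\.(?:php[0-9]?|phtml|phar)(?:\.|$)">
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 fallback
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>
```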
Protecting wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
This configuration will block all access to the wp-config.php file, which is a critical file that contains sensitive information such as database credentials.
Protecting wp-includes
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
This configuration will protect the wp-includes directory by blocking access to certain files and directories within it.
Blocking Access to wp-content/uploads
<Files ~ ".*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
This configuration will block access to any file whose name contains .hta (which includes .htaccess itself). To apply it within the wp-content/uploads directory, place it in an .htaccess file in that directory.
Blocking XML-RPC
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
This configuration will block access to the xmlrpc.php file, which is used for remote access to WordPress.
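The wp-login.php, wp-config.php and xmlrpc.php rules above, rewritten so they work on Apache 2.4 without mod_access_compat and fall back to the 2.2 syntax elsewhere. This is an added example, not part of the original article; 203.0.113.10 is a constructed documentation address standing in for your own.

```apache
# Root .htaccess. Requires "AllowOverride AuthConfig" on Apache 2.4
# or "AllowOverride Limit" on Apache 2.2.

# Login form: reachable only from the trusted address.
<Files "wp-login.php">
    <IfModule mod_authz_core.c>
        # Apache 2.4: authorization is handled by mod_authz_core
        Require ip 203.0.113.10
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2: same policy in the legacy syntax
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.10
    </IfModule>
</Files>

# Database credentials and keys: never served over HTTP.
<Files "wp-config.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>

# XML-RPC endpoint: closed to every client.
<Files "xmlrpc.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>
```

The negated IfModule test keeps the two syntaxes from being active together, which matters because mixing Require with Order/Deny/Allow in one scope gives results that are hard to predict.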
Blocking IP Addresses
order allow,deny
deny from 1.2.3.4
deny from 5.6.7.8
allow from all
This configuration will block all traffic from the IP addresses 1.2.3.4 and 5.6.7.8, while allowing all other traffic.
Blocking Referers
RewriteEngine on
RewriteCond %{HTTP_REFERER} badsite\.com [NC,OR]
RewriteCond %{HTTP_REFERER} anotherbadsite\.com
RewriteRule .* - [F]
This configuration will block all traffic that is referred from the websites badsite.com or anotherbadsite.com.
Enabling Server-Side Includes (SSI)
Options +Includes
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
This configuration will enable Server-Side Includes (SSI) on your website, which allows you to include the contents of one file in another file using special tags.
Blocking Access to wp-content/plugins
<Files ~ ".*\.([Pp][Ll][Gg])">
order allow,deny
deny from all
satisfy all
</Files>
This configuration will block access to any file with an extension of .plg within the wp-content/plugins directory, provided it is placed in an .htaccess file in that directory.
Blocking Access to wp-content/themes
<Files ~ ".*\.([Tt][Hh][Mm])">
order allow,deny
deny from all
satisfy all
</Files>
This configuration will block access to any file with an extension of .thm within the wp-content/themes directory, provided it is placed in an .htaccess file in that directory.
Blocking Access to wp-content/cache
<Files ~ ".*\.([Hh][Tt][Mm][Ll])">
order allow,deny
deny from all
satisfy all
</Files>
This configuration will block access to any file with an extension of .html within the wp-content/cache directory, provided it is placed in an .htaccess file in that directory.
Enabling Hotlink Protection
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https://(www\.)?example\.com/.*$ [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [F]
</IfModule>
This configuration will enable hotlink protection on your website, which can help prevent other websites from linking to your images and using up your server resources.
I am grateful for these codes and the complete training that you provided.