Useful WordPress htaccess Rules And Snippets

The aim of this blog post is to provide you with some useful WordPress .htaccess rules and snippets which can help to secure and speed up your website. The .htaccess rules included in this blog post are for use with Apache and WordPress; they are not designed to be used with NGINX or other content management systems.

What Is a .htaccess File

A .htaccess file is a configuration file used on servers running the Apache Web Server software, which is a very popular web server platform used by a large number of web hosting companies around the world. When a .htaccess file is placed in a directory which is served by the Apache Web Server, the file is read and applied by the Apache Web Server software. The .htaccess file can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features the Apache Web Server software has to offer. The .htaccess file is especially useful for WordPress websites as it allows you to improve the performance/speed of the website and also make it more secure using a couple of lines of code included in the .htaccess file.

Default .htaccess File For WordPress

All WordPress installations come with a default .htaccess file, containing a default set of rules, which can be found in your root directory. Should anything go wrong when you're making changes to the .htaccess file, you can always restore the file back to its original state as shown below. More information about the default file can be found at

Please note that any line starting with a # is a comment and will not be executed by Apache.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Enable G-zip Compression

You can quickly speed up your WordPress website using this piece of code which basically compresses the output of the content generated by your website. As Apache is used by a large number of hosting companies this code should work for a lot of web hosting services out there.

<IfModule mod_deflate.c>
  # Compress HTML, CSS, JavaScript, Text, XML and fonts
  AddOutputFilterByType DEFLATE application/javascript
  AddOutputFilterByType DEFLATE application/rss+xml
  AddOutputFilterByType DEFLATE application/
  AddOutputFilterByType DEFLATE application/x-font
  AddOutputFilterByType DEFLATE application/x-font-opentype
  AddOutputFilterByType DEFLATE application/x-font-otf
  AddOutputFilterByType DEFLATE application/x-font-truetype
  AddOutputFilterByType DEFLATE application/x-font-ttf
  AddOutputFilterByType DEFLATE application/x-javascript
  AddOutputFilterByType DEFLATE application/xhtml+xml
  AddOutputFilterByType DEFLATE application/xml
  AddOutputFilterByType DEFLATE font/opentype
  AddOutputFilterByType DEFLATE font/otf
  AddOutputFilterByType DEFLATE font/ttf
  AddOutputFilterByType DEFLATE image/svg+xml
  AddOutputFilterByType DEFLATE image/x-icon
  AddOutputFilterByType DEFLATE text/css
  AddOutputFilterByType DEFLATE text/html
  AddOutputFilterByType DEFLATE text/javascript
  AddOutputFilterByType DEFLATE text/plain
  AddOutputFilterByType DEFLATE text/xml

  # Remove browser bugs (only needed for really old browsers)
  BrowserMatch ^Mozilla/4 gzip-only-text/html
  BrowserMatch ^Mozilla/4\.0[678] no-gzip
  BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
  Header append Vary User-Agent
</IfModule>

Disable Directory Browsing

To stop visitors from viewing all the files and directories on your website you need to disable directory browsing. Directory browsing is a security issue, and it can be closed down by quickly adding the code below to the .htaccess file:

# Disable directory browsing
# (Apache 2.4 rejects a mix of prefixed and unprefixed options such as "All -Indexes")
Options -Indexes

Protect The wp-config.php File

The wp-config.php file for your WordPress website contains a lot of sensitive information about your website including the database name, user name and password plus much more. It is very important that you protect this file and stop it from being accessed by people who want to damage your website or business.

Use this code to block access to the wp-config.php file:

# Deny access to wp-config.php file
<files wp-config.php>
order allow,deny
deny from all
</files>

Protect The .htaccess

Another very important file is the .htaccess file itself. As you can imagine, this file includes very sensitive information which you don’t want anyone to see. You can secure this file by adding this code to the .htaccess file:

# Deny access to all .htaccess files
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

Disable Image Hotlinking

Image hotlinking refers to when other websites link to images, videos and other non-HTML assets hosted on your website. This may slow down your load times and use up all the bandwidth allocated to your website.

RewriteEngine on
# Let requests with an empty referer through
RewriteCond %{HTTP_REFERER} !^$
# example.com is a placeholder: replace it with your own domain
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

Increase PHP File Upload Size

Some hosting companies put restrictions in place on the size of files you can upload to a WordPress website. When you try to upload the file you may see the following: “warning post-content-length of bytes exceeds the limit” or “exceeds the maximum upload size for this site”. To increase the file upload size you can add this code to the .htaccess file:

php_value upload_max_filesize 64M
php_value post_max_size 64M
php_value max_execution_time 300
php_value max_input_time 300

Disable XML-RPC Access

The XML-RPC file (xmlrpc.php) is included with every WordPress website. The file allows your website to utilize third-party apps or plugins such as Google Analytics for WordPress. Because third-party apps get attacked by hackers, you can add this code to your .htaccess file to block the xmlrpc.php file:

<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
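
The wp-config.php, .htaccess and xmlrpc.php rules above use the order/deny directives from Apache 2.2, which Apache 2.4 only accepts when mod_access_compat is loaded. The following is an added example, not part of the original post, that expresses the same three denials so that they work on either version; the single combined filename pattern is a choice made for this example.

```apache
# Added example: deny wp-config.php, xmlrpc.php and .ht* files
# on both Apache 2.4 and Apache 2.2.

# Apache 2.4+: mod_authz_core provides the "Require" directive.
<IfModule mod_authz_core.c>
  <FilesMatch "^(wp-config\.php|xmlrpc\.php|\.[Hh][Tt].*)$">
    Require all denied
  </FilesMatch>
</IfModule>

# Apache 2.2: mod_authz_core does not exist, so fall back to Order/Deny.
<IfModule !mod_authz_core.c>
  <FilesMatch "^(wp-config\.php|xmlrpc\.php|\.[Hh][Tt].*)$">
    Order allow,deny
    Deny from all
  </FilesMatch>
</IfModule>
```

These directives only work in a .htaccess file if the host's AllowOverride setting permits them (AuthConfig for Require, Limit for Order/Deny); otherwise Apache answers every request in that directory with a 500 error.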

Disable PHP Execution in Media Directories

Hackers may try to compromise your website by uploading/installing a PHP backdoor file to one of the directories on your WordPress website. You can upload a .htaccess file to the /wp-content/uploads/ directory, or another directory, including the following code, which will stop any PHP scripts from being executed in the directory:

<files *.php>
deny from all
</files>
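
The `*.php` pattern above only matches file names that end in .php. The following added example (not from the original post) is a broader version for /wp-content/uploads/.htaccess; it assumes Apache 2.4, and the list of extensions is an assumption about which ones a host may have mapped to the PHP handler.

```apache
# Added example for /wp-content/uploads/.htaccess, assuming Apache 2.4.
# Refuses direct requests for any file name that carries a PHP-style
# extension anywhere in it, for example:
#   x.php  x.PHP  x.php5  x.phtml  x.phar  x.php.jpg
# (?i)    makes the match case-insensitive
# (\.|$)  also catches a PHP extension followed by another one
<FilesMatch "(?i)\.(php[0-9]?|phtml|phps|pht|phar)(\.|$)">
  Require all denied
</FilesMatch>

# Do not let a directory listing reveal what has been uploaded.
Options -Indexes
```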

Ban An IP Address

If someone or something is attacking your WordPress website you can use the .htaccess file to block the IP address using the following code:

# You can add as many IP addresses as you like to this list
# 192.0.2.10 and 198.51.100.25 are placeholders: replace them with the addresses to block
order allow,deny
deny from 192.0.2.10
deny from 198.51.100.25
allow from all

Force HTTPS SSL Redirect

HTTPS or SSL refers to “secure socket layer”, which is designed to increase your website’s security. This protects your consumers’ data and helps avoid man-in-the-middle attacks on your website. To force your website to use HTTPS SSL, so that all website traffic and visitors use https://, add this code to the .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]