5 Ways to Use the WordPress .htaccess File to Improve Your Site

Web servers use configuration files to enable or disable functionality. One of the most important of these files for WordPress users is the .htaccess file.

The WordPress .htaccess file enables you to customize aspects of your site’s functionality. For example, you can use it to ban specific IP addresses from accessing your website or password protect specific webpages, and that’s just for starters.

Understanding how it works and what you can accomplish with it can be confusing without guidance. In this article, we’re going to talk more about the WordPress .htaccess file, where to find it, and what it can do for you. We’ll cover five ways you can use it to improve your WordPress website. Let’s get started!

What the WordPress .htaccess File Is (And Where to Find It)

.htaccess is one of WordPress’s core files — the default WordPress installation files that are responsible for the platform’s core functionality. This particular file includes settings that determine how WordPress renders URLs and how it interacts with your server.

Modifying the .htaccess file isn’t as scary as you might think. As long as you follow instructions and don’t add or delete code without knowing what it does, you should be fine. However, you should always create a backup of your website before making such changes, just in case.

To find and edit the WordPress .htaccess file, you’ll want to use an FTP client, such as FileZilla, or the file manager provided by Cpanel and similar solutions. Connect to your website using the client and then navigate to the root folder (a.k.a. root directory) of your web directory (often the public_html folder) on your server and open it. You’ll see a list of php files. The WordPress .htaccess file will be right inside:

The WordPress .htaccess file.

If you do not see the .htaccess file, it may be because your file browser has hidden files that start with a period because these important configuration files don’t need to be edited often. To show hidden files, there is a setting you’ll need to check or uncheck. You may need to Google instructions on “how to display hidden files with <name of your FTP client or file browser>.”

You can right-click on the file and choose the View/Edit option, which will open it using a text editor. This enables you to make changes to the file and save them.

After opening the file, you should see code very similar to this:

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

5 Ways to Use the WordPress .htaccess File to Improve Your Site

If you followed our earlier advice, you should already have a backup in place of your entire WordPress site. However, it can also be a good idea to save a copy of your .htaccess file before you edit it. That way, if something goes wrong, you just need to restore a single file instead of a full backup.

Once you’ve done that, you can start editing your file. There’s a lot you can accomplish with .htaccess, so we’re going to show you five examples just to give you an idea of the possibilities this file offers.

1. Redirect Visitors to a Custom Error Page

One of .htaccess‘ most useful features is how it enables you to implement redirects in WordPress. This way, you can send users who try to visit specific URLs to other pages. It’s a particularly useful feature in cases where visitors try to access pages that don’t exist, instead of displaying a 404 error message. Redirects also have important SEO benefits.

To implement this feature, open your WordPress .htaccess file and add the following code:

RewriteEngine On
Redirect 301 /original-url/ http://example.com

You will, of course, need to replace both placeholders in that code. For example, if you want to redirect people that visit http://yourwebsiteurl.com/test-page to your homepage, here’s what that would look like:

RewriteEngine On
Redirect 301 /test-page/ http://example.com

With this approach, you can redirect users to either a custom error page or to any other section of your website. However, for it to work, you’ll need to monitor the 404 errors your visitors are getting, which you can do either using plugins, like Redirection, or through an analytics tool.

2. Ban Specific IP Addresses

In some cases, you’ll want to ban specific people from accessing your website. It could be because they’re trying to steal your content, hijack your site, or they’re acting abusive. If you run into one of those situations you can quickly ban their IP address from your website just with a few lines of code.

Here’s the code you need to add to .htaccess to implement this feature:

Require all granted
Require not ip xxx.xxx.xxx.xxx

The IP address you want to block needs to replace the xxx.xxx.xx.x placeholder in that code. Just be sure to use the correct IP address so you don’t block the wrong person.

To put this feature in action, you might want to find a way to monitor which IP addresses are accessing your website. You can use a security plugin with activity logging features to keep an eye on suspicious activity.

3. Password Protect Your WordPress Folders

One of the coolest things you can do with .htaccess is password protect specific directories. This way, you can ensure only the people you allow have access to them. However, this process requires a little more work than just editing .htaccess.

The first thing you need to do is create a txt file called .htpasswds, which will contain your username and the password you want to use. To keep things easy, we recommend you use this online .htapsswds generator and then download the resulting file to your computer:

Using an htpasswd generator.

Once you have your .htpasswds file ready to go, access your site via FTP and upload it to the directory you want to password protect. In this example, we put it within the wp-admin folder, to protect access to our dashboard.

Now you’re going to create a brand new .htaccess file within the wp-admin directory. To do it, right-click anywhere within the folder and choose the Create new file option, then name that file .htaccess:

Creating a new .htaccess file.

Go ahead and edit that file now. It will be empty since you just created it, so add the following code:

AuthName "Admins Only"
AuthUserFile /public_html/wp-admin/.htpasswds
AuthGroupFile /dev/null
AuthType basic
require user yourusername

There are two lines you’ll need to edit here. The first one is the path that goes after AuthUserFile, which needs to indicate where you placed your .htpasswds file. Then, type the username you set within your .htpasswds file where the yourusername placeholder goes.

Save the changes to your new .htaccess file, and you’re good to go. Next time you try to access your dashboard, you’ll see a password prompt come up!

4. Increase Your WordPress File Upload Size

By default, WordPress limits the size of the files you can upload to your website. That way, you won’t get stuck if there are any errors during the upload process. However, you might want to increase this limit to allow for larger files.

Note that you should check with your hosting provider before implementing this change. Some managed hosts, like us here at Pagely, manage these server settings for you and adjusting them could cause issues.

Once you’ve checked with your host, you just need to add a few lines of code to .htaccess:

php_value upload_max_filesize 128M
php_value post_max_size 128M
php_value max_execution_time 300
php_value max_input_time 300

In this example, we’ve increased the max file size to 128 MB. It also gives your website 300 seconds to process uploads before timing out, so it can handle the increase in size. You can increase both settings even further, although 128 MB should be more than enough for most websites.

5. Disable Image Hotlinking

This is relevant for when other people link to your images directly, which puts additional strain on your servers.

That practice is called image hotlinking and you can disable it by adding this code to your .htaccess file:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?example.com [NC]
RewriteRule .(jpg|jpeg|png|gif)$ http://placeholder.png [NC,R,L]

This code checks if the website that’s trying to load your images corresponds to the URL on the third line (yoursite.com). If it doesn’t, and they’re trying to load an image file that uses one of the formats listed below, it will load placeholder.png instead.

In most cases, website owners come up with an image that says something to the effect of “Stop hotlinking our images!” However, you can replace placeholder.png with any image you want, using whichever name you prefer.


When it comes to your WordPress core files, few of them are as versatile and powerful as .htaccess. This single file governs a lot of important aspects, such as your permalink structure.

In this article, we’ve shown you just a handful of these features. For example, with .htaccess you can:

  1. Redirect visitors to a custom error page.
  2. Ban specific IP addresses.
  3. Password protect your WordPress folders.
  4. Increase your WordPress file upload size.
  5. Disable image hotlinking.

Do you have any questions about how to use the WordPress .htaccess file to improve your website? Let’s talk about them in the comments section below!

New Posts in your inbox

  1. This article is in the part of “Order Allow,Deny,Deny from xxx.xxx.xxx.xxx is about Apache 2.2.Who is still on it?
    Everyone moved to Apache 2..4
    And the above mentioned lines should be replaced accordingly like that:

    Require all granted
    Require not ip xxx.xxx.xxx.xxx

  2. Great post John. It’s great to learn about all of the ways that you can get around bloating WordPress sites with plugins.

    Do you know if the custom redirect supports RegEx URLs? I’m looking for a way to redirect all traffic to subdomains that don’t exist on my Multisite instance to a custom error page. I am creating new subdomains all the time (eg new1.mysite.com, new2.mysite.com) and I want visitors of nonexistent.mysite.com to be redirected to a custom error page without having to update the htaccess file every time I create a new site. Thanks!

  3. How does one treat the htaccess issue(s) when several such files appear on the same site on differing levels (i.e., root and various sub-directories), having been inserted by various plugin configurations. What is the order of priority (e.g., root above all else, etc.)?

  4. I would like to point out that :
    “Increase Your WordPress File Upload Size” will not work in every case and could even break your site if it is put in the htaccess as is.
    To be safe It should be enclosed between or (depending oof the Php version in use on the server) else, if the server is using php-fpm instead of the apache module, where those php values are set at the php.ini level and not interpreted into the .htaccess the directives will fail and give a 500 error.
    Similarly, the Rewrite directives should be enclosed between (though the chance that mod_rewrite is not enabled on the server is rather low on any self respecting host :))

  5. What if you are running a BP community? How do you know and block suspicious IP that try to hack or plant malicious content from FTP. Also I think hackers always change their IP, so they can’t switch to another one if you block an initial IP.