5 Ways to Use the WordPress .htaccess File to Improve Your Site

Every WordPress website, no matter how simple, is powered by dozens of files. One of the most important of these is called .htaccess and it enables you to add a lot of amazing features to your site. However, understanding how it works and what you can accomplish with it can be confusing without guidance.

The WordPress .htaccess file enables you to customize many aspects of your site’s security and privileges. For example, you can use it to ban specific IP addresses from accessing your website. It can also help you use passwords to protect particular pages, and that’s just for starters.

In this article, we’re going to talk more about the WordPress .htaccess file and where to find it. We’ll end by showing you five ways you can use it to improve your website. Let’s get started!

What the WordPress .htaccess File Is (And Where to Find It)

.htaccess is one of WordPress’ core files, which are the files responsible for the platform’s core functionality. This particular file includes settings that determine how WordPress renders URLs and how it interacts with your server.

There’s a lot more you can do if you edit your .htaccess file. This is particularly useful if you prefer to use a manual approach and not rely on plugins too much. It does require you to edit your WordPress core files, but this isn’t as scary as you might think. As long as you follow instructions and don’t add or delete code without knowing what it does, you should be fine. However, you should always create a backup of your website before making such changes, just in case.

To find and edit the WordPress .htaccess file, you’ll want to use an FTP client, such as FileZilla. Connect to your website using the client and then navigate to the public_html folder on your server and open it. The WordPress .htaccess file will be right inside:

The WordPress .htaccess file.

You can right-click on the file and choose the View/Edit option, which will open it using a text editor. This enables you to make changes to the file and save them.

5 Ways to Use the WordPress .htaccess File to Improve Your Site

If you followed our earlier advice, you should already have a backup in place of your entire WordPress site. However, it can also be a good idea to save a copy of your .htaccess file before you edit it. That way, if something goes wrong, you just need to restore a single file instead of a full backup.

Once you’ve done that, you can start editing your file. There’s a lot you can accomplish with .htaccess, so we’re going to show you five examples just to give you an idea of the possibilities this file offers.

1. Redirect Visitors to a Custom Error Page

One of .htaccess’ most useful features is that it enables you to implement redirects in WordPress. This way, you can send users who try to visit specific URLs to other pages. It’s particularly useful when visitors try to access pages that don’t exist, since you can send them to another page instead of displaying an error message.

To implement this feature, open your WordPress .htaccess file and add the following code:

RewriteEngine On
Redirect 301 /original-url/ http://yourwebsiteurl.com/

You will, of course, need to replace both placeholders in that code. For example, if you want to redirect people that visit http://yourwebsiteurl.com/test-page to your homepage, here’s what that would look like:

RewriteEngine On
Redirect 301 /test-page/ http://yourwebsiteurl.com/

With this approach, you can redirect users to either a custom error page or to any other section of your website. However, for it to work, you’ll need to monitor the 404 errors your visitors are getting, which you can do either using plugins or through an analytics tool.

2. Ban Specific IP Addresses

In some cases, you’ll want to ban specific people from accessing your website. It could be because they’re trying to steal your content or hijack your site, or because they’re acting abusively. If you ever run into one of those situations, you can ban their IP addresses from your website with just a few lines of code.

Here’s the code you need to add to .htaccess to implement this feature:

<RequireAll>
    Require all granted
    Require not ip xxx.xxx.xxx.xxx
</RequireAll>

Replace the xxx.xxx.xxx.xxx placeholder in that code with the IP address you want to block. Be sure to enter the right one; otherwise, you might block the wrong person.

To put this feature in action, you might want to find a way to monitor which IP addresses are accessing your website. Using a security plugin can be a big help in these cases if you use one that includes logging features.
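
One way to turn an access log into the ban list described above, as an added Python example that is not part of the original article. It assumes Apache's combined log format and that a failed WordPress login is a POST to /wp-login.php answered with status 200 (a successful one redirects with 302); the log lines, the threshold and the function names are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample in Apache "combined" log format; addresses are documentation ranges.
SAMPLE_LOG = '''\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1822 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1822 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1822 "-" "curl/8.0"
198.51.100.20 - - [10/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:01:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
2001:db8::5 - - [10/Mar/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1822 "-" "python-requests"
bad.host.example - - [10/Mar/2024:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1822 "-" "-"
'''

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def failed_logins(log_text):
    """Count POSTs to /wp-login.php that got a 200 back, per client field."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0] == "/wp-login.php" and status == "200":
            hits[client] += 1
    return hits

def require_block(hits, threshold=3):
    """Build the Apache 2.4 block for clients at or above the (assumed) threshold."""
    banned = []
    for client, count in sorted(hits.items()):
        if count < threshold:
            continue
        try:
            banned.append(str(ip_address(client)))  # only real IPs reach the config
        except ValueError:
            continue  # hostnames or junk in the client field are never written out
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in banned]
    lines.append("</RequireAll>")
    return "\n".join(lines)

if __name__ == "__main__":
    print(require_block(failed_logins(SAMPLE_LOG)))
```

Review the generated block before pasting it into .htaccess, so that an address shared by legitimate visitors is not banned by mistake.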

3. Password Protect Your WordPress Folders

One of the coolest things you can do with .htaccess is password protect specific directories. This way, you can ensure only the people you want have access to them. However, this process requires a little more work than just editing .htaccess.

The first thing you need to do is create a file called .htpasswds, which will contain your username and the password you want to use. To keep things easy, we recommend you use this online .htpasswds generator to do it and then download the resulting file to your computer:

Using an htpasswd generator.

Once you have your .htpasswds file ready to go, access your site via FTP and upload it to the directory you want to password protect. In this example, we put it within the wp-admin folder, to protect access to our dashboard.

Now you’re going to create a brand new .htaccess file within the wp-admin directory. To do it, right-click anywhere within the folder and choose the Create new file option, then name that file .htaccess:

Creating a new .htaccess file.

Go ahead and edit that file now. It will be empty since you just created it, so add the following code:

AuthName "Admins Only"
AuthUserFile /public_html/wp-admin/.htpasswds
AuthGroupFile /dev/null
AuthType basic
require user yourusername

There are two lines you’ll need to edit here. The first one is the path that goes after AuthUserFile, which needs to indicate where you placed your .htpasswds file. Then, type the username you set within your .htpasswds file where the yourusername placeholder goes.

Save the changes to your new .htaccess file, and you’re good to go. Next time you try to access your dashboard, you’ll see a password prompt come up!

4. Increase Your WordPress File Upload Size

By default, WordPress limits the size of the files you can upload to your website. That way, you won’t get stuck if there are any errors during the upload process. However, you might want to increase this limit to allow for larger files.

To increase it, you just need to add a few lines of code to .htaccess:

php_value upload_max_filesize 128M
php_value post_max_size 128M
php_value max_execution_time 300
php_value max_input_time 300

In this example, we’ve increased the max file size to 128 MB. It also gives your website 300 seconds to process uploads before timing out, so it can handle the increase in size. You can increase both settings even further, although 128 MB should be more than enough for most websites.

5. Disable Image Hotlinking

This is relevant for when other people link to your images directly, which puts additional strain on your servers.

That practice is called image hotlinking and you can disable it by adding this code to your .htaccess file:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yoursite\.com(/|$) [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ http://placeholder.png [NC,R,L]

This code checks if the website that’s trying to load your images corresponds to the URL on the third line (yoursite.com). If it doesn’t, and they’re trying to load an image file that uses one of the formats listed on the fourth line, it’ll load placeholder.png instead.

In most cases, website owners come up with an image that says something to the effect of “Stop hotlinking our images!”. However, you can replace placeholder.png with any image you want, using whichever name you prefer.
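
How the two RewriteCond lines and the RewriteRule pattern combine, as an added Python sketch that is not part of the original article. It also compares a Referer pattern that stops at the host name with one that requires "/" or end-of-string after it; the names LOOSE, ANCHORED, is_redirected and compare, and the sample requests, are constructed for illustration.

```python
import re

# yoursite.com is the article's placeholder domain.
# LOOSE stops at the host name; ANCHORED also requires "/" or end-of-string.
LOOSE = re.compile(r"^http(s)?://(www\.)?yoursite\.com", re.I)
ANCHORED = re.compile(r"^http(s)?://(www\.)?yoursite\.com(/|$)", re.I)
IMAGE = re.compile(r"\.(jpg|jpeg|png|gif)$", re.I)  # RewriteRule pattern with [NC]

def is_redirected(path, referer, own_site=ANCHORED):
    """True when the request would be sent to the placeholder image."""
    if not IMAGE.search(path):
        return False  # not an image: the rule never applies
    if referer == "":
        return False  # RewriteCond !^$ fails, so an empty Referer is let through
    return own_site.search(referer) is None  # RewriteCond: Referer is not our site

# Constructed requests: (path, Referer header)
CASES = [
    ("wp-content/uploads/a.png", ""),
    ("wp-content/uploads/a.png", "https://www.yoursite.com/post/"),
    ("wp-content/uploads/a.JPG", "HTTP://YOURSITE.COM"),
    ("wp-content/uploads/a.png", "https://other.example/page"),
    ("wp-content/uploads/a.png", "https://yoursite.com.other.example/"),
    ("about/", "https://other.example/page"),
]

def compare():
    """Return (path, referer, loose_result, anchored_result) for each case."""
    return [(p, r, is_redirected(p, r, LOOSE), is_redirected(p, r, ANCHORED))
            for p, r in CASES]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

Only the fifth case differs between the two patterns: a look-alike host that merely begins with yoursite.com is treated as your own site by the loose pattern and is redirected by the anchored one.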

Conclusion

When it comes to your WordPress core files, few of them are as versatile as .htaccess. This single file governs a lot of important aspects, such as your permalink structure. If you know how to locate and edit it, you can add a lot of useful features to your website.

In this article, we’ve shown you just a handful of these features. For example, with .htaccess you can:

  1. Redirect visitors to a custom error page.
  2. Ban specific IP addresses.
  3. Password protect your WordPress folders.
  4. Increase your WordPress file upload size.
  5. Disable image hotlinking.

Do you have any questions about how to use the WordPress .htaccess file to improve your website? Let’s talk about them in the comments section below!

13 Comments

  1. Smazzit

    Thank you so much for this – I will be implementing these techniques tonight.

    1. John Hughes

      You’re welcome! I hope they come in handy. 🙂

  2. Jawad Khan

    Awesome Article. Nice tips and tricks

    1. John Hughes

      Thank you, Jawad! That warms my heart. 🙂

  3. dimiter kirov

    This article, in the part of “Order Allow,Deny, Deny from xxx.xxx.xxx.xxx”, is about Apache 2.2. Who is still on it?
    Everyone moved to Apache 2.4.
    And the above-mentioned lines should be replaced accordingly like that:

    <RequireAll>
        Require all granted
        Require not ip xxx.xxx.xxx.xxx
    </RequireAll>

    1. John Hughes

      Thank you for bringing that to our attention. We’ve spotted the error and will correct it as soon as possible. 🙂

  4. Jon Tornetta

    Great post John. It’s great to learn about all of the ways that you can get around bloating WordPress sites with plugins.

    Do you know if the custom redirect supports RegEx URLs? I’m looking for a way to redirect all traffic to subdomains that don’t exist on my Multisite instance to a custom error page. I am creating new subdomains all the time (eg new1.mysite.com, new2.mysite.com) and I want visitors of nonexistent.mysite.com to be redirected to a custom error page without having to update the htaccess file every time I create a new site. Thanks!

    1. John Hughes

      I’m very glad to hear you found the article useful, Jon. As for your query, I haven’t personally used RegEx URL, but as far as I’m aware it should be possible.

  5. David Thomson

    How does one treat the htaccess issue(s) when several such files appear on the same site on differing levels (i.e., root and various sub-directories), having been inserted by various plugin configurations. What is the order of priority (e.g., root above all else, etc.)?

    1. John Hughes

      Each .htaccess file affects the directory where it’s placed and all its sub-directories, so it’s a matter of hierarchy. The .htaccess on the root directory should be at the top. 🙂

  6. Eric

    I would like to point out that:
    “Increase Your WordPress File Upload Size” will not work in every case and could even break your site if it is put in the htaccess as is.
    To be safe it should be enclosed between or (depending on the PHP version in use on the server) else, if the server is using php-fpm instead of the apache module, where those php values are set at the php.ini level and not interpreted into the .htaccess the directives will fail and give a 500 error.
    Similarly, the Rewrite directives should be enclosed between (though the chance that mod_rewrite is not enabled on the server is rather low on any self respecting host :))

    1. John Hughes

      Thank you for your comment, Eric, as I’m sure it will be very useful for other readers. Definitely points worth considering, and we may expand on them in a future article. 🙂

  7. Arize

    What if you are running a BP community? How do you know and block suspicious IP that try to hack or plant malicious content from FTP. Also I think hackers always change their IP, so they can’t switch to another one if you block an initial IP.