Home

Many WordPress users come across .htaccess file when fixing their permalinks. However you can do so much more. The .htaccess file is a powerful configuration file that allows you to improve your site’s security and performance. In this article, we will show you 9 most useful .htaccess tricks for WordPress that you can try on your site right away.

Getting Started

Before you make any changes, you need to backup your existing .htaccess file. Connect to your website using an FTP client and simply download the .htaccess file to your computer. If something goes wrong, then you can upload the backup file.

If you cannot see the .htaccess file, then make sure your FTP client is configured to show hidden files. Read our guide on why you can’t find .htaccess fileon your WordPress site for more details.

If you do not have a .htaccess file in your website’s root folder, then you need to create one. Simply create a blank text file and save it as .htaccess. Make sure that the file name is .htaccess and not htaccess. Lastly, you need to upload the file to your website’s root folder.

1. Protect Your WordPress Admin Area

You can use .htaccess to protect your WordPress admin area by limiting the access to selected IP addresses only. Simply copy and paste this code into your .htaccess file:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
# whitelist Syed's IP address
allow from xx.xx.xx.xxx
# whitelist David's IP address
allow from xx.xx.xx.xxx
# whitelist Amanda's IP address
allow from xx.xx.xx.xxx
# whitelist Muhammad's IP address
allow from xx.xx.xx.xxx
# whitelist Work IP address
allow from xx.xx.xx.xxx
</LIMIT>

Replace xx.xx.xx.xxx with your own IP addresses. If you use more than one IP address to access the internet, then make sure you add them as well. See our guide on how to protect your admin folder in WordPress using .htaccess

2. Password Protect WordPress Admin Folder

Password protect your WordPress admin directory using .htaccess file

First you need to create a .htpasswds file. You can easily create one by using this online generator.

Upload this .htpasswds file outside your publicly accessible web directory or /public_html/ folder. A good path would be:

home/user/.htpasswds/public_html/wp-admin/passwd/

Now you need to create a new .htaccess file and add this code:

AuthName "Admins Only"
AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd
AuthGroupFile /dev/null
AuthType basic
require user putyourusernamehere
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any 
</Files>

Important: Don’t forget to replace AuthUserFile path with the file path of your .htpasswds file and add your own username.

Upload this .htaccess file to your wp-admin folder. That’s all, your WordPress admin folder is now password protected and only you or the users you allow will be able to access it. For detailed instructions, take a look at how to password protect your WordPress admin (wp-admin) directory.

3. Disable Directory Browsing in WordPress

Many WordPress security experts recommend disabling directory browsing. With directory browsing enabled, hackers can look into your site’s directory and file structure to find a vulnerable file. Learn more about why and how to disable directory browsing in WordPress.

Disable directory browsing using .htaccess file in WordPress

To disable directory browsing in WordPress all you need to do is add this single line in your .htaccess file:

Options -Indexes

4. Disable PHP Execution in Some WordPress Directories

Sometimes hacked WordPress sites usually have backdoor files. These backdoor files are often disguised as core WordPress files and are placed in /wp-includes/ or /wp-content/uploads/ folders. An easier way to improve your WordPress security is by disabling PHP execution for some WordPress directories.

Create a blank .htaccess file and paste this code inside it:

<Files *.php>
deny from all
</Files>

Now upload this file to your /wp-content/uploads/ and /wp-includes/ directories. For more information check out this tutorial on how todisable PHP execution in certain WordPress directories.

5. Protect Your WordPress Configuration wp-config.php File

Probably the most important file in your WordPress website’s root directory is wp-config.php file. It contains information about your WordPress database and how to connect to it. To protect your wp-config.php file from unathorized access, simply add this code to your .htaccess file:

<files wp-config.php>
order allow,deny
deny from all
</files>

6. Setting up 301 Redirects Through .htaccess File

Using 301 redirects is the most SEO friendly way to tell your users that a content has moved to a new location. If you want to properly manage your 301 Redirects on posts per post basis then check out how to do 301 redirects in WordPress with Quick Page/Post Redirect.

On the other hand if you just quickly want to redirect users from one URL to another, then all you need to do is paste this code in your .htaccess file

Redirect 301 /oldurl/ http://www.example.com/newurl
Redirect 301 /category/television/ http://www.example.com/category/tv/

7. Ban Suspicious IP Addresses

Seeing unusual requests from an IP address? Want to block an IP address from accessing your website? Add this code to your .htaccess file:

<Limit GET POST>
order allow,deny
deny from xxx.xxx.xx.x
allow from all
</Limit>

Replace xxx with the IP address you want to block.

8. Disable Image Hotlinking in WordPress Using .htaccess

Other people can slow down your website and steal your bandwidth by hotlinking images from your website. Normally, this doesn’t concern most users. However, if you run a popular site with lots of images and photos, then hotlinking can become a serious issue. You can prevent image hotlinking by adding this code in your .htaccess file:

#disable hotlinking of images with forbidden or custom image option
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?wpbeginner.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?feeds2.feedburner.com/wpbeginner [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L] 

Don’t forget to replace wpbeginner.com with your own domain name.

9. Protect .htaccess From Unauthorized Access

As you have seen that there are so many things that can be done using .htaccess file. Due to the power and control it has on your web server, it is important that you protect it from unauthorized access by hackers. Simply add this code to your .htaccess file:

<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

We hope this article helped you learn some of the most useful .htaccess tricks for WordPress.

Publicités

Laisser un commentaire

Choisissez une méthode de connexion pour poster votre commentaire:

Logo WordPress.com

Vous commentez à l'aide de votre compte WordPress.com. Déconnexion / Changer )

Image Twitter

Vous commentez à l'aide de votre compte Twitter. Déconnexion / Changer )

Photo Facebook

Vous commentez à l'aide de votre compte Facebook. Déconnexion / Changer )

Photo Google+

Vous commentez à l'aide de votre compte Google+. Déconnexion / Changer )

Connexion à %s