Home Wordpress htaccess File: What is it? And How to Use it?

htaccess File: What is it? And How to Use it?

by Mr. Geek Tips
0 comment

If you are a WordPress user or site owner, you have probably seen the .htaccess file among the various WordPress files and seen many explanations about it, notably because this file is not like the other default files in the dashboard and has many uses and benefits to improve the performance and security of your own site, such as controlling messages Error pages (Error 404), locking the login page, hiding some site folders, and other functions that we will learn about.

Where is the .htaccess file located and how can I modify it?

The .htaccess file is one of the files that are located inside the WordPress file folder. It’s not visible in the site’s frontend to visitors, but it may be accessed and managed by the site administrator via the cPanel or the FTP protocol.

You can simply access the file by going to your site’s file manager (using cPanel or FTP) and searching for it beside the WordPress files:

htaccess file location

When you open the file, you will see certain codes and characters that look like the picture below:

htaccess file 1

Note: Some hosting providers hide the .htaccess file inside the file manager; if it is hidden and you are unable to access it properly, you can access it by opening the file manager.
Then, at the top of the screen, you’ll see a settings button; click on it. On the settings page, you’ll see multiple options; select “Show hidden files,” then press Save.

Doing that, the .htaccess file will be visible in the file manager alongside the rest of the WordPress files on your site.

To access .htaccess files using FTP software, you can use FTP software such as Filezilla.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Functions that the .htaccess file can provide

Here is a complete list of the most important functions you may accomplish with the .htaccess file to improve the security of your website:

1- Create a redirect 301 for an old link on your site.

We’ll assume that one of your site’s links appears in Google search results, and you wish to change that link to another link inside your site or even another site for some reason. This is simple to accomplish with the .htaccess file.

The example URL that we want to change is: http://example.com/try/index.php

And the new redirect URL is: http://example.com/try/new/html

To redirect from the old link to the new link, we add the following code inside the .htaccess file:

Redirect 301 /try/index.php https://Example.com/try/new.html

The old link, on the other hand, just writes its extension after Redirect 301 (without writing the domain name), whereas the new link is written in full, as shown in the previous code.

You can also accomplish the following redirections:

When redirecting from Non-www to WWW, the redirection code is as follows:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example.com$
RewriteRule (.*) http://www.example.com/$1 [R=301,L]
</IfModule>

For redirecting from www to non-www, you can use the following code:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www.example.com$
RewriteRule (.*) http://example.com/$1 [R=301,L]
</IfModule>

Redirect HTTP to HTTPS, using the following code:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

Redirecting from one domain to another, using the following code:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]
</IfModule>

Redirect pages with extensions such as .html. To URL without extension, use the following code:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^/?(.*).(html)$ /$1 [R=301,L]

</IfModule>

And if the extension of the pages you want to redirect is .php. use the following code:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^/?(.*).(php|html)$ /$1 [R=301,L]

</IfModule>

Redirecting a subdomain to a sub-page. In this case, we want to convert the sub-domain links to an internal page on the site, for example, we want to redirect the subdomain: 

Redirect subdomain: blog.example.com

To the following subpage: example.com/blog

The redirection code is as follows:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^(.*)$ http://https://www.example.com/blog/$1 [L,NE,R=301]

</IfModule>

Note: It is important that the .htaccess file in this case must be located within the subdomain files.

2- Block IP address from accessing your website.

When you see a big number of visits to your site from the same IP address, it means that someone is trying to send a huge number of visits to your site in order to consume hosting resources, causing your site to crash. In this case, simply use the following code in the .htaccess file to block this IP:

Order Deny,Allow
Deny from 132.15.11.35

132.15.11.35 should be replaced with the real IP address you want to block.

3- Restrict access to the WordPress admin page (Wp-admin)

If you want to restrict anyone from accessing the wp-admin page and just allow one or a limited number of devices to access it, simply add the following code to the .htaccess file:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
allow from 20.20.22.22
</LIMIT>

Consider changing 20.20.22.22 with the IP address to which you want to restrict access to the WordPress site’s wp-admin area.

5- Disable PHP Execution in WordPress Directories.

Hackers use PHP commands to install programs that execute specific scripts inside site directories as one method of stealing or damaging site files.

To avoid this form of threat on your site, create a new .htaccess file and include the following code inside it:

<Files *.php>
deny from all
</Files>

This .htaccess file must be uploaded to the wp-content/uploads and wp-includes directories. This is due to the fact that these files are vulnerable to hacking tools of this type.

6- Restrict access to wp-config.php.

Because it contains a lot of information and sensitive data about your site, the wp-config file for WordPress is undoubtedly the most significant file within your site. To restrict access to this file, place the following code inside the .htaccess file, which disallows access to the wp-config file:

<files wp-config.php>
order allow,deny
deny from all
</files>

7- Disable other sites from calling images from within your site, also known as image hotlinking.

Some website owners obtain links to images on your site and so include them on their sites.
This increases the resource usage of your site and, as a result, may cause it to crash if the number of those links is much larger.

As a result, inserting the following code into the .htaccess file prevents you from instantly linking your site’s images to other sites:

#disable hotlinking of images with forbidden or custom image option
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]

Consider replacing example.com with the link to your website. Also, keep google.com untouched, which means that only two sources are allowed to display image links within your site: the site itself and Google because Google archives link to those images in search results.

8- Block access to the .htaccess file.

Because the .htaccess file can contain a lot of sensitive information about your site, access to it may pose a significant risk to the site, so it must be completely restricted from any source, and the only way to access the file is by entering the file manager on your site only.

<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

9- Increase Maximum File Upload Size in WordPress

limit files upload

The above picture displays a message informing you that the maximum file upload limit is only 100MB per file. The .htaccess file comes into effect here. To manage that limit, add the following code to WordPress to set a specific limit on the size of uploaded files:

php_value upload_max_filesize 50M
php_value post_max_size 50M
php_value max_execution_time 300
php_value max_input_time 300

This code changes the maximum file size and increases the execution time necessary to upload the file.

Note: Even if the maximum size is specified in the .htaccess file, certain hosting companies, specifically shared hosts, prevent it from being increased.

10- Disable access to XML-RPC in WordPress

The XML-RPC file is one of the files in your site’s WordPress Files folder. It has a variety of unique uses, such as when third-party applications are used in conjunction with your website. Many WordPress experts recommend disabling access to it if you don’t need it.

To prevent access to the XML-RPC file, add the following code to the .htaccess file:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

11- Blocking attempts to access authors’ files in WordPress

Some of the most current strategies used by hackers include attempting to find the authors’ names on the WordPress site and then using tools and strategies to change their passwords using the authors’ usernames.

To prevent these attempts, add the following code to the .htaccess file:

# BEGIN block author scans
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
# END block author scans

12- Creating error pages for the website

You’ve probably seen a 404 error page before, which informs you that the link you’re attempting to visit does not exist. This error, as well as other errors that appear to the user if something is wrong with the site or the link you visited, can be managed and customized using the .htaccess file.

You can create a specific error with any message, such as “Sorry, this page is not available on the site,” and then name it “error404.html” and save it within your WordPress files.

Then, in the .htaccess file, you can show this page to the user when he clicks a link or enters the name of a page that does not exist on the site, by adding the following code:

 ErrorDocument 500 /errors/serverr.html 

Similarly, ErrorDocument 500 is a static function that indicates the type of error, which in this example is 500, which is the error for a site server failure.

Also, /errors/serverr.html, which is the path in your site’s directories where the error page that you are expected to have created and placed there.

This function in the .htaccess file can be used to modify the error pages on the site, and below is a list of the most common problems that may occur:

400 Bad Request
401 Authorization Required
402 Payment Required (not used yet)
403 Forbidden
404 Not Found 
405 Method Not Allowed
406 Not Acceptable (encoding)
407 Proxy Authentication Required
408 Request Timed Out
409 Conflicting Request
410 Gone
411 Content Length Required
412 Precondition Failed
413 Request Entity Too Long
414 Request URI Too Long
415 Unsupported Media Type
400 – Bad Request 
401 – Authorization Required
403 – Forbidden 
404 – File not found
500 – Internal Server Error
503 – Service Unavailable

All of the above-mentioned errors can be customized using the ErrorDocument function, as mentioned above, by mentioning the name of the error next to it and then writing the page path of the expected error instructions, as shown in the two examples above.

Note: You do not have to create pages for all of the errors that appear, especially since the new WordPress updates create these error pages automatically.

Is it possible to have multiple .htaccess files?

Of course, you can create multiple .htaccess files, as each time you create a .htaccess file and upload it to a specific direction. However, the commands written inside the folder are only applied to other files in the same direction as the file. For example, if you create a .htaccess file and upload it to the wp-includes folder, the commands in it will only be applied to the wp-includes folder and all the files inside it, not to the rest of the site files.

Also, you cannot create more than one .htaccess file within the same directory, and the file manager will not enable you to create more than one file with the same htaccess name, but as we mentioned before, you can create many htaccess files, each in a different directory.

Although several .htaccess files are allowed, it is preferable to keep them to a minimum because they consume your site’s resources and put an additional stress on them.

Finally, this is the overall idea of the .htaccess file, which recommends you to be aware of the most significant functions that the file does while updating and editing it.

You may also like

Leave a Comment

* By using this form you agree with the storage and handling of your data by this website.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About Us

Mr-geek-tips-logo

Welcome to Mr. Geek the best WordPress and Shopify Tips and Tutorial for non-techy and beginners.

@Mr. Geek Tips 2022. All Right Reserved. Designed and Developed by Coders Xpress.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More