Master the .htaccess File in WordPress: Improve Your Site's Security and Performance
The .htaccess file is a key part of any WordPress site served by the Apache HTTP Server (or a server that honours Apache-style configuration, such as LiteSpeed), which is the typical setup on a VPS. But what is it, what can it do, and how do you create the WordPress .htaccess file? Let's find out!
The main purpose of the .htaccess file in WordPress
The .htaccess file is a per-directory configuration file for the Apache HTTP Server. Apache reads it on every request to the directory it lives in (and its subdirectories), provided the main server configuration allows overrides there (the AllowOverride directive). It is used to create redirects, control access to files and perform other important functions, giving you fine-grained control over how your site behaves so you can tune security, performance and user experience without editing the main server configuration. Because it is parsed on every request, a single syntax error in it produces an HTTP 500 error for the whole site, so treat it with care.
How to access the .htaccess file in WordPress
Manually
To access the .htaccess file, first connect to your server with an SFTP (SSH) client; plain FTP sends your credentials and files unencrypted, so avoid it unless it is the only option your host offers. Once connected, look for .htaccess in the root directory of your WordPress installation, next to wp-config.php. If you don't see it, it is probably hidden (file names that start with a dot are hidden on Unix-like systems), so enable "show hidden files" in your client. If it really doesn't exist, WordPress has simply never written one; you can create it by hand as described at the end of this article.
Plugins to modify the .htaccess file in WordPress
There are several plugins you can use to modify the .htaccess file directly from your WordPress administration panel, without having to access the server files via FTP. Some of the most popular ones are:
1. WP Htaccess Editor
WP Htaccess Editor is a plugin that provides a simple and secure interface to edit your .htaccess file directly in WordPress. This plugin also automatically creates backups of your .htaccess file before each save, allowing you to easily revert any changes.
2. Htaccess by WP Speed Matters
The Htaccess by WP Speed Matters plugin not only allows you to edit your .htaccess file but also includes a series of predefined settings you can use to improve your site’s performance and security.
3. All In One WP Security & Firewall
All In One WP Security & Firewall is a comprehensive security plugin that, among other features, allows you to edit and add custom rules to your .htaccess file to strengthen your WordPress site’s security.
Before using any plugin to edit the .htaccess file, make sure you understand the changes you are making, as an error in this file can make your site inaccessible.
Useful .htaccess codes in WordPress
The .htaccess file has great potential to optimize and secure your WordPress site. Here are some useful codes you can implement in your .htaccess file:
301 Redirects
301 redirects are useful when you have changed a page's URL and want visitors and search engines sent permanently to the new location. The simplest form uses the Redirect directive from mod_alias:
Redirect 301 /old-url/ https://www.yourdomain.com/new-url/
Note that Redirect matches by prefix, so this also sends /old-url/anything to /new-url/anything. If you need an exact match, use RedirectMatch with an anchored regular expression instead.
Hotlinking Protection
Hotlinking occurs when other websites embed your images or files directly, so your server pays the bandwidth for their pages. To discourage this, you can add the following rules (replace yourdomain.com with your own domain; the dot is escaped because the pattern is a regular expression):
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com(/|$) [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
This returns 403 Forbidden for jpg, jpeg, png and gif files whenever the Referer header names a site other than yours. Two caveats: the first condition deliberately lets through requests with no Referer at all (direct visits and many privacy tools send none), and the Referer header is set by the client, so a determined hotlinker can simply spoof it. Treat this as a bandwidth saver, not a security control.
IP Blocking
If you want to block access to your website from a specific IP address, the classic (Apache 2.2) syntax is:
order allow,deny
deny from 203.0.113.45
allow from all
Replace 203.0.113.45 with the address you want to block (the example comes from the 203.0.113.0/24 documentation range; remember that each octet of an IPv4 address runs only from 0 to 255). Two things to check before relying on this. On Apache 2.4 the Order/Allow/Deny directives are deprecated and only work when mod_access_compat is loaded; the 2.4 equivalent is Require not ip, and mixing both styles in one file gives confusing results. And if your site sits behind a CDN or reverse proxy, the address Apache sees is the proxy's, not the visitor's, so configure mod_remoteip first or you will block the wrong clients.
Protecting the wp-config.php file
The wp-config.php file is one of the most important files in your WordPress installation, as it contains your database credentials and secret keys. You can refuse all HTTP requests for it by adding the following to your .htaccess file. The <Files> wrapper is essential: on its own, deny from all would block your entire site.
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Under normal conditions PHP executes wp-config.php and outputs nothing, so the real risk is a misconfiguration that serves it as plain text, or a stray copy such as wp-config.php.bak or wp-config.php~ that PHP does not execute at all. Delete such copies from the web root rather than leaving them there.
Disable directory browsing
To stop Apache from listing the contents of a directory that has no index file (which reveals your plugin, theme and upload layout to anyone who asks), disable directory indexes with the following line. It needs AllowOverride Options (or at least Indexes) to be permitted in the main configuration; if your host does not allow it, you will see a 500 error and should remove the line again.
Options -Indexes
Remember, always make a backup of your .htaccess file before making changes. If you make a mistake, you can restore the original version.
HTTP to HTTPS Redirection
To ensure that your site always serves via HTTPS, you can implement a redirection in your .htaccess file. This is crucial for maintaining secure connections for your visitors. Here’s the code:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
This ensures that anyone who reaches your site over plain HTTP is redirected to the HTTPS version of the same path, with the query string preserved. Two caveats. First, %{HTTPS} is only "on" when Apache itself terminates TLS; if a CDN or reverse proxy does that for you, Apache sees every request as HTTP and this rule would redirect forever, so you must test the X-Forwarded-Proto header instead. Second, %{HTTP_HOST} is taken from the client's Host header; using your canonical hostname in the target is stricter and also collapses www and non-www variants in one step. Place the redirect above the "# BEGIN WordPress" block so it runs before WordPress's own rewrite rules.
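The following is an added example and not code from the original article: the same HTTPS redirect written so that it also works when a proxy or CDN terminates TLS, followed by an HSTS header so browsers stop trying HTTP at all. The hostname www.yourdomain.com is a placeholder, and it assumes your proxy sets X-Forwarded-Proto and that your origin only accepts connections from that proxy (otherwise a client could send the header itself and skip the redirect).

```apache
# Added example, not part of the original article. Place it ABOVE the
# "# BEGIN WordPress" block so it runs before WordPress's own rewrite rules.
# www.yourdomain.com is a placeholder for your canonical hostname.
<IfModule mod_rewrite.c>
RewriteEngine On
# Redirect only when the request is plain HTTP according to BOTH Apache
# (%{HTTPS} off) and the proxy (no "X-Forwarded-Proto: https"). Requiring
# both avoids an endless redirect loop behind a TLS-terminating proxy.
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
# Use the canonical hostname, not %{HTTP_HOST}, which the client controls.
# %{REQUEST_URI} is the full path; the query string is carried over automatically.
RewriteRule ^ https://www.yourdomain.com%{REQUEST_URI} [L,R=301]
</IfModule>

# Once every page is reachable over HTTPS, tell browsers to stay on HTTPS.
# Start with a short max-age and raise it (e.g. to 31536000) only when you are
# sure nothing on the site still depends on plain HTTP; HSTS cannot be undone
# quickly once browsers have cached a long max-age.
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=300; includeSubDomains" "expr=%{HTTPS} == 'on' || %{req:X-Forwarded-Proto} == 'https'"
</IfModule>
```

Test it with curl -I http://www.yourdomain.com/ (expect a 301 with a Location header pointing at https://) and curl -I https://www.yourdomain.com/ (expect 200 and a Strict-Transport-Security header) before you trust it with a long max-age.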
URL Redirection from Non-Slash to Slash
If you want all URLs on your website to end with a “/”, you can implement a redirection in your .htaccess file. This can be useful for ensuring URL consistency and avoiding potential duplicate content issues. The code to add is:
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*[^/])$ /$1/ [L,R=301]
This redirects every URL that does not end with a "/" to the version that does, provided the path is not an existing file (so images, stylesheets and scripts such as wp-login.php are left alone). For example, "https://www.yourdomain.com/page" is redirected to "https://www.yourdomain.com/page/". One caveat: browsers turn a 301 on a POST request into a GET, so any form or API client that posts to a slash-less URL will silently lose its data. Make sure such endpoints already use the trailing slash, or exclude them with an extra RewriteCond.
As before, remember to always make a backup of your .htaccess file before making any changes.
Adjusting .htaccess to increase security in WordPress
Optimizing your .htaccess file can significantly improve the security of your WordPress site. Here are some essential rules you can add:
Blocking access to the wp-config.php file
The wp-config.php file contains your database credentials and secret keys, and refusing direct HTTP requests to it removes one way for them to leak. This is the same rule shown earlier in the article; the <Files> wrapper is what limits it to that one file, and without it deny from all would take your whole site offline:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Restricting the login page to your own IP address
The snippet usually presented as "limiting simultaneous connections" does nothing of the kind; what it actually does is allow-list a single IP address. Scoped to wp-login.php, that is a very effective brute-force defence, because every other client receives 403 Forbidden before PHP even runs:
<Files wp-login.php>
order deny,allow
deny from all
allow from 192.0.2.10
</Files>
Replace 192.0.2.10 with your own public IP address (you can list several, one per allow line). Be aware of the trade-offs: if your address changes, as home and mobile connections often do, you lock yourself out until you edit the file again over SFTP; behind a CDN or proxy you need mod_remoteip so Apache sees the real client address; and xmlrpc.php is another favourite brute-force target, so block or restrict it the same way if you don't use it.
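The Order/Allow/Deny directives used in this article are Apache 2.2 syntax. The following is an added example and not code from the original article: the three access controls from this section (blocking addresses, protecting wp-config.php and allow-listing the login page) rewritten with the Require directives of Apache 2.4. All addresses are placeholders from the RFC 5737 and RFC 3849 documentation ranges; the <IfModule> wrapper makes an Apache 2.2 server ignore the block instead of failing with a 500.

```apache
# Added example, not part of the original article. Apache 2.4 replaced
# Order/Allow/Deny with Require (mod_authz_core); the old directives only
# still work when mod_access_compat is loaded, and mixing both styles in
# one file gives surprising results. Addresses below are placeholders.
<IfModule mod_authz_core.c>

    # 1. Block individual clients or whole ranges site-wide.
    #    Inside <RequireAll>, "Require all granted" admits everyone and each
    #    "Require not ip" carves out an exception; CIDR notation is accepted.
    <RequireAll>
        Require all granted
        Require not ip 203.0.113.45
        Require not ip 198.51.100.0/24
    </RequireAll>

    # 2. Never serve wp-config.php over HTTP, whoever asks.
    #    <Files> scopes the rule to that one file; a bare "Require all denied"
    #    in .htaccess would take the whole site down.
    <Files "wp-config.php">
        Require all denied
    </Files>

    # 3. Allow-list the login page, as in the previous snippet. Everyone
    #    else receives 403 before PHP runs, so password guessing never
    #    reaches WordPress. The same block works for xmlrpc.php.
    <Files "wp-login.php">
        <RequireAny>
            Require ip 192.0.2.10
            Require ip 2001:db8::/32
        </RequireAny>
    </Files>

</IfModule>
```

Two things to keep in mind when combining these. A <Files> section's Require rules replace the directory-level ones rather than merging with them (AuthMerging is Off by default), which is what you want here. And as with the 2.2 syntax, Require ip compares against the address Apache sees, so behind a CDN or reverse proxy enable mod_remoteip first and verify with a request from an address that should be blocked.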
Disabling directory browsing
Disabling directory browsing stops Apache from listing the contents of directories that have no index file, which would otherwise hand an attacker a ready-made inventory of your plugins, themes and uploads. It does not protect the files themselves; anyone who already knows a file's path can still request it. Add the following line to your .htaccess file:
Options -Indexes
Filtering obviously malicious query strings
These rules are often advertised as "SQL injection protection", but look at what they actually match: a <script> tag in the query string (a reflected XSS probe) and attempts to overwrite PHP's GLOBALS or _REQUEST arrays (a register_globals-era attack). They inspect only the query string, not POST bodies, headers or cookies, and any real SQL injection payload passes straight through them. The only genuine defence against SQL injection is code that uses parameterised queries ($wpdb->prepare() in WordPress) and keeping core, themes and plugins patched. With that understood, the filter is still a cheap way to drop some automated scanner noise:
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [NC,OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [NC]
RewriteRule ^ - [F,L]
Matching requests receive 403 Forbidden. Two notes: with the F flag the rule's substitution is ignored, so "-" is the idiomatic target rather than index.php; and the Options +FollowSymLinks line produces a 500 error on hosts that do not allow Options to be overridden in .htaccess, in which case remove it (mod_rewrite still works as long as FollowSymLinks or SymLinksIfOwnerMatch is already enabled for the directory). As always, back up your .htaccess file before making changes.
While WordPress is a powerful and versatile platform, it’s also important to be aware of security vulnerabilities that can affect our website. It’s essential to protect our WordPress installation against potential attacks and security breaches. If you want to learn more about common vulnerabilities in WordPress and how to protect your site, we invite you to read our article on WordPress vulnerabilities, where you’ll find detailed information and practical tips to keep your site safe and protected from potential threats.
Creating the WordPress .htaccess with default values
WordPress normally creates this file itself when you save your permalink settings (Settings > Permalinks), provided the web server has write access to the site root; if it does not, the Permalinks page shows you the rules to add by hand. To create the file manually, open a new file in a text editor, paste in the default WordPress rewrite block, save it as ".htaccess" (no other name or extension) and upload it to the root of your installation over SFTP. Give it permissions of 644 so it is readable by the server but not writable by other users on the machine.
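For reference, here is the standard rewrite block that WordPress writes, shown as an added example rather than as code from the original article, with comments explaining what each rule does and where your own rules belong. It assumes WordPress is installed in the document root; for an installation in a subdirectory, WordPress writes /subdir/ and /subdir/index.php in place of / and /index.php.

```apache
# Added example, not part of the original article. WordPress regenerates
# everything between the BEGIN/END markers whenever permalinks are saved
# (including any comments you add there), so keep your own rules OUTSIDE
# the markers or they will be overwritten.

# --- your own rules go here, above the markers: HTTPS redirect,
# --- access control for wp-config.php and wp-login.php, hotlink protection ...

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# A request for index.php itself is passed through untouched.
RewriteRule ^index\.php$ - [L]
# Anything that is NOT an existing file or directory, i.e. a "pretty"
# permalink such as /2024/05/hello-world/, is handed to index.php, where
# WordPress parses the URL. Real files (images, CSS, wp-login.php) are
# served directly, which is why the <Files> rules elsewhere in this
# article still matter.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
```

After uploading, load a pretty-permalink URL and a direct file URL (for example an image in wp-content/uploads) to confirm that the first is routed through WordPress and the second is served as-is; if every page returns 404, mod_rewrite or AllowOverride is not enabled for the directory.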
Conclusion
As you have seen, the .htaccess file is an extremely powerful tool when it comes to managing your WordPress site on a VPS server. It allows us to create redirects, optimize site performance, and significantly increase its security.
Always remember to make a backup of your .htaccess file before making any modifications. This will allow you to revert changes in case something doesn’t work as expected. Additionally, it’s always recommended to test changes in a development environment before applying them to your live site.
With careful handling and adequate knowledge, you can use .htaccess to make your WordPress site stronger, faster, and more secure, providing the best possible experience for your visitors.
We hope this article has helped you better understand the WordPress .htaccess file and how you can use it to improve your site. If you have more questions, feel free to leave them in the comments, and we’ll be happy to assist you.