The .htaccess file is used to add, modify, and override server-level configuration on a per-directory basis. It is often used to secure various areas of your website.
Note: These rules and configurations only work with Apache 2.4.
Default WordPress .htaccess file
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
WordPress htaccess Redirects
301 (Permanent) Redirect
Redirect 301 /oldpage.html http://www.yourwebsite.com/newpage.html
302 (Temporary) Redirect
Redirect 302 /oldpage.html http://www.yourwebsite.com/newpage.html
Force URL to WWW
RewriteEngine on
RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301,NC]
Force URL to non-WWW
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule ^(.*)$ http://example.com/$1 [L,R=301]
Force HTTPS
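RewriteEngine On
# Redirect only when neither Apache itself nor a TLS-terminating proxy saw HTTPS;
# without the first condition a server with no proxy in front redirects in a loop
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]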
Force HTTP
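<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} ^https$
# [R] forces an external redirect; without it a same-host target is rewritten internally
RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>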
WordPress htaccess Security Tips
Protect .htaccess
<Files ~ "^.*\.([Hh][Tt][Aa])">
# Apache 2.4 access control (mod_authz_core)
Require all denied
</Files>
Restrict access to WordPress admin Page
# Limit logins and admin by IP
<Limit GET POST PUT>
Require ip xx.xx.xx.xx
</Limit>
Note: Don’t forget to replace “xx.xx.xx.xx” with your allowed IP address.
Protect wp-config.php
<Files wp-config.php>
# Apache 2.4 access control (mod_authz_core)
Require all denied
</Files>
Disable Directory Browsing
# disable directory browsing
Options -Indexes
Prevent Hotlinking
# Prevent Hotlinking
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?bing\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yahoo\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yandex\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?twitter\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?facebook\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?linkedin\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?pinterest\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?other-website\.com(/|$) [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [F,NC]
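The hotlink conditions can be checked offline before they are deployed. The Python sketch below is an added example, not part of the original page: it models only the RewriteCond/RewriteRule subset used in the hotlink block and evaluates a constructed two-host rule set, written once with unanchored and once with anchored host patterns, against constructed Referer values (all names and sample hosts are assumptions).

```python
import re

# Constructed rule set modelled on the hotlink block (two hosts kept for brevity).
LOOSE = r"""
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [F]
"""
# Same rules with the dot escaped and the host ended by "/" or end of string.
ANCHORED = re.sub(r"(example|google)\.com", r"\1\\.com(/|$)", LOOSE)


def parse(block):
    """Return ([(negated, regex)], rule_regex) for the directives in block."""
    conds, rule = [], None
    for line in block.strip().splitlines():
        parts = line.split()
        nocase = parts[-1].startswith("[") and "NC" in parts[-1].strip("[]").split(",")
        flags = re.IGNORECASE if nocase else 0
        if parts[0] == "RewriteCond":
            negated = parts[2].startswith("!")
            conds.append((negated, re.compile(parts[2][negated:], flags)))
        elif parts[0] == "RewriteRule":
            rule = re.compile(parts[1], flags)
    return conds, rule


def is_forbidden(block, path, referer):
    """True if the rule matches path and every condition holds (implicit AND)."""
    conds, rule = parse(block)
    if not rule.search(path):
        return False
    return all((rx.search(referer) is None) == negated for negated, rx in conds)


# Constructed requests: (Referer header value, description)
SAMPLES = [
    ("", "no Referer sent"),
    ("https://www.example.com/post/", "own site"),
    ("https://other-site.test/gallery", "foreign site"),
    ("https://example.com.other-site.test/", "lookalike host prefix"),
]

if __name__ == "__main__":
    for referer, label in SAMPLES:
        loose = is_forbidden(LOOSE, "uploads/photo.jpg", referer)
        strict = is_forbidden(ANCHORED, "uploads/photo.jpg", referer)
        print(f"{label:22} loose=403:{loose!s:5} anchored=403:{strict}")
```

Requests that carry no Referer are never blocked by this rule set, so it limits casual embedding rather than controlling access to the files.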