Top 8 .htaccess Tricks Every WordPress User Should Know


WordPress has covered a lot of ground on the internet with its content management system (CMS) in the last few years.

Because of its popularity, it is also the platform that is vulnerable to cyber attacks. There are a lot of tricks to secure your website and improve the SEO. This article covers not only WordPress security and SEO but also some more tips using the .htaccess file in your WordPress site.

What is a .htaccess file in WordPress?

The .htaccess file is a setting or configuration file for Apache web server that enables you to interpret and control the files and folders in the current directory as well as sub-directories.

The .htaccess stands for hypertext access, and most of the servers support this file. This file is by default present in the base WordPress installation and root directory.

For editing the file, you have to connect to the website using FTP client. Make sure to download a copy of the file to your computer as a backup before editing it. It will help you restore in case something goes wrong.

Most common use of a .htaccess file is generating SEO-friendly URL structure. But there is a lot more than you can do using this file. Below are some of the most useful .htaccess tricks and tips you should know.

Limit access to WordPress admin area

WordPress admin area is another point for hackers to enter the website. If they enter this area, they gain access to the full site. Hence, while setting up a new website, you should use .htaccess to secure the admin area. All you need to do is create a new .htaccess file, copy the code below and paste into a new .htaccess file. It will limit the access to selected IP addresses.

AuthUserFile /dev/null

AuthGroupFile /dev/null

AuthName “WordPress Admin Access Control”

AuthType Basic


order deny,allow

deny from all

# whitelist Syed’s IP address

allow from

# whitelist David’s IP address

allow from


Make sure to change the xx values to the IP address. You can add more than one IP address by listing them in the main allow line separated using commas.

After pasting it into the .htaccess file, upload it to the wp-admin folder (

Disable directory browsing

When the web server doesn’t find an index file by default, it automatically shows an index page which displays the data in server directories. This can lead to website hacking, as the directory contains valuable information used to exploit vulnerabilities in themes, plugins, etc.

Hence, you should disable the directory browsing. Copy the below line and paste into your .htaccess file to disable it.

# disable directory browsing

Options All -Indexes

Limit wp-config.php file access

In the WordPress wp-config.php file, the confidential information about your website, like username, password, database name, etc. is stored. Hence, you need to limit the access to this file to strengthen WordPress website security.

Create a new .htaccess file and paste the code below into it.

<files wp-config.php>

order allow,deny

deny from all


After pasting the code, save the file and upload it to directories.

Set password for WordPress admin folder

Limiting the access to selected IP addresses will interrupt you if you access your WordPress site from multiple locations. In this case, you can go for adding the password protection to WordPress admin using the .htaccess file.

For this, create a .htpasswds file and upload it outside the publicly accessible web directory. You can also add the .htpasswds file to /public_html/ folder.

Now create a new .htaccess file and upload it to /wp-admin/ directory. Copy the following code inside the file.

AuthName “Admins Only”

AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd

AuthGroupFile /dev/null

AuthType basic

require user putyourusernamehere

<Files admin-ajax.php>

Order allow,deny

Allow from all

Satisfy any


Make sure to change the AuthUserFile path to the file path of .htpasswds file, and replace the putyourusernamehere with your own username.

URL redirection using .htaccess file

When you move a URL to a new location permanently, you need to use 301 redirects which inform the search engines about the URL migration. Using the 301 redirects, you can move a page, folder or even the complete website to a new URL.

The purpose of redirection can be changing a domain and making a new site using available website builders, or changing permalink structure, or merely changing page slug.

For redirecting a URL to the new location, use the following code in .htaccess file.

Redirect 301 /oldurl/

Redirect 301 /category/television/

Ban suspicious IP addresses

Many times, some users leave abusive or spam comments on your posts or pages, while some users attempt to access your admin area. You can completely ban such users by adding their IP addresses to the following code and pasting the code to .htaccess file.

<Limit GET POST>

order allow,deny

deny from 123.456.78.9

deny from 987.654.32.1

allow from all


Prevent image hotlinking

When other websites share any image from your site by directly linking to the image URL rather than uploading the image on their site, it is called hotlinking or bandwidth theft.

The hotlinking is a serious concern for many websites, especially if you have a popular site. The hotlinking consumes the bandwidth of your site, which not only slows down the site but also increases the bandwidth costs.

To disable image hotlinking on your site, add the following code to your .htaccess file:

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]

RewriteRule\.(jpg|jpeg|png|gif)$ – [NC,F,L]

Increase file upload size in WordPress

There are limits to the file upload size in WordPress media library which you can increase using the .htaccess file. Just copy the code below and add to the .htaccess file.

php_valueupload_max_filesize 64M

php_valuepost_max_size 64M

php_valuemax_execution_time 300

php_valuemax_input_time 300

You can vary the file size as per your need.

Wrapping up:

This article will help you learn some of the most useful .htaccess tricks that you can use for your WordPress site for many significant purposes. If you have more to add or have any query, feel free to do so in the comment section below.

Author Bio: Catherrine Garcia is a professional writer and currently works at WPCodingDev Ltd., an ideal place to hire experienced WordPress developer from the team of 150 experts. She along with her group of freelance developers are experts at creating Web sites on CMS

Michael Pignataro
co-CEO - Operations at 'corePHP'
Michael spearheads ‘corePHP’s software solutions and service offerings. Focus on sales and marketing for the organization. A huge believer in family and has an amazing wife and 4 beautiful children. Loves camping and hiking.

Michael's philosophy is simple: "If you can dream it, we can do it."