What Is the .htaccess File and Why Is It Important for WordPress?
If you've spent much time working with WordPress, you've likely come across the .htaccess file. This unassuming file plays a crucial role behind the scenes of your WordPress site. When configured properly, .htaccess enables pretty permalinks, boosts performance, locks down sensitive directories, and much more.
In this comprehensive guide, we'll dive deep into what the .htaccess file is, how WordPress uses it, and powerful ways you can edit it to supercharge your site. Let's get started!
What Exactly Is the .htaccess File?
The .htaccess file, short for "hypertext access", is a special configuration file used by Apache web servers. When an .htaccess file is placed in a directory, the Apache web server will detect and execute the instructions contained in it on a per-directory basis.
A few key things to know about .htaccess:
- It's a plain text file with a name that starts with a dot (.)
- The file has no extension (not .txt, .html, etc.)
- It's placed in the root directory of a website or in specific directories you want to control access to
- The dot at the beginning of the file name (.htaccess) makes it a hidden file
.htaccess is incredibly powerful because it allows you to make configuration changes on a directory-by-directory basis without modifying server configuration files. This is especially useful for shared hosting environments where you don't have access to Apache's main configuration files.
How WordPress Uses the .htaccess File
Out of the box, WordPress relies on .htaccess for two primary functions:
- Enabling pretty permalinks
- Restricting access to sensitive files/directories
Pretty Permalinks
By default, WordPress post and page URLs use a query string format that's not very human-friendly or SEO-friendly, like:
When you navigate to Settings > Permalinks and select a pretty permalink structure, WordPress automatically adds mod_rewrite directives to your .htaccess file to rewrite those ugly URLs into clean, descriptive URLs like:
https://example.com/2023/01/01/my-post/
Here's an example of what those rewrite rules look like in .htaccess:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
Restricting Access
WordPress also adds directives to .htaccess to restrict access to sensitive files and directories. For example, this code blocks access to the wp-config.php file which contains your database credentials:
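# Apache 2.2 syntax. Apache 2.4 needs mod_access_compat for Order/Deny;
# the native 2.4 form is "Require all denied".
<files wp-config.php>
order allow,deny
deny from all
</files>
Similarly, this code prevents directory indexing and blocks access to files like .htaccess itself, readme.html, license.txt, wp-config-sample.php, etc.: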
Options -Indexes
<Files .htaccess>
order allow,deny
deny from all
</Files>
<Files readme.html>
order allow,deny
deny from all
</Files>
# More file rules here...
Other Uses by Plugins/Themes
Many WordPress plugins also utilize .htaccess to make configuration changes. A few common examples:
- Caching plugins like WP Rocket and W3 Total Cache add expires headers, enable GZIP compression, and more.
- Security plugins like iThemes Security and Sucuri add rules to block malicious requests.
- Redirection plugins rely heavily on .htaccess to implement redirects.
Additionally, some themes use .htaccess to restrict access to certain files or enable specialized functionality.
Manually Editing .htaccess
Now that you have a basic understanding of what .htaccess is and how WordPress uses it, let's look at some powerful ways you can manually edit the file to enhance your site.
Always Download a Backup First
Before making any manual edits, always download a copy of your existing .htaccess file via FTP or your hosting control panel. If you make a syntax error or accidentally break something, you can re-upload the original file to restore it.
Enabling GZIP Compression
Enabling GZIP compression can dramatically reduce the size of your pages, resulting in faster load times. Add the following code to your .htaccess file:
<IfModule mod_deflate.c>
# Compress HTML, CSS, JavaScript, Text, XML and fonts
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
</IfModule>
Setting Expires Headers for Browser Caching
Browsers can cache static resources so repeat visitors don't have to re-download them on every page load. Setting far future expires headers tells browsers to cache those resources for a long time. Add this code to your .htaccess:
<IfModule mod_expires.c>
ExpiresActive On
# Images
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/gif "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType image/webp "access plus 1 year"
ExpiresByType image/svg+xml "access plus 1 year"
ExpiresByType image/x-icon "access plus 1 year"
# Video
ExpiresByType video/webm "access plus 1 year"
ExpiresByType video/mp4 "access plus 1 year"
ExpiresByType video/mpeg "access plus 1 year"
# Fonts
ExpiresByType font/ttf "access plus 1 year"
ExpiresByType font/otf "access plus 1 year"
ExpiresByType font/woff "access plus 1 year"
ExpiresByType font/woff2 "access plus 1 year"
ExpiresByType application/font-woff "access plus 1 year"
# CSS, JavaScript
ExpiresByType text/css "access plus 1 month"
ExpiresByType text/javascript "access plus 1 month"
ExpiresByType application/javascript "access plus 1 month"
# Others
ExpiresByType application/pdf "access plus 1 month"
ExpiresByType image/vnd.microsoft.icon "access plus 1 year"
</IfModule>
Redirecting to HTTPS
If your WordPress site has an SSL certificate installed, you can force a redirect from HTTP to HTTPS by adding this simple snippet to your .htaccess file:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
Redirecting to www or non-www URLs
Some site owners prefer to use www (www.example.com) or non-www (example.com) URLs consistently across their site. You can implement either with these rewrite rules:
Force www:
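RewriteEngine on
# Dots are escaped and the pattern is anchored so only this exact host name matches.
# Use https:// in the target if the site is served over HTTPS.
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301,NC]
Force non-www:
RewriteEngine on
# Dots are escaped and the pattern is anchored so only this exact host name matches.
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^(.*)$ http://example.com/$1 [L,R=301]
Restricting Access to wp-admin
For an extra layer of security, you can restrict access to your sensitive wp-admin area to only allow your IP address. This code returns a 403 Forbidden response to any request for wp-login.php or wp-admin that does not come from your specified IP: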
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
Be sure to replace 123.123.123.123 with your actual public IP address.
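To see which requests the wp-admin rule above actually covers, the following added example (not part of the original guide) replays its three RewriteCond lines in Python against constructed requests, using mod_rewrite's rule that conditions are ANDed and [OR] joins a condition to the next one. It assumes REMOTE_ADDR is the visitor's own address (no proxy or CDN in front of Apache); the function names and the 203.0.113.7 address are illustrative.

```python
import re

# The three RewriteCond lines from the snippet above: (variable, pattern, flags).
CONDS = [
    ("REQUEST_URI", r"^(.*)?wp-login\.php(.*)$", {"OR"}),
    ("REQUEST_URI", r"^(.*)?wp-admin$", set()),
    ("REMOTE_ADDR", r"!^123\.123\.123\.123$", set()),
]

def cond_ok(pattern, value):
    """Evaluate one condition; a leading '!' negates the match, as in mod_rewrite."""
    negate = pattern.startswith("!")
    return (re.search(pattern.lstrip("!"), value) is not None) != negate

def rule_fires(request, conds=CONDS):
    """True if the RewriteRule runs, i.e. the request is answered with 403."""
    i = 0
    while i < len(conds):
        var, pattern, flags = conds[i]
        ok = cond_ok(pattern, request[var])
        if ok and "OR" in flags:
            # One member of the OR group matched: skip the rest of the group.
            while i < len(conds) - 1 and "OR" in conds[i][2]:
                i += 1
        elif not ok and "OR" not in flags:
            return False
        i += 1
    return True

# Constructed requests; 203.0.113.7 is a documentation address standing in
# for any visitor other than the allowed IP.
REQUESTS = [
    {"REQUEST_URI": "/wp-login.php", "REMOTE_ADDR": "203.0.113.7"},
    {"REQUEST_URI": "/wp-admin", "REMOTE_ADDR": "203.0.113.7"},
    {"REQUEST_URI": "/wp-admin/", "REMOTE_ADDR": "203.0.113.7"},
    {"REQUEST_URI": "/wp-login.php", "REMOTE_ADDR": "123.123.123.123"},
]

def coverage(requests=REQUESTS):
    """Return (uri, address, blocked) for each request."""
    return [(r["REQUEST_URI"], r["REMOTE_ADDR"], rule_fires(r)) for r in requests]

if __name__ == "__main__":
    for uri, addr, blocked in coverage():
        print(f"{addr:16} {uri:16} {'403' if blocked else 'passed to WordPress'}")
```

The rule answers 403 for the login form and the bare /wp-admin URL; paths below /wp-admin/ are handed to WordPress, which enforces its own login.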
Those are just a few examples of the many ways you can use .htaccess to enhance your WordPress site. I also highly recommend utilizing WordPress plugins to implement some of these features, as they often provide a user-friendly interface and help avoid potential syntactical errors.
How to Access and Edit .htaccess
To access your site's .htaccess file, you have two primary options:
Use an FTP client like FileZilla to connect to your site. Download the file to your computer, make edits using a text editor like Notepad or TextEdit, then re-upload the file.
Use the file manager in your hosting control panel. Most hosts offer a browser-based file manager that allows you to directly edit files on the server.
In either case:
Be sure your .htaccess file is in the root directory of your WordPress install. If it doesn't exist, you can create a new empty text file named .htaccess.
Your FTP program or file manager may not show .htaccess by default since it's a hidden file. Look for an option like "Show hidden files" or "Show dotfiles" to reveal it.
Tips for Editing .htaccess
Finally, a few tips to keep in mind when editing your .htaccess file:
Always make a backup copy first in case you need to revert your changes.
Place custom directives towards the top of the file. Don't modify the # BEGIN WordPress and # END WordPress sections unless you know what you're doing, as they contain WordPress's default rules.
If you're adding a lot of directives, consider organizing them using comment headers like # Redirects, # Security, etc. to keep things tidy.
After making changes, test your site thoroughly to ensure you haven't broken anything. If you experience issues, re-upload your backup .htaccess file.
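As a pre-upload check to go with these tips, the following added example (not from the original guide) lints an .htaccess file's text. It flags sections left unclosed, Apache 2.2 access directives (Order/Allow/Deny/Satisfy) and HTTP_HOST patterns with unescaped dots or no end anchor. The function name, finding labels and sample text are illustrative.

```python
import re

OPEN = re.compile(r"^<\s*([A-Za-z]+)\b[^>]*>$")
CLOSE = re.compile(r"^</\s*([A-Za-z]+)\s*>$")
LEGACY = re.compile(r"^(order|allow|deny|satisfy)\b", re.I)  # Apache 2.2 access control
HOST_COND = re.compile(r"^RewriteCond\s+%\{HTTP_HOST\}\s+(\S+)", re.I)
BARE_DOT = re.compile(r"(?<!\\)\.(?![*+?])")  # a "." that matches any character

def lint_htaccess(text):
    """Return (line_number, finding) pairs for an .htaccess file's text."""
    findings, stack = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        closing, opening = CLOSE.match(line), OPEN.match(line)
        if closing:
            if stack and stack[-1][1] == closing.group(1).lower():
                stack.pop()
            else:
                findings.append((n, "mismatched-close"))
        elif opening:
            stack.append((n, opening.group(1).lower()))
        elif LEGACY.match(line):
            findings.append((n, "legacy-access"))
        else:
            host = HOST_COND.match(line)
            if host:
                pattern = host.group(1).lstrip("!")
                if BARE_DOT.search(pattern) or not pattern.endswith("$"):
                    findings.append((n, "loose-host-pattern"))
    # A section still open at end of file is a syntax error for Apache.
    findings.extend((n, "unclosed-section") for n, _ in stack)
    return findings

# Constructed sample in the style of this guide's snippets, with the closing
# </IfModule> left off on purpose.
SAMPLE = """\
# Security
<Files wp-config.php>
order allow,deny
deny from all
</Files>
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_HOST} ^example.com [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301,NC]
"""

if __name__ == "__main__":
    for n, finding in lint_htaccess(SAMPLE):
        print(f"line {n}: {finding}")
```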
Wrapping Up
We've covered a lot of ground in this guide! You should now have a solid understanding of what the .htaccess file is, how WordPress uses it under the hood, and some powerful snippets you can add to extend and optimize your site.
Remember, with great power comes great responsibility. Always make a backup before editing .htaccess and don't be afraid to revert your changes if something goes wrong.
I hope this deep dive into .htaccess has been enlightening and empowering for you. Put your new knowledge into practice and make your WordPress site even more secure, performant, and scalable. Have fun!
