Like Quertime on Facebook!

20 Most Wanted .htaccess Snippets for WordPress Sites

Posted on by in WordPress

For the WordPress newbie, .htaccess may be a new or unknown. But, let me tell you, it is a heart of the server. The .htaccess file is a powerful configuration file to control the Web Server of the website. This file centralises the security of all directories and sub-directories. Thus, it is used to secure the file from the hackers and different vulnerabilities. The popular use of .htaccess includes authorization, blocking, MIME types, set Charset, page redirect, and others.


So, we’re going to reveal the crucial .htaccess snippets for WordPress sites in this article.

Where can I find my .htaccess file?

The default location of the .htaccess file is the root directory of the website. However, if you find the absence of this file, then you can create a text file named .htaccess. And upload this file into your root directory. You can also create your .htaccess file via WordPress dashboard. Just go to Settings>Permalinks and click on Save Changes. You’ll get your new .htaccess file in your root directory.

Since any changes in .htaccess file affect your entire website, so I’d recommend you to keep the backup of the file before editing it.

You have to make sure the inclusion of the following code as a default in your .htaccess file.
For a single WordPress install:


If your website handles Multisite Network, then you can also write code for it which is available in WordPress Codex documentation.

Now, let’s begin our tour by exploring the core of WordPress server configuration file i.e. .htaccess file and code to edit it.

1. Hide Your WP Configuration File

As we all know, the wp-config.php file of WordPress handles database connection and overall credentials of the website. So, it is very important to keep it away from the unauthorised access. The following codes will help to secure the heart of WordPress website.


2. Secure Admin Area

By default, WordPress sets admin as a username and as a login URL. So, restriction of the unauthorised access is crucial to saving the website from Brute attack.

The following codes in .htaccess file will help you to secure the admin area from the specific IP address. It is important to specify the admin IP address to access the site.


3. Prevent Directory Browsing

Generally, if your user enters your domain name and browses your directory, they can easily get into it. This will increase the chance of hacker to hack your website. And I am sure nobody wants to face this type of scenario. So, it is important to prevent external browsing of your directory.

To prevent your directory from external access, you can add one-line code in your .htaccess file.


4. Allow Access to Specific IP Address

For the multi-user site, you have to give authority to various users. However, you cannot risk your site to be requested by unknown user/IP address.

To secure the site from unknown access, you can grant the user access to the limited number of users by specifying the IP address as shown in the following section.


5. Disable Image HotLinking

If the image of your website is loaded onto others site using your bandwidth, then the speed of your site lowers down resulting the degrading performance of the website. This is known as image hotlinking. This is not an issue for the small website. However, it can cause a serious issue to the popular website with large data.

To prevent this problem, it is better to disable image hotlinking using the following codes.


6. Secure Unauthorised access to .htaccess file

I’ve been telling that .htaccess file is a heart of the server. So, preventing the unauthorised access to this file should be taken care of. This is possible by these codes in your .htaccess file.


7. Prevent Direct Access to Themes and Plugins file

Sometimes, you may wonder the sudden change in theme file or plugins file of your website. This can happen either intentionally or unintentionally. Either way, your website will suffer. To prevent this situation, you can simply add these lines of code in .htaccess file.


8. Redirect Old URL to New

In the situation where you want to change the URL/domain of your site with the new one, you may suffer a lot. This situation can be easily handled by this one line code in .htaccess file.


9. Set default Directory Index, Charset and Language

Whenever a request is made in the browser, a server will serve the default directory with default charset and language. You can change this element by simply tweaking the following codes in the .htaccess file.


10. Redirect to Maintenance Page

If you want to inform your end user about maintenance mode of your website, you can use these few lines code. However, you have to create a separate Maintenance HTML file in order to make the use of these codes.


11. Prevent from XSS Attack

Most hackers try to get into your website through script injection and attempt to modify GLOBAL and REQUEST variables. But using the following lines of codes will prevent the entire site from XSS attack.


12. Set up Custom Error Page

In the case where you want to set up a Custom error page for your WordPress website, you can use the following codes. It is crucial to creating an individual custom error page to handle different errors.


13. Enable Browser Caching

Caching is critical components to increase the performance of the website. Using the following snippets in your .htaccess file will enable the browser caching feature.


14. Secure WP-Includes file Access

The wp-includes folder of WordPress the core files which is necessary to run WordPress website. Thus, to harden the security of your WordPress website, you have to insert these codes in the .htaccess file.


15. Force To Download Files or Prevent Downloading

Sometimes you prefer to make a direct download of your content by the user rather than granting the user access. Or you want to prevent direct download of the content. This problem can be solved by adding these following codes in the .htaccess file.


16. Prevent Username Enumeration

If a hacker can access the user account with id=5 using, then he can easily hack the number of username and their associated post through the brute attack. This is known as username enumeration. To rescue the website from this issue, you can add this .htaccess snippet in your .htaccess file.


17. Prevent from DDoS Attack

WordPress provides a feature to support the remote location access. From the security point of view, it is a great cause for vulnerabilities. So, you can disable this feature and prevent the site from DDoS attack by using these .htaccess snippets.


18. Allow Only Selected WP Content Files

In WordPress, wp-content folder holds all the files for themes and plugins of any website. So, loss or any critical situation of this folder led to the loss of the website.

To provide a solid security to wp-content folder, you can add these codes in the .htaccess file.


19. Enable Cross-Domain Font

In some cases, the web- font supports by Chrome might not be supported by other browsers like Firefox, IE. In such case, you just have to enable cross-domain font by adding the following codes.


20. Block Referrer Browsing

If you want to prevent/block access to your website from the users of the specific IP address, you can use this sort of codes in your .htaccess file.


Wrap Up

These .htaccess tricks are important in the aspect to keep your website more secure from intruders. Meanwhile, any negligence or any misplaced code makes you and your website suffer from fatal issues. So, careful coding of the .htaccess file is as important as editing your wp-config.php file on any WordPress website.

Author: Amin Ghale

Amin is web developer and digital marketing head in WP Creative. In his leisure time, he loves to write on topics related to Entrepreneurship, Web Design, Online Marketing and WordPress related phrases.

Tags: , , ,

Comments are closed.