Do you want to make your WordPress website more secure or improve loading times? Then the htaccess file is your key. It gives you full control over important settings, from redirects to security.
In this article, you will learn what the htaccess file is, why it is important for WordPress and how to find or create it. We’ll show you step by step how to create the WordPress htaccess file, edit it securely and use helpful snippets to secure and speed up your website.
Want to get started right away? Jump to the sections Find file, Create file or Best practices.
What is the .htaccess file?
Definition
The .htaccess (HyperText Access) is a hidden configuration file for Apache web servers. It allows you to change server-side settings at the directory level without having access to the global server configuration. WordPress uses this file to generate permalinks, among other things, and therefore has a section with rules between # BEGIN WordPress and # END WordPress by default. Do not change this section, as WordPress automatically rewrites the rules when permalinks are customized.
Essential tasks of the .htaccess file:
- Redirects and rewrites: With RewriteEngine On and suitable RewriteRule directives, you can redirect old URLs to new ones or force HTTPS (more on this later).
- Security rules: You can block access, protect directories with passwords and hide sensitive files such as wp-config.php.
- Performance tweaks: GZIP compression, browser caching or blocking hotlinks can reduce the loading time.
Important: The .htaccess file is only effective on Apache servers. Some managed hosts ignore .htaccess completely. In such cases, you make your settings directly on the server or in the hosting dashboard. Therefore, always check first whether your host supports the use of .htaccess.
How to find the standard WordPress htaccess file
The WordPress htaccess file is located in the root directory of your website, usually public_html, www or httpdocs. As files beginning with a dot are hidden, you must explicitly show them. This is how you proceed:
Access via FTP
- Connect to an FTP programme such as FileZilla.
- Navigate to the root directory of your WordPress installation.
- Activate the option to show hidden files (Server → Force showing hidden files). You should then see the .htaccess.
Access via cPanel or web hosting panel
- Log in to your hosting panel (e.g. cPanel).
- Open the File Manager and change to the public_html directory.
- You can activate “Show hidden files (dotfiles)” via the “Settings” in the file manager to show the .htaccess.
Plugin solutions
If you don’t have direct access to the server, you can use plugins that offer a graphical interface for the .htaccess. Examples are WP Htaccess Editor or All In One WP Security. These plugins create an .htaccess if required and create backups before saving. However, use them with caution and check your changes afterwards.
If you cannot find a .htaccess at all, it may not yet exist or be ignored by the server. In this case, you must create it again (next section).
Create Htaccess WordPress: Explained step by step
Before you make any changes, always make a backup copy of your current file. Even the smallest typo can paralyse your website!
Method 1: Via the WordPress dashboard
The quickest way to create the standard WordPress htaccess:
- Log in to the WordPress backend.
- Go to Settings → Permalinks and save the settings without changing anything.
- WordPress automatically writes the necessary rewrite rules in the .htaccess. If WordPress does not have write permissions, it will show you the required code, which you can insert manually.
Method 2: Manual creation via FTP
- Open a text editor (e.g. Notepad) and insert the following WordPress .htaccess default. These rules come from the official WordPress documentation and ensure that all requests are forwarded to index.php if no file or directory exists.
- Save the file as “.htaccess” (make sure the editor does not append a .txt extension) and upload it to your root directory via FTP.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Method 3: Manual creation via cPanel
- Open the File Manager of your hosting panel and select “+ File”.
- Name the file “.htaccess” and create it. You can then use the editor to fill it with the code shown above.
Tips for safe editing
- Create a backup: Download your current .htaccess or create a copy .htaccess.backup before making changes.
- Edit locally: Open the file with a plain text editor and add changes. Then upload it and test it immediately.
- Never edit between # BEGIN WordPress and # END WordPress: WordPress overwrites this area with every permalink change.
- Note the order: Apache processes rules from top to bottom. Specific rules should therefore come before more general rules.
Edit WordPress htaccess: Best practices & useful snippets
In the following section, you will find tried-and-tested code snippets for more security and better performance. Insert them before or after the WordPress block and test your site after each change. All examples use the official Apache syntax.
Security
Protect admin area with password
To additionally secure access to the /wp-admin directory, create an .htpasswd file containing a user name and a hashed password (the htpasswd tool that ships with Apache generates it; never store the password in plain text), place it outside the web root, and reference it from the .htaccess inside /wp-admin:
AuthType Basic
AuthName "Protected Area"
AuthUserFile /path/to/.htpasswd
Require valid-user
This causes the server to request a user name and password whenever /wp-admin/ is called. Replace /path/to/.htpasswd with the actual absolute path. Note that this protection applies in addition to the WordPress login. Be aware that /wp-admin/admin-ajax.php is also requested by themes and plugins on behalf of visitors who are not logged in; if your site relies on it, exempt that file from the password prompt.
Restrict directory access
By default, Apache lists the contents of a directory if it contains no index file (such as index.php or index.html). To prevent visitors or bots from seeing your folder structure, add the following directive:
Options -Indexes
This one-liner disables the directory listing; a direct request for a directory without an index file then returns 403 Forbidden instead of revealing its contents. If your host has not enabled AllowOverride Options, this line causes a 500 error, so test it immediately and remove it if necessary.
IP block for /wp-admin and wp-login.php
To allow access to the backend only to selected IP addresses, you can whitelist them. The following example is based on the RunCloud documentation and covers both the modern Apache 2.4 syntax (mod_authz_core) and the older syntax. Note that <Location> blocks are not permitted in .htaccess files (Apache rejects them with a 500 error), so save this block as a .htaccess inside the /wp-admin directory, where it applies to everything in that folder:
<IfModule mod_authz_core.c>
Require ip 123.45.67.89
# Require ip 111.222.333.444 <- add further IPs here
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
Allow from 123.45.67.89
# Allow from 111.222.333.444
</IfModule>
Replace the placeholder with your own IP address (one line per address). wp-login.php lives in the root directory, not in /wp-admin, so this block does not cover it; apply the same Require or Allow directives inside a <Files wp-login.php> block in the root .htaccess if you want to restrict it too. Also note that /wp-admin/admin-ajax.php is requested by themes and plugins for ordinary visitors and would be blocked as well. If you are logging in from different locations or have several users, this method is impractical. It is better to use two-factor authentication or secure the login with a plugin.
Protect sensitive files
Attackers often try to access configuration files directly. To deny direct access to wp-config.php, for example, insert this block (Order and Deny are the Apache 2.2 syntax; they still work on Apache 2.4 when mod_access_compat is loaded, otherwise use Require all denied inside the same <Files> block):
<Files wp-config.php>
Order Allow,Deny
Deny from All
</Files>
You can lock other sensitive file types (SQL backups, log files, scripts) using the following pattern:
<FilesMatch "\.(sql|log|conf|bak|ini)$">
Order allow,deny
Deny from all
</FilesMatch>
Deactivate XML-RPC
The XML-RPC endpoint can be misused for DDoS attacks. If you don’t need it, block it with just a few lines:
<Files xmlrpc.php>
Order allow,deny
Deny from all
</Files>
Protect users from clickjacking
The HTTP header X-Frame-Options prevents your page from being loaded in a frame on a foreign site (clickjacking). Set it via .htaccess as follows (requires mod_headers):
Header always set X-Frame-Options "SAMEORIGIN"
This command only allows frames from its own origin. To completely deactivate all frames, you can use DENY instead of SAMEORIGIN.
Prevent mixed content warnings
If your page is delivered via HTTPS but internal resources are integrated via HTTP, a security message appears in the browser. The Content Security Policy header with the value upgrade-insecure-requests ensures that all HTTP requests are automatically rewritten to HTTPS:
Header always set Content-Security-Policy "upgrade-insecure-requests;"
Password request via .htaccess for a folder
To protect any folder from unauthorised access, you can also use the above-mentioned authentication outside of /wp-admin. Create an .htpasswd file with user name and encrypted password and add the following block to the .htaccess of the directory to be protected:
AuthType Basic
AuthName "Protected area"
AuthUserFile /absolute/path/.htpasswd
Require valid-user
This will display a password prompt each time the folder is accessed. Combine this method with IP locks to further increase security.
Performance
Activate GZIP compression
GZIP reduces the file size of your scripts, styles and HTML documents before they are sent to the browser. To do this, add the following code to your .htaccess:
<IfModule mod_deflate.c>
# Compress HTML, CSS, JS and fonts
AddOutputFilterByType DEFLATE text/html text/css text/javascript application/javascript application/rss+xml application/x-font-ttf application/x-font-otf application/vnd.ms-fontobject image/svg+xml
# Work around browser bugs (only needed for old browsers)
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent
</IfModule>
These rules activate compression for common file types. Then use tools such as GTmetrix to check whether compression is active.
Browser caching for static content
Caching keeps files in the visitor’s browser so that they are loaded locally on the next visit instead of being requested again. You control the cache duration with the Cache-Control header. A simple example sets a lifetime of 30 days for common file types:
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf)$">
Header set Cache-Control "max-age=2592000, public"
</FilesMatch>
The number 2592000 corresponds to 30 days in seconds. Adjust the period to your needs. Alternatively, you can also use mod_expires to define separate time periods for each file extension.
Activate hotlink protection
Hotlinking means that other websites embed your images directly and thus consume your traffic. The following snippet prevents images from being displayed on other domains. Replace your-page.com with your domain:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?your-page\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
The condition checks whether the request originates from your domain. If this is not the case, the server issues a 403 error.
HTTP → HTTPS forwarding
If you have set up an SSL certificate, you should redirect all traffic to HTTPS. Hostinger describes the following pattern:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Insert this block directly after RewriteEngine On and before the WordPress rewrite rules, so that the redirect is applied before the [L] rule of the WordPress block stops processing (a duplicate RewriteEngine On line is harmless). All HTTP requests are then permanently (301) forwarded to the HTTPS version.
Security through HTTP headers
For additional security, special HTTP headers can be set in the .htaccess:
- Strict-Transport-Security: Instructs browsers to use HTTPS only for one year (including subdomains) and thus makes downgrade and MitM attacks much harder. Only send it once the whole site works over HTTPS: Header set Strict-Transport-Security "max-age=31536000; includeSubDomains".
- X-Content-Type-Options: Prevents MIME type sniffing in the browser: Header set X-Content-Type-Options "nosniff".
- Referrer-Policy: Controls how much of the referrer is sent with outgoing requests: Header set Referrer-Policy "strict-origin-when-cross-origin".
Combined, these headers increase security considerably.
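After editing the .htaccess you should verify that the headers actually reach the browser. The following POSIX shell script is an added example, not code from the article or from Raidboxes: it audits a dump of response headers for the headers recommended above and extracts the HSTS max-age. The two header dumps are constructed samples; on a live site you would pass the output of curl -sI for your domain instead.

```shell
#!/bin/sh
# Added example, not from the original article: audit a dump of HTTP response
# headers for the security headers recommended above. The header text below is
# constructed; on a live site pass the output of `curl -sI https://your-page.com`.

# Headers the article recommends setting via .htaccess.
WANTED_HEADERS='Strict-Transport-Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy'

# Constructed sample: a site that has applied only part of the recommendations.
PARTIAL_HEADERS='HTTP/2 200
server: Apache
content-type: text/html; charset=UTF-8
x-frame-options: SAMEORIGIN
content-security-policy: upgrade-insecure-requests;
x-content-type-options: nosniff
cache-control: max-age=2592000, public'

# Constructed sample: all recommended headers present.
HARDENED_HEADERS="$PARTIAL_HEADERS
strict-transport-security: max-age=31536000; includeSubDomains
referrer-policy: strict-origin-when-cross-origin"

# Print one line per wanted header; the return value is the number of headers
# that are missing (0 means the site sends all of them).
audit_headers() {
    headers="$1"
    missing=0
    for name in $WANTED_HEADERS; do
        if printf '%s\n' "$headers" | grep -iq "^$name:"; then
            printf 'ok       %s\n' "$name"
        else
            printf 'MISSING  %s\n' "$name"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Extract the HSTS max-age in seconds (empty output if the header is absent),
# so you can confirm it matches the one year recommended above.
hsts_max_age() {
    printf '%s\n' "$1" | grep -i '^strict-transport-security:' |
        sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

rc=0
audit_headers "$PARTIAL_HEADERS" || rc=$?
echo "partial sample: $rc header(s) missing"
echo "hardened sample: HSTS max-age = $(hsts_max_age "$HARDENED_HEADERS") seconds"
```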
How Raidboxes helps you with the WordPress htaccess file
Raidboxes is a managed hosting provider from Germany that specialises exclusively in WordPress. When you host your website with us, you can rest assured that performance, security and ease of use are our top priorities.
Our current infrastructure supports editing the WordPress htaccess file, while older boxes with NGINX ignore this file. In these cases, we automatically take over the tasks that would otherwise be handled via .htaccess.
For advanced customisations, you can find detailed instructions on how to use the .htaccess file in WordPress in our help centre.
We also provide you with automatic updates, server-side caching, free Let’s Encrypt certificates and a security shield with a web application firewall. This means you have to worry less about technology and have more time for content.
Test Raidboxes for 14 days free of charge and see the performance and support for yourself!
You want to switch to Raidboxes?
Talk to us! Together we’ll find the best solution for you and your company. Or test our WordPress hosting directly for several days free of charge!
Optimise WordPress htaccess for more security and performance
The .htaccess file is an inconspicuous but powerful tool. You have learnt how to find it, set it up and adapt it to your needs with just a few lines of code. Even the standard block ensures clean permalinks, but it’s the additional rules that turn your site into a fortress. Directory protection, IP filters and security headers make attacks more difficult; GZIP compression, browser caching and hotlink protection increase speed. You should test all customisations carefully and always have a backup to hand.
If you prefer to focus on content, managed hosting like Raidboxes can take care of many tasks. Whether you do it yourself or use support, now you know how to utilise the potential of the WordPress htaccess file.
Frequently asked questions about WordPress htaccess
How do I edit the .htaccess file in WordPress?
You can edit the WordPress htaccess file directly in the root directory of your web space using an FTP programme. Make sure you make backups to secure data and information. This allows you to adjust standard rules and optimise your website.
What are the advantages of an optimised .htaccess file?
An optimised htaccess file improves performance with GZIP compression, increases privacy with security headers and secures the WP-Admin folder. It also protects sensitive content and facilitates the processing of affiliate links and exceptions.
What belongs in the standard WordPress htaccess?
The standard WordPress htaccess contains rules for permalinks, redirects http to https and protects important elements. Typical entries such as RewriteCond and RewriteRule help when updating your website so that the system and content are loaded correctly.
Do I need an .htaccess file?
Yes, the htaccess file is indispensable for WordPress on Apache web servers. It controls important topics such as security, upload size and access to WP content folders. Without this configuration file, many standard rules and protection mechanisms are missing.
Where can I find .htaccess in WordPress?
The htaccess file is located in the root directory of your website. You can access it via FTP or cPanel. This is how you protect data and control access to third-party providers.