WordPress has a plugin for literally anything. Want to redirect broken links to live pages? There’s a plugin for that. Want to secure your website? Also, there’s a plugin for that.

If you care about how fast your WordPress site loads, you want to install as few plugins as possible. Every plugin adds code that runs on each request, and many add scripts and stylesheets that every visitor has to download.

Besides, not everything can be done with a plugin. Some tasks require changing how the web server itself handles requests, and that is configured outside WordPress.

For example, say you want to redirect your old domain to your new one and direct users and search engines to your new domain.

The efficient way is to edit your website’s .htaccess file, which lets you make such changes without touching the server’s main configuration files.

So in this post, I’ll cover everything you need to know about WordPress .htaccess. In a nutshell, you’ll learn:

  • What a .htaccess file is.
  • How to locate the .htaccess file in WordPress.
  • How to create and edit a .htaccess file.
  • WordPress .htaccess tips and tricks to improve your site’s security and performance.

Let’s geek out on this, shall we?

What Is the .htaccess File?

The .htaccess (hypertext access) file is a per-directory configuration file for the Apache web server. It lets you change how Apache handles requests for that directory and everything below it, without editing the server’s main configuration. Because it can redirect, block and rewrite requests, treat it as sensitive: whoever can write to it controls how your site is served.

The file is made up of rules and directives that tell the server how to behave when a visitor requests a page, an image or any other file on your site.

Here’s what you can do with the .htaccess file.

  • Redirect your page URL to a new location.
  • Redirect an old domain to a new one.
  • Redirect all the HTTP versions to the secure HTTPS protocol.
  • Block particular IP addresses.
  • Prevent image hotlinking.

The .htaccess file is specific to the Apache web server (and to servers that emulate it, such as LiteSpeed). Apache only honours it when the AllowOverride setting for that directory permits it, which most shared hosts enable.

NGINX does not read .htaccess files at all. It has no directory-level configuration files; everything is set in its main configuration, where options called directives are grouped into blocks.

How to Locate the .htaccess File

The .htaccess file in WordPress can often be found in the root directory of your website. 

Depending on your hosting company, your website’s root directory may be labeled public_html or htdocs.

If your host provides cPanel, you can find the file with its File Manager. Here’s how.

Log in to your cPanel account and click File Manager in the Files section.

In the folder tree on the left, open the public_html folder.

In the file list on the right, scroll down until you see a file named “.htaccess”.

If you can’t see the file, the File Manager may be hiding it.

Files whose names begin with a period are hidden files on Unix-like systems, so file managers usually hide .htaccess by default.

Here’s how to enable the settings and reveal the hidden .htaccess file.

Navigate to the toolbar at the top, click on “Settings” and then check the “Show Hidden Files” check box.

Proceed and save the changes.

If you still can’t access the file, chances are the file doesn’t exist. 

And in that case, you need to create one.

This takes us to our next step—how to create a .htaccess file.

How to Create a .htaccess File in WordPress

WordPress writes a .htaccess file to your site root when it saves your permalink settings, which normally happens during installation.

It can only do so if the web server has permission to write to that directory, so file permission problems can leave you without one.

But a simple process like updating or saving your permalink settings can sometimes fix the issue. 

Just log into your WordPress dashboard and navigate to “Settings” then “Permalinks” and without changing anything, click on “Save Changes”. 

By doing so, WordPress will automatically generate a new .htaccess file. 

However, if WordPress cannot write the file, the Permalinks page will tell you so and show you the rules you need to add yourself.

And in that case, you’ll need to create the .htaccess file manually and upload it to your root directory.

Follow these steps to create a .htaccess file in WordPress manually.

Log in to File Manager in cPanel and open your public_html folder.

At the top of the screen, click the “+ File” icon.

Enter “.htaccess” as the file name and create it.

Then click the new file to edit it and paste the default WordPress rules into the editor:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

The <IfModule> wrapper keeps Apache from failing on a server where mod_rewrite is not loaded. If WordPress is installed in a subdirectory, use that directory in RewriteBase and in the final rule (for example RewriteBase /blog/ and /blog/index.php). Everything between the # BEGIN WordPress and # END WordPress markers is managed by WordPress and rewritten whenever you save your permalink settings, so put your own rules outside those markers.

Go ahead and click on the “Save Changes” button.

How to Edit the WordPress .htaccess File

A warning first: editing .htaccess is risky. Apache reads the file on every request, so a typo or an unsupported directive doesn’t just break one feature; it makes Apache answer every request to your site with a 500 Internal Server Error until the file is fixed. A wrong rewrite rule can also create redirects you never intended.

The best protection is to back up your website and download a copy of the current .htaccess file to your computer before editing.

If something goes wrong, restore the site from the latest backup, or simply upload the original .htaccess file over the broken one.

There are two ways to edit the WordPress .htaccess file

  1. Using a WordPress plugin.
  2. Via your host’s cPanel.

I will cover how to edit your .htaccess file using the two methods, step-by-step.

How to Edit the .htaccess File Using a WordPress Plugin

Editing a .htaccess file using a WordPress plugin is probably the safest method. The reason is, most plugins allow you to restore the previous version of the file in one click.

The WP Htaccess Editor plugin is among the best plugins for safely editing the WordPress .htaccess file.

Unlike editing the file in cPanel’s File Manager, this plugin tests your .htaccess file for syntax errors that would take the site down before it saves the changes.

It also saves a backup copy of the .htaccess file every time you edit it, so you can roll back.

Log in to your dashboard and install the WP Htaccess Editor plugin.

After activating the plugin, go to your WordPress dashboard and click Settings, then WP Htaccess Editor.

From there you can add any code you want to modify your .htaccess file.

The best thing about this plugin is that it tests the file for syntactic correctness before saving. If you need to roll back, click the “Restore Last Backup” button.

How to Modify .htaccess Using cPanel

Follow these steps to edit the .htaccess file in WordPress using cPanel.

Log in to your cPanel account and open the File Manager.

In the navigation menu on the left side of the screen, click on the public_html folder.

On the right side of the screen, find your .htaccess file, right-click it and choose Edit.

From there you can edit your .htaccess file code to add new directives.

Once done, hit on the “Save Changes” button.

How to Use the .htaccess file to Improve the Security and Performance of your WordPress site

There are a ton of things that you can do with your .htaccess file to boost your website security and performance.

For example, you can use the .htaccess file to redirect broken links on your site to live pages.

In this section, I’ll show you some WordPress .htaccess tips, and tricks you can implement to improve your site security and performance.

Adding 301 Redirects

A 301 redirect tells browsers and search engines that a URL has permanently moved to a new location.

When someone requests the old URL, the server answers with a 301 status code and the new location, and the client fetches the new URL instead. Search engines update their index to the new URL.

You can use the .htaccess file to add a 301 redirect for a single URL or for an entire domain.

To add a 301 redirect for a single page, add the following line to your .htaccess file (it uses mod_alias, so it needs no RewriteEngine line):

Redirect 301 /oldpage.html https://www.example.com/newpage.html

Replace /oldpage.html with the path of the old page, example.com with your own domain, and /newpage.html with the new path. Note that Redirect matches by path prefix, so /oldpage.html also redirects /oldpage.html/anything; use RedirectMatch with an anchored regular expression if you need an exact match.

On the other hand, you can use the 301 redirect to redirect an old domain to a new one.

Add the following code to your .htaccess file, above the # BEGIN WordPress block so that WordPress doesn’t overwrite it:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^(?:www\.)?oldsite\.com$ [NC]
RewriteRule ^(.*)$ https://newsite.com/$1 [L,R=301]

The RewriteCond matches requests for oldsite.com with or without www, and the RewriteRule sends each of them to the same path on newsite.com. As always, replace oldsite and newsite with your actual domains. The old domain must keep a valid TLS certificate for as long as you want HTTPS visitors to reach the redirect.

Use the .htaccess File to Block IP Addresses

There are many reasons you might want to block a particular IP address from reaching your site.

Maybe you run a forum and notice that one user keeps trolling other members, leaving spiteful comments or otherwise abusing the site.

In that case, you can block their IP address using the .htaccess file.

Copy the following into your .htaccess file, outside the # BEGIN WordPress and # END WordPress markers (WordPress rewrites everything between them whenever you save your permalink settings, so anything you put there is lost).

# Block a single address on Apache 2.4 (mod_authz_core)
<RequireAll>
    Require all granted
    Require not ip 203.0.113.10
</RequireAll>

On Apache 2.2, or on 2.4 with mod_access_compat enabled, the older syntax is:

Order Allow,Deny
Allow from all
Deny from 203.0.113.10

Replace 203.0.113.10 with the address you want to ban (203.0.113.10 is a documentation address, not a real one). Both Require not ip and Deny from also accept a range such as 203.0.113.0/24. Don’t wrap the rule in <Limit GET POST> as many snippets do: that leaves every other request method unblocked.

Two caveats. If your site sits behind a CDN or reverse proxy, Apache sees the proxy’s address rather than the visitor’s unless mod_remoteip is configured to trust the proxy. And an IP block only stops a casual nuisance, since anyone can switch to a VPN or a mobile network.
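Before uploading an edited .htaccess, it’s worth checking it for the mistakes described in this post: directives placed between the # BEGIN WordPress and # END WordPress markers, curly quotes pasted from a web page, mistyped IP addresses, and Apache 2.2-only access directives that need mod_access_compat on Apache 2.4. The script below is an added example written for this post (it is not part of WordPress, cPanel or any plugin): it lints a .htaccess text for those four problems. The sample file it runs on is constructed for the example and deliberately contains all four.

```python
"""Lint a WordPress .htaccess file for common copy-paste mistakes.

Added example for this post, not code from WordPress or any plugin.
Checks: custom directives inside the WordPress-managed block, curly quotes,
invalid IP addresses, and Apache 2.2-only access directives.
"""
from __future__ import annotations

import ipaddress
import re

CURLY_QUOTES = "\u201c\u201d\u2018\u2019"
# Directives WordPress itself writes between its BEGIN/END markers.
WP_BLOCK_DIRECTIVES = {"ifmodule", "rewriteengine", "rewritebase", "rewritecond", "rewriterule"}
# Lines that carry an IP address or range we can validate.
IP_LINE = re.compile(
    r"^(?:deny|allow)\s+from\s+(?P<a>\S+)"
    r"|^require\s+(?:not\s+)?ip\s+(?P<b>\S+)"
    r"|^RewriteCond\s+%\{REMOTE_ADDR\}\s+!?\^?(?P<c>[0-9\\./]+)\$?",
    re.IGNORECASE,
)
LEGACY_ACCESS = re.compile(r"^(?:order|allow\s+from|deny\s+from)\b", re.IGNORECASE)


def lint_htaccess(text: str) -> list[tuple[int, str]]:
    """Return (line number, message) pairs for every problem found."""
    findings = []
    inside_wp_block = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped == "# BEGIN WordPress":
            inside_wp_block = True
            continue
        if stripped == "# END WordPress":
            inside_wp_block = False
            continue
        if not stripped or stripped.startswith(("#", "</")):
            continue  # blank line, comment or closing tag: nothing to check
        if any(q in line for q in CURLY_QUOTES):
            findings.append((lineno, "curly quote; Apache accepts only straight quotes"))
        directive = stripped.split()[0].strip("<>").lower()
        if inside_wp_block and directive not in WP_BLOCK_DIRECTIVES:
            findings.append((lineno, "custom directive inside the WordPress-managed block; "
                                     "it is lost when permalinks are saved"))
        if LEGACY_ACCESS.match(stripped):
            findings.append((lineno, "Apache 2.2-style access directive; on 2.4 this needs "
                                     "mod_access_compat, prefer Require"))
        m = IP_LINE.match(stripped)
        if m:
            raw = next(g for g in m.groups() if g)
            candidate = raw.replace("\\.", ".")  # undo regex escaping in RewriteCond
            # Partial addresses such as "Deny from 192.168" are reported too;
            # write them as a CIDR range instead.
            if candidate.lower() not in {"all", "env", "host"}:
                try:
                    ipaddress.ip_network(candidate, strict=False)
                except ValueError:
                    findings.append((lineno, f"invalid IP address or range {raw!r}"))
    return findings


# Constructed sample, deliberately containing every mistake the linter knows.
SAMPLE = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^index\\.php$ - [L]
<Limit GET POST>
order allow,deny
deny from 123.456.78.9
allow from all
</Limit>
</IfModule>
# END WordPress
RewriteCond %{REMOTE_ADDR} !^203\\.0\\.113\\.10$
<FilesMatch \u201c\\.php$\u201d>
Require all denied
</FilesMatch>
"""

if __name__ == "__main__":
    for lineno, message in lint_htaccess(SAMPLE):
        print(f"line {lineno}: {message}")
```

Run it against your own file with `lint_htaccess(open(".htaccess").read())`; an empty list means none of the four problems was found, which is not the same as the file being correct, so still keep the backup described above.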

Disable PHP Execution

By default, the web server process can write to several WordPress folders, such as wp-content/themes, wp-content/plugins and wp-content/uploads. That is what lets you install themes and plugins and upload images from the dashboard.

The downside is that any flaw that lets an attacker write a file into one of those folders (a vulnerable upload form, for instance) lets them drop a PHP backdoor there and then run it simply by requesting its URL.

You don’t want to remove write access, because then you could no longer install a theme or a plugin or upload images. What you can do is tell Apache to refuse to serve PHP files from those folders, so an uploaded backdoor can’t be executed through the web.

Here’s how to do it.

Navigate to your public_html directory and under the “wp-content” locate the “uploads” folder.

Open the “uploads” folder. It normally has no .htaccess file of its own, so create one there with the “+ File” icon (if one already exists, open it for editing).

Paste the following into that .htaccess file and save it.

<FilesMatch "\.ph(p[0-9]*|tml|ar)(\.|$)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>

Use straight quotes around the pattern; curly quotes copied from a web page will break the file. The pattern matches .php, .php5, .phtml and .phar, and also names such as shell.php.jpg that some Apache setups still hand to PHP. The two IfModule blocks pick the right syntax for Apache 2.4 (Require) or 2.2 (Order/Deny).

With this in place, a request for any such file under uploads is refused with a 403, so an uploaded web shell can’t be executed by visiting its URL. It does not stop PHP that is included by other code, so it is a second line of defence, not a substitute for keeping plugins patched.

You can add the same file to wp-content/themes and wp-content/plugins as well. Test the site afterwards: a few plugins and themes serve PHP files directly from their own directories and will stop working, in which case you’ll need an exception for those files.

Restrict Access to the WordPress Admin Page

One of the most effective ways to keep attackers out of your website is to protect the WordPress admin area from unauthorized access.

A strong way to do this is to allow only particular IP addresses to reach the login page and the dashboard: your own address and those of your team.

Then even an attacker who has obtained a valid password can’t reach the login form, because their address isn’t on the list. (They could still authenticate through xmlrpc.php if it is enabled, so disable XML-RPC too if you don’t use it.)

You can do this with the following template in your root .htaccess file, placed above the # BEGIN WordPress block.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-login\.php [OR]
RewriteCond %{REQUEST_URI} ^/wp-admin(/|$)
RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.25$
RewriteRule ^ - [F,L]
</IfModule>

How it works: the first two conditions select requests for wp-login.php or anything under /wp-admin/. The third exempts admin-ajax.php, which many themes and plugins call from the public site on behalf of visitors who aren’t logged in. The remaining conditions are true when the visitor’s address is not one of the allowed ones, and in that case the rule answers 403 Forbidden. If you want blocked visitors to see your site’s own error page rather than Apache’s default, add an ErrorDocument 403 line; it changes only the page shown, not what is blocked.

Replace 203.0.113.10 and 198.51.100.25 (documentation addresses used here as placeholders) with the real addresses you want to allow, escaping each dot with a backslash and keeping the ^ and $ anchors so that 203.0.113.10 doesn’t also admit 203.0.113.100. Add one RewriteCond line per address; there is no practical limit. If WordPress lives in a subdirectory, prefix the paths accordingly (for example ^/blog/wp-login\.php).

Two things to keep in mind. If your home or office address changes, you lock yourself out until you fix the file through cPanel or FTP. And behind a CDN or reverse proxy, REMOTE_ADDR is the proxy’s address unless mod_remoteip is set up, so every visitor would be treated the same.
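Because a mistake in these rules either locks you out or lets everyone in, it helps to model the decision logic before deploying. The script below is an added example written for this post, not part of WordPress or Apache: it generates the REMOTE_ADDR conditions from an allowlist (validating each address and escaping it properly) and replays the same rule chain in Python against sample requests, including the admin-ajax.php exemption and the effect of dropping the $ anchor. The allowed addresses 203.0.113.10 and 198.51.100.25 are documentation addresses standing in for your own, and the sample requests are constructed.

```python
"""Model the wp-admin IP allowlist rules and test them against sample requests.

Added example for this post (not WordPress or Apache code). It renders the
RewriteCond lines from a validated allowlist and replays the rule chain in
Python so the decisions can be checked before the file goes live.
"""
import ipaddress
import re

# Assumed allowlist: RFC 5737 documentation addresses standing in for your own.
ALLOWED = ["203.0.113.10", "198.51.100.25"]

# What the rules protect, and the one path public-facing plugins call anonymously.
PROTECTED = re.compile(r"^/wp-login\.php|^/wp-admin(/|$)")
EXEMPT = re.compile(r"^/wp-admin/admin-ajax\.php")


def remote_addr_conditions(allowed, anchored=True):
    """RewriteCond lines for the allowlist: dots escaped, address anchored.

    ipaddress.ip_address() rejects typos such as 123.456.78.9 up front
    instead of silently producing a condition that can never match.
    """
    lines = []
    for entry in allowed:
        addr = str(ipaddress.ip_address(entry))
        pattern = re.escape(addr) + ("$" if anchored else "")
        lines.append(f"RewriteCond %{{REMOTE_ADDR}} !^{pattern}")
    return lines


def render_htaccess(allowed):
    """The complete block to paste above '# BEGIN WordPress' in the root .htaccess."""
    return "\n".join(
        ["<IfModule mod_rewrite.c>",
         "RewriteEngine On",
         r"RewriteCond %{REQUEST_URI} ^/wp-login\.php [OR]",
         r"RewriteCond %{REQUEST_URI} ^/wp-admin(/|$)",
         r"RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php"]
        + remote_addr_conditions(allowed)
        + ["RewriteRule ^ - [F,L]", "</IfModule>"]
    )


def is_request_allowed(path, remote_addr, allowed=ALLOWED, anchored=True):
    """Replay the rule chain: True means served, False means 403 Forbidden.

    mod_rewrite ANDs the conditions (the two [OR] ones form a group), so the
    request is refused only if the path is protected, not exempt, and every
    negated REMOTE_ADDR pattern fails to match.
    """
    if not PROTECTED.search(path) or EXEMPT.search(path):
        return True
    patterns = [re.escape(str(ipaddress.ip_address(a))) + ("$" if anchored else "")
                for a in allowed]
    refused = all(re.match(p, remote_addr) is None for p in patterns)
    return not refused


# Constructed sample requests: (path, client address)
SAMPLE_REQUESTS = [
    ("/wp-login.php", "203.0.113.10"),           # team member: allowed
    ("/wp-login.php", "192.0.2.44"),             # stranger with a stolen password: refused
    ("/wp-admin/edit.php", "192.0.2.44"),        # refused
    ("/wp-admin/admin-ajax.php", "192.0.2.44"),  # public AJAX endpoint: allowed
    ("/2024/05/hello-world/", "192.0.2.44"),     # ordinary page: allowed
    ("/wp-login.php", "203.0.113.100"),          # refused only because of the $ anchor
]

if __name__ == "__main__":
    print(render_htaccess(ALLOWED))
    for path, addr in SAMPLE_REQUESTS:
        verdict = "allowed" if is_request_allowed(path, addr) else "403"
        print(f"{addr:>15} {path:<30} {verdict}")
```

Passing `anchored=False` shows why the `$` matters: without it, `203.0.113.10` also admits `203.0.113.100` through `203.0.113.109`. The model reads REMOTE_ADDR as the true client address; behind a proxy without mod_remoteip, the real Apache would see the proxy’s address for every request.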

Protect Your Site Against SQL Injections

An SQL injection attack feeds specially crafted input into a web form or URL parameter so that it ends up inside a database query and changes what the query does.

WordPress core builds its queries safely, but a poorly written plugin or theme that pastes user input straight into SQL puts the whole site at risk.

Every place where a visitor can supply data is a potential entry point: contact forms, comment sections, search boxes, even quizzes.

A popular approach is to add a request blocklist like the one below to your root .htaccess file. Be clear about what it is: it rejects requests whose query string contains certain characters or words, which is a crude filter. It is easily bypassed by encoding the payload differently; it blocks legitimate requests too, for example a search for “select a sofa” or, on plain permalinks, any tag archive (?tag=...); it refuses HEAD requests, which many uptime monitors use; and its final condition waves through any request that merely carries a wordpress_logged_in_ cookie, which an attacker can add by hand. The real fix for SQL injection is in code: use $wpdb->prepare() or another parameterized query for every value that comes from a user, keep plugins updated, and, if you want request filtering, use a maintained web application firewall rather than a static list. If you do add the list, test your site thoroughly afterwards.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
RewriteCond %{QUERY_STRING} http\:  [NC,OR]
RewriteCond %{QUERY_STRING} https\:  [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
# Exempt logged-in users (the cookie name is lower-case: wordpress_logged_in_<hash>)
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_ [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>
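To see what the list above actually does, you can replay its query-string conditions against sample requests. The script below is an added example written for this post, not part of WordPress or of the rule set itself: it evaluates a representative subset of the conditions with Python’s re module (which handles these patterns the same way mod_rewrite’s regex engine does) against constructed query strings, and shows both the ordinary requests that get blocked and an injection payload that slips through once two of its letters are percent-encoded. It also shows the cookie exemption, which trusts the mere presence of a wordpress_logged_in_ cookie.

```python
"""Replay the .htaccess query-string blocklist against sample requests.

Added example for this post, not part of WordPress or the rule set. The
patterns are a representative subset of the RewriteCond lines above (all
of which carry [NC], hence IGNORECASE). mod_rewrite matches QUERY_STRING
as sent, before any percent-decoding, which is what makes the bypass work.
"""
import re
from urllib.parse import unquote_plus

QUERY_STRING_PATTERNS = [
    r"\.\./",                                       # directory traversal
    r"boot\.ini",
    r"tag=",                                        # also every WordPress tag archive
    r"(ftp|https?):",
    r"(<|%3C).*script.*(>|%3E)",
    r"base64_encode.*\(.*\)",
    r'^.*(\[|\]|\(|\)|<|>|"|;|\?|\*|=$).*',         # assorted punctuation, or a trailing =
    r"^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).*",
    r"^.*(globals|encode|localhost|loopback).*",
    r"^.*(request|select|insert|union|declare).*",  # SQL keywords, as plain substrings
]


def blocked_by_list(query_string, cookies=""):
    """True when the rule chain would answer 403 for this raw query string.

    The last RewriteCond skips the whole check when the Cookie header contains
    wordpress_logged_in_, so anything presenting such a cookie is waved through.
    """
    if re.search(r"wordpress_logged_in_", cookies, re.IGNORECASE):
        return False
    return any(re.search(p, query_string, re.IGNORECASE) for p in QUERY_STRING_PATTERNS)


def as_seen_by_php(query_string):
    """The decoded value PHP hands to WordPress and, through an unsafe plugin,
    to MySQL. $wpdb->prepare() is what protects this value, not the blocklist."""
    return unquote_plus(query_string)


# Constructed sample query strings with what they represent.
SAMPLES = {
    "s=select+a+sofa": "visitor searching for furniture",
    "tag=security": "tag archive on plain permalinks",
    "s=": "empty search box submitted",
    "id=1 UNION SELECT 1,2,3": "textbook injection, sent literally",
    "id=1%20UN%49ON%20SEL%45CT%201,2,3": "same payload with two letters percent-encoded",
    "id=1%20OR%201%3D1": "always-true condition; nothing in the list matches it",
}

if __name__ == "__main__":
    for qs, meaning in SAMPLES.items():
        verdict = "403" if blocked_by_list(qs) else "passes"
        print(f"{verdict:<7} {qs:<40} {meaning}  ->  PHP sees: {as_seen_by_php(qs)!r}")
    print("with a forged cookie:", blocked_by_list("s=select+a+sofa", cookies="wordpress_logged_in_x=1"))
```

The three legitimate requests are refused while both injection payloads reach PHP, and the decoded form of the encoded one is byte-for-byte the literal payload the list was meant to stop. That is the general weakness of keyword blocklists in front of a decoder: the filter and the database never see the same string.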

Prevent Image Hotlinking

If you publish good graphics, infographics or photos, other site owners may embed them directly from your server.

That may look like a compliment, but it has a cost that affects your WordPress site’s performance and hosting bill.

Normally an image on someone’s page is loaded from their own server or CDN.

With hotlinking, the other site’s page points at the image URL on your server, so every time one of their visitors loads that page, your server delivers the file.

Those visitors never see your site, yet you pay for the bandwidth, because someone who copied your image didn’t want to host it themselves.

You can’t stop anyone from writing your image URL into their page, but you can tell your server not to deliver images when the request comes from another site’s page.

Here’s how to do it using the .htaccess file.

Copy the following code and paste it at the end of your .htaccess file.

# Prevent image hotlinking in WordPress
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourwebsite\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?google\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?facebook\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?twitter\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?other-websites-go-here\.com(/|$) [NC]
RewriteRule \.(jpe?g|png|gif|webp)$ - [F,NC]

This allows only your own site, Google, Facebook and Twitter to embed your images. Requests with no Referer header at all (direct visits, some privacy settings) are also allowed, so the protection doesn’t break ordinary browsing. Any other referring site gets a 403 instead of the image.

To allow another site, replace “other-websites-go-here.com” with its domain, or copy that line once for each extra site. Remember to replace “yourwebsite.com” with your actual domain.

Keep the dots escaped (\.) and the (/|$) at the end of each pattern: without them, yourwebsite.com would also match yourwebsite.com.attacker.example, and a hotlinker could register such a look-alike. And since a site can simply omit the Referer header, treat this as bandwidth protection, not as access control.
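The difference between a loosely written Referer pattern and a properly escaped, terminated one is easy to check offline. The script below is an added example written for this post, not WordPress or Apache code: it evaluates both forms of the allowlist pattern with Python’s re module (which treats these patterns the same way mod_rewrite does) against a set of constructed Referer headers, replaying the rule chain above including the empty-Referer exemption. example.com stands in for your own domain.

```python
"""Check a hotlink-protection Referer allowlist against sample referers.

Added example for this post, not WordPress or Apache code. Python's re
module evaluates these RewriteCond patterns the same way mod_rewrite does,
so the loose and strict versions can be compared offline. example.com
stands in for your own domain; all referers below are constructed.
"""
import re

# As written with an unescaped dot and no terminator after the host name.
LOOSE = r"^http(s)?://(www\.)?example.com"
# Dot escaped, host name terminated by a slash or the end of the string.
STRICT = r"^https?://(www\.)?example\.com(/|$)"

SAMPLE_REFERERS = [
    "https://example.com/gallery/",               # own site: must be served
    "https://www.example.com",                    # own site, origin only (Referrer-Policy)
    "",                                           # no Referer: direct visit or privacy setting
    "https://example.com.attacker.example/page",  # look-alike subdomain
    "https://examplexcom.example/page",           # unescaped dot matches the x
    "https://another-site.example/stolen.html",   # plain hotlinker
]


def image_request_refused(referer, allow_pattern):
    """Replay the rule chain for one image request.

    RewriteCond %{HTTP_REFERER} !^$ makes the rule skip requests with no
    Referer; otherwise the image is refused (403) unless the referer matches
    the allowlist pattern. Returns True when Apache would answer 403.
    """
    if referer == "":
        return False
    return re.match(allow_pattern, referer, re.IGNORECASE) is None


def evaluate(allow_pattern, referers=SAMPLE_REFERERS):
    """Map each referer to whether the image would be refused under the pattern."""
    return {r: image_request_refused(r, allow_pattern) for r in referers}


if __name__ == "__main__":
    loose, strict = evaluate(LOOSE), evaluate(STRICT)
    for r in SAMPLE_REFERERS:
        print(f"{r or '(no referer)':<45} loose: {'403' if loose[r] else 'served':<7} "
              f"strict: {'403' if strict[r] else 'served'}")
```

Under the loose pattern both look-alike hosts are served, because `.` matches any character and nothing stops the match after `com`; under the strict pattern only the real domain and the empty Referer get through.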

Conclusion

Creating and modifying a .htaccess file in WordPress may not be the simplest task if you’re not technically inclined.

However, following the instructions outlined in this blog post, you can quickly set up and customize your .htaccess file to improve the security and functionality of your WordPress website. 

Whether you’re looking to improve your website’s SEO, protect your site from malicious attacks, or customize your URL structure, an .htaccess file can be a powerful tool. 

Remember to always back up your .htaccess file before making any changes, and to test your changes thoroughly to ensure they are working as intended. 

Author

James Njoya is a WordPress content writer who loves to explain technical WordPress topics in the simplest words that can be understood by an average reader. When he’s not writing for his clients, he’s writing helpful WordPress guides and publishing them on his blog.

About the Author

WP Webify

Editorial Staff at WP Webify is a team of WordPress experts led by Peter Nilsson. Peter Nilsson is the founder of WP Webify. He is a big fan of WordPress and loves to write about WordPress.
