11 Useful .htaccess Snippets for WordPress Sites

A well-configured .htaccess file helps increase the security of your WordPress site. Apart from security, you can also use it to handle redirects and WordPress speed optimization tasks such as browser caching and gzip compression.

The most common use of the .htaccess file is to alter the configuration of the Apache web server on a per-directory basis. WordPress uses the .htaccess file to control how Apache serves files from the root directory and its subdirectories.

Default WordPress .htaccess

This is the default WordPress .htaccess code. You can use it to restore a corrupted .htaccess file.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Don’t forget to take a backup of your .htaccess file before you edit it. With the backup, you can always restore the previous version of the file if something goes wrong.

Here is a small collection of .htaccess snippets for WordPress sites. I have personally used and tested these snippets on many WordPress sites hosted on Hostgator, Siteground, and Bluehost.

Speed Up WordPress Site

It’s impossible to ignore the importance of website speed for SEO rankings and conversion rates. A slow website means a frustrated user, which should be avoided at all costs, so it’s worth investing in speed.

1. Enable GZIP Compression

GZIP compression lets the web server compress files and reduce their size before sending them to the browser.

Enabling GZIP compression reduces data transfer time, and it is one of the most common ways to improve website performance.

Did you know? Enabling GZIP compression on a website can increase its loading speed by around 60%.

Enabling GZIP compression is very easy: it takes only a few lines in the .htaccess file.

Here is a code snippet that you can add directly to your WordPress .htaccess file:

# ENABLE GZIP COMPRESSION (wrapped so the file still loads if mod_deflate is absent)
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
</IfModule>

2. Leverage Browser Caching

<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType application/x-javascript "access 1 month"
ExpiresByType application/javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresDefault "access 2 days"
</IfModule>

3. Prevent Hotlinking

To stop other sites from hotlinking your files, add the following code to your .htaccess file. Do not forget to replace example.com with your own domain name.

# PREVENT HOTLINKING
RewriteEngine on
# Direct requests (no Referer header) are allowed through.
RewriteCond %{HTTP_REFERER} !^$
# Requests referred from our own site are allowed: "www." is optional, the dot is
# escaped, and both http and https are accepted.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/.*$ [NC]
# Everything else asking for one of these file types gets 403 Forbidden.
RewriteRule \.(gif|jpg|jpeg|bmp|zip|rar|mp3|flv|swf|xml|php|png|css|pdf)$ - [F]
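The three rewrite lines are ANDed: a request is refused only when the Referer is non-empty, it does not match your own site, and the path ends in one of the listed extensions. The following Python model is an added example, not code from the original post; it reproduces that logic over a few constructed requests (example.com is the placeholder domain from the snippet) so you can see which referers pass, including a look-alike host such as example.com.other.test, which the trailing slash in the pattern keeps out. Because the Referer header is set by the client, this rule saves bandwidth against casual embedding but is not an access control; note also that it covers .php and .css, so every hostname variant your site is served under must match the own-site pattern or your own pages will get 403s.

```python
import re
from urllib.parse import urlsplit

# Model of the hotlink rule. "example.com" is the page's placeholder domain; the
# own-site pattern makes "www." optional, escapes the dot and accepts http/https.
OWN_SITE_RE = re.compile(r"^https?://(www\.)?example\.com/.*$", re.IGNORECASE)
HOTLINK_EXT_RE = re.compile(
    r"\.(gif|jpg|jpeg|bmp|zip|rar|mp3|flv|swf|xml|php|png|css|pdf)$",
    re.IGNORECASE,
)


def is_hotlink_blocked(referer: str, url_path: str) -> bool:
    """True when the rewrite rule would answer 403 Forbidden for this request."""
    # RewriteCond %{HTTP_REFERER} !^$ : direct requests (no referer) pass.
    if referer == "":
        return False
    # RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/.*$ [NC]
    if OWN_SITE_RE.match(referer):
        return False
    # RewriteRule \.(gif|...)$ - [F] is matched against the path, not the query string.
    path = urlsplit(url_path).path
    return HOTLINK_EXT_RE.search(path) is not None


# Constructed sample requests (referer, path); not real traffic.
SAMPLE_REQUESTS = [
    ("", "/wp-content/uploads/photo.jpg"),                               # direct request
    ("https://example.com/post/", "/wp-content/uploads/photo.jpg"),      # own site, no www, https
    ("http://www.example.com/", "/wp-content/themes/t/style.css"),       # own site, www
    ("https://other.test/gallery", "/wp-content/uploads/photo.jpg"),     # hotlink
    ("https://other.test/", "/about/"),                                  # not a listed extension
    ("https://example.com.other.test/", "/wp-content/uploads/a.png?v=2"),  # look-alike host
]


def audit(requests=SAMPLE_REQUESTS):
    """Return the (referer, path) pairs the rule would block."""
    return [(r, p) for r, p in requests if is_hotlink_blocked(r, p)]


if __name__ == "__main__":
    for referer, path in SAMPLE_REQUESTS:
        verdict = "403" if is_hotlink_blocked(referer, path) else "200"
        print(f"{verdict}  {path}  referer={referer!r}")
```

Run it as a script to see the verdict for each sample; only the hotlink from other.test and the look-alike host are refused.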

Improve WordPress Security

1. Block access to wp-config.php

This code denies all web access to the wp-config.php file. You can further secure wp-config.php by setting unique secret keys in it and by moving it to a less predictable location on your hosting server.

# BLOCK ACCESS TO WP-CONFIG
<files wp-config.php>
order allow,deny
deny from all
</files>

2. Block access to .htaccess

By default, most popular hosting servers already protect the .htaccess file from external access. If you are not sure about yours, you can add an extra layer of protection with the following code.

# BLOCK ACCESS TO HTACCESS
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

3. Block directory browsing

This code disables directory browsing on your WordPress site. Anyone trying to view a directory index on your site will be sent to the 404 page instead of a file listing.

# DISABLE DIRECTORY BROWSING
# Use -Indexes on its own: "Options All -Indexes" would also switch on every
# other option, including ExecCGI and Includes, which this snippet does not intend.
Options -Indexes

4. Block “includes” directories and files

# BLOCK INCLUDE FILES AND DIRECTORIES
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

5. Block framing

Please note that blocking framing may cause the theme customizer’s site preview to go blank or stop working. If you face this problem, delete the line ‘Header always set X-Frame-Options "DENY"’.

# BLOCK FRAMING
<IfModule mod_headers.c>
# DENY refuses all framing; SAMEORIGIN allows frames from this site only
Header always set X-Frame-Options "DENY"
</IfModule>

6. Configure an “X-XSS-Protection” HTTP header

Recent browser versions have integrated protection against reflected XSS attacks. That protection can, however, be disabled, allowing content to be injected into the page, so we advise forcing it on. Note that current versions of Chrome and Edge have removed their XSS auditor and ignore this header, so treat it as a fallback for older browsers rather than a primary defence.

# ACTIVATE XSS PROTECTION
<IfModule mod_headers.c>
Header always set X-XSS-Protection "1; mode=block"
</IfModule>

7. Disable the auto-detection of resource type

The ‘MIME-type sniffing’ feature of Internet Explorer and Chrome can be abused by an attacker who sends a file to your website so that the browser interprets it as a different content type and injects malicious code. We recommend disabling MIME-type sniffing to limit the damage caused by this loophole.

# DISABLE MIME-TYPE SNIFFING
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</IfModule>

8. Disable xmlrpc.php

Disabling the xmlrpc.php file in WordPress is a recommended security measure. It helps protect against brute-force attacks in which attackers try to guess usernames and passwords, it removes a vector for DDoS attacks, and it reduces the risk of pingback spam. Disabling xmlrpc.php can also improve performance by eliminating unnecessary requests and reducing server overhead. However, make sure that no plugins or services rely on xmlrpc.php before disabling it. Taking this precaution improves the security of your WordPress website and contributes to a smoother, safer experience.

# DISABLE XMLRPC
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>

9. Set Content Security Policy

You can protect your website from cross-site scripting attacks by configuring a Content-Security-Policy HTTP header, which restricts where the browser may load and execute code from. The following code allows scripts only from the current host or from https://www.google.com.

# SET CONTENT SECURITY POLICY
<IfModule mod_headers.c>
Header set Content-Security-Policy "script-src 'self' https://www.google.com"
</IfModule>

Please note that before deploying this code on your production server you should thoroughly test the different types of pages on your website: a script-src policy without 'unsafe-inline' also blocks inline scripts, which many themes and plugins use.
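Once the snippets from sections 1, 2, 5, 6, 7, 8 and 9 are in place, the effect is easy to verify from the response headers and status codes. The following Python script is an added example and is not part of the original post: it parses the head of an HTTP response (the constructed samples embedded below stand in for what you would get from curl -sI against your own site) and reports which of the page’s recommendations are not in effect. The check list, the wording of the findings, and the sample responses are my own choices; the X-XSS-Protection check is advisory because current Chrome and Edge ignore that header.

```python
# Constructed sample responses; neither was captured from a real site. The first
# is what a site running the header snippets above should return for a normal
# page, the second is a default install with a permissive CSP.
HARDENED_PAGE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: script-src 'self' https://www.google.com
"""

DEFAULT_PAGE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: script-src * 'unsafe-inline'
"""

# What the <Files> blocks should produce for wp-config.php, .htaccess and xmlrpc.php.
BLOCKED_FILE = """HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=iso-8859-1
"""


def parse_response(raw: str):
    """Split a raw response head into (status code, {lower-cased header: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def csp_directive(policy: str, name: str):
    """Return the source list of one CSP directive, or None if it is absent."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None


def audit_page_headers(raw: str):
    """Return a list of findings for a page response; empty means all checks passed."""
    _, h = parse_response(raw)
    findings = []
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or invalid (expected DENY or SAMEORIGIN)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    # Legacy check: current Chrome and Edge ignore this header.
    if h.get("x-xss-protection", "") != "1; mode=block":
        findings.append("X-XSS-Protection: 1; mode=block missing (legacy browsers only)")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        script_src = csp_directive(csp, "script-src")
        if script_src is None:
            findings.append("Content-Security-Policy has no script-src directive")
        else:
            if "*" in script_src:
                findings.append("CSP script-src allows scripts from any host (*)")
            if "'unsafe-inline'" in script_src:
                findings.append("CSP script-src allows inline scripts ('unsafe-inline')")
    return findings


def is_file_blocked(raw: str) -> bool:
    """True when a request for a protected file was refused with 403 Forbidden."""
    status, _ = parse_response(raw)
    return status == 403


if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED_PAGE), ("default", DEFAULT_PAGE)):
        print(label, audit_page_headers(raw) or ["all header checks passed"])
    print("protected file blocked:", is_file_blocked(BLOCKED_FILE))
```

Run against real output, the script only needs the response head, so the status line and headers from curl -sI are enough; the hardened sample yields no findings, while the default sample reports three missing headers and the two weak script-src sources.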
