11 Useful htaccess Snippet Codes for the WordPress Sites

A well-configured .htaccess help to increase the security of your WordPress site. Apart from security you can handle redirects and WordPress speed optimization tasks like managing cache and gzip with it.

The Most common use of .htaccess file to alter the configuration of the Apache web server’s software. WordPress uses the .htaccess file to manipulate how Apache serves files from the root directory and subdirectories.

Default WordPress .htaccess

This default WP .htaccess code. You can use this code to restore corrupted .htaccess file.

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

Don’t forget to take a backup of your .htaccess file before you edit it. With the backup, you can always restore the previous version of the file if something goes wrong.

Here is the small collection of .httacess snippets for WordPress sites. I have personally used and tested these codes on many WordPress sites hosted on Hostgator, Siteground, and Bluehost.

Speed Up WordPress Site

It’s impossible to ignore the importance of a website’s speed for SEO rankings and conversion rates. A slow website means a frustrated user and that is something that should be avoided at all costs, so it’s worth investing in this feature.

1. Enable gZIP Compression

GZIP compression allows web servers to compress and reduce the size of files before sending them to the browser.

Enabling gZIP compression can lead to a reduction in data transfer time and this is one of the most common ways to enhance website performance.

Did you know? Enabling gZIP Compression on a website can increase the loading speeds of a website by around 60%.

Enabling gZIP compression is very easy. It can be enabled by adding few lines of code to the .htaccess file.

Here is code snippet which you can directly use add in your WordPress htaccess file

AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript

2. Leverage Browser Caching

<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType application/x-javascript "access 1 month"
ExpiresByType application/javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresDefault "access 2 days"

3. Prevent Hotlinking

To prevent your website from hotlinking you can add following code to your .htaccess file. Do not forget to replace example.com with your your domain name.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)example.com/.*$ [NC]
RewriteRule \.(gif|jpg|jpeg|bmp|zip|rar|mp3|flv|swf|xml|php|png|css|pdf)$ - [F]

Improve WordPress Security

1. Block access to wp-config.php

This code will deny access to the wp-config.php file. You can also secure the wp-config.php file with secrete keys and moving it to the unpredictable location on your web hosting server.

<files wp-config.php>
order allow,deny
deny from all

2. Block access to .htaccess

By default, most of the popular hosting servers protect the .htaccess file from all external access. If you are not sure about it, you can add an extra layer of security by using the following code.

<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all

3. Block directory browsing

This code will disable directory browsing on your WordPress site. If someone trying to locate a directory index on your WordPress site will be redirected to the 404 pages.

Options All -Indexes

4. Block “includes” directories and files

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

5. Block framing

Please note that the blocking frame may cause the theme customizer site preview to blank or may not work. If you face such a problem then delete the line ‘Header set X-Frame-Options DENY’.

<IfModule mod_headers.c>
Header always set X-FRAME-OPTIONS "DENY"

6. Configure an “X-XSS-Protection” HTTP header

Recent versions of the browsers have integrated protection against XSS attacks. On the other hand, the protection can be disabled to inject content into the page. We advise you to force the activation of XSS protection.

<IfModule mod_headers.c>
Header always set X-XSS-Protection "1; mode=block"

7. Disable the auto-detection of resource type

Internet Explorer and Chrome browsers’ ‘MIME-Type Sniffing’ feature can be exploited by a hacker to send a file to your website to inject malicious code. We recommend disabling the MIME-Type sniffling to limit the damage caused by this loophole.

<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"

8. Disable xmlrpc.php

Disabling the xmlrpc.php file in WordPress is a recommended security measure. It helps protect against brute force attacks, where hackers try to guess usernames and passwords. It also prevents potential DDoS attacks and reduces the risk of pingback spam. Disabling xmlrpc.php can improve website performance by eliminating unnecessary requests and reducing server overhead. However, it’s important to ensure that no plugins or services rely on xmlrpc.php before disabling it. Taking this precaution can enhance the security of your WordPress website and contribute to a smoother, safer online experience.

<Files xmlrpc.php>
Order Deny,Allow
Deny from all

9. Set Content Security Policy

You can protect your website from cross-site scripting attacks by configuring a content security policy HTTP header. You can restrict execution to code portions by setting this. The following code will allow executing only scripts coming from the current host or google.com.

<IfModule mod_headers.c>
Header set Content-Security-Policy "script-src 'self' https://www.google.com"

Please note that before deploying this code in your production server, thoroughly check different types of pages of your website.

Leave a Reply

Your email address will not be published. Required fields are marked *