10 Astounding .htaccess Tricks Which You Should Know About

WordPress is one of the most widely used web development platforms, popular with web developers and bloggers across the globe. One of the main reasons for its popularity is that it lets users customize a website in many ways without needing to know coding in detail.

WordPress users can enhance their website’s appearance, structure, content and SEO friendliness in many ways without being too tech savvy. You can use a plethora of plugins and even tweak the configuration files in various ways to make your website neat and attractive.

One way to make your WordPress website neater is to edit the “.htaccess” file, a powerful configuration file for the website.

Why Is .htaccess Considered A Vital Configuration File in WordPress?

The .htaccess file is primarily a server configuration file that lets you define the rules the server should follow for your WordPress website.

The .htaccess file is located in the root folder of the WordPress website, and to edit it you need to connect to your website with an FTP client.

Primarily, WordPress uses .htaccess to generate an SEO-friendly URL structure for the website, but the file handles many other tasks as well. These include:

  • Improving the performance of the website
  • Boosting the security of the website
  • Enhancing the WordPress website’s usability
  • Preserving the website’s SEO rankings wherever URL redirection is involved
  • Enabling file caching
  • Preventing access to specific files on the site
  • Blocking certain IPs and bots, and much more

The .htaccess file can easily be edited through FTP and any text editor, but a vital point to consider is that even a small error in this file can cause big trouble for the website.
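The following Python check is an added example, not code from the original article. It flags two mistakes that make Apache answer with a 500 error: a container such as <Files> or <Limit> that is never closed, and the Apache 2.2 access directives (Order, Allow, Deny, Satisfy), which Apache 2.4 accepts only when mod_access_compat is loaded. The function name lint_htaccess and the sample strings are assumptions made for the illustration.

```python
import re

# Directives that Apache 2.4 only accepts when mod_access_compat is loaded.
LEGACY_ACCESS = {"order", "allow", "deny", "satisfy"}

OPEN_RE = re.compile(r"^<\s*([A-Za-z]+)\b.*>$")   # e.g. <Files *.php>
CLOSE_RE = re.compile(r"^</\s*([A-Za-z]+)\s*>$")  # e.g. </Files>


def lint_htaccess(text):
    """Return sorted (line_number, message) findings for .htaccess text."""
    findings = []
    stack = []  # (section name, line number) of containers still open
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no directives
        close = CLOSE_RE.match(line)
        if close:
            name = close.group(1).lower()
            if stack and stack[-1][0] == name:
                stack.pop()
            else:
                findings.append((lineno, f"</{name}> has no matching opening tag"))
            continue
        opened = OPEN_RE.match(line)
        if opened:
            stack.append((opened.group(1).lower(), lineno))
            continue
        directive = line.split()[0].lower()
        if directive in LEGACY_ACCESS:
            findings.append(
                (lineno, f"'{directive}' needs mod_access_compat on Apache 2.4"))
    for name, lineno in stack:
        findings.append((lineno, f"<{name}> is never closed"))
    return sorted(findings)


# Constructed samples: a PHP-blocking rule without and with its closing tag.
BROKEN = "<Files *.php>\ndeny from all\n"
FIXED = BROKEN + "</Files>\n"

if __name__ == "__main__":
    for sample in (BROKEN, FIXED):
        for lineno, message in lint_htaccess(sample):
            print(f"line {lineno}: {message}")
        print("--")
```

The check covers only container balance and the legacy access directives; it does not validate the rest of the Apache configuration grammar.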

.htaccess Tricks That You Should Know About

  1. Disabling PHP Execution In Certain WordPress Directories

Most hacking attacks on a website involve hackers breaking into the site and using some files as a backdoor. Sometimes hackers disguise these backdoor files as core WordPress files and place them in the /wp-content/uploads/ or /wp-includes/ folders.

You can reduce the impact of such attacks and enhance the security of the website by disabling PHP execution in particular WordPress directories.

To disable PHP execution in this way, create a clean, blank .htaccess file and paste the following code into it.

# Apache 2.2 syntax; on Apache 2.4 it needs mod_access_compat, or use: Require all denied
<Files *.php>
deny from all
</Files>

Upload this file to your /wp-content/uploads/ or /wp-includes/ directories. This will disable the PHP execution in these directories.

  2. Banning Suspicious IP Addresses

One of the best ways to enhance the security of a WordPress website is to keep an eye on the IP addresses from which requests to your website are coming.

If there is an unusually high number of requests from a particular IP address, it is recommended to block that address to protect the website and prevent unauthorized access to it. IP addresses sending requests to the website can be blocked through the .htaccess file.

Add the following piece of code to your .htaccess file and replace the * with the suspicious IP address which you want to block.

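# <Limit> restricts only the listed methods (GET also covers HEAD); other methods are not affected
<Limit GET POST>
order allow,deny
deny from **.**.**.**
allow from all
</Limit>
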

  3. Protecting Your WordPress Admin Area

The WordPress admin area can easily be protected by limiting access to a selected set of IP addresses, and this can be done through the .htaccess file.

Copy the code given below to your .htaccess file to protect your WordPress admin area. Replace the ** with the IP addresses to which you want to give access. If you use more than one IP address to access the admin account, enter all of them in the following code.

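# Put this in the .htaccess inside /wp-admin/: the rules apply to the
# directory holding the file and everything below it
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist Sandra's IP address
allow from **.**.**.**
# whitelist Jason's IP address
allow from **.**.**.**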


  4. Prevent Unauthorized Access to .htaccess

Since .htaccess is one of the key configuration files and contains the rules that secure the website, the site can be hacked if the file gets into the wrong hands. .htaccess has immense power and control over your web server, so it is vital to protect it from any unauthorized access.

To prevent unauthorized access to the .htaccess file, add the following lines of code to the file.

<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>


  5. Using .htaccess File To Set Up 301 Redirects

If you have moved your content to a new location and want to inform your visitors about it, the best way to do so is by setting up a 301 redirect.

The .htaccess file can be used to set up 301 redirects. To do this, paste the following code into your .htaccess file.

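# The destination URLs are missing from the page; the https://example.com/ targets are placeholders
Redirect 301 /oldurl/ https://example.com/newurl/
Redirect 301 /category/SEOblogs/ https://example.com/new-category/

  6. Disable Directory Browsing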

Disabling “Directory Browsing” is recommended by WordPress security experts, because when browsing is enabled, hackers can view the directory and file structure of your website and look for a vulnerable file through which they can access it.

Directory browsing can be disabled on a WordPress website by adding the following line of code to your .htaccess file.

Options -Indexes

  7. Blocking Author Scans Using .htaccess

Hackers often run author scans on a WordPress website before trying to crack the passwords for the author usernames they find.

These scans can be blocked using the .htaccess file to secure the WordPress website. Simply add the following lines of code to the file.

# BEGIN block author scans
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
# END block author scans

  8. Disabling Access to XML-RPC File

Every time a new WordPress website is installed, a file named “xmlrpc.php” is added by default. This file helps third-party apps connect to your WordPress website. If you aren’t using any third-party apps, it is advisable from a security perspective to disable access to the XML-RPC file.

This can be done by adding the following lines to your .htaccess file:


# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

  9. Increasing The File Upload Size in WordPress

By default, WordPress restricts the size of files that can be uploaded. There are many ways to increase this limit, but not all of them work for users on shared hosting. The method with the highest probability of working is the one that uses the .htaccess file. Add the following code to the file:

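# php_value works only when PHP runs as an Apache module (mod_php); under CGI or
# PHP-FPM these lines cause a 500 error, so set the values in .user.ini or php.ini there
php_value upload_max_filesize 128M
php_value post_max_size 128M
php_value max_execution_time 360
php_value max_input_time 360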

These lines of code tell your web server about the increased file size and execution time. You can replace the values 128M and 360 with the desired values.

  10. Protect The WordPress Admin Folder Using A Password

If you are the admin of your WordPress website and access the site from various locations or internet spots, limiting the IP addresses won’t work: every time you access the site from a new location, you would be denied access because its IP address would not be listed in the file.

However, you can protect your WordPress account another way, by setting a password for the admin folder.

Using .htaccess, additional password protection can be added to the WordPress admin area. First of all, you need to generate a new file named “.htpasswds”. An online generator or a text editor can be used to generate this file.

Now, upload this newly generated file outside the /public_html/ folder, that is, outside the publicly accessible web directory of the website.

One of the good paths for this file is:


Next, create a .htaccess file, upload it to the /wp-admin/ directory, and add the following lines of code to it.


AuthName "Admins Only"
AuthUserFile /home/yrdirectory/.htpasswds/public_html/wp-admin/passwd
AuthGroupFile /dev/null
AuthType basic
require user username
# Leave admin-ajax.php reachable without the password
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>


These are some of the tips and tricks for the .htaccess file in WordPress. You can use these tricks to make your WordPress website more secure and better optimized from an SEO perspective.
