It's an essential and very powerful file. On WordPress, the .htaccess file can help you strengthen your site's security, perform redirects, or improve your page load speed.
To reach its full potential, this valuable tool must be handled with the utmost care: if there's a syntax error in the code it contains, your website will crash.
To prevent this from happening to you, this article will reveal everything about this file. By the end of your reading, you will know how to create, edit and modify it thanks to our practical and illustrated advice.
Finally, you will get around fifteen configuration rules to copy and paste directly into your .htaccess file.
What is the WordPress .htaccess file?
Definition of .htaccess
An .htaccess file is a text file used by Apache web servers. It controls how a server functions and runs, and allows you to modify its configuration at the level of each directory.
By adding directives to this file, you can, in particular, strengthen the security of your site, improve its performance, perform redirections, etc.
Here are several things to know about the .htaccess file:
- .htaccess is the abbreviation for hypertext access.
- One of the peculiarities of a .htaccess file (on WordPress or another CMS, Content Management System) lies in its syntax. Its name begins with a dot, like many files dedicated to configuration. In computer jargon, these are also called dot files. Dot files are often hidden (we'll come back to that).
- An .htaccess file is a configuration file for the Apache web server software. It is not supported by all web servers: LiteSpeed supports it, for example, but Nginx does not. If your WordPress site runs on Nginx, you will not have an .htaccess file.
- WordPress modifies the .htaccess file to manage the structure of your permalinks (the addresses of your website pages). The CMS also takes this opportunity to create your .htaccess file as soon as you customize your permalinks (and it updates it automatically as soon as you modify their structure).
- Some types of plugins, particularly those dedicated to security and caching, use the WordPress .htaccess file to add their own configuration rules.
An example of a .htaccess file on WordPress
To give you a better idea of what this unique file looks like, here is an example of a .htaccess file for a basic WordPress installation:
The screenshot above may seem abstract, even incomprehensible. Let's break it down to make it clearer:
- Lines preceded by a hash symbol (#) are comment lines (e.g., # BEGIN WordPress and # END WordPress). Each comment must begin with a hash symbol and is not considered a directive.
- Between the two comment lines, you'll find a piece of code that tells your server a rule to follow. Each directive applies to a given directory and its subdirectories. Therefore, it's possible to have multiple .htaccess files on WordPress, in different directories such as wp-content, wp-admin, or wp-includes.
- The initial letters in brackets (e.g., ) correspond to instructions given to the server.
Each line of code necessarily has a meaning and its own syntax that Apache can understand.
For example, “f” designates a file and “d” a directory. The exclamation mark indicates a negation: the files in question must not follow the stated directive.
The idea here is not to confuse you with complex code and technical details. However, if you want to delve deeper into the subject and better understand how to declare directives, consult the official Apache documentation.
If you have activated multisite on your WordPress installation, the generated .htaccess files will be different compared to a single-site installation. Here's an example for a multi-site installation in a subdirectory:
What can you do with an .htaccess file?
As you have just seen, one of the advantages of the .htaccess file on WordPress is that it is editable and customizable as desired.
You can therefore add directives of your choice, in the form of code snippets. These tell your web server how to behave and allow it to perform the following actions, in three main categories (security, redirects, and performance):
- Set up redirects, whether they are temporary (302 redirects) or permanent (301 redirects). You can use the .htaccess file on WordPress to redirect your site from HTTP to HTTPS, for example.
- Block access to your website from certain IP addresses, or make certain files inaccessible.
- Rewriting URLs in order to facilitate the work of exploration and indexing by search engines like Google.
- Increase the maximum file upload size allowed by WordPress.
- Customize the content that appears on your 404 error pages.
- Protect certain directories with a password.
- Enable hotlinking protection. Hotlinking involves using the URL of a photo hosted on your site to display it on another site, without that site hosting the photo on its own server, in order to save bandwidth.
To begin implementing your chosen rules, there's a prerequisite: locating your .htaccess file on WordPress. Detailed instructions are provided in the following section.
Where is the .htaccess file located in WordPress?
As a general rule, WordPress creates a .htaccess file when you install the CMS on your hosting server.
You will find this .htaccess file in the root folder of your site.
The root directory is the base folder of your website's directory structure. It contains all your directories and files.
It has a different name depending on the hosting provider you use, as in the examples below:
- At OVH, it is called www.
- At Kinsta, the hosting provider we recommend, it is called public.
- At o2switch, it is called public_html.
Note that you may also locate .htaccess files inside other directories of your site, and not just in the root directory.
To access the root directory of your WordPress site, you can go either through an FTP (File Transfer Protocol) client or through the interface provided by your hosting provider (e.g., cPanel).
In the screenshot below, taken from the FTP client FileZilla, you can see the presence of an .htaccess file:
Once logged in, you can edit your .htaccess file. In the next section, you will discover three methods to do this.
How to edit a .htaccess file on WordPress?
Prerequisites
Before diving in, it's important to follow certain usage guidelines. The WordPress .htaccess file is very powerful, so you must handle it with care.
For example, the slightest syntax error in the code will crash your site, displaying a lovely 500 error.
To avoid this unfortunate situation, here are some tips to follow:
- Back up your site (files + database) before configuring your .htaccess file. To do this, use a plugin like UpdraftPlus or a maintenance tool such as WP Umbrella.
- Copy your site's current .htaccess file to wherever you want (e.g., on your Desktop) before handling it. In case of a problem, you will be able to restore it very quickly.
- Do not conduct your tests on a live website. If possible, work first in a test environment: either on a local installation using a free tool such as DevKinsta or Local, or in a pre-production environment. If all your instructions are followed correctly, you can then upload your .htaccess file online with complete peace of mind.
- Get yourself a text editor such as Brackets or Sublime Text. You will use it to edit the .htaccess file.
- Add your instructions after the comment line # END WordPress, because the CMS may need to modify the code generated just above.
Method 1: Use cPanel
One way to access your .htaccess file on WordPress is through the interface provided by your hosting provider.
cPanel is one of the most popular, which is why we'll start with it. For the procedure, follow the steps below:
- Log in to your cPanel using the login details provided by your hosting provider. You should have received these by email after subscribing to their hosting service.
- In the “Files” section, click on “File Manager”. Locate your root folder and double-click on it.
- Locate your .htaccess file in the list. To edit it, right-click and click on “Edit”. Please bear with us a little longer for the directives to add; we will dedicate a whole section to them a little later.
Your .htaccess file might not be visible. Don't panic; remember, it's often a hidden file. You can still display it by clicking the "Settings" button in the top right corner of your page. In the highlighted window that opens, click "Show hidden files (dot files)". Your .htaccess file should then appear.
Method 2: Using an FTP client
Your hosting provider doesn't offer cPanel? Or you don't want to use that method?
A second way to modify your .htaccess file is to use an FTP client.
We briefly mentioned this earlier; here's the technical method to help you manage on your own:
- Connect to your favorite FTP client (FileZilla, Cyberduck, Transmit, etc.) using the credentials provided by your hosting provider. You will need 4 pieces of information: the connection host, the port, a username and a password.
- Head to the root of your site and double click on it.
- Locate your .htaccess file. Once you have found it, click on it to highlight it, then right-click. Select View/Edit to open it.

Method 3: Using a dedicated plugin
Finally, accessing and modifying your .htaccess file on WordPress is possible thanks to the use of a plugin. The advantage here is that you don't have to leave your WordPress dashboard to make your changes.
Several solutions are available to you for this:
- Choose a dedicated extension such as Htaccess File Editor.
- Take advantage of an option offered by your SEO plugin. Yoast SEO, Rank Math, or SEOPress Pro allow you, for example, to edit your .htaccess file.
The procedure to follow with the Htaccess File Editor extension is as follows:
- Install and activate the extension via the Extensions > Add menu.
- Go to the Settings menu > WP Htaccess Editor.
- Enter your configuration rules. You can test them before saving to avoid any problems (SEOPress Pro also allows this) by clicking the “Test Before Saving” button. If everything works, finish by saving your changes (click the “Save Changes” button).
You now know several methods to find and modify your .htaccess file on WordPress.
In some rarer cases, you may not have a .htaccess file (even if you force the display of hidden files, as we have seen).
If you are faced with this situation, you will need to create your .htaccess file from scratch.
How do I create an .htaccess file?
To create a new .htaccess file, start by regenerating your permalinks.
To do this, in your WordPress back office (administration interface), go to Settings > Permalinks and save your permalinks by clicking the “Save changes” button:
Go back to your FTP client or your cPanel interface and check if the .htaccess file has appeared (don't forget to force the display of hidden files if you don't see it).
Still can't find it? It's time to create your .htaccess from scratch.
Once again, back up your website (files + database) before starting and conduct your tests in a test environment (not directly in production).
To do this, follow these steps:
- Connect to your FTP client.
- In your site's root folder, right-click and select "Create a new file". Name it .htaccess.
- Open this file with your code editor and add the configuration rules contained in a basic WordPress installation:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
If an error message appears on your screen, delete all the additions made and save again. In principle, everything should return to normal.
In principle, the way the .htaccess file works should no longer hold any secrets for you. Finally, you will see how to configure it to your liking, by adding the directives of your choice.
How to configure the WordPress .htaccess file: 13 rules to optimize it
Before you start editing your .htaccess file, here's a final reminder of a few basic rules (you can never have too many):
- Back up your site before making any changes to your .htaccess file.
- Copy the contents of your current .htaccess file into a text file on your computer.
- Add your configuration rules below the existing directives in your current file.
.htaccess rules on WordPress related to security
Prevent access to .htaccess
With the code snippet below, you will strengthen the security of your WordPress .htaccess file.
Anyone attempting to access it will see a 403 error message:
# Secure the .htaccess file
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
Prevent access to a specific file
You can restrict access to a specific file with this directive. Replace the filename shown in the snippet (votrefichier.jpg) with the filename and extension of your choice.
# Restrict access to a file
<files votrefichier.jpg>
Order allow,deny
Deny from all
</files>
Restrict access to the wp-admin folder
To prevent someone from logging into your administration interface, create a new .htaccess file and add it to the wp-admin directory of your WordPress website.
Then add the following directive to the .htaccess file (replace the xx.xx.xx.xx placeholder with the IP address authorized to connect to your site):
# Limit logins and admin by IP
<Limit GET POST PUT>
order deny,allow
deny from all
allow from xx.xx.xx.xx
</Limit>
Block an IP address
If you are being spammed from a specific IP address, you can prevent it from accessing your site with this piece of code.
Replace the dummy IP address provided in the snippet with the one of your choice:
<Limit GET POST>
order allow,deny
deny from xxx.xxx.xx.x
allow from all
</Limit>
Disable the display of directory contents
By default, your WordPress site's directories (and their contents) are accessible by simply typing a URL into your browser. This poses a significant security problem, as anyone can view and copy information from your site, not to mention hack it.
To avoid this, copy and paste the following code into your .htaccess file:
# Disable directory listing
Options -Indexes
Block the display of the wp-config.php file
# Protect the wp-config.php file
<files wp-config.php>
order allow,deny
deny from all
</files>
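On Apache 2.4, Order, Deny and Allow only work when the mod_access_compat module is loaded; without it, they trigger the 500 error described earlier. The following is an added example, not part of the original article, that rewrites the file-protection and IP rules from this section so they work on both Apache 2.2 and 2.4; the two IP addresses are constructed placeholders.

```apache
# --- Root .htaccess (added example) ---

# Deny direct requests for .htaccess and wp-config.php on any Apache version.
<FilesMatch "^(\.htaccess|wp-config\.php)$">
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Block one client address and allow everyone else (Apache 2.4 form).
# 198.51.100.7 is a constructed documentation address.
<IfModule mod_authz_core.c>
    <RequireAll>
        Require all granted
        Require not ip 198.51.100.7
    </RequireAll>
</IfModule>

# --- wp-admin/.htaccess (added example) ---

# No <Limit> wrapper: the restriction then applies to every HTTP method,
# not only to GET, POST and PUT.
# 203.0.113.10 is a constructed placeholder for the administrator's address.
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
</IfModule>

# admin-ajax.php is also called by front-end features on behalf of ordinary
# visitors, so it stays reachable for everyone.
<Files "admin-ajax.php">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Files>
```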
Avoid comment spam
Are you being bombarded with spam comments praising dubious products and websites? Copy and paste this code snippet into your .htaccess file to get rid of them.
Replace votresite.com with the domain name of your site:
# Prevent comment spam
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.votresite.com.*
RewriteCond %{HTTP_USER_AGENT} ^$
# Refuse matching requests with a 403 Forbidden response
RewriteRule (.*) - [F,L]
</IfModule>
A good tip to limit spam is also – and above all – to activate a plugin like Akismet, which is present by default on every new WordPress installation.
Hide server information
This directive will prevent certain pages from displaying information that could identify your server.
# Hide server information
ServerSignature Off
Guidelines for creating redirects
Create a 301 redirect
A permanent redirection (301 redirection) redirects a URL A (e.g., mapage.fr) to a URL B (tapage.fr).
# Redirect one page to another
Redirect 301 /mapage.html https://www.yourwebsite.com/nouvellepage.html
To create redirects, you can also use the eponymous plugin: Redirection.
Redirecting a www domain to a non-www domain
Use this code to redirect a www site (e.g., www.maintenancewp.fr) to a non-www site (e.g., maintenancewp.fr).
Replace supersite.com with the domain name of your choice:
# Redirect to the domain name without www
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.supersite\.com [NC]
RewriteRule ^(.*)$ http://supersite.com/$1 [R=301,L]
Redirecting a domain without www to a domain with www
Conversely, it is possible to redirect a domain name without www to a domain name with www.
Always remember to replace supersite.com with your domain name:
# Redirect the site from non-www to www
RewriteEngine On
RewriteCond %{HTTP_HOST} ^supersite\.com [NC]
RewriteRule ^(.*)$ http://www.supersite.com/$1 [R=301,L]
Redirect to HTTPS
The following directive will force your visitors to browse the HTTPS version of your site.
First, you must have activated an SSL certificate, which is usually offered free of charge by your hosting provider:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
# Permanent redirect to the same host and path over HTTPS
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
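The www and HTTPS redirects above can be combined so that a visitor reaches the final address in a single hop, instead of passing through an http:// URL first. The block below is an added example, not part of the original article; it assumes that supersite.com (the article's placeholder) is the canonical host name and that Apache itself terminates the HTTPS connection.

```apache
# Added example. Place this block above "# BEGIN WordPress": the WordPress
# rules end with [L], so redirect rules written after "# END WordPress"
# are never reached for permalink URLs.
<IfModule mod_rewrite.c>
RewriteEngine On

# Match plain-HTTP requests, or requests for the www host name.
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]

# One permanent redirect to the canonical HTTPS address. The host name is
# written out instead of copied from %{HTTP_HOST}, so the redirect target
# never depends on the Host header sent by the client.
RewriteRule ^ https://supersite.com%{REQUEST_URI} [R=301,L]
</IfModule>
```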
Rules for improving performance
Prevent your images from being hotlinked
When you are a victim of hotlinking, a malicious person copies the URL of an image from your site to display it on their own site without having to download the image into their Media Library (among other things).
The problem? Displaying this image relies on your hosting server. As a result, you're using more bandwidth, which can slow down the page load speed of your website(s).
To avoid this problem, enter this code in your .htaccess file (replace votresite.com with your domain name):
# Prevent hotlinking of your images
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?votresite\.com [NC]
# Refuse image requests coming from other sites with a 403 Forbidden response
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
To learn more and discover other guidelines, we recommend the following resources and websites:
- The official WordPress documentation.
- The resource Stupid .htaccess Tricks by American developer Jeff Starr, a specialist in WordPress and the .htaccess file.
- The site .htaccess Generator, to automatically generate directives for your .htaccess file.
Summary
When used correctly, the WordPress .htaccess file is a very powerful tool for strengthening security, creating redirects, or improving the performance of your site.
Throughout these lines, you have discovered the following elements:
- What is an .htaccess file and what is its purpose?
- How to locate and edit this file.
- How to create a .htaccess file from scratch.
- Best practices for manipulating the .htaccess file.
- Rules for configuring additional features on your server.
On WordPress, configuring an .htaccess file is not without risks. You must pay attention to the syntax, and above all protect yourself by taking the usual precautions before acting (e.g., backing up your site).
Despite all this, are you still getting an error after editing your file? Or do you simply want guidance on configuring this key file?
Fast, professional and efficient, the WP Maintenance team of experts is available 7 days a week to provide you with tailored support. Contact us for more information.