What is a .htaccess File?

This WordPress .htaccess Basics article covers basic topics, from what an .htaccess file is to how to better secure your site with your .htaccess, along with a few code snippets.

.htaccess is a file that doesn’t install with WordPress by default. It is, however, a very powerful file that can create “pretty links”, regulate who can access your site if you choose, redirect pages and serve many other functions. The .htaccess file only works on Apache web servers; however, most web hosts do use Apache, so in most cases (especially with shared web hosts) this will be applicable.

When you first install WordPress, it doesn’t come with a .htaccess file. However, if you set your Permalinks (and you should) from within your WordPress Admin by going to SETTINGS > PERMALINKS and choosing the option best suited to your needs, saving those settings will create a .htaccess file in the root of your account.

Default WordPress .htaccess Permalink Code

If you download the .htaccess file now and open it in a text editor, it will look like this.


# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Send every request that is not an existing file or directory to WordPress
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Let’s add some additional rules to help us out

Now that our file is created, let’s add some more rules that will help keep our website safer and even give it a speed boost.

Warning: the .htaccess file is particularly sensitive, and a single mistake can break your entire site. It’s always a good idea to make a backup of your working .htaccess file before making ANY modifications, so that if something does break you can restore your original version.

Lines beginning with a # are human-readable comments and don’t actually do anything; they are only there to remind you what the following code is doing. There is one manual change that you will need to make when you paste this code into your .htaccess file: search for the line that contains example.com and replace it with your actual domain name. For example, if this were for this site, we’d replace example.com with wpdoityourself.com.


# FIX CLICKJACKING
<IfModule mod_headers.c>
# NOTE: DENY also refuses same-origin frames, which the WordPress Customizer preview uses;
# switch to SAMEORIGIN if the Customizer stops loading.
Header set X-Frame-Options DENY
</IfModule>

## BLOCK SENSITIVE FILES ##
# NOTE: Order/Allow/Deny/Satisfy are Apache 2.2 directives. Apache 2.4 only honours them
# when mod_access_compat is loaded; otherwise use "Require all denied" in their place.
# PROTECT .HTACCESS FILES
<Files .htaccess>
Order allow,deny
Deny from all
Satisfy all
</Files>
# PROTECT LICENSE FILE
<Files license.txt>
Order allow,deny
Deny from all
</Files>
# PROTECT INSTALLATION FILE
<Files install.php>
Order allow,deny
Deny from all
</Files>
# PROTECT ERROR_LOG
<Files error_log>
Order allow,deny
Deny from all
</Files>
# PROTECT OTHER FILES (no trailing $, so backup copies such as wp-config.php.bak are covered too)
<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
Order allow,deny
Deny from all
# Uncomment and set your own address if you need to keep access for yourself
#Allow from 69.12.202.73
</FilesMatch>
# DISABLE DIRECTORY BROWSING
Options All -Indexes

# PREVENT USERNAME ENUMERATION (send /?author=N requests back to the home page)
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]
</IfModule>
# BLOCK THE INCLUDE-ONLY FILES.
<IfModule mod_rewrite.c>
RewriteRule ^wp-admin/includes/ - [F,L]
# Skip the next three rules for anything outside wp-includes/
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# PROTECT XMLRPC
# NOTE: blocking xmlrpc.php also disables Jetpack and the WordPress mobile apps, which rely on it.
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
# Uncomment and set the address of any service that legitimately needs XML-RPC
#Allow from 123.123.123.123
</Files>
# PROTECT FROM SPAM BOTS (Prevent bots with no user agent from hitting the comment form)
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*example\.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
</IfModule>

## INCREASE SITE SPEED ##
# ENABLE OUTPUT COMPRESSION
<IfModule mod_deflate.c>
# Insert filters
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/x-httpd-php
AddOutputFilterByType DEFLATE application/x-httpd-fastphp
AddOutputFilterByType DEFLATE image/svg+xml
</IfModule>
<IfModule mod_headers.c>
# CACHE IMAGES AND FLASH CONTENT FOR ONE MONTH (2592000 seconds = 30 days)
# The dot must be escaped and the group must not end in "|", or the pattern matches every file.
<FilesMatch "\.(flv|gif|jpg|jpeg|png|ico|swf)$">
Header set Cache-Control "max-age=2592000"
</FilesMatch>
# CACHE TEXT, CSS, AND JAVASCRIPT FILES FOR ONE MONTH
<FilesMatch "\.(js|css|pdf|txt)$">
Header set Cache-Control "max-age=2592000"
</FilesMatch>
</IfModule>

As previously stated in this WordPress .htaccess Basics article, there are MANY things that the .htaccess file can do, but we’ve found that these rules are a strong foundation for nearly every website for both additional security and an easy speed-boost.
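Because a broken .htaccess takes the whole site down, it pays to sanity-check the file before uploading it. The script below is an added example written for this article, not code from the article or from WordPress. It checks three things that commonly go wrong when rules like the ones above are pasted together: container directives (`<Files>`, `<FilesMatch>`, `<IfModule>`) left unclosed, regular expressions in `FilesMatch`/`RewriteRule`/`RewriteCond` lines that do not compile, and Apache 2.2-style `Order`/`Deny from` access control with no `Require` directive anywhere in the file. It also shows which file names a `<FilesMatch>` pattern would actually apply to, using the cache rule as the worked case: with an unescaped dot and a trailing empty alternative the pattern matches every file, including PHP and CSS. The sample .htaccess fragment and file names are constructed for the demonstration; Python's `re` is used as a stand-in for Apache's PCRE, which agrees for patterns of this kind.

```python
"""Pre-upload sanity checks for a WordPress .htaccess (added example, not from the article)."""
import re
from typing import Dict, List, Optional

# Container directives whose open/close tags a careless paste tends to lose.
CONTAINER_OPEN = re.compile(r'^<(IfModule|FilesMatch|Files|Directory|Limit)\b[^>]*>$')
CONTAINER_CLOSE = re.compile(r'^</(IfModule|FilesMatch|Files|Directory|Limit)>$')
FILESMATCH_OPEN = re.compile(r'^<FilesMatch\s+"([^"]+)"\s*>$')
# Apache 2.2-era access control; on 2.4 these need mod_access_compat or a rewrite to Require.
ACCESS_22 = re.compile(r'^(Order|Allow from|Deny from|Satisfy)\b', re.IGNORECASE)


def check_containers(lines: List[str]) -> List[str]:
    """Report unclosed or mismatched <Files>/<FilesMatch>/<IfModule> blocks."""
    stack, problems = [], []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        opened = CONTAINER_OPEN.match(line)
        if opened:
            stack.append((opened.group(1), n))
            continue
        closed = CONTAINER_CLOSE.match(line)
        if closed:
            if stack and stack[-1][0] == closed.group(1):
                stack.pop()
            else:
                problems.append(f"line {n}: unexpected </{closed.group(1)}>")
    problems.extend(f"line {n}: <{name}> is never closed" for name, n in stack)
    return problems


def directive_regex(line: str) -> Optional[str]:
    """Return the regex carried by a FilesMatch, RewriteRule or RewriteCond line, else None."""
    fm = FILESMATCH_OPEN.match(line)
    if fm:
        return fm.group(1)
    parts = line.split()
    if len(parts) >= 2 and parts[0] == "RewriteRule":
        return parts[1].lstrip("!")      # RewriteRule <Pattern> <Substitution> [flags]
    if len(parts) >= 3 and parts[0] == "RewriteCond":
        return parts[2].lstrip("!")      # RewriteCond <TestString> <CondPattern> [flags]
    return None


def check_regexes(lines: List[str]) -> List[str]:
    """Compile every pattern with Python's re as a stand-in for Apache's PCRE."""
    problems = []
    for n, raw in enumerate(lines, 1):
        pattern = directive_regex(raw.strip())
        if pattern is None:
            continue
        try:
            re.compile(pattern)
        except re.error as exc:
            problems.append(f"line {n}: regex {pattern!r} does not compile: {exc}")
    return problems


def check_access_compat(lines: List[str]) -> List[int]:
    """Line numbers using Order/Allow/Deny/Satisfy when the file has no Require directive at all."""
    if any(raw.strip().lower().startswith("require") for raw in lines):
        return []
    return [n for n, raw in enumerate(lines, 1) if ACCESS_22.match(raw.strip())]


def filesmatch_hits(pattern: str, names: List[str]) -> List[str]:
    """File names a <FilesMatch> pattern applies to (Apache matches unanchored, like re.search)."""
    return [name for name in names if re.search(pattern, name)]


def lint(text: str) -> Dict[str, list]:
    """Run all checks over the text of a .htaccess file."""
    lines = text.splitlines()
    return {
        "containers": check_containers(lines),
        "regexes": check_regexes(lines),
        "access_compat": check_access_compat(lines),
    }


# Constructed sample: a fragment of the article's rules with the </Files> close lost
# and the cache pattern carrying an unescaped dot and an empty alternative.
SAMPLE_HTACCESS = """\
# PROTECT .HTACCESS FILES
<Files .htaccess>
Order allow,deny
Deny from all
# PREVENT USERNAME ENUMERATION
<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} author=\\d
RewriteRule ^ /? [L,R=301]
</IfModule>
# CACHE IMAGES FOR ONE MONTH
<FilesMatch ".(flv|gif|jpg|jpeg|png|ico|swf|)$">
Header set Cache-Control "max-age=2592000"
</FilesMatch>
"""
SAMPLE_NAMES = ["logo.png", "index.php", "wp-config.php", "style.css"]   # constructed
BUGGY_CACHE = r".(flv|gif|jpg|jpeg|png|ico|swf|)$"
FIXED_CACHE = r"\.(flv|gif|jpg|jpeg|png|ico|swf)$"

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HTACCESS
    for key, found in lint(text).items():
        print(f"{key}: {found or 'ok'}")
    print("buggy cache pattern hits:", filesmatch_hits(BUGGY_CACHE, SAMPLE_NAMES))
    print("fixed cache pattern hits:", filesmatch_hits(FIXED_CACHE, SAMPLE_NAMES))
```

Run it as `python htaccess_lint.py .htaccess` against the file you are about to upload; with no argument it lints the built-in sample, reporting the unclosed `<Files>` on line 2 and the 2.2-style directives on lines 3 and 4, and shows that the buggy cache pattern hits all four sample names while the corrected one hits only `logo.png`. The regex check is a syntax check only; it will not catch a pattern that compiles but matches too much, which is exactly why the `filesmatch_hits` simulation is worth running on a handful of real file names from your install.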
