Essential WordPress htaccess Tips Tricks and Hacks for Beginners and Pro

Essential WordPress .htaccess Tips, Tricks and Hacks for Beginners and Pro: Collection #1

If you maintain a WordPress site, here are some essential WordPress .htaccess tips, tricks and hacks for you. .htaccess is a per-directory configuration file used on web servers running the Apache Web Server software. When a .htaccess file is placed in a directory that Apache serves, Apache detects the file and applies its directives to requests for that directory and its subdirectories. Let’s get started with the WordPress .htaccess tips and tricks:

#1 How do I force a website to use SSL?

To force all web traffic to use HTTPS, insert the following lines of code in the .htaccess file in your website’s root folder:

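RewriteEngine On
# Only redirect requests that did not arrive over HTTPS
RewriteCond %{HTTPS} !on
# Leave certificate domain-control-validation (DCV) requests on plain HTTP
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
# Permanent redirect to the same host and path over HTTPS; stop processing further rules
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]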

#2 How to disable directory listing?

It is not safe if someone can browse your server files just by entering a directory URL such as http://your-site.com/wp-content/plugins/plugin-name/.

To disable the directory listing for a specific directory, add the following settings in the .htaccess file:

Options -Indexes

#3 How to redirect a dynamic URL to a static file?

Most of the time, dynamic URLs are not cached, and they are sometimes targeted by attackers. You may also have to change the URL parameters of a service from time to time, for example for affiliate referrals. In such a case, you may need to point the old dynamic URL to a static file that shows a notice with proper instructions. When an old, expired dynamic URL still receives too many requests, this redirection reduces server load and keeps your page loads and services seamless.

You need to add the following code to the .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Match key=value as a complete query-string parameter, wherever it appears
RewriteCond "%{QUERY_STRING}" "(?:^|&)key=value(?:&|$)"
# Serve the static notice page for every matching request
RewriteRule "(.*)" "static-file.html" [PT]
</IfModule>

The code above checks the query string of every request for the key and value and, if they match, points the request to the static HTML file static-file.html.

#4 How to block HTTP access to all files in a directory?

What if you need to keep some files in a web directory for private use by your scripts, and you don’t want any direct HTTP access to the files in that directory? In such a case, use the Files directive and disallow access to all files. Create a .htaccess file with the following code in the directory where you want to block access:

<Files *>
  Deny from all
</Files>

The code above will block all HTTP requests to files in that directory. If you want to block access to specific file types only, match on the file extension instead. For example, to block direct access to all JSON and CSV files, use the following code:

<Files ~ "\.(json|csv)$">
  Deny from all
</Files>

You can also target a single file, such as xmlrpc.php:

<Files xmlrpc.php>
   deny from all
</Files>

However, if you want to exclude some file types and keep them publicly accessible, add the following code after the code above in the same .htaccess file:

<Files ~ "\.png$">
  Allow from all
</Files>

It will allow public access to all PNG files.

#5 How to prevent site access from certain IP addresses?

If you have annoying visitors, site scrapers, spammers or attackers, you may find it useful to block them from accessing your website content. To block such visitors by IP address, add the following code to the .htaccess file:

<Files *>
order allow,deny
allow from all
deny from xxx.xxx.xxx.xxx
deny from xxx.xxx.xxx.xxx
</Files>

Replace xxx.xxx.xxx.xxx with the IP address you want to block.
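The rules in #4 and #5 use the Apache 2.2 access directives (Order, Allow, Deny), which Apache 2.4 only accepts through the mod_access_compat module. The following is an added example, not code from the original article, showing the same restrictions written with Apache 2.4's Require directives as two separate .htaccess files; the two IP values are constructed placeholders from the documentation address ranges.

```apache
# Added example (not from the original article): Apache 2.4 equivalents of
# the rules in #4 and #5. Use one style per file; the Apache documentation
# discourages mixing Require with Order/Allow/Deny.

# ===== File 1: .htaccess in the site root =====

# #5: allow everyone except the listed client addresses.
# 192.0.2.10 and 198.51.100.0/24 are constructed documentation addresses;
# replace them with the addresses you want to block.
<RequireAll>
    Require all granted
    Require not ip 192.0.2.10
    Require not ip 198.51.100.0/24
</RequireAll>

# #4: no direct HTTP access to JSON and CSV files.
<FilesMatch "\.(json|csv)$">
    Require all denied
</FilesMatch>

# #4: no direct HTTP access to one named file.
<Files "xmlrpc.php">
    Require all denied
</Files>

# ===== File 2: .htaccess inside the private directory =====

# #4: deny every file in this directory by default.
Require all denied

# #4: exception that keeps PNG files public. File sections are merged after
# the directory-level rule, so this Require replaces the deny for PNG files.
# Authorization rules are not inherited by default (AuthMerging Off), so the
# exception is also open to the addresses blocked in File 1.
<FilesMatch "\.png$">
    Require all granted
</FilesMatch>
```

Do not paste both files into one .htaccess: several Require directives at the same level are treated as alternatives, so the blanket deny would no longer apply.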

#6 How to block spammers from making posts on your blog?

Almost every self-hosted WordPress site gets lots of spam comments, and trashing them each day is frustrating. You can block or reduce them through your .htaccess Apache configuration file.

Most spammers do not submit comments through the comment box on the blog post; they post directly to your wp-comments-post.php file. Here is how you can prevent them from attacking your blog with spam and, at the same time, stop the unnecessary server load.

Find the .htaccess file in the root of your WordPress installation folder and add the following rules at the end of the file:

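# Protect from spam comments
<IfModule mod_rewrite.c>
  RewriteEngine On
  # Only comment submissions: POST requests to wp-comments-post.php
  RewriteCond %{REQUEST_METHOD} POST
  RewriteCond %{REQUEST_URI} /wp-comments-post\.php
  # ...whose Referer is not your own site, or whose User-Agent is empty
  RewriteCond %{HTTP_REFERER} !.*your-domain-name.* [OR]
  RewriteCond %{HTTP_USER_AGENT} ^$
  # Redirect the client back to its own IP address
  RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]
</IfModule>

However, you must replace your-domain-name with your domain name. Keep in mind that the Referer and User-Agent headers are supplied by the client, so these rules only stop bots that send a missing or foreign Referer or an empty User-Agent.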

#7 How to protect WordPress media files from direct HTTP access?

When you are using WordPress Download Manager, you don’t need to worry about editing the .htaccess file manually; you can simply do this from the media manager.

When you click on a media file you will see an option like the following image:

[Image: WordPress Media File Protection - using .htaccess rules]

Simply click the green button labelled “PROTECT THIS FILE” to control access to that file. New options for controlling access to the file will then appear, as in the following image:

[Image: WordPress Media File Protection - Access Control Options]

As you can see there, you can set a password or select user roles to allow access. Finally, click the “APPLY RESTRICTIONS” button to apply the restrictions.

Let’s say you set a password and save it by clicking the “APPLY RESTRICTIONS” button. Now, when someone opens the media file URL, it will ask for the password, like this:

[Image: WordPress Media File Protection - Media Password]

Finally, as you can see, all these WordPress .htaccess tips, tricks and hacks come in handy for site owners who want to keep the site clean and its services seamless. Most of them relate to file access control, which you don’t need to do manually by editing the .htaccess file when you are using WordPress Download Manager: as shown above, you can control media file access using the media access control option, and for other server file access control you can use the WPDM asset manager. You will find details about asset managers in the following article:

