WordPress htaccess: The Definite Guide

WordPress htaccess file needs tweaking for security and performance. To make things easy, here is a ready-made WordPress htaccess that anyone can use

Can I ask you - is your WordPress htaccess is in a good shape?

  • Do you have the essential security rules in place?
  • Do you know what you should have there?
  • Are you afraid to touch the whole darn thing?

No worries - after reading this post you will know the answers. You will know exactly what kind of htaccess file you should have. I will not bore you with technicalities, or go into details that you don't need, but instead - I give you the solution, right now:

Ultra Quick Intro to htaccess

  • .htaccess is the default name of a directory-level configuration file for a web server
  • it was originally created for per-directory access control, but nowadays htaccess can include many other configurations, mostly related to content control.
  • The file name is .htaccess ("dot htaccess"). Don't forget the "dot". In some operating systems, the files beginning with "dot" might be hidden, so keep that in mind.
  • the name of the htaccess-file can be changed by configuration (which is wise for security, but beyond the scope of this article).
  • .htaccess overrides the rules in the main configuration file, usually called httpd.conf.
  • for performance, it's better to use httpd.conf -file, but on shared hosting, the webmaster doesn't usually have access to the main configuration -file and needs to rely on .htaccess.
  • if you DO have access to httpd.conf, all non-directory specific rules should go into httpd.conf instead of .htaccess.

I promised I won't bore you with details you don't need, so that's it - in fact, you don't even need all the above, but I couldn't call this article definite guide if I didn't add some of that stuff in... If you want to know even more, check the links below on this post for all the htaccess information you'll ever need and then some.

WordPress htaccess

Good, default WordPress htaccess looks like this:

# BEGIN htaccess
# Protect the htaccess file
<Files .htaccess>
Order Allow,Deny
Deny from all

# Protect the htaccess file
<Files wp-config.php>
Order Allow,Deny
Deny from all

# Disable directory browsing
Options All -Indexes

# Enable the following of symlinks
Options +FollowSymLinks

<IfModule mod_headers.c>
# No ETags, No Pragma
Header unset Pragma
Header unset ETag
# Make sure proxies deliver correct content
Header append Vary User-Agent env=!dont-vary
# Ensure proxies deliver compressed content correctly
Header append Vary Accept-Encoding

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
# END htaccess

WARNING: The redirect rules at the end might be different in case you've installed WordPress in a directory and/or run several blogs from the same domain. If WordPress has already added mod_rewrite -rules into the .htaccess -file (similar to above), DO NOT delete/edit them.

With these rules in place we have the basic security in place

  • .htaccess file itself is protected,
  • WordPress wp-config.php is protected, and
  • directory browsing is disabled.

Apart from the security, we just need the default WordPress redirect rules (the last rules there).

Add More Rules as Needed

The rules above are the starting point and suitable for any blog. As said, the default rules are what any WordPress blog needs. If you do nothing else, but add the rules I showed above, you will be fine. The following posts are for the tech-heads, geeks and crazy tweakers like me:

Editing the htaccess from WordPress Dashboard

I don't recommend using a plugin that creates htaccess, because you don't really need to use such a plugin, but you can use a plugin that allows you to edit it easily from the Dashboard, so you don't have to mess with FTP or SSH if you don't have to.

From the WordPress plugins I use and recommend, Robots Meta offers just that (in addition to all the useful things it does for SEO and stuff). With Robots Meta, you can edit the htaccess file from the plugin settings (just remember to back up the content before editing and saving).

Advanced users should always use FTP or SSH to edit the files.

WordPress htaccess and W3 Total Cache

With the default rules in the htaccess,

  • we can let W3 Total Cache add the rules it needs for Browser Cache, and
  • we don't necessarily need to (manually) add the .htaccess rules for performance.

Also, se can add other .htaccess rules for blogs, but we can skip the mod_deflate / Expires rules.

The rules added by W3 Total Cache are *not* optimal, but they're good enough. And since editing .htaccess is quite technical, and hard for many WordPress bloggers out there, it's good that non-techies don't need to touch it too many times.

For tech people, there's still the option to just disable Browser Cache -option in W3TC, and tweak the caching/proxy settings manually, and this is the best option for website performance. BUT for the "average blogger", the rules above + the rules added by W3TC are everything they need.


Add the rules I presented above to your .htaccess -file before installing W3 Total Cache (or add them in by replacing everything else but the W3TC rules). Always take backup of your blog AND the htaccess before editing the file.

If your site "dies" after editing the file, you probably did something wrong - restore the backup (or add only the rules in this post in) and try again. It's not hard, but be careful when deleting / modifying the rules already in the file, as some rules can and will be, site-specific.


I hope I managed to present the kind of htaccess rules that every WordPress blogger could use. With the feedback from my earlier posts with htaccess rules for WordPress, while they were highly useful and comprehensive, I learned that some parts of them were complicated for the "technologically challenged".

Thus, the rules in this post make up for what I think is, truly essential WordPress htaccess. Beyond this, it's tweaking and tuning, adding your personal favorites, etc.

What do you think? And also: Did these .htaccess rules work for your blog?

Posted by

Topic: WordPress Optimization
Tags: , ,

If you enjoyed this post, sign up for updates (it's free)

Feedback, questions and comments are also welcome on my Facebook page