What is the .htaccess File in WordPress? (And How to Use It)

The .htaccess file is a configuration file you can use to modify the configuration of Apache web servers. It’s a text file with rules that allow you to set up redirects, ensure that your site is reachable via HTTPS, and increase the security of your site. Essentially, it controls how your server runs. 

In this guide, we’ll show you how to find the .htaccess file or create it manually when necessary. Then, we’ll look at how to edit it and the most important settings you’ll want to configure for your WordPress site. Let’s get into it!

What is the .htaccess File?

The .htaccess file is a configuration file that allows you to modify information or add options for Apache web servers. One of the most common uses of the .htaccess file is to set up redirects for certain URLs. However, there are many other uses, as you’ll learn about below. 

In practice, .htaccess is a simple text file, but its real power is that it allows you to modify the configuration of Apache web servers without touching the main server configuration. Every web server, like Apache, has its own configuration file, and each configuration file has its own rules.

Note: Not all web servers use the .htaccess file. If your WordPress hosting provider uses Nginx or something else, then your site will not have a .htaccess file. These servers handle configuration differently.

How WordPress Uses the .htaccess File

WordPress automatically creates and modifies the .htaccess file for certain functions. The most common use is managing your site’s permalink structure. When you go to Settings > Permalinks in your WordPress dashboard and choose how you want your URLs to look, WordPress writes rules to your .htaccess file to make that happen.

For example, when you switch from the default permalink structure, which looks like yoursite.com/?p=123, to the Post name structure, which looks like yoursite.com/sample-post/, WordPress automatically rewrites your .htaccess file with rules that tell Apache how to handle these clean URLs. This process is called URL rewriting, and it’s one of the most powerful features of the .htaccess file.

Beyond permalinks, many WordPress plugins also interact with the .htaccess file. Caching plugins like W3 Total Cache often add rules to serve cached versions of your pages more efficiently. WordPress security plugins can add rules to block suspicious IP addresses, and plugins that handle redirects will modify .htaccess to send visitors from old URLs to new ones.

Where is the .htaccess File Located?

To edit the .htaccess file, first you need to know how to find it. Your .htaccess file is located in the root directory of your WordPress installation. This is typically a folder called public_html, www, or htdocs, depending on your hosting provider.

You can access your site’s files using the file manager that’s integrated into your hosting control panel, such as cPanel. Or you can connect to the server via FTP with a client like FileZilla or Cyberduck. In this tutorial, we’ll use file manager since it’s the quickest solution.

Note that the .htaccess file is always in the root directory, but the folder may have a different name depending on your web hosting provider. Remember that rules added to the .htaccess file affect all subfolders. So if you only want to apply rules to a specific subfolder, you can add the .htaccess file to that subfolder.

How to Show Hidden Files

Files like .htaccess are hidden files. In Unix/Linux operating systems, a period is used in front of the file name to hide it. If you can’t see it, you need to check that the option to show hidden files is enabled.

If you’re using cPanel File Manager, then log in to cPanel and click on File Manager. Then click on Settings and check that the Show Hidden Files (dotfiles) option is checked. Click Save.

If you’re using FileZilla (or a similar tool like Cyberduck), click on the Server drop-down in the main menu and check the Force showing hidden files option. Then confirm that you want to activate the option through the window that appears.

The Default WordPress .htaccess File

Before proceeding, if you cannot find the .htaccess file even after enabling the options to show hidden files, it’s possible the file was not created in the first place. In this case, there are two alternatives. You can make WordPress generate an .htaccess file, or you can manually create the .htaccess file.

1. Generate the .htaccess File with WordPress

The quickest way to create an .htaccess file with the default information is to let WordPress do it. Simply log in to WordPress and click Settings > Permalinks. Then click on Save changes at the bottom of the page. WordPress will automatically generate the .htaccess file.

Note that if there are any errors, you will see a warning, in which case you’ll have to create the file manually.

2. Create the .htaccess File Manually

Creating the .htaccess file for WordPress manually is just as simple. Access your site’s files via file manager (or another option) and open the folder where you want to create the file. In most cases, the folder will be public_html.

Then, click on + File or New File. Enter the file name .htaccess and click Create new file. After creating it, right-click on the file and click Edit.

In the empty file, paste this code:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Note: This is the default .htaccess code that WordPress uses for standard permalink functionality.

How to Edit the .htaccess File

Now that you’ve seen how to find the .htaccess file, it’s time to start editing it. Since it’s a text file, you can edit the .htaccess file very easily. Before modifying the file, however, it’s a good idea to create a backup copy so that you can restore the previous .htaccess file in case there are errors.

We have several options. You can edit the .htaccess file directly from the FTP client or file manager, or use a WordPress plugin that allows you to edit the file directly from WordPress. Keep in mind that WordPress SEO plugins like Yoast SEO and Rank Math already have the ability to edit the .htaccess file. If you already use one of these plugins, you don’t need to install a separate plugin to edit the .htaccess file.

Editing from File Manager

To edit the .htaccess file with file manager, just right-click on the file and then click Edit. A text editor will open in your browser showing the current contents of your .htaccess file. You can make your changes here. After making your changes, click Save. The new rules will take effect immediately.

Editing from FTP

If you prefer working with local files, connect to your server using your FTP client and navigate to your root directory. Right-click on the .htaccess file and select Download to save it to your computer.

Open the downloaded file with a text editor like Notepad or TextEdit (make sure it’s set to plain text mode). Make your edits, then save the file. Then, go back to your FTP client and upload the modified .htaccess file to your server, overwriting the old version.

Editing the .htaccess File with Rank Math

The Rank Math plugin includes an editor that allows you to edit the .htaccess file directly from the WordPress admin area. If you’re already using this plugin, then go to Rank Math SEO > General Settings. Then, click Edit .htaccess and check the box that says, I understand the risks and I want to edit the file.

From here, you can edit the file and save it by clicking Save Changes. You can also reset the file to its default settings at any time by clicking Reset Options.

Different Ways to Use/Modify the .htaccess File

We can use the .htaccess file for several purposes. You can set up redirects, password-protect a folder, show custom error pages, disable execution of PHP files, disable XML-RPC, prevent image hotlinking, disable directory listing, and block access to configuration files. We’ll show you how to do all this and more below.

Note: The rewrite examples below start with the line RewriteEngine On. This helps you understand where to insert the code, but once you’ve inserted it, you don’t need to repeat this line throughout the file.

Redirect from HTTP to HTTPS

Editing the .htaccess file is one of the steps you need to take when you want to switch from HTTP to HTTPS. By adding this code to the .htaccess file, we can set up a 301 redirect from the HTTP version to the HTTPS version.

Here’s the code to enable this redirect:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*)$ https://www.yourdomain.com/$1 [L,R=301]

You’ll need to replace “www.yourdomain.com” with your domain. This ensures that visitors (and search engines) are redirected to the secure version of the site.

Redirect from WWW to Non-WWW

If you want visitors to “www.yourdomain.com” to be redirected to the non-www version “yourdomain.com”, you can use this code:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.yourdomain\.com$ [NC]
RewriteRule ^(.*)$ https://yourdomain.com/$1 [R=301,L]

Simply replace “yourdomain.com” and “www.yourdomain.com” with the correct domain, keeping the backslash before each dot in the RewriteCond pattern so the dot is matched literally.

Redirect for Domain Change

If we change domains, we need to make sure we set up a redirect. This way, anyone trying to reach the old address will be redirected to the new one. Here’s the code to use:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^olddomain\.com$ [NC,OR]
RewriteCond %{HTTP_HOST} ^www\.olddomain\.com$ [NC]
RewriteRule ^(.*)$ https://www.newdomain.com/$1 [R=301,L]

Enter your previous domain in place of “olddomain.com” and your new domain in place of “newdomain.com”, keeping the backslash before each dot in the RewriteCond patterns.

Single Page Redirect

To 301 redirect a page to a new address, you can use this code:

Redirect 301 /old-page https://www.mysite.com/new-page

Let’s take an example. To redirect “supporthost.com/redirects/” to “supporthost.com/redirect/”, we would insert this code:

Redirect 301 /redirects/ https://supporthost.com/redirect/

Password Protect a Folder

We can set a username and password combination to protect access to a folder. This requires two steps: creating a password file, then adding code to your .htaccess file.

First, we need to create a password file called .htpasswd that contains the username and an encrypted (hashed) password, like this: user:encrypted_password. We can generate the encrypted password with an htpasswd generator tool. Enter your desired username and password into the generator. The tool will give you a line of text that looks like this: user:czOHsdLewzkk6.

You should store this file outside your public_html directory for security. For example, you could place it in a directory like /home/user/private/.

Now, in the specific folder you want to password protect, create a new .htaccess file (or edit the existing one if there is one). If you want to password protect your entire site, then you can edit the .htaccess file inside public_html. For example, if you want to password protect a folder at public_html/members-only/, you would create or edit the file at public_html/members-only/.htaccess with the code below.

Here’s the code you want to add:

AuthType Basic
AuthName 'Restricted Area'
AuthUserFile /home/user/private/.htpasswd
Require valid-user

Make sure you replace /home/user/private/ with the path to the location of your .htpasswd file. Note that this isn’t the URL path, it’s the file system path on your server.

Set Up Custom Error Pages

We can create error pages to display to visitors when an address cannot be found or when a particular resource cannot be accessed. Note that you can create custom error pages directly from cPanel. However, we’ll show you how to do it manually.

The first thing to do is create the error page by creating an HTML file and then uploading it to the server. After that, we can edit the .htaccess file. Open the .htaccess file and insert this code:

ErrorDocument 403 /errors/403.html

Replace /errors/403.html with the path to the error page. Instead of the default error page, the custom page you created will be shown.

Disable PHP File Execution in WordPress

The .htaccess file also allows us to modify the site’s configuration to improve WordPress security. One thing we can do is prevent PHP files from being executed in certain folders. For instance, we can disable the execution of PHP files in the WordPress uploads folder.

In this case, we just need to create an .htaccess file to insert in wp-content/uploads/ with the following lines of code:

<Files *.php>
deny from all
</Files>

You can repeat the same procedure for all the folders where you don’t need to run PHP files.

Disable XML-RPC

The XML-RPC file is a PHP file that allows you to access WordPress remotely. Since more secure systems are now available thanks to the integration of REST APIs, you might want to deactivate this file to reduce security risks. If it’s not blocked on your hosting service, you can do so by adding this code to your .htaccess file:

<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

Disable Hotlinking

You don’t want other sites to be able to embed images on their site that are actually hosted on your server. Hotlinking uses your server’s resources and can slow down your site and cause excessive resource consumption (which could mean higher hosting fees). By inserting this code into the .htaccess file, you can disable hotlinking:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https://(www\.)?domain\.com(/|$) [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

Make sure you replace “domain.com” with your domain, keeping the backslash before the dot.

Disable Directory Listing

We can prevent users from seeing the contents of folders, such as folder structures and file names, by blocking the directory listing feature. To do this, simply insert this line into the .htaccess file:

Options -Indexes

Block Access to wp-config.php and .htaccess

Since wp-config.php (for WordPress sites) and the .htaccess file are very important configuration files, it can be useful to block unauthorized access to these files. To block access to wp-config.php, add this code to the .htaccess file:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

To block access to the .htaccess file, we can use this:

<Files .htaccess>
order allow,deny
deny from all
</Files>
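
The deny rules in the Disable PHP File Execution, Disable XML-RPC and Block Access sections use the Apache 2.2 access syntax, and the uploads rule matches only names ending in .php. The following is an added example, not code from the original article, that restates them so they also work on Apache 2.4 and cover other PHP-handled extensions; the extension list is an assumption to adjust for your host.

```apache
# ---- File 1: wp-content/uploads/.htaccess ----
# Deny any file with a PHP-handled extension, not only *.php.
# Assumption: php, php plus one digit, phtml and phar are the extensions
# your host maps to PHP; adjust the list to the server's handler setup.
# (\.|$) also matches names like "photo.php.jpg", which mod_mime can still
# pass to PHP when the handler is registered with AddHandler.
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar)(\.|$)">
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# ---- File 2: .htaccess in the WordPress root ----
# One rule for xmlrpc.php, wp-config.php and every .ht* file
# (.htaccess and .htpasswd). The pattern is matched against the file name only.
<FilesMatch "^(xmlrpc\.php|wp-config\.php|\.ht.*)$">
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

Require needs AllowOverride AuthConfig and Order/Deny needs AllowOverride Limit. If your host does not grant these, Apache answers with a 500 error, so request one blocked file and one normal page right after uploading each file.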

.htaccess and WordPress FAQs

What’s the default .htaccess file for WordPress?

The default WordPress .htaccess file contains the basic rewrite rules needed for permalinks to work. It includes rules that tell Apache to rewrite URLs so that your pretty permalinks work correctly, routing all requests through WordPress’s index.php file while still allowing direct access to files and directories.

Can I delete my .htaccess file?

You can delete your .htaccess file, and your site will probably still work, but you’ll lose some functionality. Without an .htaccess file, your permalinks will stop working, and any custom redirects or security rules you’ve set up will no longer function. If you delete the file by accident, you can easily create a new one using the methods described earlier in this article.

My hosting uses Nginx. Do I need .htaccess?

No, if your server uses Nginx instead of Apache, you don’t need an .htaccess file because Nginx doesn’t use them. Nginx uses a different configuration system. If you need to set up redirects or other rules on an Nginx server, you’ll need to contact your hosting provider or modify the Nginx configuration files directly.

How do I fix .htaccess errors?

If your site goes down after editing .htaccess, the quickest fix is to restore your backup copy of the file. If you didn’t create a backup, you can delete the .htaccess file entirely, then let WordPress regenerate a clean version by going to Settings > Permalinks in your WordPress dashboard and clicking Save Changes. If you’re seeing a 500 error, it’s almost always caused by a syntax error in your .htaccess file.

Is it safe to edit .htaccess?

Editing .htaccess is safe as long as you follow proper precautions. Always create a backup before making changes, test your site immediately after editing, and only add code from trusted sources. The .htaccess file is powerful, which means mistakes can break your site, but as long as you have a backup, you can always restore the working version if something goes wrong.

Closing Thoughts: Editing the .htaccess File for Your WordPress Site

As we’ve seen, the .htaccess file is incredibly useful for configuring Apache. It allows us to set up redirects for individual resources or the entire site, block unauthorized access to files, protect access to certain resources with passwords, and more.

With this guide, you now have the basics to easily find the .htaccess file and insert the rules you need. Start with simple changes like setting up redirects, and as you get more comfortable, you can experiment with more advanced configurations.

Now it’s your turn. Have you ever used or edited the .htaccess file before? Let us know how it’s helped you in the comments.

