How to Use .htaccess File to Secure, Optimize, and Control Redirects in WordPress


.htaccess is among the most critical files in a WordPress site. It defines per-directory rules for your web server and controls access to the files and folders of your WP site. The .htaccess file also plays a pivotal role in enhancing WordPress security and optimization.

This blog will discuss tips and tricks for using the .htaccess file in WordPress for security, redirection, and optimization. But before we move on to the tips, let’s find out what the .htaccess file for WordPress is.

What is a .htaccess File

.htaccess is a configuration file. You can use it to change how the server behaves. The name .htaccess stands for “hypertext access.” You can locate the .htaccess file for WordPress in the root folder of your WP site.


1- How to Secure WordPress Through .HTACCESS File

Security is a prime concern for a WordPress site. Following are some of the most useful .htaccess tricks you can use to add protection layers to your WordPress folders, admin area, and plugin files.

Protect Your WordPress Admin Area

You can protect your WordPress admin area through .htaccess by restricting which IP addresses can access wp-admin. The wp-admin directory carries every file needed to run the WP dashboard.

The wp-admin directory includes administrative functions like plugin usage, theme installation, post writing, etc. Allowing only a limited set of IP addresses to access the wp-admin directory will help you protect your WP website from hackers.

To restrict IP access to the admin area, copy and paste the WordPress .htaccess code below into your .htaccess file for WordPress.

AuthUserFile /dev/null

AuthGroupFile /dev/null

AuthName "WordPress Admin Access Control"

AuthType Basic


order deny,allow

deny from all

# whitelist User1’s IP address

allow from xx.xx.xx.xxx

# whitelist User2’s IP address

allow from xx.xx.xx.xxx

# whitelist User3’s IP address

allow from xx.xx.xx.xxx

# whitelist User4’s IP address

allow from xx.xx.xx.xxx

# whitelist User5 IP address

allow from xx.xx.xx.xxx


In the code above, ‘User1’, ‘User2’, etc., are the users whose IPs you have allowed to access your wp-admin. They can be anyone, such as contributors, admins, editors, visitors, etc. Remember to replace ‘xx.xx.xx.xxx’ with the allowed IPs or your own IP.

Use Password Protection for Your WordPress Directories

You can use the .htaccess file to add password protection to your WP directory. All you need to do is:

· Generate a .htpasswd file through htpasswd-generator.

· Upload the .htpasswd file to the wp-admin folder.

· Make a .htaccess file and upload it to the wp-admin directory.

Insert the following WordPress .htaccess code in the .htaccess file for WordPress:

AuthType Basic

AuthName "Restricted Area"

AuthUserFile /home/public_html/wp-admin/.htpasswd

require valid-user

Don’t forget to replace the “AuthUserFile” path with the location of your .htpasswd file.

Disable Directory Browsing

You can disable directory browsing. When directory browsing is enabled, all the files and folders in the web server’s root are listed, and any visitor can access this listing. Disabling directory browsing prevents hackers from exploring your file structure and directories to detect a vulnerable file.

To disable directory browsing in WordPress, insert the following WordPress .htaccess code in the .htaccess file for WordPress:

Options -Indexes

Disable PHP Execution in Specific Folders

Hackers generally upload backdoor files into the wp-content/uploads or wp-includes folders so that they can execute PHP files there. Executing PHP from these folders aims to damage your website.

To disable PHP execution through the .htaccess file, you have to:

Make a blank .htaccess file.

Save the file and upload it to the wp-includes and wp-content/uploads folders.

Add the following code to the file:

<Files *.php>

deny from all

</Files>


Secure wp-config.php file

wp-config.php is among the essential files, as it carries the access credentials, database name, and other critical data.

To secure the wp-config.php file, insert the following code into the .htaccess file. It blocks web access to the wp-config.php file.

<files wp-config.php>

order allow,deny

deny from all

</files>
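The access rules in this section use the Apache 2.2 Order/Deny/Allow syntax, which Apache 2.4 accepts only when mod_access_compat is loaded. As an added example (not from the original article), here are the same three restrictions in native Apache 2.4 Require syntax; the IP addresses are documentation-range placeholders, the admin-ajax.php exemption is an optional assumption, and each part goes in the .htaccess file of the directory named in its comment.

```apache
# Added example, not from the original article.
# Apache 2.4 (mod_authz_core / mod_authz_host) equivalents of the
# Order/Deny/Allow rules shown in this section.

# --- wp-admin/.htaccess: allow only listed addresses ---------------------
# There is no <Limit> wrapper, so the rule applies to every HTTP method.
# 203.0.113.10 and 198.51.100.0/24 are placeholders; use your own addresses.
<RequireAny>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</RequireAny>

# Optional (assumption): themes and plugins that use front-end AJAX call
# wp-admin/admin-ajax.php from visitors' browsers, so keep it reachable.
<Files "admin-ajax.php">
    Require all granted
</Files>

# --- wp-content/uploads/.htaccess: refuse to serve PHP files --------------
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>

# --- site root .htaccess: block web access to wp-config.php ---------------
<Files "wp-config.php">
    Require all denied
</Files>
```

Use one syntax per file: mixing Require with Order/Deny/Allow in the same .htaccess makes the effective policy hard to reason about.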


Secure WordPress Plugin Files

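As mentioned earlier, plugins are a double-edged sword: they can be helpful, and they can also be a loophole for intruders. To prevent direct access to your WP plugin files, copy and paste the following code into your .htaccess file. Note that the block itself only allows requests for .js and .css files; on its own it blocks nothing, so it needs to be paired with a deny rule for the other files.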

<files ~ "\.(js|css)$">

order allow,deny

allow from all

</files>


2- How to Optimize WordPress Through HTACCESS file for WordPress

Enable Browser Caching

With browser caching enabled, visitors’ browsers store images and other static files from your web pages locally. It means they won’t need to download the same data when revisiting your site. This can contribute to speeding up your WP site.

To enable browser caching, add the following WordPress .htaccess code lines to your .htaccess file for WordPress:


<IfModule mod_expires.c>

ExpiresActive On

ExpiresByType image/jpg "access 1 year"

ExpiresByType image/jpeg "access 1 year"

ExpiresByType image/gif "access 1 year"

ExpiresByType image/png "access 1 year"

ExpiresByType text/css "access 1 month"

ExpiresByType text/html "access 1 month"

ExpiresByType application/pdf "access 1 month"

ExpiresByType text/x-javascript "access 1 month"

ExpiresByType application/x-shockwave-flash "access 1 month"

ExpiresByType image/x-icon "access 1 year"

ExpiresDefault "access 1 month"

</IfModule>



Automatically Correct URL Typo

This tip is magic for visitors who misspell your URL and cannot reach your page. By adding the following WordPress .htaccess code lines to your .htaccess file for WordPress, you enable the CheckSpelling directive, which helps correct typos. The following lines work effectively for small typos, not gross blunders.

<IfModule mod_speling.c>

CheckSpelling On

</IfModule>


Include a Forward Slash to the End of URLs

A URL with a trailing slash, like “url.com/abc/”, indicates a directory. A URL without a trailing slash, like “url.com/abc”, typically indicates a file. So, two look-alike URLs can show different content and produce different experiences. Also, your website might run into duplicate content issues if its URLs are inconsistent.

Including the following WordPress .htaccess code lines in your .htaccess file for WordPress can standardize your URLs. Standardization will force your web pages to end with a slash.

RewriteBase /

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_URI} !#

RewriteCond %{REQUEST_URI} !(.*)/$

RewriteRule ^(.*)$ http://domain.com/$1/ [L,R=301]

Personalize Permalinks for Effective URLs

You can use the .htaccess file for WordPress to edit and personalize permalinks for SEO-friendly URLs. By inserting some code, you can replace boring numbers and strings of symbols with relevant keywords. Customized permalinks let you create clean URLs for organic and high search visibility.

Following are the WordPress .htaccess code lines for customizing permalinks through the default WordPress .htaccess file:

# BEGIN WordPress

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteBase /

RewriteRule ^index\.php$ - [L]

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule . /index.php [L]

</IfModule>


# END WordPress

Increase Upload Size of PHP Files

WordPress generally shows messages such as “exceeds the maximum upload size for this website” or “warning content-length of bytes exceeds the limit” whenever you try to upload a larger file.

By adding the following WordPress .htaccess code lines to your .htaccess file for WordPress, you can ask your server to increase the file upload size. These php_value directives take effect only when PHP runs as an Apache module (mod_php); under other setups Apache rejects them with a server error.

php_value upload_max_filesize 64M

php_value post_max_size 64M

php_value max_execution_time 300

php_value max_input_time 300

3- How to Control Redirects Through .HTACCESS Files

Redirect WWW to Non-WWW and Vice Versa

There are two versions of a WordPress domain: “www” and “non-www”. You have to choose only one to avoid any possibility of “duplicate content.”

If “non-www” is your priority, redirect “www” to “non-www” by adding the following code lines to your .htaccess file for WordPress.

RewriteEngine On

RewriteCond %{HTTP_HOST} !^your-domain\.com$ [NC]

RewriteRule ^(.*)$ http://your-domain.com/$1 [R=301,L]

To use ‘www,’ add the following code to the .htaccess file for WordPress to redirect ‘non-www’ to ‘www.’

RewriteEngine On

RewriteCond %{HTTP_HOST} !^www\. [NC]

RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L] 

Redirect HTTP to HTTPS using .HTACCESS file in WordPress

This technique checks whether HTTPS is enabled on your server. If it is enabled, the request is redirected to your site’s homepage with the query string “https-is-on”.

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteCond %{HTTPS} ^on$ [NC]

RewriteCond %{QUERY_STRING} !https-is-on [NC]

RewriteRule (.*) /?https-is-on [R=301,L]

</IfModule>


To redirect every request to the HTTPS protocol (when HTTPS is enabled), you can use the following:

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteCond %{HTTPS} off

RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

</IfModule>


Redirect from an Old to a New Domain

It is quite common to redirect site visitors to a new location. You can use the below rule for this:

# redirect from old domain to new domain

RewriteEngine On

RewriteRule (.*) http://www.new-domain.com/$1 [R=301,L]

How To Edit .Htaccess With Cloud Pages

To edit your .htaccess using CloudPages, first, you need to reach the dashboard through the server.

Now, click the ‘file manager’ of the website.

Now that you have reached the public_html folder, you will find your .htaccess file here. Make whatever changes you want.

Now save all the changes.

.Htaccess Rule to Remember

.htaccess is fully supported on the Litespeed interface, while it is not supported on the OpenLite interface.


We have disclosed the top .htaccess tricks you may need for your WordPress site. You can use these .htaccess tips to secure, optimize, and redirect your WP site. Also, ensure you don’t take any chances with the .htaccess file for WordPress. A single error can damage your website, so it’s important to make a backup of your .htaccess file and track all your changes.
