Ultimate .htaccess Hacks to Supercharging your WordPress websites

There are several ways to improve your WordPress websites. Once you are done playing with the WordPress dashboard, plugins and themes then you must take a look to .htaccess. The .htaccess file is the easiest and the cheapest (actually it’s free!) solution to supercharging your WordPress websites but there are also some basic Apache knowledge requirements.

Whats is .htaccess in WordPress

The .htaccess is a distributed configuration file, and is how Apache handles configuration changes on a per-directory basis. WordPress uses this file to manipulate how Apache serves files from its root directory, and subdirectories thereof.

NOTE: .htaccess in Windows based hosting is a different story altogether. This article pertains to Linux based with LAMP hosting service only!

Backupt it first!

Working with an .htaccess file can be a bear. Sometimes it feels like a game of guess and check. And other times, you’re ready to pull out your hair if you see another 500 error. Before you make any changes, it might be a good idea to take a backup of your .htaccess. If something gets messed up, you can always replace the hacked .htaccess with the original one.
Today we’re going to take you through a guided tour of an example htaccess file. We’ll look at some different ways you can use an htaccess file to improve your website.

Ultimate .htaccess Hacks to Supercharging your WordPress websites
Ultimate .htaccess Hacks to Supercharging your WordPress websites

Securing the .htaccess and wp-config.php

This is very simple trick but almost shared hosting’s webmasters doesn’t care about it. The below piece of code will secure your .htaccess, wp-config.php from any kind of external access.

order allow,deny
deny from all
satisfy all

order allow,deny
deny from all

Also, it takes care of the case sensitive characters in the file name like .HtaCCeSs

Clean your WordPress Permalinks for Better SEO

Do you know? All the following URLs will work fine as the various parameters found in the Query String (like the utm_source parameter added by Google Analytics) will simply get ignored by WordPress.

  • https://www.narga.net/?partner=nyt
  • https://www.narga.net/?src=dlvr.it
  • https://www.narga.net/?utm_source=feedburner&utm_medium=feed

These parameters are often added to WordPress URLs by external services that aren’t in your control – for instance, URL shorteners or services that feed your blog to social sites.
You cannot prevent other services from adding new parameters to your URLs but you can always redirect these URLs to the clean versions so that there exists only one version of your URLs on the Internet.

RewriteEngine On
RewriteCond %{QUERY_STRING} .
RewriteCond %{QUERY_STRING} !^(s|p)=.*
RewriteCond %{REQUEST_URI} !.*wp-admin.*
RewriteRule ^(.*)$ /$1? [R=301,L]

It first ignores URLs that have s or p parameters since we don’t want to remove any of the Post IDs (like https://www.narga.net/?p=8412) or the search parameters (like https://www.narga.net/?s=zip) from the WordPress URLs. It also ignores request coming from the WordPress admin dashboard. Finally, we do a 301 redirect thus also passing all the Google Juice to the clean and canonical URL.

Maintenance mode via .htaccess

For WordPress users there are at least three great plugins that make maintenance mode just dead-simple. Even so, here is how to do it with .htaccess.


     RewriteEngine On

     # local ip
     RewriteCond %{REMOTE_ADDR} !^123.456.678

     # server ip
     RewriteCond %{REMOTE_ADDR} !^111.222.333

     # w3c validation
     # RewriteCond %{REMOTE_ADDR} !^128.30.52.

     # maintenance page and assets
     RewriteCond %{REQUEST_URI} !/maintenance [NC]
     RewriteCond %{REQUEST_URI} !\.(jpe?g?|png|gif) [NC]

     # serve default 503 response
     RewriteRule .* http://example.com/maintenance.html [R=503,L]

# serve custom 503 response
ErrorDocument 503 /maintenance.html

     # 3600 = 60 minutes
     # 86400 = 1 day
     # 604800 = 1 week
     Header always set Retry-After "86400"

Some notes about this snippet:

  • Edit the IPs in the first container with your own values
  • The W3C Validator is not allowed unless you uncomment its line
  • Change example.com with your own domain name
  • Edit the Header directive with any amount of time

Improve WordPress Speed with .htaccess

Leverage browser caching

Leverage browser caching to make your webpages faster. If you can leverage browser caching, you can increase website speed considerably.

Getting rid of ETag

ETag technology is known as slow and problematic – even YSlow complains about it. By removing the ETag header, you disable caches and browsers from being able to validate files, so they are forced to rely on your Cache-Control and Expires header.

Header unset ETag
FileETag None

Compress the data served to your visitors

Compressing things always ends up making them smaller and load faster, so implementing some form of compression on your components is a must. This optimization step might not work for you if your server does not have either mod_deflate or mod_gzip installed as part of Apache.

Following is a module that you can directly copy to your .htaccess file to compress that data that is served from your server.


SetOutputFilter DEFLATE

mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*

Hardening WordPress

Stop looking into server folder structures

This is basic .htaccess stuff, says to allow includes and symlinks, but stop indexes.

Options +Includes
Options +FollowSymLinks -Indexes

Deny Access to Spam-Bots Leaving Comments

In case spam-bots leave a comment then the wp-comments-post.php file is hit directly and no referral is generated. The below piece of code will detect such spam activity and send the spam-bot back to its origin. It’s more like (almost) creating your own Akismet!

# Stop spam attack logins and comments
	RewriteEngine On
	RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
	RewriteCond %{HTTP_REFERER} !.*(yourdomain.com|yourdomain.org).* [OR]
	RewriteCond %{HTTP_USER_AGENT} ^$
	RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]

Note: Change yourdomain.com/org to your blog’s URL without www or any other prefix.

Deny Access to All But the Active Theme

General advice is to remove unused themes or plugins. If you’re planning use its late, just disable the ways to access it except actived theme or plugins.

## Whitelist the active theme. Change "active-theme" to the name of your active theme's directory
RewriteCond %{REQUEST_URI} !.*/wp-content/themes/active-theme/.* [NC]
RewriteCond %{THE_REQUEST} !.*/wp-content/themes/active-theme/.* [NC]
## Block access to any directory or document not in the active-theme's directory.
RewriteCond %{REQUEST_URI} ^.*/wp-content/themes/.* [NC,OR]
RewriteCond %{THE_REQUEST} ^.*/wp-content/themes/.* [NC]
RewriteRule .* - [F,L]

## Deny Access to All But Active Plugins
## Whitelist the active plugins.
## Change "active-plugin" in the next two lines to the name of the directory used by one of your active plugins.
## Copy the two lines, paste them below the first two lines and use them to whitelist another plugin. Repeat until all active plugins have been white-listed.

RewriteCond %{REQUEST_URI} !.*/wp-content/plugins/active-plugin/.* [NC]
RewriteCond %{THE_REQUEST} !.*/wp-content/plugins/active-plugin/.* [NC]

## Block access to any directory or document not in the active-theme's directory.
RewriteCond %{REQUEST_URI} ^.*/wp-content/plugins/.* [NC,OR]
RewriteCond %{THE_REQUEST} ^.*/wp-content/plugins/.* [NC]
RewriteRule .* - [F,L]

Completely deny access to the registration and signup scripts

Many bots and hackers attempt to create user accounts with WordPress blogs or to hack into WordPress sites through the signup, registration and login pages. If you want to be really secure, deny access to wp-login.php except from your own IP addresses.

## Registration is disabled so...
## White-list your own IP address/es. Change the numbers!!
RewriteCond %{REMOTE_HOST} !
RewriteCond %{REMOTE_HOST} !
## Uncomment to deny access to wp-login.php
# RewriteCond %{REQUEST_URI} wp-login\.php [NC,OR]
# RewriteCond %{QUERY_STRING} wp-login\.php [NC,OR]
# RewriteCond %{THE_REQUEST} wp-login\.php [NC,OR]
## Leave uncommented to deny access to wp-signup.php and wp-register.php
RewriteCond %{REQUEST_URI} wp-signup\.php [NC,OR]
RewriteCond %{QUERY_STRING} wp-signup\.php [NC,OR]
RewriteCond %{THE_REQUEST} wp-signup\.php [NC,OR]
RewriteCond %{REQUEST_URI} wp-register\.php [NC,OR]
RewriteCond %{QUERY_STRING} wp-register\.php [NC,OR]
RewriteCond %{THE_REQUEST} wp-register\.php [NC]
RewriteRule .* - [F,NS,L]


Do you agree or disagree with any of this post? Do you have additional WordPress .htaccess hacks? We’d love to hear from you. Use the comment form to express yourself.

4 thoughts on “Ultimate .htaccess Hacks to Supercharging your WordPress websites”

Comments are closed.