A to Z of WordPress .htaccess Hacks
Posted on 10. Apr, 2009 by Alex Denning in Security
The .htaccess file allows you to easily improve your blog’s security, reduce bandwith and increase usability. In this post we’re going to look at 26 .htaccess hacks, from A to Z. If you enjoy this post then please grab the WPShout RSS feed!
Remember the golden rule:
Always have a backup!
A – WP- Admin
Your can restrict access to wp-admin by IP:
order deny,allow allow from a.b.c.d # This is your static IP deny from allSource - BlogSecurity.net
B – Blacklist
One of the most important things you can do with .htaccess is blacklist IP addresses. You can do so with the following code:
<Limit GET POST PUT> order allow,deny allow from all deny from 123.456.789 </LIMIT>Source – Perishable Press
C – WP-Config Protection
Your wp-config file contains your database name, your database username and your database password. In other words, you’ll want to keep it secure.
# protect wpconfig.php <files wp-config.php> order allow,deny deny from all </files>Source – Josiah Cole
D – Disable Directory Browsing
# disable directory browsing Options All -IndexesSource- Josiah Cole
E – Explanation
I bet if I asked you to explain exactly what .htaccess is, you’d struggle to tell me exactly. To be honest, until I wrote this, I wasn’t totally sure. Wikipedia explains in a nice, jargon free way:
.htaccess (hypertext access) is the default name of directory-level configuration files that allow for decentralized management of configuration when placed inside the web tree.
The Wikipedia article then goes on, with some examples of common usage:
- Authorization, authentication
- .htaccess files are often used to specify the security restrictions for the particular directory, hence the filename “access.” The .htaccess file is often accompanied by a .htpasswd file which stores valid usernames and their passwords. [3]
- Customized error responses
- Changing the page that is shown when a server-side error occurs, for example HTTP 404 Not Found
- Rewriting URLs
- Servers often use .htaccess to rewrite long, overly comprehensive URLs to shorter and more memorable ones.
- Cache Control
- .htaccess files allow a server to control User agent caching used by web browsers to reduce bandwidth usage, server load, and perceived lag.
F – Feedburner
Feedburner is a blogger’s best friend. Trouble is, directing your feed to it is a bit of a pain. The solution: a .htaccess hack of course!
# temp redirect wordpress content feeds to feedburner <IfModule mod_rewrite.c> RewriteEngine on RewriteCond %{HTTP_USER_AGENT} !FeedBurner [NC] RewriteCond %{HTTP_USER_AGENT} !FeedValidator [NC] RewriteRule ^feed/?([_0-9a-z-]+)?/?$ http://feeds.feedburner.com/nometech [R=302,NC,L] </IfModule>Source – Perishable Press
G – Get an RSS Feed on a static page
This is quite complicated, so check out the source below. In a nutshell it is a way of getting round using Javascript (because it doesn’t do the SEO any good).
Source – adityaspeaks.com
H – Disable hotlinking
Hotlinking. According to Wikipedia, also known as “leeching, piggy-backing, direct linking, offsite image grabs and bandwidth theft”. In other words it is using an image from another site. If people do it to you, it’ll use up your bandwith. You can stop it with the .htaccess hack below.
#disable hotlinking of images with forbidden or custom image option RewriteEngine on RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain.com/.*$ [NC] #RewriteRule \.(gif|jpg)$ - [F] RewriteRule \.(gif|jpg)$ http://www.yourdomain.com/stealingisbad.gif [R,L]Source – Josiah Cole
I – Important!
Yeah, ok, I got a bit desperate trying to find something that begins with ‘I’ 
. But, that doesn’t mean this isn’t useful; it’s very important!
Backup. Always, always make sure you have a backup to hand; the slightest mistake will be fatal.
J – Jauntily show the admin’s email address in error message
SetEnv SERVER_ADMIN email@address.com K – Keep RSS ‘content thieves’ away
It isn’t nice when people steal your content. One of the ways ‘content thieves’ scrape content from sites is by simply using your RSS feed. If you’ve got the scraper’s IP address (which is very easy to do; Google it) then you can use your .htaccess file to block the scraper. The code below redirects a site taking your feed back to another feed (ie their feed). Replace the IP on line two with the offending site’s and the feed on line three with the offending site’s feed.
RewriteEngine on RewriteCond %{REMOTE_ADDR} ^69.16.226.12 RewriteRule ^(.*)$ http://newfeedurl.com/feedSource – Seo Black Hat
L – Limiting number of simultaneous connections
To limit the number of simultaneous connections to a directory or your entire site, use the below line. If you place it in a directory other than the root directory, then it will limit the connections to that directory and its sub-directories only. Placing it in htaccess file of root directory will implement it for entire site.
MaxClients < number-of-connections> Source – Pix.l|ne
M – Maintenance
It doesn’t matter what the reason is, at some point in your life you’ll probably want to make maintenance page. Replace “/maintenance.html” with whatever the url of your maintenance page is and put your own IP address on line three.
RewriteEngine on RewriteCond %{REQUEST_URI} !/maintenance.html$ RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123 RewriteRule $ /maintenance.html [R=302,L]Source – CatsWhoCode/Woueb.net
N – Deny no referer requests [stop spam comments!]
Slightly simpler than the spam-stopping solution under ‘S’, what this hack does is utilise the fact that most spammes use bots coming from ‘nowhere’. The hack checks to see where a comment is coming from, and if it is coming from ‘nowhere’ then it blocks it. Simple.
RewriteEngine On RewriteCond %{REQUEST_METHOD} POST RewriteCond %{REQUEST_URI} .wp-comments-post\.php* RewriteCond %{HTTP_REFERER} !.*yourblog.com.* [OR] RewriteCond %{HTTP_USER_AGENT} ^$ RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]Source – WPRecipes
O – Force files when opening to ‘save as’
If you’re offering files for download then the hack below will be very useful – it forces files to save as instead of opening or streaming.
AddType application/octet-stream .avi .mpg .mov .pdf .xls .mp4 Source – AskApache
P – Protect your .htaccess file.
After you’ve spent all that time protecting your blog from .htaccess attack, the last thing you want to do is leave your .htaccess file itself open to attack!The hack below prevents external access to any file with .hta (or any case insensitive variation). Place the code below in your domain’s root .htaccess file.
# STRONG HTACCESS PROTECTION</code> <Files ~ "^.*\.([Hh][Tt][Aa])"> order allow,deny deny from all satisfy all </Files>Source: Perishable Press
Q – Quicken your site’s loading time by caching
If you’re paying for what bandwith you use, this article can save you cash!
Source – Samaxes
R – Redirect to other pages on your site
RedirectMatch 301 ^/blog/.*$ http://domain.tld/target.html Source – Perishable Press
S - Spam!
.htaccess is great for stopping comment spam, and Jeff over at Perishable Press has put together a huge blacklist you can copy and paste that should stop you getting so much spam! Link.
T – Set the timezone of the server
The hack below lets you set the timezone of the server:
SetEnv TZ America/Indianapolis Source – AskApache
U – Remove /category/ from your category URL
Having /category/ in a category URL seems a bit useless. How do I get rid of it, I hear you cry! A .htaccess hack, of course!
RedirectMatch 301 ^/category/(.+)$ http://www.askapache.com/$1 # OR RewriteRule ^category/(.+)$ http://www.askapache.com/$1 [R=301,L]Source: AskApache
V – Valiantly automatically fix URL spelling mistakes
Yep. I got desperate. Well what .htaccess trick can you think of that starts with ‘v’?
This neat trick will auto-correct simple URL spelling mistakes
<IfModule mod_speling.c> CheckSpelling On </IfModule>Source – Vortex Mind
W – Redirect from http://www.whatever to http://whatever
Using a 301 (permanent) redirect, you can move all visitors to http://www.yoursite to http://yoursite
# permanently redirect from www domain to non-www domain RewriteEngine on Options +FollowSymLinks RewriteCond %{HTTP_HOST} ^www\.domain\.tld$ [NC] RewriteRule ^(.*)$ http://domain.tld/$1 [R=301,L]Source: Stupid htaccess tricks
X – Make your wp-login.php page xenophobic
Xenophobic: “an intense fear or dislike of forigners or strangers”
I think it is quite appropriate to call your wp-login page xenophobic if you install this hack; it won’t let anyone access it apart from yourself!
<Files wp-login.php> Order deny,allow Deny from All Allow from 123.456.789.0 </Files>Source – Reaper-X
Y – Easily rename your .htaccess file
What do you do if your server doesn’t like the .htaccess file format? Rename the .htaccess file! You can rename it to whatever you like, using the code below:
# rename htaccess files AccessFileName ht.accessSource – Perishable Press
Z – Say zygote in your .htaccess file
So you want to be able to put the word ‘zygote’ in your .htaccess file? You’ll be needing to make a comment. Comments are really easy to do, just use # at the beginning of a line, which tells the server to ignore the line.
# see - this is a comment - you can only use letters and numbers and - and _ That is why there are no commasAdditional reading
http://blogsecurity.net/wordpress/article-210607
http://www.askapache.com/htaccess/apache-htaccess.html#htaccess-code-examples
http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/
http://seoblackhat.com/2006/07/14/ip-delivery-to-stop-rss-content-thieves/
http://www.catswhocode.com/blog/10-awesome-htaccess-hacks-for-wordpress
Enjoyed the post? We'll see you on Twitter or in your RSS reader!
WPShout is hosted by the fine folks at WPWebHost.
You can get exactly the same hosting as WPShout has for $7.95/month with WPWebHost's Freedom Plan.
Plus get 30% off the Freedom Plan with the code WPSHOUT.
Alex Denning is the founder of WPShout. A WordPress developer from London, Alex is a keen musician and freelance writer and developer.
You can find Alex on Twitter.
101 Responses to “A to Z of WordPress .htaccess Hacks”
Trackbacks/Pingbacks
[...] A to Z of WordPress .htaccess Hacks Source: Nometech Excerpt: [...]
[...] A to Z of WordPress .htaccess Hacks [...]
[...] A to Z of WordPress .htaccess Hacks (tags: webdev list tutorial wordpress htaccess security) [...]
[...] The A to Z of .htaccess – Alex of Nometech has published an excellent post covering a bunch of information about the .htaccess file. Useful resource to bookmark for any webmaster! [...]
[...] Bookmarked a link on Delicious. A to Z of WordPress .htaccess Hacks | Nometech.com [...]
[...] A to Z of WordPress .htaccess Hacks post presents 26 .htaccess hacks and those are my favorites : [...]
[...] The A to Z of .htaccess – Alex of Nometech has published an excellent post covering a bunch of information about the .htaccess file. Useful resource to bookmark for any webmaster! [...]
[...] A to Z of WordPress .htaccess Hacks | Nometech.com [...]
[...] A to Z of WordPress .htaccess Hacks | Nometech.com [...]
[...] A to Z of WordPress .htaccess Hacks | Nometech.com (tags: WordPress list security htaccess development cheatsheet) Leave a Reply Click here to cancel reply. [...]
[...] The A to Z of .htaccess – Alex of Nometech has published an excellent post covering a bunch of information about the .htaccess file. Useful resource to bookmark for any webmaster! [...]
[...] c. A-Z of WordPress .htaccess hacks [...]
[...] A to Z of WordPress .htaccess Hacks (tags: webdev list tutorial wordpress htaccess security) [...]
[...] A to Z of WordPress .htaccess Hacks | Nometech.com 6:06am | via [...]
[...] 26 .htaccess hacks, from A to Z [...]
[...] 10 hacks .htaccess pour WordPress [...]
[...] bookmarks tagged hacks A to Z of WordPress .htaccess Hacks | Nometech.com saved by 3 others Ginimimi bookmarked on 04/29/09 | [...]
[...] A to Z WordPress .htaccess Hacks: très instructif, faut vraiment que je m’y mette [...]
[...] Source – Nometech.com [...]
[...] Kaynak:Nometech.com [...]
[...] A to Z of WordPress .htaccess Hacks post presents 26 .htaccess hacks and those are my favorites : [...]
[...] Fonte: http://www.nometech.com/blog/a-to-z-of-wordpress-htaccess-hacks/ [...]
[...] to Z of Free WordPress Themes After the success of the last A to Z post here on Nometech, guiding you through an A to Z of WordPress .htaccess hacks, I thought I’d continue the [...]
[...] Source – Nometech.com [...]
[...] A to Z of WordPress .htaccess Hacks [...]
[...] Source – A to Z of WordPress .htaccess hacks. [...]
[...] Source – A to Z of WordPress .htaccess hacks. [...]
[...] A to Z of WordPress .htaccess Hacks | Nometech.com [...]
[...] Source – Nometech.com [...]
[...] Xem thêm – Nometech.com [...]
[...] more from the original source: A to Z of WordPress .htaccess Hacks | WPShout.com Share this on del.icio.usDigg this!Buzz up!Stumble upon something good? Share it on [...]
[...] A to Z of WordPress .htaccess Hacks {57} [...]
[...] A to Z of WordPress .htaccess Hacks {57} [...]
[...] A to Z of WordPress .htaccess Hacks [...]
[...] A to Z of WordPress .htaccess Hacks [...]
[...] A to Z of WordPress .htaccess Hacks | WPShout.com (tags: wordpress htaccess hacks) [...]
[...] A to Z of WordPress .htaccess Hacks [...]
[...] your images and save the bandwidth. You can easily disable hotlinking via .htaccess file. Check the tutorial for disabling Hotlinking and other .htaccess [...]
[...] A to Z of WordPress .htaccess Hacks [...]
[...] A to Z of WordPress .htaccess Hacks Submitted by Editorial Team [...]
[...] A-to-Z of Wordpress .htaccess Hacks Tags: Blogging, Compilação, compilation, hacks, list, lista, Recursos, resources, técnicas, techniques, Tricks, truques, WordPress, WP [...]
[...] a tad awful, as did the design. However, I learnt a lot quickly and found success with an “A to Z of WordPress .htaccess Hacks“. To this day it’s still the most popular post on the site. At this point, the site was [...]
[...] A to Z of WordPress .htaccess Hacks The .htaccess file allows you to easily improve your blog’s security, reduce bandwith and [...]
[...] A to Z of WordPress .htaccess Hacks var topsy_nick = "blpro"; var topsy_style = "big"; var topsy_title = "WordPress Security – A Comprehensive Guide"; var topsy_url = "http://www.bloggingpro.com/archives/2010/04/20/wordpress-security-a-comprehensive-guide/"; [...]
[...] go wrong with your blog, simply delete the new htaccess and upload the old one. Cheers!Thanks to A-Z of WordPress htaccess hacks and Keep wordpress secure for providing some insight in the writing of this tutorial. Bookmark & [...]
[...] 6. How to: Force using SSL on wp-admin directory 7. 10 Easy Ways to Secure your WordPress Blog 8. A to Z of WordPress .htaccess Hacks 9. 11 Best Ways to Improve WordPress Security 10. Protect your WordPress blog using .htaccess 11. [...]
[...] For more .htaccess hacks visit this site. [...]
[...] Tweaks20+ Powerful WordPress security Plugins12 Essential Security Tips and Hacks for WordPressA to Z of WordPress .htaccess Hacks5 Minutes and CountingWordPress claim to a quick and easy installation of 5 minutes still stands. [...]
[...] A to Z of WordPress .htaccess Hacks [...]
[...] add some code to our .htaccess file. First, let’s disable directory browsing. (Source: WPShout). Just add the following line of code to your .htaccess file. # disable directory browsing Options [...]
Leave a Reply
- WordPress Theme Design Basics
- Create An Advanced Options Page in WordPress
- Premium Frameworks Reviewed
- Creating A Tumblog With WordPress
- 10 Practical WordPress Security Tips
- A to Z of WordPress .htaccess Hacks
- WordPress Theme Design Basics
- 10 WordPress Plugins That Every Blog Needs
- 10 Awesome Things To Do With WordPress' Custom Fields
- How To Stop An Eithical Hacker Breaking Into Your WordPress Site
Get The Hosting
WPShout is hosted by the fine folks at WPWebHost who ensure everything runs smoothly.
You can get exactly the same hosting as WPShout has for $7.95/month with WPWebHost's Freedom Plan.
Plus get 30% off the Freedom Plan with the code WPSHOUT.
Get The Look
WPShout uses the WooFramework in order to ensure everything looks lovely and runs properly.
You can get the WooFramework with all WooThemes from $15/month and use the same code as WPShout.
Linda Farmer
10. Apr, 2009
Thanks for the very useful post which I received by subscribing to your feed.
It seems that blog security is becoming even more important an issue and you have provided some great suggestions. I find it very helpful to see the code color illustrated too, helps me understand the syntax … a little! Great job.
I'm going to send this one out on Twitter. Cheers, and remember to expect good things.
Jeff Starr
12. Apr, 2009
Cool approach to delivering a wide variety of htaccess tricks. Gave me a few new ideas to play with – thank you for sharing this article and keep up the good work!
Clinton Montague
14. Apr, 2009
Great list – I have picked up a couple of these and added them to my htaccess, the feedburner one is one that I didn't think of!
John
07. Feb, 2011
Hello, clinton, do you know if all the scripts above can be used on the same htaccess file? or do they have to be on different htaccess files?
Tony Stocco
14. Apr, 2009
Seems like many of the hacks will work with non-wordpress sites too – Great job.
Piet
14. Apr, 2009
thanks for this list, quite a few I didn't know yet and are quite useful – great post!
larryetsitalia
14. Apr, 2009
Very interesting post!
Thanks
Shari Voigt
14. Apr, 2009
I found many useful tips here. Thank you. The redirect to a maintenance page via htaccess is new to me, and one idea I'll implement right away.
Chelsea Darling
15. Apr, 2009
Hahaha, some of these were hilariously desperate. But very useful!
Ariyo
15. Apr, 2009
Excellent post. Thanks
gianiaz
15. Apr, 2009
Very useful, thank you.. just a note, check your syntax highlighter, there are a few parsing errors
John Davis
15. Apr, 2009
Very useful thanks. Nice ‘Z’ tip lol.
Thomas Nadin
16. Apr, 2009
Alot of good information, I especially liked V and W. Had both on an old server but didn't know how to get it working my current one. Thanks.
DazzlinDonna
16. Apr, 2009
Nice list and very clever presentation of it. Curious though why you have 2 'S' entries, with the first S coming between L and M. Did I miss something when I learned my ABCs?
Brian Combs
16. Apr, 2009
Thanks! I took several of these and added them to my .htaccess.
Jonny Ling
16. Apr, 2009
Hi Alex
Great list!! Do you happen to have a hack that lets you re-direct url's containing query strings? I can't seem to get them working! Cheers
Donace
17. Apr, 2009
Awesome list man; I think Jeff's 4g blacklist is out now which is sweet as well; and I ofc would also plug my two articles on the matter:
http://thenexus.tk/a-few-tricks-up-my-sleaves-hta…
http://thenexus.tk/htaccess-reviewed/
Will be implementing a few tricks from here though!
terry
30. May, 2009
hey great post
cMET
04. Jun, 2009
This is a very good post. The best I've seen on this so far.
But please check your post and fix the unclosed tags. There are several "</code" and "</span>" things in the post visible. Shouldn't be
– I can imagine people copying and pasting it and not knowing why it's wrong. 
Thanks anyway, lots of tips and tricks I didn't even think about doing it in htaccess. Which in fact has a lot of functionality that we sometimes forgot is there to do the task for us right from the server (instead of using php scripts of javascript, an awesome htaccess one-liner).
aliplanning
14. Jun, 2009
Thank you to share
AskApache
16. Jul, 2009
Nice post! The “corrupted” email hack-
SetEnv SERVER_ADMIN webmaster@askapache.com
Spunky Jones SEO Strategy
02. Aug, 2009
I have to say that, Deny no referer requests is one of my most favorites so far. After installing, I noticed a nice drop in spam bots trying to comment.
.-= Spunky Jones SEO Strategy´s last blog ..Are You, Losing Web Traffic and Sales Leads? =-.
Tubagus Rusmawan
05. Aug, 2009
hi..
i am new to wp. if i want to use all the .htaccess hacks, can anyone show me how to write all the .htaccess hacks in just one .htaccess file?
Epic Alex
31. Aug, 2009
Hi Alex, Do you know how we can get a plugin/php file to write these to .htaccess, rather than adding them manually?
.-= Epic Alex´s last blog ..Site Redesign Now Live =-.
Alex Denning
01. Sep, 2009
Erm… not really. But I think WP Super Cache writes to the .htaccess, suggesting it can be done; you might want to check that out.
Comment Name Violation
15. Sep, 2009
Hey Alex, this is probably one of the most extensive list of resources pertaining to .htaccess file that I have encountered in a long time. You made so many things clear regarding how to safeguard and enhance one’s site by proper integration of .htaccess. Thanks a lot for this great and comprehensive information! I am looking forward to reading more of your helpful posts.
Alex Denning
16. Sep, 2009
Thanks! Be sure to check out the ton of other stuff that has been published after this post went up about six months ago!
Chris
30. Sep, 2009
Wow, this list is pure gold. I’m not exactly sure where to start!
b00m
20. Oct, 2009
Hi there Alex,
What if I want to change this:
to
I want to hide the root address…Can .htaccess execute like that?
If can, can You give me some example how to do it. tnx
Alex Denning
20. Oct, 2009
Wrapped the code in code tags
Unless I’m misunderstanding you, you’ll just want to change that in the header.php file, literally, what you’ve written above.
JP
22. Jan, 2010
it doesn’t work. It used to work in wordpress but for some odd reason you have to put the full url in the href :/
Satnikove skrine
18. Dec, 2009
Nice man, thank you.
salsabel
13. Feb, 2010
Cool. Thanks for the complete list.
dacaprice
15. Feb, 2010
Thanks. This post really helped me understand how .htaccess can help protect my site.
Mr.Tung
29. May, 2010
hi, I can’t make a .htaccess file to protect wp-Config.php file. I do but My web error…I don’t know, what should I do!?
Alex Denning
03. Jun, 2010
Email your host; you might not have permission to create one.
Jennifer Ray
14. Jun, 2010
Oops, the collection list is awesome, I’ve bookmarked it, it will help me alot, thanks
ersineser
08. Aug, 2010
thanks. i have learned much things about .htaccess file.
Dan
22. Aug, 2010
I need to prevent users that are not logged in from downloading files. How can I do this?
Thank you for the help!
Ravem
31. Aug, 2010
ZYGOTE!
SUSHUAHSUHUASHUAHSHAUSHAS
GREATEST EVER =)
Nice tips, congratz man
Rob
30. Nov, 2010
Some really usefull .htaccess rules all in one place! thanks
jenson
13. Jan, 2011
Hi alex, thanks for good sharing. But, i had small question and who know it could be tricky permalink.
Sample : domain.com/search/keyword-keyword.html
the question is, how to change the slash icon after search word. I wanna make the permalink be like this :
domain.com/search-keyword-keyword.html
/search/ change to /search-
Please feel free to reply to my email : doank_23@yahoo.com
timing fx
30. Jan, 2011
waw very good, I can get a lot of knowledge about htaccess and I think it is in need for beginner blogger like me
David Ashforth
14. Sep, 2011
Superuseful… Way more info than all the other pages about htaccess.
My favorite = Xenophobic: “an intense fear or dislike of forigners or strangers”
I don’t get out much
Sennik
14. Nov, 2011
What is it the best method to protect WordPress by .haccess file ?
Bridgette Anne Murray
04. Dec, 2011
Now, this will be definitely helpful to know for my wonder wheeler site… thanks a bunch!
bloganize
19. Jan, 2012
Great .htaccess tips. I’ll apply it on my blog.
Alex Denning
10. Apr, 2009
Glad you like it Linda! Appreciate you sharing it and subscribing to the feed.
<plug>I'm on Twitter too – http://twitter.com/alexdenning </plug>
Alex Denning
16. Apr, 2009
Oops. Thanks for the heads up!
Alex Denning
16. Apr, 2009
Err can't say I do; I'm not too much of an expert, perhaps someone else could help you out [HINT!]
Alex Denning
16. Apr, 2009
Cheers. I'll probably change it for the next post.