Skip to content

A to Z of WordPress .htaccess Hacks


The .htaccess file allows you to easily improve your blog’s security, reduce bandwith and increase usability. In this post we’re going to look at 26 .htaccess hacks, from A to Z. If you enjoy this post then please grab the WPShout RSS feed!

Remember the golden rule:

Always have a backup!

A – WP- Admin

Your can restrict access to wp-admin by IP:

order deny,allow allow from a.b.c.d # This is your static IP deny from all

Source –

B – Blacklist

One of the most important things you can do with .htaccess is blacklist IP addresses. You can do so with the following code:

<Limit GET POST PUT> order allow,deny allow from all deny from 123.456.789 </LIMIT>

Source – Perishable Press

C – WP-Config Protection

Your wp-config file contains your database name, your database username and your database password. In other words, you’ll want to keep it secure.

# protect wpconfig.php <files wp-config.php> order allow,deny deny from all </files>

Source – Josiah Cole

D – Disable Directory Browsing

# disable directory browsing Options All -Indexes

Source- Josiah Cole


E – Explanation

I bet if I asked you to explain exactly what .htaccess is, you’d struggle to tell me exactly. To be honest, until I wrote this, I wasn’t totally sure. Wikipedia explains in a nice, jargon free way:

.htaccess (hypertext access) is the default name of directory-level configuration files that allow for decentralized management of configuration when placed inside the web tree.

The Wikipedia article then goes on, with some examples of common usage:

Authorization, authentication
.htaccess files are often used to specify the security restrictions for the particular directory, hence the filename “access.” The .htaccess file is often accompanied by a .htpasswd file which stores valid usernames and their passwords. [3]
Customized error responses
Changing the page that is shown when a server-side error occurs, for example HTTP 404 Not Found
Rewriting URLs
Servers often use .htaccess to rewrite long, overly comprehensive URLs to shorter and more memorable ones.
Cache Control
.htaccess files allow a server to control User agent caching used by web browsers to reduce bandwidth usage, server load, and perceived lag.

F – Feedburner

Feedburner is a blogger’s best friend. Trouble is, directing your feed to it is a bit of a pain. The solution: a .htaccess hack of course!

# temp redirect wordpress content feeds to feedburner <IfModule mod_rewrite.c> RewriteEngine on RewriteCond %{HTTP_USER_AGENT} !FeedBurner [NC] RewriteCond %{HTTP_USER_AGENT} !FeedValidator [NC] RewriteRule ^feed/?([_0-9a-z-]+)?/?$ [R=302,NC,L] </IfModule>

Source – Perishable Press

G – Get an RSS Feed on a static page

This is quite complicated, so check out the source below. In a nutshell it is a way of getting round using Javascript (because it doesn’t do the SEO any good).

Source –

H – Disable hotlinking

Hotlinking. According to Wikipedia, also known as “leeching, piggy-backing, direct linking, offsite image grabs and bandwidth theft”. In other words it is using an image from another site. If people do it to you, it’ll use up your bandwith. You can stop it with the .htaccess hack below.

#disable hotlinking of images with forbidden or custom image option RewriteEngine on RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{HTTP_REFERER} !^http://(www\.)?*$ [NC] #RewriteRule \.(gif|jpg)$ - [F] RewriteRule \.(gif|jpg)$ [R,L]

Source – Josiah Cole

I – Important!

Yeah, ok, I got a bit desperate trying to find something that begins with ‘I’ :P. But, that doesn’t mean this isn’t useful; it’s very important!

Backup. Always, always make sure you have a backup to hand; the slightest mistake will be fatal.

J – Jauntily show the admin’s email address in error message


K – Keep RSS ‘content thieves’ away

It isn’t nice when people steal your content. One of the ways ‘content thieves’ scrape content from sites is by simply using your RSS feed. If you’ve got the scraper’s IP address (which is very easy to do; Google it) then you can use your .htaccess file to block the scraper. The code below redirects a site taking your feed back to another feed (ie their feed). Replace the IP on line two with the offending site’s and the feed on line three with the offending site’s feed.

RewriteEngine on RewriteCond %{REMOTE_ADDR} ^ RewriteRule ^(.*)$

Source – Seo Black Hat

L – Limiting number of simultaneous connections

To limit the number of simultaneous connections to a directory or your entire site, use the below line. If you place it in a directory other than the root directory, then it will limit the connections to that directory and its sub-directories only. Placing it in htaccess file of root directory will implement it for entire site.

MaxClients < number-of-connections> 

Source – Pix.l|ne

M – Maintenance

It doesn’t matter what the reason is, at some point in your life you’ll probably want to make maintenance page. Replace “/maintenance.html” with whatever the url of your maintenance page is and put your own IP address on line three.

RewriteEngine on RewriteCond %{REQUEST_URI} !/maintenance.html$ RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123 RewriteRule $ /maintenance.html [R=302,L]

Source – CatsWhoCode/

N – Deny no referer requests [stop spam comments!]

Slightly simpler than the spam-stopping solution under ‘S’, what this hack does is utilise the fact that most spammes use bots coming from ‘nowhere’. The hack checks to see where a comment is coming from, and if it is coming from ‘nowhere’ then it blocks it. Simple.

RewriteEngine On RewriteCond %{REQUEST_METHOD} POST RewriteCond %{REQUEST_URI} .wp-comments-post\.php* RewriteCond %{HTTP_REFERER} !.** [OR] RewriteCond %{HTTP_USER_AGENT} ^$ RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]

Source – WPRecipes

O – Force files when opening to ‘save as’

If you’re offering files for download then the hack below will be very useful – it forces files to save as instead of opening or streaming.

AddType application/octet-stream .avi .mpg .mov .pdf .xls .mp4 

Source – AskApache

P – Protect your .htaccess file.

After you’ve spent all that time protecting your blog from .htaccess attack, the last thing you want to do is leave your .htaccess file itself open to attack!The hack below prevents external access to any file with .hta (or any case insensitive variation). Place the code below in your domain’s root .htaccess file.

# STRONG HTACCESS PROTECTION</code> <Files ~ "^.*\.([Hh][Tt][Aa])"> order allow,deny deny from all satisfy all </Files>

Source: Perishable Press

Q – Quicken your site’s loading time by caching

If you’re paying for what bandwith you use, this article can save you cash!

Source – Samaxes

R – Redirect to other pages on your site

RedirectMatch 301 ^/blog/.*$ http://domain.tld/target.html 

Source – Perishable Press

S – Spam!

.htaccess is great for stopping comment spam, and Jeff over at Perishable Press has put together a huge blacklist you can copy and paste that should stop you getting so much spam! Link.

T – Set the timezone of the server

The hack below lets you set the timezone of the server:

SetEnv TZ America/Indianapolis 

Source – AskApache

U – Remove /category/ from your category URL

Having /category/ in a category URL seems a bit useless. How do I get rid of it, I hear you cry! A .htaccess hack, of course!

RedirectMatch 301 ^/category/(.+)$$1 # OR RewriteRule ^category/(.+)$$1 [R=301,L]

Source: AskApache

V – Valiantly automatically fix URL spelling mistakes

Yep. I got desperate. Well what .htaccess trick can you think of that starts with ‘v’?

This neat trick will auto-correct simple URL spelling mistakes

<IfModule mod_speling.c> CheckSpelling On </IfModule>

Source – Vortex Mind

W – Redirect from http://www.whatever to http://whatever

Using a 301 (permanent) redirect, you can move all visitors to http://www.yoursite to http://yoursite

# permanently redirect from www domain to non-www domain RewriteEngine on Options +FollowSymLinks RewriteCond %{HTTP_HOST} ^www\.domain\.tld$ [NC] RewriteRule ^(.*)$ http://domain.tld/$1 [R=301,L]

Source: Stupid htaccess tricks

X – Make your wp-login.php page xenophobic

Xenophobic: “an intense fear or dislike of forigners or strangers”

I think it is quite appropriate to call your wp-login page xenophobic if you install this hack; it won’t let anyone access it apart from yourself!

<Files wp-login.php> Order deny,allow Deny from All Allow from 123.456.789.0 </Files>

Source – Reaper-X

Y – Easily rename your .htaccess file

What do you do if your server doesn’t like the .htaccess file format? Rename the .htaccess file! You can rename it to whatever you like, using the code below:

# rename htaccess files AccessFileName ht.access

Source – Perishable Press

Z – Say zygote in your .htaccess file

So you want to be able to put the word ‘zygote’ in your .htaccess file? You’ll be needing to make a comment. Comments are really easy to do, just use # at the beginning of a line, which tells the server to ignore the line.

# see - this is a comment - you can only use letters and numbers and - and _ That is why there are no commas

Additional reading

Yay! 🎉 You made it to the end of the article!
Alex Denning

Most Voted
Newest Oldest
Inline Feedbacks
View all comments
January 1, 2013 3:21 pm

i have learned much things about .htaccess file. tnx

January 19, 2012 1:29 pm

Great .htaccess tips. I’ll apply it on my blog. 🙂

How to secure your WordPress blog | Tuts23
November 26, 2011 9:12 pm

[…] add some code to our .htaccess file. First, let’s disable directory browsing. (Source: WPShout). Just add the following line of code to your .htaccess file. # disable directory browsing Options […]

Webographie | Pat McFOH
November 16, 2011 5:04 pm

[…] A to Z of WordPress .htaccess Hacks […]

November 14, 2011 10:42 pm

What is it the best method to protect WordPress by .haccess file ?

David Ashforth
September 14, 2011 2:51 am

Superuseful… Way more info than all the other pages about htaccess.

My favorite = Xenophobic: “an intense fear or dislike of forigners or strangers”

I don’t get out much 😉

timing fx
January 30, 2011 2:37 pm

waw very good, I can get a lot of knowledge about htaccess and I think it is in need for beginner blogger like me

January 13, 2011 7:40 am

Hi alex, thanks for good sharing. But, i had small question and who know it could be tricky permalink.

Sample :

the question is, how to change the slash icon after search word. I wanna make the permalink be like this :

/search/ change to /search

Please feel free to reply to my email :

November 30, 2010 5:23 pm

Some really usefull .htaccess rules all in one place! thanks

August 31, 2010 5:34 pm




Nice tips, congratz man 😉

August 22, 2010 5:43 pm

I need to prevent users that are not logged in from downloading files. How can I do this?

Thank you for the help!

August 8, 2010 7:43 pm

thanks. i have learned much things about .htaccess file.

Everything You Need to Know About WordPress Security — ForSite Media
July 23, 2010 2:39 pm

[…] Tweaks20+ Powerful WordPress security Plugins12 Essential Security Tips and Hacks for WordPressA to Z of WordPress .htaccess Hacks5 Minutes and CountingWordPress claim to a quick and easy installation of 5 minutes still stands. […]

9 Critical Tips To Secure a WordPress Site | Theme Today
July 21, 2010 12:01 pm

[…] For more .htaccess hacks visit this site. […]

How To Secure Your WordPress Installation |
July 9, 2010 12:44 am

[…] 6. How to: Force using SSL on wp-admin directory 7. 10 Easy Ways to Secure your WordPress Blog 8. A to Z of WordPress .htaccess Hacks 9. 11 Best Ways to Improve WordPress Security 10. Protect your WordPress blog using .htaccess 11. […]

Jennifer Ray
June 14, 2010 12:59 pm

Oops, the collection list is awesome, I’ve bookmarked it, it will help me alot, thanks

May 29, 2010 2:02 pm

hi, I can’t make a .htaccess file to protect wp-Config.php file. I do but My web error…I don’t know, what should I do!?

Blogging Tips: How To Secure Wordpress Blogs Via Htaccess File
April 26, 2010 8:05 am

[…] go wrong with your blog, simply delete the new htaccess and upload the old one. Cheers!Thanks to A-Z of WordPress htaccess hacks and Keep wordpress secure for providing some insight in the writing of this tutorial. Bookmark & […]

February 15, 2010 3:17 am

Thanks. This post really helped me understand how .htaccess can help protect my site.

February 13, 2010 10:58 am

Cool. Thanks for the complete list. 🙂

23 articles and resources to improve your Wordpress life! |
February 1, 2010 3:28 pm

[…] A to Z of WordPress .htaccess Hacks The .htaccess file allows you to easily improve your blog’s security, reduce bandwith and […]

Best of WPShout 2009 |
January 25, 2010 5:34 pm

[…] a tad awful, as did the design. However, I learnt a lot quickly and found success with an “A to Z of WordPress .htaccess Hacks“. To this day it’s still the most popular post on the site. At this point, the site was […]

Wordpress Hacks & Tricks – A grande lista  | 2.0 Webmania
January 20, 2010 4:53 pm

[…] A-to-Z of Wordpress .htaccess Hacks Tags: Blogging, Compilação, compilation, hacks, list, lista, Recursos, resources, técnicas, techniques, Tricks, truques, WordPress, WP […]

Satnikove skrine
December 18, 2009 12:48 pm

Nice man, thank you.

A to Z of WordPress .htaccess Hacks | TopRoundups
October 27, 2009 12:06 pm

[…] A to Z of WordPress .htaccess Hacks Submitted by Editorial Team […]

January 22, 2010 10:27 pm
Reply to  Alex Denning

it doesn’t work. It used to work in wordpress but for some odd reason you have to put the full url in the href :/

NamrouD | Upgrade Your Mind ! » 30 Incredibly Useful WordPress Hacks
October 5, 2009 11:27 pm

[…] A to Z of WordPress .htaccess Hacks […]

Privacy Source » Blog Archive » Tips To Improve And Increase Your Blog’s Loading Speed
October 5, 2009 5:10 pm

[…] your images and save the bandwidth. You can easily disable hotlinking via .htaccess file. Check the tutorial for disabling Hotlinking and other .htaccess […]

September 30, 2009 11:55 pm

Wow, this list is pure gold. I’m not exactly sure where to start!

30 Incredibly Useful WordPress Hacks |
September 28, 2009 4:03 pm

[…] A to Z of WordPress .htaccess Hacks […]

links for 2009-09-25
September 25, 2009 11:39 pm

[…] A to Z of WordPress .htaccess Hacks | (tags: wordpress htaccess hacks) […]

Barker Design | Graphic & Web Development » Blog Archive » 30 Incredibly Useful WordPress Hacks
September 24, 2009 1:31 pm

[…] A to Z of WordPress .htaccess Hacks […]

30 Incredibly Useful WordPress Hacks | Tutorial9
September 24, 2009 1:03 pm

[…] A to Z of WordPress .htaccess Hacks […]

Comment Name Violation
September 15, 2009 9:01 pm

Hey Alex, this is probably one of the most extensive list of resources pertaining to .htaccess file that I have encountered in a long time. You made so many things clear regarding how to safeguard and enhance one’s site by proper integration of .htaccess. Thanks a lot for this great and comprehensive information! I am looking forward to reading more of your helpful posts.

Free WordPress (Magazine/Framework/Bloggy/Tech Blog) Theme: Biblioteca |
September 14, 2009 3:04 pm

[…] A to Z of WordPress .htaccess Hacks {57} […]

10 Ways to Use .htaccess to Speed Up WordPress |
September 10, 2009 3:02 pm

[…] A to Z of WordPress .htaccess Hacks {57} […]

Tubagus Rusmawan
August 5, 2009 3:07 am


i am new to wp. if i want to use all the .htaccess hacks, can anyone show me how to write all the .htaccess hacks in just one .htaccess file?

A to Z of WordPress .htaccess Hacks | | wpden
July 21, 2009 3:24 pm

[…] more from the original source: A to Z of WordPress .htaccess Hacks | Share this on del.icio.usDigg this!Buzz up!Stumble upon something good? Share it on […]

July 16, 2009 10:20 pm

Nice post! The “corrupted” email hack-


10 cách ??n gi?n ?? b?o m?t cho blog WordPress « .::z3rok::.
July 13, 2009 4:07 pm

[…] Xem thêm – […]

10 Easy Ways to Secure your WordPress Blog | Another Flava
July 10, 2009 10:18 pm

[…] Source – […]

'How To Guide' for securing WordPress and protecting websites. | MileHighTechGuy
July 5, 2009 11:12 pm

[…] A to Z of WordPress .htaccess Hacks | […]

10 Ways to Speed up Your WordPress Blog at BLOG GRAPHIC DESIGN
July 3, 2009 12:35 pm

[…] Source – A to Z of WordPress .htaccess hacks. […]

10 Ways to Speed up Your WordPress Blog | SEO & Web Design
June 21, 2009 10:17 am

[…] Source – A to Z of WordPress .htaccess hacks. […]

June 14, 2009 8:55 am

Thank you to share

WordPress-Sicherheit — Amys Welt
June 6, 2009 10:31 am

[…] A to Z of WordPress .htaccess Hacks […]

June 4, 2009 2:02 pm

This is a very good post. The best I've seen on this so far.

But please check your post and fix the unclosed tags. There are several "</code" and "</span>" things in the post visible. Shouldn't be 😉 – I can imagine people copying and pasting it and not knowing why it's wrong. 😉

Thanks anyway, lots of tips and tricks I didn't even think about doing it in htaccess. Which in fact has a lot of functionality that we sometimes forgot is there to do the task for us right from the server (instead of using php scripts of javascript, an awesome htaccess one-liner).

Aparna’s Weblog » Blog Archive » 10 Easy Ways to Secure your WordPress Blog
June 1, 2009 10:47 am

[…] Source – […]

May 30, 2009 5:12 pm

hey great post 🙂

Or start the conversation in our Facebook group for WordPress professionals. Find answers, share tips, and get help from other WordPress experts. Join now (it’s free)!

Would love your thoughts, please comment.x