Top .htaccess Tips to Improve WordPress Security & SEO
The .htaccess (Hypertext Access) file is a configuration file that allows you to change the settings of your web server. You can use the file to control the folders and files in the current directory as well as all the sub-directories, and enable/disable certain functionality so as to improve your site performance and add protection against hacks and known threats.
With the proper directives in the .htaccess file, you can block unauthorized access to specific files, disable image hotlinking, create redirects, enable caching, and so on.
Usually, you can find the .htaccess file in the root directory of your site, but note that this file is hidden by default, so you may not see it until you check the “Show Hidden Files” option in your FTP client or the file manager.
If the file does not exist, you can simply create an empty file, name it “.htaccess” and upload it to the server. To make sure the file works as intended, set its file permissions to 644.
In this tutorial, we will introduce several useful .htaccess tips and snippets you can use to improve the security, performance and SEO of your WordPress site.
Always Back up Your .htaccess File
Since the .htaccess file is an important configuration file, a minor error can break your website. Therefore, before discussing any .htaccess tip, we strongly remind you to back up the file every time before you make a change. Make sure you always have a working version of the .htaccess file stored on your local computer.
Also, refresh your site to check that it still works whenever you modify the .htaccess file, so that you can quickly revert to the previous working version if a change causes errors.
Tip 1: Protect the wp-config.php File
wp-config.php is a vital file for any WordPress site because it contains much sensitive information, including the security keys and the database settings (database name, username, password, etc.). There are several common ways to protect this file; one of the easiest and most effective is to disable access to it by adding the following snippet to the .htaccess file.
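The following is an added example for the root .htaccess file, not the tutorial's own snippet. It assumes Apache 2.4 (the `Require` syntax) and falls back to the Apache 2.2 `Order`/`Deny` syntax when mod_authz_core is absent. PHP still reads wp-config.php from disk, so WordPress keeps working; only HTTP requests for the file are refused.

```apache
# Added example: deny every HTTP request for wp-config.php.
<Files "wp-config.php">
    # Apache 2.4 and later
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback (assumption: older hosts still use this syntax)
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
```

To check that it took effect, request the file from outside (`curl -I https://example.com/wp-config.php`, with your own domain) and confirm the server answers 403 instead of 200. The directive only applies if the host's `AllowOverride` setting permits `Limit`/`AuthConfig` in .htaccess; if the whole site returns 500 after the change, that is the usual cause.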
For some other methods to secure wp-config.php, you can refer to this tutorial.
Tip 2: Disable Directory Browsing
Leaving your directories and files open to unauthorized visitors poses a great security risk because they can easily mess up your site with some minor changes. Disabling directory browsing, however, hides your directories from others and prevents them from being opened and edited. To apply this simple security measure, add the following piece of code to the .htaccess file.
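Added example for the root .htaccess file (not the tutorial's own snippet). It assumes the host allows `AllowOverride Options`; without that, Apache refuses the directive and the site returns 500.

```apache
# Added example: stop mod_autoindex from listing directory contents.
# Applies to this directory and every subdirectory that does not
# explicitly re-enable listings with "Options +Indexes".
Options -Indexes
```

To verify, request a directory that has no index file, for example `https://example.com/wp-content/uploads/` with your own domain: Apache should answer 403 Forbidden instead of a file listing. Note that this hides listings only; files whose names are known or guessable can still be requested directly, so it complements, rather than replaces, the per-file restrictions in the other tips.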
Tip 3: Protect the wp-content Directory
The wp-content directory is where your plugins, themes, cache files and uploaded media files are located. The importance of this directory makes it a target for many hackers and spammers. When hackers manage to compromise your site, they may upload a script to the uploads folder and then execute the script to do something harmful to your site, such as sending out spam emails, stealing information, etc.
To prevent this from happening, you can create a new .htaccess file and add the code below to it. With this code, only files in the specified formats, including XML, JPEG, JPG, CSS, GIF, PNG and JavaScript, are allowed to be uploaded. The uploading of any other file type would be denied by the server. Of course, you can change the file types in the code based on your own needs.
After the new .htaccess file is created, you need to connect your server with an FTP client or file manager, and then upload the file to the wp-content directory of your site so the file works for the particular directory only.
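Added example for the wp-content/.htaccess file (not the tutorial's own snippet), assuming Apache 2.4. The extension list is the one named above; modern sites usually also need fonts, SVG, WebP, ICO and PDF, so extend the regex after testing. The second part is an alternative for wp-content/uploads/.htaccess only, which blocks execution of PHP-like files without touching any other asset type.

```apache
# Added example, part 1 (wp-content/.htaccess): everything is denied by
# default; only the listed extensions can be requested over HTTP.
# This does not stop a file from being uploaded, but an uploaded script
# can no longer be executed by requesting its URL.
Require all denied
<FilesMatch "\.(xml|jpe?g|css|gif|png|js)$">
    Require all granted
</FilesMatch>

# Added example, part 2 (wp-content/uploads/.htaccess), a narrower
# alternative: refuse only PHP-style scripts, serve everything else.
# Use one part or the other, not both in the same directory.
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
```

Part 1 also blocks direct requests to PHP files that some plugins and themes serve from wp-content, so click through the site (front end, admin, media uploads) after applying it and add any extension or file that breaks. Part 2 is the safer choice for the uploads directory, since nothing that belongs there is meant to execute.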
Tip 4: Prevent Image Hotlinking
Image hotlinking is the bad practice of displaying an image from your website on another site by linking to the image URL directly. It has significant negative effects: it not only slows down your site but also increases your bandwidth usage (which may result in higher hosting costs).
Fortunately, you can prevent image hotlinking easily by adding the following code snippet to your .htaccess file.
When using this code, you need to pay attention to several things. Firstly, you have to replace all the domains with your own. Secondly, this code allows your website, as well as another site you own, to display the images hosted on your site. If you do not want any other site to use the images, simply remove the fourth line; if you want to allow more sites, copy the line and change the domain.
Finally, the image on the last line is what is shown when someone tries to view your images from another domain. You can change it to anything you want.
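Added example for the root .htaccess file (not the tutorial's own snippet). example.com stands for your own site, example.org for a second site you own, and hotlink-blocked.png for the placeholder image; all three are assumptions to replace. Counting directives, the fourth one is the line that admits the second site, and the last one names the placeholder.

```apache
# Added example: serve images only to pages on your own domains.
RewriteEngine On
# Allow requests with no Referer (direct views, privacy-conscious browsers).
RewriteCond %{HTTP_REFERER} !^$
# Allow your own site ...
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
# ... and one more site you own (remove this line, or copy it for more sites).
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.org/ [NC]
# Never redirect the placeholder itself, otherwise the rule loops.
RewriteCond %{REQUEST_URI} !/hotlink-blocked\.png$
RewriteRule \.(jpe?g|png|gif|webp)$ https://example.com/hotlink-blocked.png [NC,R=302,L]
```

Two practical notes. The redirect is a 302 rather than a 301 on purpose: browsers cache 301s, so a visitor who once saw the placeholder on another site could keep seeing it on yours. And because the Referer header is set by the client, this is a deterrent against casual embedding, not a security control; measure bandwidth after enabling it rather than assuming hotlinking has stopped.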
Tip 5: Limit Access to WordPress Admin Area
Protecting your WordPress admin area (the wp-admin directory) is a necessary security measure that you have to take. If hackers get access to the admin area of your site, they can do anything they want, and you will never know how they would destroy your site.
A simple yet effective way to protect the admin area is to restrict access to the specific IPs that you and the other administrators use to access the site. This works when all site admins use fixed IPs when administering the site.
To put this into practice, create a separate .htaccess file containing the code below.
After replacing the IPs with the ones you want and saving the file, upload it to the wp-admin folder of your WordPress site. If you do not have anyone else managing your site, you can remove the additional IPs in the code, and if you have more administrators, list their IPs and separate them with commas.
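Added example (not the tutorial's own snippet), assuming Apache 2.4. The addresses 203.0.113.10, 203.0.113.11 and 198.51.100.0/24 are documentation ranges used as placeholders. One caveat on syntax: Apache separates addresses with spaces, not commas, so `Require ip 203.0.113.10 203.0.113.11` on one line, or one `Require ip` per line, both work, while a comma-separated list is rejected.

```apache
# Added example, part 1 (wp-admin/.htaccess): admin area reachable only
# from the listed addresses and ranges.
Require ip 203.0.113.10 203.0.113.11
Require ip 198.51.100.0/24

# admin-ajax.php is called by many front-end plugins for every visitor,
# so it must stay open or site features break for the public.
<Files "admin-ajax.php">
    Require all granted
</Files>

# Added example, part 2 (root .htaccess): wp-login.php lives outside
# wp-admin, so it needs its own restriction to get the same protection.
<Files "wp-login.php">
    Require ip 203.0.113.10 203.0.113.11
    Require ip 198.51.100.0/24
</Files>
```

If the site sits behind a CDN or reverse proxy, Apache sees the proxy's address rather than the visitor's unless mod_remoteip is configured, and every admin would be locked out; check `%{REMOTE_ADDR}` in the access log before enabling this.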
Tip 6: Ban Unwanted Visitors from Your WordPress Site
If you find an IP from which someone is harming your site, for example by leaving spam comments or trying to access the admin area, you can ban it by adding the following snippet to the .htaccess file in the root directory. For each IP you want to ban, add a deny line for it.
Besides denying access from certain IPs, you can also ban unwanted visitors based on the referring domain, for the case that your site is being linked to from other websites with malicious content. Simply use the code below.
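Added example for the root .htaccess file covering both the IP ban and the referrer ban above (not the tutorial's own snippet), assuming Apache 2.4. The addresses are documentation placeholders and the hostnames use the reserved `.example` domain; replace them with the ones from your own logs.

```apache
# Added example, part 1: ban individual addresses or whole ranges.
# One "Require not ip" line per banned address; everyone else is allowed.
<RequireAll>
    Require all granted
    Require not ip 203.0.113.45
    Require not ip 198.51.100.0/24
</RequireAll>

# Added example, part 2: refuse requests referred by known-bad sites.
# Chain more domains with [NC,OR]; the last condition has no OR.
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?spam-site\.example [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?malware-host\.example [NC]
RewriteRule ^ - [F,L]
```

Both parts answer 403 to the matched requests, which you will see in the access log as a quick way to confirm the rule fires. IP and referrer bans are easy for a determined sender to evade, so treat them as a way to cut noise, not as the only defence for the login and comment forms.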
Tip 7: Create 301 Redirects
Whenever your website's domain, permalink structure, or the URL of an individual page changes, you need a 301 redirect to inform search engines that a URL has moved to another location. By doing so, you keep the traffic and retain the SEO value of the old URL.
When you have changed a URL, add the following line in the .htaccess file.
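Added example (not the tutorial's own snippet) that goes beyond the single-page case and covers the three situations listed above: a moved page, a moved domain and a changed permalink structure. Hostnames and paths are placeholders. Custom rules belong above the `# BEGIN WordPress` block, because WordPress rewrites that block and discards anything placed inside it.

```apache
# Added example: three kinds of 301 redirect in the root .htaccess.

# 1. A single page that moved. RedirectMatch matches the exact path;
#    a plain "Redirect 301 /old-page/ ..." would also catch /old-page/anything.
RedirectMatch 301 "^/old-page/$" "https://example.com/new-page/"

RewriteEngine On

# 2. Whole site moved to a new domain (www and bare host of the old domain).
RewriteCond %{HTTP_HOST} ^(www\.)?old-domain\.example$ [NC]
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]

# 3. Permalinks changed from /YYYY/MM/post-name/ to /post-name/.
#    In .htaccess the matched path has no leading slash.
RewriteRule ^[0-9]{4}/[0-9]{2}/([^/]+)/?$ /$1/ [R=301,L]
```

Because browsers cache 301 responses, test a new rule with `R=302` first and switch to 301 once `curl -I` on an old URL shows the expected `Location` header; a wrong 301 is hard to undo for visitors who already received it.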
Tip 8: Protect the .htaccess File
You may have protected many parts of your website with .htaccess, but have you ever taken any measure to protect this file itself from unauthorized access? If the answer is “No”, add the following code in your .htaccess file as soon as possible to stop spammers and hackers from accessing it. Despite the restriction, you can still access the file via FTP or the file manager.
Besides, you can add another layer of security by renaming the .htaccess file to something less predictable. This can be done using the code below. After renaming the file, don’t forget to replace the old file name with the new one in the snippet above.
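Added example for both parts of this tip (not the tutorial's own snippet), assuming Apache 2.4. The new file name `.site-rules` is an assumption. One caveat a practitioner needs: `AccessFileName` is only valid in the main server configuration or a `<VirtualHost>`, never inside .htaccess itself, so the rename requires access to httpd.conf or the virtual host file; placed in .htaccess it produces a 500 error.

```apache
# Added example, part 1 (goes in .htaccess): refuse HTTP requests for
# .htaccess, .htpasswd and any other file whose name starts with ".ht".
# Stock httpd.conf already ships this rule; repeating it guards against
# a host configuration that dropped it.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# Added example, part 2 (goes in httpd.conf or the <VirtualHost>, NOT in
# .htaccess): make Apache read ".site-rules" instead of ".htaccess".
AccessFileName .site-rules

# After the rename, part 1 must cover the new name as well, so replace
# the FilesMatch above with this one in the renamed file.
<FilesMatch "^\.(ht|site-rules)">
    Require all denied
</FilesMatch>
```

Verify with `curl -I https://example.com/.site-rules` (your own domain and name): a 403 means the file is hidden from the web while still being read by Apache from disk. WordPress and many plugins write to a file literally named .htaccess when permalinks are saved, so after renaming, check that those writes still land in the file Apache actually reads.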