April 16, 2026 by Quartermaster

WordPress htaccess Guide: Master .htaccess Rewrites, Security, and Performance Rules


The .htaccess file is a server configuration file that controls how Apache handles every request to your WordPress site: URL rewrites, security rules, caching, and access control. This guide covers the default code, essential security rules, performance optimizations, redirects, and troubleshooting. If you are running WordPress on Apache and you have never opened this file, you are flying blind, and that is how sites get wrecked.

⚡ Key Takeaways

  • The .htaccess file lives in your WordPress root directory and controls Apache server behavior.
  • Never edit .htaccess without a backup — one syntax error kills your whole site.
  • Security rules in .htaccess block bots, protect sensitive files, and stop common attacks.
  • Performance rules enable browser caching and compression directly at the server level.
  • Nginx does not use .htaccess — if you are on Nginx, you need server block rules instead.
  • This wordpress htaccess guide gives you every rule you need to own your server config.

What Is the .htaccess File in WordPress?

The .htaccess file is a distributed configuration file used by the Apache web server. It lets you control server behavior on a per-directory basis — without touching the main server config. Every WordPress htaccess guide worth reading will tell you this is one of the most powerful files on your server.

WordPress uses it primarily to handle pretty permalinks, which is why every wordpress htaccess guide starts with the rewrite block. Without the right rewrite rules in .htaccess, visiting yoursite.com/about/ would return a 404. The file tells Apache to route those requests through WordPress’s index.php.

Beyond permalinks, this wordpress htaccess guide will show you how to use it for security hardening, browser caching, HTTPS redirects, hotlink protection, and access control. It is a Swiss Army knife — and most WordPress site owners ignore it completely.


43%

of all websites on the internet run on WordPress — and most of them are on Apache servers where .htaccess is the first line of defense.

Source: W3Techs Web Technology Surveys, 2024

Where to Find Your WordPress .htaccess File

The .htaccess file lives in the root directory of your WordPress installation, the same folder where wp-config.php, wp-admin/, and wp-content/ live. If you cannot find it, it is hidden: most FTP clients and file managers hide dotfiles by default.

To reveal it in FileZilla, go to Server → Force showing hidden files. In cPanel’s File Manager, click Settings and check “Show Hidden Files.” Once you turn that on, you will see .htaccess sitting right there in the root. This is step one in any wordpress htaccess guide.

  • FTP client: Enable “show hidden files” in your client settings
  • cPanel File Manager: Settings → Show Hidden Files (dotfiles)
  • SSH: Run ls -la /path/to/wordpress/ to list all files including hidden ones
  • WordPress Dashboard: Some plugins like WP Htaccess Editor let you edit it directly from admin

If the file does not exist at all, WordPress should have created it when you set up your permalinks. Go to Settings → Permalinks and hit Save Changes. WordPress will attempt to write the default .htaccess automatically. If it cannot write it due to permissions, it will show you the code to add manually — check our WordPress File Permissions Explained guide if you run into that wall.

The Default WordPress .htaccess Code Explained

On a fresh WordPress install with permalinks set, this is the baseline code WordPress generates automatically, and what every rule in this guide builds on top of:

# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Breaking this down: RewriteEngine On activates the mod_rewrite module. RewriteRule ^index\.php$ - [L] stops processing early when the request is already for index.php. The two RewriteCond lines check whether the requested path is NOT a real file and NOT a real directory. If both conditions pass, the final RewriteRule sends the request to index.php, WordPress’s front controller. Anything that does exist on disk (an uploaded image, a theme stylesheet, wp-login.php) is served directly by Apache and never passes through WordPress at all.

The HTTP_AUTHORIZATION line passes authentication headers through to PHP, which is needed for REST API authentication in some setups. This default block is the bare minimum. The rest of this wordpress htaccess guide is about everything you add on top of it.
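To make the routing decision concrete, here is a small model of what the default block does with a request. This is an added example, not code from the page or from WordPress; the document root is a constructed in-memory set of files and directories, not a real filesystem.

```python
"""Model of what the default WordPress rewrite block does with a request.

Added example, not code from the page or from WordPress. It mimics Apache's
evaluation of the default block: a request for a path that exists on disk is
served as-is; everything else is handed to index.php. The document root below
is a constructed in-memory set of files and directories, not a real filesystem.
"""

# Constructed stand-in for the WordPress document root, relative to the site root.
DOC_ROOT_FILES = {
    "index.php",
    "wp-login.php",
    "xmlrpc.php",
    "wp-content/uploads/2026/04/hero.jpg",
    "wp-content/themes/mytheme/style.css",
}
DOC_ROOT_DIRS = {"wp-admin", "wp-content", "wp-content/uploads", "wp-includes"}


def is_file(path: str) -> bool:
    """Stands in for the -f test in: RewriteCond %{REQUEST_FILENAME} !-f"""
    return path in DOC_ROOT_FILES


def is_dir(path: str) -> bool:
    """Stands in for the -d test in: RewriteCond %{REQUEST_FILENAME} !-d
    (the empty path is the document root itself, which always exists)."""
    return path == "" or path in DOC_ROOT_DIRS


def route(request_uri: str) -> str:
    """Return the file Apache ends up serving for request_uri."""
    # The query string is not part of REQUEST_FILENAME, and the leading slash
    # is dropped before the RewriteRule patterns are matched.
    path = request_uri.split("?", 1)[0].lstrip("/")

    # RewriteRule ^index\.php$ - [L]  -> a request for index.php stops here.
    if path == "index.php":
        return "index.php"

    # Both RewriteCond lines must pass (path is NOT a file AND NOT a directory)
    # before the catch-all rule fires. Real files are served directly, which
    # is why protecting wp-config.php or xmlrpc.php has to happen in Apache,
    # not in a WordPress plugin.
    if is_file(path):
        return path
    base = path.rstrip("/")
    if is_dir(base):
        # A real directory is served via Apache's DirectoryIndex (index.php
        # inside that directory), again without the WordPress catch-all.
        return f"{base}/index.php" if base else "index.php"

    # RewriteRule . /index.php [L]  -> everything else goes to the front
    # controller, which resolves the permalink or renders the 404 template.
    return "index.php"


if __name__ == "__main__":
    for uri in ["/about/", "/wp-content/uploads/2026/04/hero.jpg", "/wp-admin/",
                "/?p=123", "/xmlrpc.php", "/nonexistent.php"]:
        print(f"{uri:42} -> {route(uri)}")
```

The point to take away is the last two cases: /nonexistent.php is handed to WordPress (which answers with its 404 page), while /xmlrpc.php is a real file and is served without WordPress getting a say. That is exactly why the file-protection rules in the next section have to live in .htaccess.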


🏴‍☠️ PIRATE TIP: Never manually edit anything between the # BEGIN WordPress and # END WordPress markers. WordPress overwrites that section every time you save your permalink settings. Put your custom rules ABOVE the BEGIN block or BELOW the END block.

How to Safely Edit .htaccess in WordPress

Before you touch a single character, download a backup copy of the current .htaccess file. This is non-negotiable. A syntax error in .htaccess throws a 500 Internal Server Error and takes your entire site down instantly. Ask how I know.

Your editing options are: FTP client, cPanel File Manager, SSH, or a WordPress plugin. SSH is the cleanest method — use nano /path/to/wordpress/.htaccess and you are in. For those who prefer GUI tools, cPanel’s File Manager works fine. If you want to stay inside WordPress admin, the WP Htaccess Editor plugin does the job.

After making changes, test immediately. Visit your homepage, a single post, a category archive, and your admin login. If anything breaks, reupload your backup file. If you need help diagnosing errors from .htaccess changes, the How to Debug WordPress guide walks you through server error log analysis.
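The backup, insert-outside-the-markers, test, roll-back cycle described above can be scripted so that it is done the same way every time. The following helper is an added example, not code from the page, from WordPress or from any plugin the page mentions; the # BEGIN WordPress / # END WordPress markers are WordPress's own, while the per-block labels, the .bak naming and demo() are this example's conventions.

```python
"""Back up .htaccess, add custom rules outside the WordPress markers, roll back.

Added example; not code from the page, from WordPress or from any plugin the
page mentions. The '# BEGIN WordPress' / '# END WordPress' markers are
WordPress's own; the per-block labels, the .bak naming and demo() are this
example's conventions.
"""
import shutil
import tempfile
import time
from pathlib import Path

WP_BEGIN = "# BEGIN WordPress"
WP_END = "# END WordPress"


def insert_custom_rules(htaccess_text: str, rules: str, label: str) -> str:
    """Return htaccess_text with `rules` placed ABOVE the WordPress block.

    The rules are wrapped in '# BEGIN <label>' / '# END <label>' comments so the
    block can be found and removed later. Refuses to insert the same block
    twice and refuses to touch a file whose WordPress markers are unbalanced.
    """
    begin_tag, end_tag = f"# BEGIN {label}", f"# END {label}"
    if begin_tag in htaccess_text:
        raise ValueError(f"block '{label}' is already present")
    if htaccess_text.count(WP_BEGIN) != htaccess_text.count(WP_END):
        raise ValueError("unbalanced WordPress markers; repair the file first")
    block = f"{begin_tag}\n{rules.strip()}\n{end_tag}\n\n"
    idx = htaccess_text.find(WP_BEGIN)
    if idx == -1:
        # No WordPress block yet (permalinks never saved): append at the end.
        head = htaccess_text.rstrip("\n")
        return (head + "\n\n" if head else "") + block
    return htaccess_text[:idx] + block + htaccess_text[idx:]


def backup(path: Path) -> Path:
    """Copy the file to a timestamped .bak beside it; return the backup path."""
    dest = path.with_name(f"{path.name}.{time.strftime('%Y%m%d%H%M%S')}.bak")
    shutil.copy2(path, dest)
    return dest


def apply_rules(path: Path, rules: str, label: str) -> Path:
    """Back up, then write the file with the new block. Returns the backup path
    so that a 500 on the next page load can be undone with restore()."""
    bak = backup(path)
    path.write_text(insert_custom_rules(path.read_text(), rules, label))
    return bak


def restore(path: Path, bak: Path) -> None:
    """The rollback step: put the backup copy back in place."""
    shutil.copy2(bak, path)


# The default block as WordPress writes it (abridged from the page) and one of
# the page's own custom rules, used by demo() below.
DEFAULT_WP = """# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""
FORCE_HTTPS = """RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]"""


def demo() -> tuple:
    """Round trip on a temporary copy: apply, then roll back from the backup.
    Returns (text after apply, text after restore)."""
    with tempfile.TemporaryDirectory() as d:
        ht = Path(d) / ".htaccess"
        ht.write_text(DEFAULT_WP)
        bak = apply_rules(ht, FORCE_HTTPS, "Force HTTPS")
        after = ht.read_text()
        restore(ht, bak)
        return after, ht.read_text()


if __name__ == "__main__":
    after, restored = demo()
    print(after)
    print("rolled back cleanly:", restored == DEFAULT_WP)
```

In practice you would call apply_rules() on the real file, hit the four pages the text lists (home, single post, archive, admin login), and call restore() the moment one of them returns a 500. Keeping each custom block under its own label is what makes "add one block, test, add the next" tractable later.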


Essential .htaccess Security Rules for WordPress — This Is the Good Stuff

This is where the wordpress htaccess guide stops being theory and starts being armor. These rules lock down your site at the server level — before WordPress even loads, before PHP runs, before any plugin gets a chance to save you. Server-level rules are the fastest and most efficient protection you can add.

Start by protecting your most sensitive files. If someone can read your wp-config.php, they have your database credentials. Game over. Here is how to block direct access to it and other dangerous files:

# Note: "order allow,deny" / "deny from all" is the Apache 2.2 syntax. It still
# works on Apache 2.4 through mod_access_compat; the native 2.4 form of each
# block body is a single "Require all denied" line.

# Protect wp-config.php
<Files wp-config.php>
    order allow,deny
    deny from all
</Files>

# Protect .htaccess itself
<Files .htaccess>
    order allow,deny
    deny from all
</Files>

# Block access to xmlrpc.php
<Files xmlrpc.php>
    order allow,deny
    deny from all
</Files>

# Disable directory browsing
Options -Indexes

# Block access to sensitive file types
# (the FilesMatch pattern was lost when this page was extracted; replace the
# placeholder with the extensions you want to block before using this block)
<FilesMatch "PATTERN_GOES_HERE">
    order allow,deny
    deny from all
</FilesMatch>

The XML-RPC block above is one of the most important rules in any wordpress htaccess guide. XML-RPC is a legacy API that attackers use for brute force amplification attacks — one request can attempt hundreds of login combinations. We have a full breakdown in How to Disable XML-RPC in WordPress if you want to go deeper.

Next, add security headers. These tell browsers how to handle your site’s content and protect against XSS, clickjacking, and MIME sniffing attacks. Drop these above your WordPress BEGIN block:

# Security Headers
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    # X-XSS-Protection is ignored by current browsers; harmless to keep, but
    # do not count on it for anything.
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
</IfModule>

These headers follow the Mozilla HTTP Headers Reference. They are free protection for any site on Apache: no plugin needed, just raw server muscle. For a complete security hardening checklist that goes beyond htaccess, see How to Secure WordPress Site.

You can also block bad bots and scrapers by user agent. This is blunt but effective:

# Block bad bots

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (ahrefsbot|semrushbot|dotbot|blexbot|mj12bot) [NC]
RewriteRule .* - [F,L]

WordPress .htaccess Performance Rules — Speed Without Paying for a Plugin

Every SaaS caching plugin that charges you $99/year for browser caching is literally just wrapping .htaccess rules in a GUI. This section hands you those rules for free. Add them above your BEGIN WordPress block.

First, enable Gzip compression. This compresses your HTML, CSS, JavaScript, and other text-based assets before sending them to the browser — cutting transfer sizes by 60-80%:

# Enable Gzip Compression
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
    AddOutputFilterByType DEFLATE text/javascript application/javascript application/x-javascript
    AddOutputFilterByType DEFLATE application/json application/xml application/xhtml+xml
    AddOutputFilterByType DEFLATE image/svg+xml application/rss+xml application/atom+xml
</IfModule>

Next, add browser caching. This tells visitors’ browsers to store static assets locally so they do not re-download them on every visit. This alone can slash load times for repeat visitors by 50% or more:

# Browser Caching
<IfModule mod_expires.c>
    ExpiresActive On
    # image/jpg is not a registered MIME type; Apache serves JPEGs as image/jpeg,
    # so the next line is the one that actually matters.
    ExpiresByType image/jpg "access plus 1 year"
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType text/html "access plus 1 day"
    ExpiresByType application/pdf "access plus 1 month"
    ExpiresByType image/x-icon "access plus 1 year"
</IfModule>

These rules are part of a broader speed strategy. See the full picture at How to Speed Up WordPress Site and the deeper caching breakdown at WordPress Caching Explained. The htaccess rules above work best alongside server-side object caching — but even alone, they make a measurable difference.
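Whether the security headers, the Gzip filter and the Expires rules are actually reaching the browser is something you should verify rather than assume, because a host that restricts AllowOverride or a missing module makes a block silently do nothing. The audit below serves both the security-header section and the performance section. It is an added example, not code from the page: it parses a raw HTTP response and reports which of the page's security headers are missing or unexpected, whether a compressible response was compressed, and whether a static asset got an expiry. The two responses are constructed to look like WordPress origin replies; to audit a live site, feed it the output of curl -s -D - -o /dev/null -H 'Accept-Encoding: gzip' https://yoursite.com/ instead. X-XSS-Protection is deliberately not checked, since current browsers ignore it.

```python
"""Check that the header, compression and caching rules actually reach clients.

Added example, not code from the page. Parses a raw HTTP response and reports
missing/unexpected security headers, uncompressed compressible responses and
static assets without an expiry. SAMPLE_HTML and SAMPLE_CSS are constructed.
"""

# Header -> accepted values (None = any explicit value is fine).
EXPECTED = {
    "x-content-type-options": ("nosniff",),
    "x-frame-options": ("sameorigin", "deny"),
    "referrer-policy": None,
    "permissions-policy": None,
}
# Non-text/* types that the page's mod_deflate block compresses.
COMPRESSIBLE = ("application/javascript", "application/x-javascript",
                "application/json", "application/xml", "application/xhtml+xml",
                "image/svg+xml", "application/rss+xml", "application/atom+xml")


def parse_headers(raw: str) -> dict:
    """Turn 'HTTP/1.1 200 OK\\r\\nName: value\\r\\n...' into a dict keyed by
    lowercase header name. A later duplicate overrides an earlier one."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:   # skip status line
        if not line.strip():
            break                                            # end of headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw: str, static_asset: bool) -> dict:
    """Return {check: problem-or-None}. static_asset marks CSS/JS/image
    responses, which should carry an Expires or Cache-Control max-age."""
    h = parse_headers(raw)
    findings = {}
    for name, accepted in EXPECTED.items():
        value = h.get(name)
        if value is None:
            findings[name] = "missing"
        elif accepted is not None and value.lower() not in accepted:
            findings[name] = f"unexpected value {value!r}"
        else:
            findings[name] = None

    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    compressible = ctype.startswith("text/") or ctype in COMPRESSIBLE
    encoded = h.get("content-encoding", "").lower() in ("gzip", "br", "deflate")
    findings["compression"] = (
        "compressible response sent uncompressed" if compressible and not encoded else None)

    cached = "expires" in h or "max-age" in h.get("cache-control", "").lower()
    findings["browser-caching"] = (
        "static asset has no Expires / max-age" if static_asset and not cached else None)
    return findings


def problems(raw: str, static_asset: bool) -> list:
    """Names of the checks that failed, in audit order."""
    return [k for k, v in audit(raw, static_asset).items() if v]


# Constructed sample: an HTML page served with every rule from this guide active.
SAMPLE_HTML = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Encoding: gzip\r\n"
    "Expires: Fri, 17 Apr 2026 10:00:00 GMT\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: geolocation=(), microphone=(), camera=()\r\n"
    "\r\n"
)
# Constructed sample: a stylesheet from an origin where mod_deflate, mod_expires
# and the Permissions-Policy line are not taking effect.
SAMPLE_CSS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/css\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw, static in (("html", SAMPLE_HTML, False), ("css", SAMPLE_CSS, True)):
        print(label, "->", problems(raw, static) or "all checks passed")
```

Run it against one HTML page and one CSS or image URL: the HTML response proves the header and Gzip blocks are honored, the static asset proves the Expires block is. If a check fails on production but passes locally, that is the AllowOverride problem from the troubleshooting section, not a typo in your rules.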

🏴‍☠️ PIRATE TIP: If you are using a CDN like Cloudflare, browser caching rules in .htaccess still matter for the origin server response. Do not skip them just because you have a CDN slapped in front. Both layers work together: the CDN caches at the edge, .htaccess handles the origin.


.htaccess Redirect Rules for WordPress

Redirects are bread and butter in any wordpress htaccess guide. Whether you are migrating from HTTP to HTTPS, moving to www or non-www, or handling old URLs from a site migration, .htaccess is the right tool for permanent (301) redirects at scale.

Force HTTPS — every wordpress htaccess guide worth its salt leads with this rule, and it should be on every single WordPress site in existence. No exceptions:

# Force HTTPS

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Force non-www (or www — pick one and commit):

# Force non-www

RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

For individual URL redirects — like when you change a slug after publishing — you can add simple rules without touching the WordPress rewrite block. This is also critical during site migrations and when consolidating old content. Use the WordPress Permalink Structure guide to make sure your slug strategy is solid before you start redirecting.

# Individual 301 Redirects
Redirect 301 /old-page/ https://yoursite.com/new-page/
Redirect 301 /another-old-url/ https://yoursite.com/correct-url/

“A server configuration file that most developers never touch is also the most powerful performance and security tool available to them. Ignorance of .htaccess is not bliss — it is vulnerability.”

Apache HTTP Server Project, Apache .htaccess Documentation

.htaccess vs Nginx — What If You Are Not on Apache?

Here is the hard truth this wordpress htaccess guide cannot avoid: if your hosting runs Nginx, none of these .htaccess rules do anything. Nginx does not read .htaccess files at all. It uses a completely different configuration system based on server blocks and location blocks in nginx.conf.

How do you know which server you are on? Check your hosting control panel, or use a header-checker tool to inspect the Server response header. Shared hosting (Bluehost, SiteGround, HostGator) is almost always Apache. High-performance VPS setups often run Nginx or OpenLiteSpeed.

If you are on Nginx, the WordPress permalink equivalent lives in your server block config. Check the official WordPress Developer Resources on web server configuration for the Nginx equivalent rules. The concepts are the same; the syntax is completely different. That is why learning the Apache rules in this guide pays off long term, whichever server you end up on.


Troubleshooting Common .htaccess Problems in WordPress

Every wordpress htaccess guide needs a troubleshooting section because you will break something eventually. The good news: almost every .htaccess problem has the same root cause — a syntax error, a misplaced directive, or a conflict with a module that is not loaded on your server. Knowing how to diagnose fast is the difference between 30 seconds of downtime and 30 minutes of panic.

The most common failure is an instant 500 Internal Server Error immediately after saving the file. This wordpress htaccess guide’s golden rule applies here: restore your backup. If you do not have one, rename the file to .htaccess.bak via FTP or SSH, then go to Settings → Permalinks → Save Changes to force WordPress to regenerate a clean default. Your site will come back online within seconds.

Another frequent issue is pretty permalinks suddenly returning 404 errors. This usually means the WordPress rewrite block got stripped from .htaccess, or Apache does not have mod_rewrite loaded. Check with apachectl -M | grep rewrite over SSH. If it is not listed, contact your host. For a full debug workflow when .htaccess issues cascade into deeper errors, reference the How to Debug WordPress guide.

If your custom rules work locally but fail on production, check whether your host allows AllowOverride All in the Apache main config. Cheap shared hosting sometimes restricts which .htaccess directives are honored — which means half the rules in this wordpress htaccess guide silently get ignored. Ask your host, or check the Apache .htaccess documentation for the full list of contexts and overrides.

Finally, if your redirects loop infinitely (ERR_TOO_MANY_REDIRECTS), the usual culprit is conflicting HTTPS force rules between .htaccess and a CDN or reverse proxy. Audit both layers. Test every rule in isolation: add one block, test, add the next. If something breaks, you know exactly which rule did it.
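The redirect-loop case deserves a concrete walk-through, because the Force HTTPS rule from the redirects section is correct on a bare Apache box and wrong behind a TLS-terminating CDN or reverse proxy. The model below is an added example, not the page's code: it replays one browser request through a stand-in proxy and origin for the page's rule and for a proxy-aware variant that adds a second RewriteCond on the X-Forwarded-Proto header. It assumes the proxy forwards to the origin over plain HTTP and sets X-Forwarded-Proto to the scheme the visitor used; most CDNs and reverse proxies do, but that header name and behaviour are not part of the page, so check yours.

```python
"""Why a Force-HTTPS rule loops behind a TLS-terminating CDN or reverse proxy.

Added example, not the page's code. Models two RewriteCond variants:

    # the page's rule: fires whenever the origin's own socket is plain HTTP
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # proxy-aware variant: also requires that the proxy did not already
    # receive the request over HTTPS (assumes the proxy sets this header)
    RewriteCond %{HTTPS} off
    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
"""

MAX_HOPS = 20   # browsers give up around here (ERR_TOO_MANY_REDIRECTS)


def https_off(req: dict) -> bool:
    """RewriteCond %{HTTPS} off"""
    return not req["origin_tls"]


def proxy_aware_off(req: dict) -> bool:
    """RewriteCond %{HTTPS} off  AND  RewriteCond %{HTTP:X-Forwarded-Proto} !https"""
    return not req["origin_tls"] and req["headers"].get("X-Forwarded-Proto") != "https"


def after_redirect(behind_proxy: bool) -> dict:
    """What the origin sees once the browser has followed a redirect to https://."""
    if behind_proxy:
        # The CDN terminates TLS, talks plain HTTP to the origin and records
        # the visitor's scheme in a header: %{HTTPS} stays 'off' forever.
        return {"origin_tls": False, "headers": {"X-Forwarded-Proto": "https"}}
    return {"origin_tls": True, "headers": {}}


def follow(first_request: dict, condition, behind_proxy: bool) -> int:
    """Number of redirects the browser sees before landing, or -1 if the rule
    keeps firing and the browser would give up."""
    req = dict(first_request)
    hops = 0
    while condition(req):
        hops += 1
        if hops > MAX_HOPS:
            return -1
        req = after_redirect(behind_proxy)
    return hops


# Constructed starting points: what the origin sees on the visitor's first request.
HTTP_DIRECT = {"origin_tls": False, "headers": {}}                               # no proxy, http://
HTTP_VIA_PROXY = {"origin_tls": False, "headers": {"X-Forwarded-Proto": "http"}}   # proxy, http://
HTTPS_VIA_PROXY = {"origin_tls": False, "headers": {"X-Forwarded-Proto": "https"}} # proxy, https://

if __name__ == "__main__":
    print("direct,    page's rule       :", follow(HTTP_DIRECT, https_off, False))
    print("via proxy, page's rule       :", follow(HTTP_VIA_PROXY, https_off, True))
    print("via proxy, proxy-aware rule  :", follow(HTTP_VIA_PROXY, proxy_aware_off, True))
    print("already https via proxy      :", follow(HTTPS_VIA_PROXY, proxy_aware_off, True))
```

The second line of output is the loop: behind the proxy, %{HTTPS} is off on every hop, so the page's rule redirects forever. The proxy-aware variant fixes that, with one caveat worth stating plainly: trusting X-Forwarded-Proto is only safe when the origin accepts connections solely from the proxy, since any client that can reach the origin directly can send that header itself and skip the redirect. Lock the origin down to the proxy's addresses, or let the proxy enforce HTTPS at the edge and drop the .htaccess rule, which is the "audit both layers" advice above in practice.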


FAQ — WordPress .htaccess Guide

What is the default WordPress .htaccess code?

The default WordPress .htaccess code is generated automatically when you set a permalink structure under Settings → Permalinks. It contains a mod_rewrite block wrapped in # BEGIN WordPress and # END WordPress markers. This block routes all non-file, non-directory requests through WordPress’s index.php front controller, enabling pretty URLs. This wordpress htaccess guide shows the exact default code in the section above.

Is it safe to edit the .htaccess file in WordPress?

Yes, with preparation. Download a backup copy before making any changes. Edit outside the # BEGIN WordPress / # END WordPress markers. Test your site immediately after saving. A syntax error causes an instant 500 error, but restoring the backup file fixes it instantly. If you are comfortable with that risk and have a backup, editing .htaccess is completely safe and highly beneficial.

Where is the .htaccess file located in WordPress?

The .htaccess file is located in the root directory of your WordPress installation — the same directory that contains wp-config.php, wp-admin/, and wp-content/. It is a hidden file (dotfile) so you need to enable “show hidden files” in your FTP client or file manager to see it. Via SSH, ls -la in your WordPress directory will reveal it. See the What Is wp-config.php guide for context on navigating your WordPress root directory.

How do I fix a broken .htaccess file in WordPress?

If your site is throwing a 500 error due to a bad .htaccess edit, reupload your backup copy via FTP immediately. If you do not have a backup, delete the .htaccess file entirely and then go to Settings → Permalinks → Save Changes to regenerate the default WordPress version. This will not include your custom rules, but it will get your site back online. Then add your custom rules back carefully, one section at a time.

Can .htaccess improve WordPress site speed?

Absolutely. Browser caching rules via mod_expires tell visitors’ browsers to store static assets locally. Gzip compression via mod_deflate shrinks file sizes before they are sent over the network. Both of these are zero-cost performance wins that require no plugin. This is one of the most underused techniques in WordPress performance optimization — and this wordpress htaccess guide gives you the exact code to implement both.

⚔️ Pirate Verdict

The wordpress htaccess guide you just read is not theory — it is the config file that separates sites that get owned from sites that do the owning. Security headers, bad bot blocking, file protection, browser caching, Gzip compression, HTTPS enforcement — all of it is sitting in a single text file that most WordPress site owners have never opened. The SaaS industry built a billion-dollar business selling you plugin interfaces on top of rules you could write yourself in 10 minutes. Stop paying rent to occupy your own server. Learn your .htaccess. Lock down your config. And if your hosting does not support Apache mod_rewrite, get hosting that does — because shared hosting that respects your server config is not hard to find. Sail your own ship.

Conclusion

This wordpress htaccess guide covered everything from the bare default WordPress rewrite block to security hardening, performance rules, redirect patterns, Nginx alternatives, and troubleshooting the most common failure scenarios. The .htaccess file is not scary — it is the most direct line of control you have over how Apache serves your WordPress site.

Use the security rules to lock down your wp-config.php, block XML-RPC, disable directory indexing, and add HTTP security headers. Use the performance rules to enable browser caching and Gzip compression without paying for a plugin. Use redirect rules to enforce HTTPS and handle URL changes cleanly. Every rule in this wordpress htaccess guide is battle-tested and production-ready.

If you want to go further, pair this wordpress htaccess guide with the WordPress security hardening guide, check your PHP version compatibility, and make sure your file permissions are locked down at the OS level too. And if you are dealing with SVG uploads — which carry their own security implications — check out Secure SVG Pro in the AODN arsenal. Own your stack. Own your config. No SaaS required.
