Working With The .htaccess File In WordPress
WordPress is a great platform made all the better by the detailed and powerful standard WordPress dashboard. You can achieve much in terms of customizing the way that your site feels and functions by simply using the tools that WordPress has made available to you as standard.
There is a time in any website owner’s life when you must go beyond this functionality. Working with the WordPress .htaccess file can be one way to do this. The .htaccess file can be used to achieve several useful things. We’ve previously covered some of them, including a process for making regex redirects in WordPress and a more general overview of header redirects for WordPress. In both of these guides, we accessed and edited the .htaccess file without explaining why the file is there in the first place and how you can use it.
That’s the purpose of this article. First, we’ll look at what the .htaccess file does in the standard WordPress setup. Then, we’ll explain how you can access it and edit it. Finally, we’ll show you why you might want to do that.
What Is The .htaccess File?
Let’s get the basics out of the way first. The .htaccess file is not technically a WordPress file. To put it more accurately, the .htaccess file is a file that is used by the Apache web server. That’s the A in LAMP, the tech stack that you host WordPress on.
The .htaccess file shares some characteristics with the other files that your WordPress site uses for configuration. The filename is hidden and must be unhidden to be edited. It also sits in the root directory of your WordPress site. The .htaccess file provides web hosts with the following abilities:
- URL Rewriting and Redirects: Allows rewriting URLs, managing redirects (301, 302), creating custom URL structures, and redirecting from HTTP to HTTPS based on patterns or user agents.
- Access Control: Controls access to parts of the website by password-protecting directories, restricting access by IP, or limiting access to specific files or directories.
- Custom Error Pages: Defines custom error pages for HTTP status codes like 404 (Page Not Found), 403 (Forbidden), and 500 (Internal Server Error), enhancing user experience.
- MIME Type and Charset Management: Specifies file MIME types and character encoding, allowing certain files to download directly and setting charsets for internationalization.
- Caching and Compression: Sets caching rules and enables Gzip compression for files to improve site speed by caching specific file types and compressing text-based files like HTML, CSS, and JavaScript.
- Security Enhancements: Implements security features such as disabling directory browsing, blocking access to specific file types, and preventing hotlinking of images.
- File Permissions and Execution Control: Manages which types of files can be executed or accessed, such as disabling PHP execution in certain directories or preventing public access to specific files.
- Canonical URLs: Sets up canonical URLs to prevent duplicate content, redirecting all requests to either www or non-www versions of the website.
- Force SSL and WWW/Non-WWW: Enforces SSL by redirecting all requests to HTTPS and standardizes URLs by redirecting to either the www or non-www version of the website.
Hidden behind this simple description is a lot of complexity, however. This is because many site owners, plugins, and themes change the way that permalinks are used within your WordPress site. Every time you (or a plugin) change the way that your permalinks work, these changes are stored in the .htaccess file.
In principle, this is a pretty good system and is secure. However, in the real world, it can create real problems. One is that because 75% of developers use JavaScript, and are therefore not comfortable using Apache, many plugins can overwrite the .htaccess file to leave your site insecure. Fixing (or indeed even spotting) this kind of issue is beyond our scope here. Still, the standard caveats about plugins apply – only install those you trust and that are regularly updated to fix security holes like this.
Finding And Editing The .htaccess File
Although the .htaccess file is mainly used by WordPress to handle your site’s permalinks, you can edit it to achieve a number of useful outcomes. These include redirects or simply improving your site’s security by limiting outside access to particular pages.
In this section, we’ll show you how to do that. But first…
WARNING: Editing the .htaccess file can break your website.
Making any changes to the fundamental files that your site runs on is risky. You should always back up your site before making any changes to it, and experiment without affecting the live site.
In fact, there is a good reason why the .htaccess file is not available for most WordPress users. WordPress has a clear majority of the market share for small business websites, and this means that many of their users are, shall we say, not the most technically inclined. This is why the .htaccess file is hidden by default – to avoid novice users making mistakes.
Accessing And Editing The .htaccess File
With all that out of the way, let’s look at how you can access the .htaccess file. In order to do that:
- Create a connection to the website using an FTP or SFTP client. There are plenty of free, great FTP clients out there. Read through the documentation provided to make an FTP connection to your site.
- Once you’ve established an FTP connection, you’ll be shown all the files that make up your site. Have a look through these folders, and you’ll see one called the root directory.
- Inside this folder, you’ll see your .htaccess file. It will normally be near the top of the list of files in that folder. Click on the file, and then click view/edit.
- The file will open in the text editor.
And that’s it. You’re now allowed to make changes to your file, but take note you might not want to do that. We’ll show you how to use this file in the next section, but before we do, it’s a good idea to make a local copy of your .htaccess file (using the standard “save as” dialog), make your changes locally, and then upload the file to a staged site (as we noted above).
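The local copy made here can also serve as a baseline for spotting a later overwrite of the live file, the plugin problem raised earlier. The following is an added example, not code from the original article: the function names and both sample files are constructed for illustration, and the list of protective directives is an assumption that covers only a few common cases.

```python
import re

# Directives whose disappearance usually weakens the site (assumed short list).
PROTECTIVE = re.compile(
    r"^(Deny from all|Require all denied|Options .*-Indexes)", re.I)

def directives(text):
    """Return non-blank, non-comment lines with whitespace collapsed."""
    lines = (" ".join(raw.split()) for raw in text.splitlines())
    return [line for line in lines if line and not line.startswith("#")]

def htaccess_drift(baseline, current):
    """Compare the saved copy with the live file, directive by directive."""
    old, new = directives(baseline), directives(current)
    removed = [d for d in old if d not in new]
    added = [d for d in new if d not in old]
    return {
        "removed": removed,
        "added": added,
        "lost_protection": [d for d in removed if PROTECTIVE.match(d)],
    }

# Constructed sample: the copy saved before editing.
BASELINE = r"""
# BEGIN WordPress
RewriteEngine On
RewriteRule . /index.php [L]
# END WordPress
Options -Indexes
<FilesMatch "wp-config\.php">
Order deny,allow
Deny from all
</FilesMatch>
"""

# Constructed sample: the live file after something rewrote it.
CURRENT = r"""
# BEGIN WordPress
RewriteEngine On
RewriteRule . /index.php [L]
# END WordPress
Options +Indexes
"""

if __name__ == "__main__":
    for key, lines in htaccess_drift(BASELINE, CURRENT).items():
        print(key, lines)
```

Run against the saved copy after every plugin install or update; a non-empty `lost_protection` list means an access rule that was in the baseline is no longer in the live file.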
Using The .htaccess File
Now you are ready to start using the extra functionality provided by the .htaccess file. Let’s start out with a few basic ones.
- 301 redirects: The 301 redirect is a tiny piece of code that sends visitors from one page to another and is necessary if you transfer a particular blog post that is linked to from an external site. Alternatively, you can use the .htaccess file to redirect the website. You can also direct visitors from an older HTTP site to a new, more secure HTTPS version. Add this to the .htaccess file:
Redirect 301 /oldpage.html /newpage.html
- 301 redirects using Regular Expressions: Regex is a powerful tool supported by Apache .htaccess that identifies patterns to redirect. In the example below, I’m redirecting any links with a language code in the Martech Zone URL to a subdomain of the same code.
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} ^martech\.zone$ [NC]
# $1 is the language code captured by the RewriteRule pattern, $2 the rest of the path
RewriteRule ^(af|am)/(.*)$ https://$1.martech.zone/$2 [L,R=301]
- Security – There are also a number of ways to use the .htaccess file to apply advanced security strategies for WP. One of these is to lock down access to particular files so that only users with the correct authentication can access the core files that your WordPress site runs on. You can use this code, appended to the end of your .htaccess file, to limit access to a number of core files:
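# Deny all HTTP requests for these files (they stay reachable over FTP/SSH)
<FilesMatch "^.*(error_log|wp-config\.php|php\.ini|\.[hH][tT][aApP].*)$">
# Apache 2.2 syntax; Apache 2.4 accepts it through mod_access_compat,
# and its native equivalent is "Require all denied"
Order deny,allow
Deny from all
</FilesMatch>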
- Modify URLs – Another useful feature of the .htaccess file, albeit a more complex one to implement, is that the file can be used to control the way that URLs are displayed when your visitors access your site. To do that, you will need to make sure you are using the most recent version of Apache. The rule below makes the URL of one page appear different to visitors. This last example is – perhaps – a little too complex for most users just getting used to the .htaccess file. However, I’ve included it to show you the scope of what can be achieved with the file. Append this to your .htaccess file:
RewriteEngine on
# Requests for oranges.html are served apples.html; the address bar still shows oranges.html
RewriteRule ^oranges\.html$ apples.html
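To see how the regex redirect in the list above picks its target, here is an added example (not code from the original article) that simulates its two RewriteCond lines and its RewriteRule in Python. The function name `apply_rule` and the sample requests are constructed, and Python's `re` stands in for Apache's PCRE engine. It shows why the language code has to come from `$1`: `%N` refers to groups captured by the last matched RewriteCond, and that condition captures nothing.

```python
import re

def apply_rule(host, https, path, backref="$1"):
    """Return the redirect target for one request, or None if the rule does not fire.

    backref selects which backreference fills the subdomain, so the
    results of "$1" and "%1" can be compared.
    """
    # RewriteCond %{HTTPS} on
    if not https:
        return None
    # RewriteCond %{HTTP_HOST} ^martech\.zone$ [NC]
    cond = re.search(r"^martech\.zone$", host, re.IGNORECASE)
    if cond is None:
        return None
    # In .htaccess the leading slash is stripped before the pattern is tested.
    rule = re.search(r"^(af|am)/(.*)$", path.removeprefix("/"))
    if rule is None:
        return None
    if backref == "$1":
        sub = rule.group(1)            # group from the RewriteRule pattern
    else:
        groups = cond.groups()         # groups from the last RewriteCond
        sub = groups[0] if groups else ""
    return f"https://{sub}.martech.zone/{rule.group(2)}"

if __name__ == "__main__":
    # Constructed requests: (host, https, path)
    for req in [("martech.zone", True, "/af/some-post/"),
                ("af.martech.zone", True, "/af/some-post/"),
                ("martech.zone", True, "/about/")]:
        print(req, "->", apply_rule(*req))
    print("%1 gives:", apply_rule("martech.zone", True, "/af/x", backref="%1"))
```

The host condition is also what stops a redirect loop: a request that already arrives on `af.martech.zone` fails it and is left alone.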
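For the FilesMatch rule in the Security item above, it helps to check which file names the pattern really covers before relying on it. This is an added example, not code from the original article: it extracts every deny-all FilesMatch container from a constructed .htaccess text and tests constructed file names against it, on the assumptions that Python's `re` behaves like Apache's regex engine for this pattern and that the pattern is tested against the file's base name.

```python
import re

BLOCK = re.compile(
    r'<FilesMatch\s+"(?P<rx>[^"]+)">(?P<body>.*?)</FilesMatch>', re.S | re.I)
DENY = re.compile(r"^\s*(Deny from all|Require all denied)\s*$", re.I | re.M)

def deny_patterns(htaccess_text):
    """Compiled regexes of every <FilesMatch> container that denies all requests."""
    return [re.compile(m["rx"]) for m in BLOCK.finditer(htaccess_text)
            if DENY.search(m["body"])]

def audit(htaccess_text, filenames):
    """Split file names into those a deny rule covers and those still served."""
    patterns = deny_patterns(htaccess_text)
    denied = [n for n in filenames if any(p.search(n) for p in patterns)]
    served = [n for n in filenames if n not in denied]
    return denied, served

# Constructed sample: the rule from the article, every literal dot escaped.
SAMPLE_HTACCESS = r"""
<FilesMatch "^.*(error_log|wp-config\.php|php\.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all
</FilesMatch>
"""

# Constructed file names, including editor and backup copies.
NAMES = ["wp-config.php", ".htaccess", ".htpasswd", "error_log", "php.ini",
         "wp-config.php.bak", "wp-config.php~", ".user.ini", "index.php"]

if __name__ == "__main__":
    denied, served = audit(SAMPLE_HTACCESS, NAMES)
    print("denied:", denied)
    print("served:", served)
```

Backup copies such as `wp-config.php.bak` fall outside the pattern, so either keep them out of the web root or extend the rule to cover them.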
Going Further With .htaccess
Working with the .htaccess file is a great way to learn about how your WordPress site works at a more fundamental level, and to give you a glimpse of the huge scope for customization that even a standard WP site affords you. Once you’ve mastered working with the .htaccess file by making the basic changes we’ve described above, a wealth of options opens up to you. One, as we’ve previously covered, is the ability to reset your WordPress blog.
Another is that many of the ways to improve your WordPress security involve either changing the .htaccess file directly, or using the same FTP system to make changes to other root files. In other words, once you start looking into the nuts and bolts of your site, you’ll find endless possibilities for customization and improvement.