How to Use the .htaccess File to Improve Your WordPress Site

.htaccess is one of the core files for any WordPress website. While the file is primarily used to store the permalinks data for your site, you can also use this to improve the performance of your website.

In today’s post, I am going to show you the best ways to use the .htaccess file to improve your WordPress site.

In case you don’t know where to find the .htaccess file or how to edit the file, we have published an in-depth tutorial on that topic. Check out the tutorial to know what the .htaccess file is, where will you find it, and how to create and edit the file.

Now that we have taken care of the basics, let’s find out how to use the .htaccess file to improve your WordPress site.

1. Enable Caching

Caching is an excellent way to improve your website’s loading speed. This is especially useful for the repeat visitors that browse your website on a regular basis. During the first visit, their browser has to download all the images, CSS, JavaScript files, and so on. There is no way to avoid that.

But you can enable browser caching so that these files are stored in their browser. That means the browser won’t have to request and download the files for their subsequent visits, resulting in a significantly faster loading speed.

When setting up browser cache, you need to set an expiration time for the cache. While this time varies depending on your website and the visitors, the following code will work for most sites –

# BEGIN Expire headers
<ifModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 5 seconds"
ExpiresByType image/x-icon "access plus 2592000 seconds"
ExpiresByType image/jpeg "access plus 2592000 seconds"
ExpiresByType image/png "access plus 2592000 seconds"
ExpiresByType image/gif "access plus 2592000 seconds"
ExpiresByType application/x-shockwave-flash "access plus 2592000 seconds"
ExpiresByType text/css "access plus 604800 seconds"
ExpiresByType text/javascript "access plus 216000 seconds"
ExpiresByType application/javascript "access plus 216000 seconds"
ExpiresByType application/x-javascript "access plus 216000 seconds"
ExpiresByType text/html "access plus 600 seconds"
ExpiresByType application/xhtml+xml "access plus 600 seconds"
</ifModule>
# END Expire headers

2. Gzip Files

Enabling gzip compression could be another way to improve the loading speed of your website. When using the method. All the server responses will be compressed before sending back to the visitor. As a result, the server will have to send fewer data back to the visitor, which will lead to faster page loads.

To enable gzip compression to your website, add the following code to the .htaccess file –

<ifModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</ifModule>

Once you have added the code, you can use the Check GZIP compression tool to ensure that your site is getting the correct header from the server.

3. Prevent Image Hotlinking

Image hotlinking is a common malpractice in the world of internet. It happens when someone uses an image that is located on your server. While they show the image on their website(s), they are using your bandwidth to do so.

You can prevent image hotlinking by adding the following code to your .htaccess file –

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?your-site.com/.*$ [NC]
RewriteRule \.(gif|jpg|jpeg|png)$ http://www.your-site.com/hotlink.png [R,L]

You need to change two things in the code provided above –

i) Replace “your-site.com” with your domain name and

ii) Replace hotlink.png with your own file name. This file will be displayed in place of the image they are trying to show from your site.

4. Thwart Spammers

Similar to image hotlinking, spammers also eat up your bandwidth and misuse the website resources. Thwarting the spammers could be another effective way to improve your website performance. While there are several ways to detect spammers, the most common one is their no-referrer attribute.

Use the following code to stop spammers with no-referrer from accessing your site –

RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*your-site.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]

Don’t forget to replace “your-site.com” with your domain name.

5. Protect Crucial Files

Another excellent way to use the .htaccess file is to protect the crucial website files like wp-config.php, php.ini, and the error logs. The following code will let you do that –

<FilesMatch "^.*(error_log|wp-config\.php|php.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all
</FilesMatch>

Adding this code will prevent anyone from accessing these crucial files. However, some hosts may not have the “php.ini” file. In that case, you should use “php5.ini” as the file name.

6. Restrict Access to the Admin Section

If you use specific IP addresses to access your website, you can prevent all other IP addresses from accessing the admin section. This will ensure better security for your site.

Here is the code to do that –

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
allow from xxx.xxx.xx.xxx
allow from xxx.xxx.xx.xxx
</LIMIT>

You can add as many IP addresses as you want. Just make sure you are replacing the “xxx.xxx.xx.xxx” values with the IP addresses.

7. Disable Directory Browsing

WordPress follows a fixed directory structure, which is common knowledge. That means anyone can view the files and folders inside your wp-content and wp-includes directories.

That is not a good practice in terms of website security, because anyone can target the files and folders that are available without any restrictions.

You can prevent this massive security risk by adding this single-line code to your .htaccess file –

Options All -Indexes

8. Prevent Access to PHP Files

While you should prevent access to the core WordPress folders, it is also crucial to block access to the theme and plugin PHP files on your site. As hackers and other abusers can inject malicious code into the PHP files, you should make it harder for them to find out these files.

Add the following code to the .htaccess file to block direct access to the PHP files –

RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]

9. Disable PHP File Execution

When it comes to website security, there is no specific point when you can feel relaxed. Rather, you need to take all the possible actions to keep your website secure from hackers. Disabling PHP file execution is one such action.

When PHP file execution is disabled, hackers will not be able to run malicious code on your site, even if they find a way to infiltrate your files. In most cases, hackers will try to execute the file from the “uploads” folder. The following code will prevent that from happening –

<Directory "/var/www/wp-content/uploads/">
<Files "*.php">
Order Deny,Allow
Deny from All
</Files>
</Directory>

10. Block Username Scans

Performing author scans is a common technique to find existing usernames from a WordPress site. Once the hackers find a username, they have half the information necessary to gain access to your website. Now, they only have to worry about finding the password for that account.

Since you want to be confident about your website security, you should make it as hard as possible for the hackers. That’s why you need to block username scans as well.

Add the following code to your .htaccess file to prevent username scans on your site –

RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]

Final Words

.htaccess opens up lots of new opportunities to improve the performance of your WordPress site. Now that you know the best ways to utilize the .htaccess file, choose which ones you will use, and get started.

Let me know which tips you are going to try. And if you know any other technique about using the .htaccess file to improve website performance, let me know that too.

Leave a Reply