WordPress Htaccess Tips And Tricks

Last Updated on January 17, 2023 (115 Comments)


The .htaccess file is a configuration file that allows you to control files and folders in the current directory, and all sub-directories. The filename is a shortened name for hypertext access and is supported by most servers.

For many WordPress users, their first meeting with the .htaccess file is when they customize their website’s permalink settings. To get those pretty permalinks that we all know and love (e.g. https://www.elegantthemes.com/sample-post/ instead of https://www.elegantthemes.com/?p=123), we need to add something like this to the .htaccess file:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

If no .htaccess file exists, you can create one yourself and upload it. All you have to do is create a blank text file, save it as .htaccess and upload it to the root of your WordPress installation. Be sure to include the period at the start of the filename (i.e. save the file as .htaccess and not htaccess).

You also need to ensure your .htaccess file is writeable so that WordPress can add the appropriate permalink code to your .htaccess file. WordPress.org advises file permissions of 644 for the .htaccess file.

Htaccess File is Hidden

The .htaccess file is a hidden file. You therefore need to ensure your FTP client or file manager is configured to display the file in your directory.

The .htaccess file is not only used for permalinks. The file is better known for its ability to strengthen the security of a website. Millions of WordPress users use the .htaccess file to protect their websites from spammers, hackers, and other known threats.

In this article, I would like to share with you several snippets for .htaccess that will make your website secure. I have also included a few additional snippets that I believe you will find useful.

You may have noticed in my permalink example above that the code begins with # BEGIN WordPress and ends with # END WordPress. WordPress can update any code that is placed within those tags. You should therefore add the snippets shown in this article at the top or bottom of your .htaccess file (i.e. before # BEGIN WordPress or after # END WordPress).

Be Careful

The .htaccess file is one of the most temperamental files you will encounter when using WordPress. It only takes one character to be out of place for the code to be incorrect. When that happens, it will usually cause your whole website to go down. It is therefore vital that you copy the code noted in this article correctly to your own .htaccess file.

Even if you are cautious, accidents can happen, and they frequently do.

Do not cut any corners when working with the .htaccess file. Before you begin, make a backup of your current working version of .htaccess. Store it in a safe place on your computer, and if possible, in another location such as a USB flash drive or on cloud storage.

Whenever you update your .htaccess file on your server, refresh your website to see if your website is still live. Do not skip this step as it is vital that you verify your website is still working correctly. If your website returns a blank screen, immediately revert back to your saved copy of .htaccess by uploading it over the version with errors.

If you cannot locate your backup file, either upload a blank .htaccess file or delete the .htaccess file altogether. This will get your website back online, which will obviously be your priority when your website goes offline.

Do not take any chances with .htaccess. Always have a backup. You have been warned 🙂
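
A pre-upload check for the two mistakes this section warns about, as an added example (not code from the original article): it reports section tags that are never closed and snippets placed inside the # BEGIN WordPress / # END WordPress block. The function name, the sample file and the set of directives WordPress is assumed to write are illustrative assumptions.

```python
import re

# Container tags such as <IfModule mod_rewrite.c> and </IfModule>.
OPEN_RE = re.compile(r"^<\s*([A-Za-z]+)\b[^>]*>$")
CLOSE_RE = re.compile(r"^</\s*([A-Za-z]+)\s*>$")
BEGIN_WP, END_WP = "# BEGIN WordPress", "# END WordPress"
# Assumption: the only directives WordPress writes inside its own block.
WP_DIRECTIVES = {"rewriteengine", "rewritebase", "rewriterule", "rewritecond"}

# Constructed sample: a permalink block with its closing tag missing, a custom
# line pasted inside the WordPress markers, and an unclosed <files> section.
SAMPLE = r"""# disable directory browsing
Options -Indexes

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
deny from all
# END WordPress

<files wp-config.php>
order allow,deny
deny from all
"""


def lint_htaccess(text):
    """Return sorted (line_number, message) pairs for structural problems."""
    problems, stack = [], []          # stack holds (section_name, line_opened)
    in_wp, wp_depth = False, 0
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line == BEGIN_WP:
            in_wp, wp_depth = True, len(stack)
            continue
        if line == END_WP:
            # Sections opened inside the managed block must be closed by now.
            while in_wp and len(stack) > wp_depth:
                name, opened = stack.pop()
                problems.append((opened, f"<{name}> is never closed"))
            in_wp = False
            continue
        if not line or line.startswith("#"):
            continue
        closing, opening = CLOSE_RE.match(line), OPEN_RE.match(line)
        if closing:
            name = closing.group(1)
            if not stack:
                problems.append((number, f"</{name}> has no opening tag"))
            else:
                open_name, _ = stack.pop()
                if open_name.lower() != name.lower():
                    problems.append((number, f"</{name}> closes <{open_name}>"))
        elif opening:
            name = opening.group(1)
            if in_wp and name.lower() != "ifmodule":
                problems.append((number, "custom section inside the WordPress block"))
            stack.append((name, number))
        elif in_wp and line.split()[0].lower() not in WP_DIRECTIVES:
            problems.append((number, "custom directive inside the WordPress block"))
    problems.extend((opened, f"<{name}> is never closed") for name, opened in stack)
    return sorted(problems)


if __name__ == "__main__":
    for line_number, message in lint_htaccess(SAMPLE):
        print(f"line {line_number}: {message}")
```

Run it against the file you are about to upload; an empty result only means the structure is balanced, so you still need to reload the site after uploading.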

1. Protect .htaccess

Due to how much control .htaccess has over your whole website, it is important to protect the file from unauthorised users. The following snippet will stop hackers from accessing your .htaccess file. You can, of course, still edit the file yourself via FTP and through your hosting control panel’s file manager.

# Deny web access to .htaccess and other .hta* files
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

2. Protect WP-Config.php

Another important file is wp-config.php. This configuration file contains the login information for your WordPress database as well as other important maintenance settings. It is therefore advisable to disable access to it.

# Deny web access to wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

3. Protect /Wp-Content/

The wp-content directory is one of the most important areas of your WordPress website. It is where vital files are located such as your themes, plugins, uploaded media (images and videos), and cached files.

Due to this, it is one of the main targets of hackers. When a spammer managed to compromise an old website of mine last year, he did it by uploading a mail script to my uploads folder. He then proceeded to send out spam mail using my server, which subsequently placed my server on spam blacklists.

You can tackle threats like this by creating a separate .htaccess file and adding the following code to it:

# Deny everything in wp-content except the listed static file types
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>

You then need to upload this separate .htaccess file to the main wp-content directory i.e. www.yourwebsite.com/wp-content/. Doing this will allow files with the listed extensions to be requested, including XML, CSS, JPG, JPEG, PNG, GIF, and JavaScript. All other file types will be denied.
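
To see what this allow-list does before uploading it, the added example below (not code from the original article) emulates the rule against request paths and summarises which wp-content requests a server log shows as denied. The log lines are constructed, the pattern is the one above with the dot escaped, and the font extensions are the ones readers report adding in the comments.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# The allow-list from this section and the variant with font types added.
ARTICLE_PATTERN = r"\.(xml|css|jpe?g|png|gif|js)$"
WITH_FONTS = r"\.(xml|css|jpe?g|png|gif|js|woff|ttf|svg|eot)$"

# Request path and status code from a combined-format access log line.
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3}) ')

# Constructed log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2014:10:00:01 +0000] "GET /wp-content/themes/demo/style.css HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Mar/2014:10:00:01 +0000] "GET /wp-content/themes/demo/fonts/icons.woff HTTP/1.1" 403 199',
    '198.51.100.7 - - [10/Mar/2014:10:00:02 +0000] "GET /wp-content/themes/demo/fonts/icons.ttf?v=2 HTTP/1.1" 403 199',
    '198.51.100.7 - - [10/Mar/2014:10:00:03 +0000] "GET /wp-content/uploads/2014/03/IMG_0001.JPG HTTP/1.1" 403 199',
    '203.0.113.9 - - [10/Mar/2014:10:05:00 +0000] "POST /wp-content/uploads/mail.php HTTP/1.1" 403 199',
    '203.0.113.9 - - [10/Mar/2014:10:05:04 +0000] "GET /wp-admin/ HTTP/1.1" 403 199',
]


def is_served(url_path, pattern):
    """Emulate 'Deny from all' plus '<Files ~ pattern> Allow from all'.

    <Files> is matched against the file name only, not the directory part,
    and the match is case-sensitive, as the pattern is written.
    """
    name = PurePosixPath(url_path.split("?", 1)[0]).name
    return re.search(pattern, name) is not None


def denied_extensions(log_lines):
    """Count 403 responses under /wp-content/ by file extension."""
    counts = Counter()
    for line in log_lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        path, status = match.group(1).split("?", 1)[0], match.group(2)
        if status == "403" and path.startswith("/wp-content/"):
            counts[PurePosixPath(path).suffix or "(none)"] += 1
    return dict(counts)


if __name__ == "__main__":
    # Which file types is the rule turning away?
    print(denied_extensions(SAMPLE_LOG))
    # Would the extended pattern serve fonts while still denying the PHP script?
    for path in ("/wp-content/themes/demo/fonts/icons.woff",
                 "/wp-content/uploads/2014/03/IMG_0001.JPG",
                 "/wp-content/uploads/mail.php"):
        print(path, is_served(path, ARTICLE_PATTERN), is_served(path, WITH_FONTS))
```

The upper-case .JPG upload stays denied under both patterns because the match is case-sensitive, so check how your media files are actually named before relying on the list.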

4. Block Include-Only Files

There are certain files that never have to be accessed by the user. You can block access to these files by adding the following code to your .htaccess file:

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

5. Restrict Access to the Admin Area

Another entry point for hackers is the WordPress admin area. If they gain access to this area, they can do almost anything to your website.

To make this area more secure, create a new .htaccess file and add the code below to it:

# Limit logins and admin by IP
# xx.xx.xx.xxx is a placeholder for your own IP address
order deny,allow
deny from all
allow from xx.xx.xx.xxx

Be sure to change xx.xx.xx.xxx to your own IP address (you can find out your IP address at What Is My IP?). Then upload the file to your website’s /wp-admin/ folder i.e. www.yourwebsite.com/wp-admin/.

This will allow you to access your WordPress admin area, but will block everyone else.

Additional IP addresses can be added for other administrators and staff. You can do this by adding additional allow lines or listing their IP addresses in the main allow line and separating them using commas. For example:

allow from,,

6. Ban Someone From Your Website

If you know the IP address of a malicious party, you can completely ban them from your website using the snippet below. For example, you could ban someone who always leaves abusive comments or someone who has attempted to access your admin area.

<Limit GET POST>
order allow,deny
deny from 123.456.78.9
deny from 987.654.32.1
allow from all
</Limit>

7. Send Visitors to a Maintenance Page

Maintenance plugins such as Ultimate Maintenance Mode and Maintenance are useful for displaying a temporary message to visitors when you are developing a website, or when working in the background to update your website.

Unfortunately, maintenance plugins are of little help if you face the infamous WordPress White Screen of Death. They only function correctly if your website is working correctly.

If you want to prepare for the worst, I recommend creating a basic HTML page named maintenance.html that advises visitors that you are currently experiencing problems with your website, but will be back online soon. When your website does go down because of a hacking attempt or because of the White Screen of Death, simply add the snippet below to your .htaccess file to direct all traffic to your message at maintenance.html.

RewriteEngine on
RewriteCond %{REQUEST_URI} !/maintenance.html$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123
RewriteRule $ /maintenance.html [R=302,L]

You need to configure the above code for your own website. Change the html filename to the name and location of your own maintenance file in the second and fourth row. You also need to add your own IP address to the third row to ensure that you can access your website whilst the maintenance message is being displayed to others. The code uses a 302 redirect to ensure that the maintenance page itself is not indexed.

8. Disable Directory Browsing

Allowing unauthorised individuals to look at your files and folders can be a major security risk. To disable browsing of your directories, simply add this small piece of code to your .htaccess file:

# disable directory browsing
# Apache 2.4 rejects mixing "All" with a -prefixed option, so only -Indexes is set
Options -Indexes

9. Enable Browser Caching

Browser Caching is something I recently discussed in my article “Optimize Your WordPress Website Using These Simple Tips”. Once enabled, browser caching will allow visitors to save items from your web page so that they do not need to be downloaded again.

It is used for design elements such as CSS stylesheets and media items such as images. It is a practical solution because an image is rarely updated again once it has been uploaded to a website. Browser caching would therefore allow visitors to load the image saved on their computer rather than from your server. This reduces bandwidth usage and decreases page loading times.

To enable browser caching, all you need to do is add this code to your .htaccess file:

<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresDefault "access 2 days"
</IfModule>

10. Redirect a URL

301 redirects allow you to inform search engines that a URL has permanently moved to a new location. They can be used to redirect a page, folder, or even a completely new website.

They are therefore used whenever the URL of a page changes. This can be due to changing a domain, changing the permalink structure of your website, or simply changing the page slug (e.g. changing the page slug of an article from my-news to mygreatnews).

To redirect a location, all you need to do is add a line with Redirect 301, followed by the old location and then the new location. You can see how this works in practice below:

Redirect 301 /oldpage.html http://www.yourwebsite.com/newpage.html
Redirect 301 /oldfolder/page2.html /folder3/page7.html
Redirect 301 / http://www.mynewwebsite.com/

11. Disable Hotlinking

Hotlinking is a practice in which someone shares an image from your website by linking directly to the image URL. It commonly occurs on discussion forums, but many website owners still do it too (which is a mistake as it means images can be removed from your content at any time). Hotlinking can have a negative effect on your website. In addition to slowing your website down, it can also significantly increase your bandwidth costs with your hosting company.

You can prevent hotlinking by only allowing your own website, and any others you own, to load your image files. Add the code below to your .htaccess file to stop others from hotlinking your images. Be sure to replace the URLs below with your own website addresses.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourwebsite\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourotherwebsite\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ http://i.imgur.com/g7ptdBB.png [NC,R,L]

When someone now views an image of yours at another URL, they will instead be shown the image denoted in the last line of code. This image can be changed to whatever you want.

* Note that disabling hotlinking may cause some RSS readers to have problems displaying your images from your RSS feed.

I hope you have enjoyed this list of tips and tricks for the .htaccess file. As you can see, it is a versatile configuration file that can be used for many things.

If you enjoyed this article, I encourage you to subscribe to the Elegant Themes Blog. Also, please feel free to share your own .htaccess tips and tricks with others in the comment area 🙂



  1. Can I hide my page number with htaccess? Anyone.

  2. excellent piece of information, I had come to know about your website from my friend kishore, pune,i have read atleast 8 posts of yours by now, and let me tell you, your site gives the best and the most interesting information. This is just the kind of information that i had been looking for, i’m already your rss reader now and i would regularly watch out for the new posts, once again hats off to you! Thanx a lot once again, Regards, pnr status.

  3. well described article thanks nice way of posting and attractive design of blog thanks for share.

  4. I tried adding this:

    Order deny,allow
    Deny from all

    Allow from all

    to the WP-Content directory. Updraft Plus could not get token from Google Drive and failed to upload backup, removing the .htaccess file with that from WP-Content fixed the problem. Are we sure the above code shouldn’t be in the uploads folder?

  5. Its really informative blog post.

    But I stuck with 1 unusual problem. One of my client’s website is in DNN ASP.NET now he wants to redesign website in WordPress. But his website is very old and has good ranking in google. So he wants to use .aspx in page url. So basically he wants to change CMS from DNN to WP but wants to use old .aspx URL structure in WP.

    Example: page URL like this, domain.com.au/page.aspx

    How can I do this kind of URL rewrite? Please suggest any solution.

    Thanks in advance… 🙂

  6. Hi, I added some code to the .htaccess file to enable caching and compressing. Now I'd like to add a note in the htaccess file to clarify what the code is for. But I don’t want to mess things up, of course. Is there a way to add notes in the file without messing up the file? Maybe adding a # or ** or something like that?


  7. Will these tips will work with Prestashop as well?

  8. Thanks for sharing this informative article. Very deeply explained. I would like to add one more thing that we can do using htaccess file – Adding MIME Type that our server is not setup to deliver. E.g.

    AddType text/css .css

    AddType text/x-component .htc

    AddType application/x-javascript .js

    AddType application/javascript .js2

    AddType text/javascript .js3

    AddType text/x-js .js4


    Source: http://catchupdates.com/what-is-htaccess-file/

  9. I need to redirect the home page of a WP website to a specific path; due a particular code of theme (Roots), this is the solution I must implement, to have an home page absolutely different from theme itself.
    I try with .htaccess file, and I update it on root with this code:
    Redirect 301 / http://www.mydomain.com/start/

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    where the first line target a folder where is ‘my’ index.php (note: this page exist and works fine)
    The trouble is that, when I call the URL http://www.mydomain.com the result is a loop request, and then the browser stop without load anything (just the error message).
    What wrong?

  10. In addition to above what are your thoughts on using .htaccess to protect WordPress by ‘disguising’ it or obscuring it? In other words, if someone looked at the source code for instance, it wouldn’t be obvious that they were looking at a WordPress install – no references to wp-content, etc.

  11. I came here searching for “how I can block certain pages on WordPress site.” and here you are with all the answers. Thanks for the tips too.

  12. I’d just like to thank you so much for this handy guide! I knew *nothing* about this topic, and am much the wiser for it. (And you really helped me when I had already messed up my htaccess file, whoops!)

  13. I want don’t to index robots.txt, sitemap.xml and some specific pages. Will you tell me, how can I do it through htaccess? Any suggestion will be appreciated; thanks in advance.

  14. Hello, great job!
    I have a question for you, i have a website (wordpress), i share it on facebook most of times then it get spammed by them..so i bought another domain and i had the same probleme..anyway i saw some people doing the same thing on facebook sharing their wordpress blogs..but facebook spammed only ” The Post ” Not the whole website…so they just created a New post and share it if it get spammed again they do another…for me the whole website get spammed :/

  15. I have a client that has a folder on his site that he wants to give everyone access to, but when he types in the domain name/folder name, he gets a page not found error. Is there a (safe) way to give everyone in the world access to such a folder and maintain security for the rest of the site?


  16. Regarding protecting Wp-Content directory… will the htaccess file your recommend creating for in the wp-content directory (which would restrict access to only pretty much images and similar content), will it cause problems with the new WP automatic updates/upgrades?

    I ask because WP uses a subfolder underneath Wp-content directory called “upgrades” and since htaccess protects subfolders, I wonder whether this would cause update/upgrades failures/problems? By following this advice, wouldn’t WP itself have a problem using that subdirectory as a temp upgrade location?

  17. Thanks for great post! Any idea – how to protect .htaccess file itself from hacking? I got this problem on several sites, and can’t do anything – always bad code in .htaccess files – a bunch of redirect links. Cleaning up doesn’t help – after some time the code appears again((

  18. For the wp-content directory I added ttf, eot, svg, otf and woff for fonts

  19. Really helpful ! thanks for your article

  20. Great article!

    I just had a problem with respect to implementation of protection of wp-content folder.

    I created a new htaccess file, after I added this code:

    Order deny,allow
    Deny from all

    Allow from all

    I had problems after you put it inside the wp-content folder. Some social icons, functions, and text fonts do not appear correctly.

    Could anyone help me or show me what I’m doing wrong?

    • The comment excluded part of the code. I used only what was taught in step 3. Protect /Wp-Content/

      • I had the same issue – see comment above yours.

        I think you need to add to the snippet the other file types for your font and icons. Adding these – |woff|ttf|svg|eot worked for me.

  21. Many thanks Kevin, some of this is new to me and I love it.

    I implemented the wp-content protection on one site and did not spot that I needed to add |woff| ttf| svg| eot for my font icons for quite a while.

    I thought I’d share in case it helps anyone.

  22. Hi Kevin,

    Thank you for sharing with us all these great tips.
    Do you have any idea how to hide the WP theme used through .htaccess file?

    Thank you in advance,

  23. Ok, well the comment system stripped the code. Which is fine. I just add pdf to the end of the media file list right?

  24. If I have pdf in wp-content, I just add that extension to the code right? Like this?
    #place in wp-content
    Order deny,allow
    Deny from all

    Allow from all

  25. I’ve recently signed on with ET and finding sooo much more even than I’d hoped for, including your many wonderful blog posts. I’ve been using most of what you suggest in this post for a while now on two sites. I’ve always hesitated to use the #3 protect wp-content suggestion, wondering how it would be with the ways various plugins use/engage that folder, but thought I’d give it a try after reading here.

    After 12 hours I’ve pulled the .htaccess file out of both wp-content folders. On one site Pingdom started saying the site was down, though it wasn’t. On the other site Jetpack monitor started saying the same thing for that site.

    Within minutes of deleting the .htaccess files from the wp-content folders of both sites. I received messages from both services saying the both sites were up again, after 12 hours of being down, though neither site was actually down at all during that time.

    I found also that on the site jetpack was installed that jetpack itself was having problems in it’s setting pane, not able to engage with its various modules. That also disappeared as soon as I pulled the .htaccess file in that site’s wp-content folder.

    I copy pasted your code here, after finding it identical to other sources for that code. I have experience creating and modifying cPanel files including .htaccess files.

    Wanted to share this in case it is helpful, and also because I’m wondering if there is something more here for me to learn.

    Kind regards.

  26. Hi,
    really a great article, thanks so much for sharing!

    Is there a way to do a rewrite only for the frontend? So the rule shouldn’t have an effect on the admin panel?

    Regards, Bettina

  27. Hi Kevin,

    We use a lot of theme for clients from Elegant Themes. By far this is one of the best .htaccess post I have come across today. We already use Browser Caching quite frequently but the other tips are quite helpful too!

    Thanks for sharing!


    • You’re welcome Dave.

  28. I have heard rumours that .htaccess only works on Apache servers. Is this true or can the stuff in this blog be used on any wordpress site wherever hosted? Regards

    • Yes you need to use it on Apache servers. I believe Windows servers have something similar called a web.config file.

      • I’m building my first WP page on an Apache web server and this REALLY helped me out! Thanks for sharing!

  29. Hotlinking is great for SEO, it’s a legit incoming link. It only costs you bandwidth which is normally a very cheap resource these days. I wouldn’t disable hotlinking..

    • You would perhaps change your opinion if an image of yours was shared on a high traffic discussion forum or a social network such as Reddit (e.g. the comment area).

      • If your stats show high traffic sites *which hold no SEO value*, you can always disable hotlinking from them specifically.

  30. Oh, I broke down my website by following all the instructions here. Don’t know why, just got the page not found error message. I have to delete all the add code to the .htaccess and my website is back to normal.

    One word of caution: after adding the code, use another browser or another computer to view the website for checking. Some .htaccess directives do not apply immediately if you have viewed the website on the same browser just a moment ago. This is the fact I learnt the hard way. My website was down for over 3 hours unaware.

    • This is something I stressed in my tutorial. You need to backup .htaccess and you need to refresh your website again after modifying your .htaccess file. You need to do this every time.

      .htaccess is always applied immediately – always.

      As I stressed, do not ever take any risks with .htaccess. It is a very powerful file and can close down your website if you do not enter the code correctly. 🙂

      • I was just about to copy the snippet for 9. Enable Browsers Caching when I noticed
        was missing from it! Maybe that is what happened to WP Learner?

        • “” is missing

          • Thanks for noticing that Sigurfreyr. I am not sure how I missed that.

            I have asked Nick to correct the post for me. Appreciate you letting me know 🙂

          • the end IfModule part is missing.

  31. Thanks for the great info! I am new to Elegant Themes and enjoying every day! Love the professionalism!!

    • Glad you liked it Sue.

  32. This is the most useful ET Blog post I’ve seen so far (newbie to WP and apache).

    For migrating sites from asp.NET to WP, I wish there was some way to do a 301 redirect for every .aspx page in a site to a page with the same name (but obviously without the aspx extension) in WP, like with wildcards or something.

  33. Great examples.. Congratulations !

    Update this tips always ! 🙂

  34. Some of the tricks are really good. even I was not knowing them.

  35. This is a really great resource Kevin! It can be so hard to find practical tricks like these all in one place. Thanks muches, I will be adding a few to my site this week! 🙂

  36. Thanks for the professional informations about .htaccess Kevin. My compliment for your articles.

    • You’re welcome JP 🙂

  37. Thanks a lot for informative post. Really important to protect WordPress blog from hackers. These tips surely reduce the risk of hacking blogs.


    • You’re welcome Girish.

  38. Thanks a lot for the post, especially 5th point is very important for our website security, have to implement all these on my sites now 🙂

    • You’re welcome Nelton.

  39. Great post Kevin, thanks!

    • Thanks Karin.

  40. Amazing tips, thanks a lot. I found that disable hotlinking is rather easy to do and secures my blog from unwanted threats.

    • You’re welcome John 🙂

  41. Thanks for the great post. Useful . .

    • You’re welcome Steve.

  42. Hi Kevin,

    I am a newbie in wordpress, its very useful information. Thank you for your sharing.

    • You’re welcome.

  43. A detail knowledge of ..htaccess file

  44. All those pieces of code, starting at point 1, may be added anywhere in .htaccess file and in any order?

    • The order does not matter. You only have to ensure that the code is outside of the Begin WordPress and End WordPress code area as WordPress will automatically update that section.

      • Thanks for this, but what is the purpose of point 1 precisely? all .something files are already supposed to NOT being accessible…

        • It is not for protecting the file against internet users, it’s for denying access to scripts etc 🙂

  45. Won’t any of these .htaccess declaration conflict with plugins? And thanks for tip no7, I’ve been searching for that many weeks ago.

    • No it should not clash with any plugins.

  46. Great post. Greatly appreciated :º)

    • You’re welcome James.

  47. Doesn’t that trick conflict with the plugins themselfs?

    “Order deny,allow
    Deny from all

    Allow from all

    For example – if caching plugin like W3TC generates static html pages or copies php there?

    • Just found answer myself!
      WP-Content hosts all your themes and caches – if you add to .htaccess recommendation:
      ” 3. Protect /Wp-Content/ ”
      your site will corrupt…
      Just checked it myself.
      Be careful!

      • Thanks for checking that Andru. I am sure someone will find that useful.

  48. Really great post,

    Thanks sir for these information.

    Excellent work!

    • You’re welcome.

  49. This is great, exactly what I have been looking for.

    • Glad it helped you Cathy.

  50. I like I themes security plugin (formerly Better WP Security). Great controls plus secures .htaccess. Make sure you have a backup before changing things. It will create a database backup for you via a prompt.

    • I’m still getting used to its renaming 🙂

  51. Thanks for another great post Kevin. I look forward to these bits of information (and inspiration) being delivered almost daily.

    • No problem Adam.

    • Glad you found it useful Daniel 🙂

  52. Great post Kevin,

    I’ve been stumped trying to find a way to redirect a referring link to a specific page. I know and have implemented almost every step that you listed above and use them regularly on mine and my client’s sites that I build in WordPress.

    However, on my own site I have a referring link that is pointing to the root level of my domain and I keep losing these people because they are unable to find the information that pertains to them specifically.

    So literally, I want to point http://www.referringURL.com to http://www.mydomain.com/special-portfolio/

    I can’t find this answer anywhere. Any help would be great. I can’t wait for Divi 2.0


    • For some reason it wasn’t picking up changes in the .htaccess file, but a restart of apache fixed it. Thanks for posting!

      • Hey Kevin,

        Thank you so much for your help. The link you gave didn’t get me to the correct spot, but it got me thinking and I found the solution.

        I’ve added an example of the RewriteRule that is required to this and how to use in the off chance that anyone else might want to use this.

        I made some advancements to this Rewrite to allow it to redirect from any referring point of another domain. I made it cover Rewriting from http and https and also allowed it to Rewrite from domain, sub-domain, sub-sub-domain and so on.

        To use:
        1.) Replace “link-on-your-site-to-point-to/” with any special landing page slug you wish to send the people to. Make sure to keep the trailing slash.

        2.) Then change “xyz\.com” to the domain name that you are getting the traffic from that you want to point to the specific page in step one. Make sure to keep the “\.com” at the end.

        3.) Next, add your domain name WITHOUT the “www.” and the landing page slug that you wrote in step one. Keep the trailing slash and everything after it or else it won’t work.

        4.) Finally, add this BELOW your WordPress Rewrite. Look for the “# END WordPress” and paste it there. If not you will set the redirect loop of death and not be able to figure out what happened.

        5.) Refresh your browser and test the referring link. If you don’t see it working clear your browser cache and try again.

        Here’s the code:

        RewriteEngine on
        RewriteCond $1 !^link-on-your-site-to-point-to/
        RewriteCond %{HTTP_REFERER} ^https?://([^.]+\.)*xyz\.com
        RewriteRule (.*) http://yourdomain/link-on-your-site-to-point-to/$1 [R=302,L]


        • Glad you got it sorted. I appreciate you coming back and sharing the code for others too. 🙂


      • Thanks Kevin,

        I know of that method. However, that won’t work for me since the site that is referring the traffic is not mine. It was an ad space that was bought a long time ago and they kept a referral link for web design on their site that goes to me.

        I want to take that link and send it to a specific page on my site. I might be asking something that isn’t possible. It would seem that way since I haven’t been able to find the right answer/solution to it yet.

  53. I’ve used Bulletproof security plugin for configuring htaccess files and the like. Any reason to do it manually and not use the plugin besides load time?

    Also, how do you guys display the social icons to the left of the page in the blog? I’ve been looking for a way to do that.

    Thanks and keep up the good work.

    • I can’t recall if BulletProof security offers real-time monitoring.

      If all it does is modify your .htaccess file, then you could activate the plugin, harden your security, save the .htaccess file for reference, and then deactivate the plugin.

      With regards to the floating sharing bar: https://wordpress.org/plugins/addthis-smart-layers/


      • How can I increase the file upload size in .htaccess?

    • Scott,

      You could simply use the Custom HTML widget and hand code it in about 5 minutes or so. Much easier than finding a plugin capable of the same thing. Unless you are wanting sharing parameters for each individual blog type.

  54. Kevin

    All hints are very helpful, and I’d like to implement all of them.

    Should we have only one zone

    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    more Rewrite
    more Rewrite
    more Rewrite

    or could we have several if..endif in the .htaccess.

    Other question: I’ve seen joint attacks from different countries at the same time. Have you a simple solution to ban a group of countries? (IP ranges are too numerous).


    • You should have several zones. Each snippet is separate from the next.

      I am not aware of a simple solution to ban a group of countries. It may be worth installing a security plugin that blocks known spammers and hackers.

        • Thanks John, but does anybody know if there is a limit for the list of “deny from”.

          Just to bar Ukrainian hackers, the list is 2490 lines 🙂

          It would become a very big .htaccess file for barring joint attacks involving several countries.

          I will use it right now.


    • Great question. I have this question too.

  55. Great one-stop post for all the essentials and then some. Outstanding job!

    Quick and easy script I use to direct everyone except the dev team to the old site while the new site is under development.

    # define redirection with IP exceptions
    RewriteEngine On
    RewriteBase /

    #Dev Team
    RewriteCond %{REMOTE_HOST} !^123\.123\.123\.123

    RewriteCond %{REQUEST_URI} !/index\.html$
    RewriteRule .* http://www.oldsite.com/ [R=302,L]

    • Sorry I hadn’t seen your reply until now. This script is used to redirect traffic from a list of IPs (only one shown here, but you could add others) while all others are directed to the old site (the public). This allows my team to type in the new URL and get to the new site.

      The RewriteRule simply redirects all non-specified IP traffic to the old site with a temporary redirect (302, not a 301). The RewriteCond allows traffic from included IPs to proceed to the new, under development, site (REMOTE_HOST)

      Check out the Apache .htaccess guides for all kinds of technical, but useful info: http://httpd.apache.org/docs/2.0/misc/rewriteguide.html

      Really hope this helps,

    • @Mike – that script is a great idea! But since I am not very proficient (yet) with .htaccess could you please give more details on what the different elements are? Thanks!!

      BTW – This is a great post!! You have all the elements I’ve been looking for in one place, and then some.
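
The redirect discussed in comment 55, extended to several developer addresses, as an added example that is not the commenter's own code. The addresses 203.0.113.10 and 198.51.100.0/24 and the host oldsite.example are constructed placeholders; the example assumes visitors connect to Apache directly, because behind a proxy or CDN `REMOTE_ADDR` holds the proxy's address.

```apache
# Added example: send everyone except the dev team to the old site.
# All addresses and the old-site hostname below are constructed placeholders.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# Dev team exceptions. Consecutive RewriteCond lines are ANDed, so the
# redirect fires only when the client matches none of these addresses.
# REMOTE_ADDR is always the client IP; REMOTE_HOST can hold a resolved
# hostname when HostnameLookups is enabled, and then an IP pattern never matches.
# The trailing $ matters: without it, ^203\.0\.113\.10 also matches
# 203.0.113.100 through 203.0.113.109.
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.[0-9]+$

# Leave requests for index.html alone, as in the original snippet.
RewriteCond %{REQUEST_URI} !/index\.html$

# Temporary (302) redirect so browsers do not cache it after launch.
RewriteRule .* http://www.oldsite.example/ [R=302,L]
</IfModule>
```

This only controls who gets redirected; it is not an access control for the development site, which still needs its own authentication.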

  56. Thanks for the article.

    Another great post for all WordPress users.

    A few weeks back I was looking for this (how to disable directory browsing). Good to know these resources are in your blog.

    Makes my membership an even better value.

    • Glad you found the article useful Fernando.

  57. Do you have a trick for addon domains where if someone goes to addon.domain1.com it will change the browser bar to addondomain.com? I’ve been looking all over for that!

    • Just open cPanel and search for sub domain, you can change all redirects there.

    • Amy,
      You might want to check out the BlueHost (www.bluehost.com) FAQ or support pages. I have two add on domains and they are working without incident.

    • I don’t know if I got this right, but I think you are referring to an addon domain. Right? (i.e. you have a website: ‘www.yourwebsite.com’. You then registered a new domain, let’s say “newdomain.com” and instead of purchasing a new hosting, you added an addon domain to your main hosting plan (www.yourwebsite.com). So, now your new domain is hosted in: ‘www.newdomain.yourwebsite.com’) Is this the case?

      If that’s what you’re talking about, use the 301 redirect. From ‘www.newdomain.yourwebsite.com’ —> to ‘www.newdomain.com’

      (I’m not an expert by any means, so if someone here thinks I’m wrong, please correct me! 😉 )

    • Are you referring to masking the domain? You can do this via your domain registrar?

      • Hi,

        I have two domain names.

        I have created a website on one of the domain names.

        Is it possible for the other domain name to redirect to the 2nd domain name, but for the user’s URL to keep showing the 1st domain name?
