Almost Perfect htaccess File for WordPress Blogs

Hey There!

If you like this article (and we know you will!), check out the post we published covering even more WordPress Security best practices.

If you manage and edit your own website, or run a blog on its own domain, then you are probably aware of a type of file called the .htaccess file. You may or may not know what this file actually does, or how to create and edit one, but fret not, I’m here to help.

This quick tutorial will provide you with an htaccess file that does the following:

1. Protects itself (security)
2. Turns the digital signature off (security)
3. Limits upload size (security)
4. Protects wp-config.php (security)
5. Gives access permission to all visitors with exceptions (security, usability)
6. Specifies custom error documents (usability)
7. Disables directory browsing (security)
8. Redirect old pages to new (optional)
9. Disables image hotlinking (bandwidth)
10. Enables PHP compression (bandwidth)
11. Sets the canonical or “standard” url for your site (seo, usability)

htaccess file creation screenshot in Notepad on Windows XP

1. Step 1, create a blank .htaccess file. This can be done in Notepad or a comparable simple text editor of your choice (no, MS Word does not count, although it’s possible). Open Notepad, click Save, and name this file htaccess.txt. If you’re using Windows XP the OS won’t allow you to name a file .htaccess, but don’t worry, you can rename it once it’s been uploaded to your server (no idea how Linux, Vista or OSX handle this).

2. Add content to htaccess.txt. Now that you have htaccess.txt saved, you can start to edit the file and use it to better manage your site without relying on complex PHP or bloated JavaScript code.

The example htaccess file below is one that can be used for a website like this one (running WordPress and nothing else). Simply un-comment the sections you’d like to use by removing the # at the beginning of the line, replace the yourdomain.com placeholders with your own domain, and copy+paste the contents into your own .htaccess file.


# protect the htaccess file
# (order/allow/deny is Apache 2.2 syntax; on Apache 2.4 it needs mod_access_compat,
#  or use "Require all denied" instead)
<files .htaccess>
order allow,deny
deny from all
</files>

# disable the server signature
ServerSignature Off

# limit file uploads to 10mb
LimitRequestBody 10240000

# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

# who has access, who doesn't (un-comment the deny line and add an IP or host to block it)
order allow,deny
#deny from
allow from all

# custom error docs
ErrorDocument 404 /notfound.php
ErrorDocument 403 /forbidden.php
ErrorDocument 500 /error.php

# disable directory browsing
Options All -Indexes

# redirect old to new (/new.php is a placeholder for the real destination)
Redirect 301 /old.php http://www.yourdomain.com/new.php

# block referring domains
RewriteEngine on
RewriteCond %{HTTP_REFERER} digg\.com [NC]
RewriteRule .* - [F]

# disable hotlinking of images with forbidden or custom image option
# (yourdomain.com and hotlink.gif are placeholders; un-comment ONE of the two rules)
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/ [NC]
# keep the replacement image itself out of the rule, or the redirect loops
RewriteCond %{REQUEST_URI} !hotlink\.gif$
#RewriteRule \.(gif|jpg)$ - [F]
#RewriteRule \.(gif|jpg)$ http://www.yourdomain.com/hotlink.gif [R,L]

# php compression - use with caution
# (the module name must match the PHP module your server loads, e.g. mod_php5.c for PHP 5)
<ifmodule mod_php4.c>
php_value zlib.output_compression 16386
</ifmodule>

# set the canonical url (sends yourdomain.com to www.yourdomain.com)
RewriteEngine On
RewriteCond %{HTTP_HOST} ^yourdomain\.com$ [NC]
RewriteRule ^(.*)$ http://www.yourdomain.com/$1 [R=301,L]

# protect from spam comments
# (a comment POST whose referer is not this site, or which has no user agent, is bounced back to the sender)
RewriteEngine On
RewriteCond %{REQUEST_URI} wp-comments-post\.php
RewriteCond %{HTTP_REFERER} !.*yourdomain\.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
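
The two RewriteCond blocks above (hotlinking and spam comments) are the ones most often copied wrongly, because RewriteCond lines are ANDed unless a line carries the [OR] flag. The following Python is an added example, not code from the original post or from WordPress or Apache: it models what each block decides for a given request so you can reason about it offline. It assumes the same yourdomain.com placeholder as the configuration; the sample requests are constructed, not captured traffic.

```python
"""Added example: model the hotlink and spam-comment decisions of the .htaccess above."""
import re

SITE = "yourdomain.com"   # placeholder, the same one used in the configuration


def hotlink_decision(uri: str, referer: str) -> str:
    """Mirror of the hotlink block. Conditions without [OR] are ANDed, so an
    image is refused only when BOTH hold: the referer is non-empty AND it does
    not start with http://(www.)yourdomain.com/. Empty referers (direct visits,
    privacy proxies) pass, which is what the first condition is for."""
    if not re.search(r"\.(gif|jpg)$", uri):
        return "pass"                                    # RewriteRule pattern does not match
    referer_present = referer != ""                      # RewriteCond %{HTTP_REFERER} !^$
    referer_foreign = re.match(                          # RewriteCond ... !^http://(www\.)?yourdomain\.com/ [NC]
        rf"^http://(www\.)?{re.escape(SITE)}/", referer, re.I) is None
    return "403" if referer_present and referer_foreign else "pass"


def spam_decision(uri: str, referer: str, user_agent: str) -> str:
    """Mirror of the spam-comment block. The [OR] flag joins the referer
    condition with the user-agent condition, so the rule fires when the
    request is for wp-comments-post.php AND (the referer does not mention
    our site OR the user agent is empty)."""
    is_comment_post = re.search(r"wp-comments-post\.php", uri) is not None
    referer_foreign = re.search(re.escape(SITE), referer) is None   # !.*yourdomain\.com.* (no [NC], so case-sensitive)
    ua_empty = user_agent == ""                                     # ^$
    return "301" if is_comment_post and (referer_foreign or ua_empty) else "pass"


if __name__ == "__main__":
    # Constructed sample requests
    print(hotlink_decision("/images/logo.gif", "http://other.example/page"))  # 403
    print(hotlink_decision("/images/logo.gif", ""))                           # pass
    print(spam_decision("/wp-comments-post.php", "", "Mozilla/5.0"))         # 301
```

Note that an empty referer counts as spam in the second block (an empty string contains no yourdomain.com), while it is allowed in the first block; browsers and proxies that strip the Referer header will therefore be unable to comment, which is the trade-off this rule makes.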


3. Upload htaccess.txt. Once you’ve created your masterpiece of an .htaccess file, upload the htaccess.txt file to your web server via FTP (in ASCII mode) and rename the file to .htaccess. Once it’s been renamed, change the file permissions of the .htaccess file to 644 to further protect it from malicious hacker types.

4. Test, Test, Test. Go to your site: is it still up? Good. Now check whether you can still access the files you protected, or try to view a directory listing. Not every setting is testable from a browser, but do your best to make sure your file is working.
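
A malformed .htaccess (for example a <files> block whose </files> was lost in a copy+paste) makes Apache answer 500 for every URL on the site, which is exactly what the "is it still up?" test catches, but only after the file is live. The Python below is an added example, not part of the original post or of WordPress: a small offline lint you can run on htaccess.txt before uploading. It checks that container directives are balanced and that the protections listed at the top of the article (deny on .htaccess and wp-config.php, directory browsing off, server signature off) are actually present. The two sample files are constructed for the demonstration.

```python
"""Added example: lint an .htaccess file offline before uploading it."""
import re
from typing import List, Optional, Tuple

OPEN_TAG = re.compile(r"^<(\w+)(?:\s+([^>]*))?>$", re.I)
CLOSE_TAG = re.compile(r"^</(\w+)>$", re.I)

# Files the article's configuration is supposed to shield from web access.
MUST_DENY = (".htaccess", "wp-config.php")


def lint_htaccess(text: str) -> List[str]:
    """Return a list of problems; an empty list means every check passed."""
    problems: List[str] = []
    stack: List[Tuple[str, int]] = []      # open containers: (name, line number)
    denied = {name: False for name in MUST_DENY}
    in_files: Optional[str] = None          # argument of the innermost <files ...>
    indexes_off = signature_off = False

    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # Apache only allows whole-line comments
            continue
        m = CLOSE_TAG.match(line)
        if m:
            name = m.group(1).lower()
            if not stack or stack[-1][0] != name:
                problems.append(f"line {no}: </{name}> has no matching opening tag")
            else:
                stack.pop()
                if name == "files":
                    in_files = None
            continue
        m = OPEN_TAG.match(line)
        if m:
            name = m.group(1).lower()
            stack.append((name, no))
            if name == "files":
                in_files = (m.group(2) or "").strip()
            continue
        low = line.lower()
        if low == "deny from all" and in_files in denied:
            denied[in_files] = True
        if low.startswith("options") and "-indexes" in low.split():
            indexes_off = True
        if low == "serversignature off":
            signature_off = True

    for name, no in stack:
        problems.append(f"line {no}: <{name}> is never closed (Apache returns 500 for the whole site)")
    for name, ok in denied.items():
        if not ok:
            problems.append(f"no '<files {name}>' block with 'deny from all'")
    if not indexes_off:
        problems.append("directory browsing is not disabled (no 'Options ... -Indexes')")
    if not signature_off:
        problems.append("'ServerSignature Off' is missing")
    return problems


# Constructed sample: the snippet as it often gets pasted, with both </files> lost.
BROKEN = """\
<files .htaccess>
order allow,deny
deny from all

ServerSignature Off
<files wp-config.php>
order allow,deny
deny from all
Options All -Indexes
"""

# Constructed sample: the same directives, properly closed.
FIXED = """\
<files .htaccess>
order allow,deny
deny from all
</files>
ServerSignature Off
<files wp-config.php>
order allow,deny
deny from all
</files>
Options All -Indexes
<ifmodule mod_php4.c>
php_value zlib.output_compression 16386
</ifmodule>
"""

if __name__ == "__main__":
    for label, sample in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_htaccess(sample) or "OK")
```

Run it against your own htaccess.txt by reading the file into a string and passing it to lint_htaccess; it does not replace the live tests in step 4 (it knows nothing about which modules your host has loaded), it only catches the mistakes that would take the whole site down.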

Lastly, Josiah Cole dot com is now running a variation of the htaccess file above with no hotlink protection (I only host a couple of images) and no redirects or custom error docs (yet). No problems *yet*, but I’m still running tests to make sure there are none. Maybe my visitors can help me do this by commenting? If I like it I’ll add your suggestion to the article and give you some URL lovin’.

Note: If you are already using a custom permalink structure to format page names, you’ll need to keep that code in the htaccess file in order for that to continue functioning. To see your htaccess file in WordPress click Manage>Files>.htaccess (for rewrite rules).


4 Responses to “Almost Perfect htaccess File for WordPress Blogs”

  1. askapache says:

    Nice clean and helpful article Josiah.. There are a couple code examples in particular that I think would help you over on my blog.. Check out the Ultimate htaccess tutorial.. I especially like the “For Webmasters” chapter.

    Here’s code you could use to deny access only when it’s 4pm

    # If the hour is 16 (4 PM) Then deny all access
    RewriteCond %{TIME_HOUR} ^16$
    RewriteRule ^.*$ - [F,L]

  2. imelgrat says:

    Hi! I just wanted to thank you for your clear and thorough explanation about the “perfect” .htaccess.
    I would also like to add that if you run into trouble (403 errors while trying to post or edit pages), you can add the following to the .htaccess file

    SecFilterInheritance Off

    It drove me crazy during several days. I hope it helps somebody….


  3. mike2098 says:

    Thanks for the code how can I use this for a sub folder ie


  4. stocksduniya says:

    When I’m add this code in my .htaccess:
    #who has access who doesnt
    order allow,deny
    #deny from
    allow from all

    403 Forbidden


    You don’t have permission to access / on this server.

    Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

    Please guide me soon as possible time. Why I’m getting this error? Why I don’t able to add that code in my .htaccess file.

    Thank you!


  1. ForumKervan - Some of the Security Measures - [...] a .htaccess file as described in the post Josiah Cole gives a detailed explanation of how to create a .htaccess file …
  2. How to protect the wp-config file from hackers | Blog of a web developer - [...] a guy named Josiah Cole wrote a nice article about how to change the htaccess to protect the wp-config. [...]
  3. 4 Easy Ways to Keep WordPress Safe from Hackers | I'm No Geek! - [...] the .htaccess and wp-config.php files Thanks to Josiah Cole and Stephanie Leary for the information in this [...]
  4. WordPress 3.x Workshop – #heweb10 « Shelley Keith - [...] Almost perfect .htaccess file for WordPress blogs [...]
  5. Wordpress Htaccess Tutorials | tutorials blogs - [...] htaccess: The Definite Guide | Almost Perfect htaccess File for WordPress Blogs — Josiah Cole; Technologist and Web …
  6. Secure WP-Config File (Wordpress Database Account) With .Htaccess - [...] As we have already known that our database account, such as database name, username, password and hostname are placed …
  7. links for 2011-02-05 « sySolution - [...] Almost Perfect htaccess File for WordPress Blogs — Josiah Cole; Technologist and Web Hacker Extrao... (tags: htaccess) [...]
  8. 10 undeniable, unspoken truths about blogging | Website In A Weekend - [...] nice web host with the best support imaginable, it mattered. Check out Josiah Cole’s ‘almost-perfect .htaccess file‘ for WordPress …
  9. .htaccess for WordPress | Me Design Pretty One Day - [...] When I ran into permission issues while working on my VPS, I came across this informative post on an …
  10. Speeding Up Your WordPress Website: 11 Ways to Improve Your Load Time | WordPress News at - [...] Thanks to Josiah Cole for this hack. [...]
  11. SFCite | Blog | Speeding Up Your WordPress Website: 11 Ways to Improve Your Load Time - [...] Thanks to Josiah Cole for this hack. [...]
  12. Speeding Up Your WordPress Website: 11 Ways to Improve Your Load Time - [...] Thanks to Josiah Cole for this hack. [...]
  13. htaccess examples « « Memory Dump Memory Dump - [...] Almost Perfect htaccess File for WordPress Blogs [...]
  14. Rebuilding « A day in the life II - [...] Move or hide your wp-config.php file: The wp-config.php file has lots of secret information in it and it lives …
  15. The ideal .htaccess for Wordpress | - [...] Via | Josiahcole [...]
  17. Securing a new WordPress installation, part 1: wp-config.php - [...] security can be achieved by configuring Apache to forbid direct access to the wp-config.php file. This is done through …
  18. How To Secure WordPress configuration file - Wordpress Arena - [...] Josiah Cole wrote a nice htaccess tutorial on modifying your .htaccess to protect the wp-config. [...]
  19. What the heck is a .htaccess file (and why is my blog messed up?) « COM585 - [...] in creating a more robust .htaccess file for your site (and know more about coding than I do), this …
  20. WordPress security tips | fanesvag, Paco Anes’s blog - [...] The process is simple: make a copy of your .htaccess, open it with a text editor such as Notepad …
  21. 10 Ways to Use .htaccess to Speed Up WordPress - [...] with caution <ifmodule mod_php4.c> php_value zlib.output_compression 16386 </ifmodule>Source8. WP Super CacheThe single plugin that everyone always points at as …
  22. Boost your Wordpress Blog - AnandTech AnandTech - [...] Source: Josiahcole [...]
  23. WordPress Arena: A Blog for WordPress Developers, Designers and Blogger - [...] Josiah Cole giving solution on how to secure your own Website by editing or creating own .htaccess file in the …
  24. How to do damn near anything with WordPress – Stephanie Leary - [...] The Almost Perfect .htaccess File for WordPress Blogs [...]
  25. Wordpress Speed and Security by Mark de Scande | BlogLines Africa - [...] to 5G BLACKLIST/FIREWALL by Jeff Starr 2) Line 70 to 74 is all Server Security Tweaks thx to Josiah Cole 3) …
