Categories
WordPress

Almost perfect htaccess file for WordPress

A million years ago I wrote an article titled “Almost perfect htaccess file for WordPress” which, while far from an accurate title, proved to be very popular. Many years, tens of thousands of views, and $0 earned later, I decided to resurrect the old article and update it for 2022.

While my hosting platform of choice, WP Engine, is phasing out .htaccess file support (because they run Nginx), much of the WordPress hosting world (running Apache) still relies on this configuration file.

Before we add things to .htaccess we need to know what *should be* there on a default WordPress website.

Thanks to a very helpful and concise WordPress htaccess support article, this answer was easy.

# BEGIN WordPress

RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

What should you add to your WordPress htaccess file?

I can’t answer that, but I can give you some ideas.

1. Disable directory browsing for improved security. This ability (to browse directories from the public web) should already be disabled by your web host.

Options All -Indexes

2. Redirects – While I personally like using a plugin like Redirection for redirects to allow monitoring of usage, you can also create 301 redirects manually with htaccess.

Redirect 301 /oldpagename http://yourdomain.com/newpagename

3. Force SSL – Redirect every visitor to the https version of your site.

RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

4. Block an IP address – If you need to block an IP address for abuse or lulz use the following rule. I prefer to block individual users/IPs with something like Cloudflare, or even a WordPress security plugin like Defender.

Deny from 123.123.123.123

5. Enable GZIP compression to improve the loading speed of your website assets. This is another rule that I don’t bother with, and instead utilize Cloudflare’s compression feature.

# BEGIN GZIP COMPRESSION
<IfModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>
# END GZIP COMPRESSION

6. Enable caching. Different from traditional WordPress page caching, asset caching tells the user’s browser how long to store each file (CSS/JS/JPG/GIF etc.).

## Enable Browser Caching ##
<IfModule mod_deflate.c>
    # AddOutputFilterByType is a mod_deflate directive, so it gets its own guard;
    # placed inside <IfModule mod_expires.c> it breaks the site on a server without mod_deflate
    AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript
</IfModule>
<IfModule mod_expires.c>
    FileETag MTime Size
    ExpiresActive On
    ExpiresByType text/html "access 500 seconds"
    ExpiresByType application/xhtml+xml "access 500 seconds"
    ExpiresByType text/css "access 1 month"
    ExpiresByType text/javascript "access 1 month"
    ExpiresByType text/x-javascript "access 1 month"
    ExpiresByType application/javascript "access 1 month"
    ExpiresByType application/x-javascript "access 1 month"
    ExpiresByType application/x-shockwave-flash "access 1 month"
    ExpiresByType application/pdf "access 1 month"
    ExpiresByType image/x-icon "access 1 year"
    ExpiresByType image/jpg "access 1 year"
    ExpiresByType image/jpeg "access 1 year"
    ExpiresByType image/png "access 1 year"
    ExpiresByType image/gif "access 1 year"
    ExpiresDefault "access 1 month"
</IfModule>
## Enable Browser Caching ##

7. Increase the max upload size, memory limit and server timeouts. If your website host allows, you can increase the maximum size of uploads to the WordPress media library as well as the memory limit and timeout limits.

php_value upload_max_filesize 32M
php_value post_max_size 64M
php_value memory_limit 128M
php_value max_execution_time 300
php_value max_input_time 300

8. Protect wp-config.php – A very important file, wp-config.php should and can be protected with this simple code.

# Protect the wp-config.php file
<Files wp-config.php>
order allow,deny
deny from all
</Files>

9. Disable access to XML-RPC for improved security. Unless you’re using an app or third party connection that requires this service, you should disable it:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
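As an added example (not code from the article), here is a small offline Python checker that walks a .htaccess file and reports which of the items above are present: the default WordPress rewrite block, directory listing disabled, <Files> sections denying wp-config.php and xmlrpc.php, and an HTTPS redirect. It also flags two portability caveats worth knowing in 2022: Order/Allow/Deny directives are Apache 2.2 syntax that Apache 2.4 only accepts through mod_access_compat (the native 2.4 form is Require all denied), and php_value directives only work under mod_php. The sample .htaccess inside the script is constructed for the demo, and the regex checks are intentionally simple rather than a full Apache configuration parser.

```python
"""Offline sanity checker for a WordPress .htaccess file (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: default WordPress block, directory listing off and
# wp-config.php protected, but no xmlrpc.php block and no HTTPS redirect.
SAMPLE_HTACCESS = r"""
# BEGIN WordPress
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
Options All -Indexes
<files wp-config.php>
order allow,deny
deny from all
</files>
php_value upload_max_filesize 32M
"""

DENY_ALL = re.compile(r"^(deny\s+from\s+all|require\s+all\s+denied)$", re.I)
LEGACY_ACCESS = re.compile(r"^(order|allow|deny)\s", re.I)  # Apache 2.2 access control

@dataclass
class Container:
    """One <Name arg> ... </Name> section, e.g. <Files wp-config.php>."""
    name: str
    arg: str
    body: list = field(default_factory=list)

@dataclass
class Report:
    errors: list = field(default_factory=list)   # unbalanced container tags
    missing: list = field(default_factory=list)  # recommended protections not found
    notes: list = field(default_factory=list)    # portability caveats

    @property
    def ok(self) -> bool:
        return not self.errors and not self.missing

def parse_containers(text):
    """Split .htaccess text into top-level directives and closed containers."""
    top, closed, stack = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m_open = re.match(r"<(\w+)\s*([^>]*)>$", line)
        m_close = re.match(r"</(\w+)>$", line)
        if m_open:
            stack.append(Container(m_open.group(1).lower(), m_open.group(2).strip()))
        elif m_close:
            if not stack or stack[-1].name != m_close.group(1).lower():
                raise ValueError(f"unbalanced container: {line}")
            closed.append(stack.pop())
        else:
            (stack[-1].body if stack else top).append(line)
    if stack:
        raise ValueError(f"unclosed container: <{stack[-1].name} {stack[-1].arg}>")
    return top, closed

def file_is_blocked(closed, filename):
    """True if some <Files filename> container denies all access (2.2 or 2.4 syntax)."""
    return any(c.name == "files" and c.arg.strip('"') == filename
               and any(DENY_ALL.match(l) for l in c.body) for c in closed)

def check_htaccess(text) -> Report:
    rep = Report()
    try:
        top, closed = parse_containers(text)
    except ValueError as exc:
        rep.errors.append(str(exc))
        return rep
    lines = top + [l for c in closed for l in c.body]
    if not any(re.match(r"RewriteRule\s+\.\s+/index\.php", l) for l in lines):
        rep.missing.append("default WordPress rewrite block (RewriteRule . /index.php)")
    if not any(l.lower().startswith("options") and "-indexes" in l.lower() for l in lines):
        rep.missing.append("directory listing not disabled (Options -Indexes)")
    for name in ("wp-config.php", "xmlrpc.php"):
        if not file_is_blocked(closed, name):
            rep.missing.append(f"no <Files {name}> section denying access")
    if not any(re.search(r"RewriteCond\s+%\{HTTPS\}", l) for l in lines):
        rep.missing.append("no HTTPS redirect (RewriteCond %{HTTPS} + RewriteRule R=301)")
    if any(LEGACY_ACCESS.match(l) for l in lines):
        rep.notes.append("Order/Allow/Deny is Apache 2.2 syntax; 2.4 needs mod_access_compat, "
                         "its native form is 'Require all denied'")
    if any(l.lower().startswith("php_value") for l in lines):
        rep.notes.append("php_value only works under mod_php; with PHP-FPM/FastCGI the "
                         "directive is unknown and the whole site returns 500")
    return rep

if __name__ == "__main__":
    report = check_htaccess(SAMPLE_HTACCESS)
    for label, items in (("ERROR", report.errors), ("MISSING", report.missing), ("NOTE", report.notes)):
        for item in items:
            print(f"{label}: {item}")
    print("OK" if report.ok else "needs attention")
```

Point it at a real file with `check_htaccess(open(".htaccess").read())` and treat the output as a checklist, not a guarantee: a rule inside an `<IfModule>` whose module is not loaded is silently inert on the server, and this checker still counts it as present.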

Other WordPress htaccess options:

  • Password protect wp-admin
  • Stop Username Enumeration Attacks
  • Prevent Image Hotlinking
  • Force Files to Download
  • Protect Your Site Against Script Injections
  • Secure the wp-includes Directory

Categories
WordPress WP Engine WPEngine

WP Engine How To SFTP

SFTP may sound intimidating but don’t fret! It’s not. If you’ve used “regular” FTP, SFTP is no sweat. Here’s a quick guide on how to set up SFTP credentials with WP Engine.

1. Login to the WP Engine User Portal.
2. Click “SFTP Users” in the left hand menu.

(Screenshot: WP Engine How To SFTP)

3. Click the purple “Create SFTP User” button.

4. Enter username, password, optional path (if you don’t know what path is, you don’t need it) and click “Add SFTP user”.

5. That’s it! Your new SFTP user will now be shown in the list of SFTP Users.

Note: Once the user is created, WP Engine will append the username you chose to the end of your account username.

6. Connection information is listed at the top of the SFTP Users screen. Your SFTP server name is always in the following format: username.sftp.wpengine.com. The port is always 2222 (unlike regular FTP, which is typically 22).

7. Now you can use your favorite FTP program* to connect to your WP Engine install allowing you to manage files.

*For Windows, we like FileZilla.

Sign up for premium WordPress hosting with WP Engine today!

WP Engine Coupon Codes

Categories
WordPress WP Engine WPEngine

WP Engine How To Create Staging

Thankfully almost every action within the WP Engine User Portal is intuitive, and creating a staging environment is no exception.

Steps to Create Staging at WP Engine

1. Login to the User Portal.
2. Click Create Staging in the left hand menu.

(Screenshot: WP Engine How To Create Staging - Start)

3. Choose environment options. Here you have the option to clone the live or Production site, start new (blank or guided) or copy from another install. In most cases you’ll select “Copy an existing environment to this site” as this will allow you to clone your Production environment.

(Screenshot: WP Engine How To Create Staging - Choose environment type)

4. Select the production environment. Note that you’ll need to choose the most recent Backup. If you want the most current version of your Production environment, you’ll want to create a Backup first, before you create the staging environment.

(Screenshot: WP Engine How To Create Staging - Select environment to copy)

5. Give your staging environment a unique name, and click Add Environment.

6. That’s it! You’re done. Just give it a few minutes, and the new install will be built. If you did copy the Production environment, your WordPress user information remains exactly the same, just use the new staging URL.

Note: You’ll need to create new credentials in order to access the staging install via SFTP.

Sign up for WP Engine today!

Categories
WordPress

This Post Was Composed with LocalWP

On my “to try” list for a while now is LocalWP, an application to streamline the process of working with WordPress locally. Put another way, you can build a WordPress website on your local computer and then use LocalWP to push that site online. Why would you do this, you ask? There are several reasons, chief amongst them being speed. Here’s why I like LocalWP and will consider working it into my normal workflow:

  1. It’s fast. While WPEngine is fast, the speed of interacting with any website that isn’t hosted locally is a result of many factors including your Internet connection speed and daily traffic levels. LocalWP operates on your local computer, which for the most part bypasses any reliance on your Internet connection.
  2. Good for travel. For those that travel and rely on cellular Internet access, closely managing your bandwidth usage is key to survival. Because LocalWP works mostly offline, this reduces the amount of bandwidth used and is of course much faster than working online if your connection is poor.
  3. Another staging environment. While WPEngine features a robust and easy-to-use staging environment system, working locally gives you another staging environment, to queue your updates and protect you (from yourself) from screwing up a live website.
  4. Tight integration with WPEngine. LocalWP will connect directly to WPEngine using their API, which is easily enabled. You can then view all of your sites, and “pull” any of them locally, to be edited and then pushed back live.
  5. It’s free. The Community version is free, and LocalWP claims it will stay that way. Pro adds a few features, and priority support which makes sense if you’re going to make LocalWP an integral part of your team’s process.

While I’ve only scratched the surface of what LocalWP can offer, I’m pleased to find the toolset to be simple and powerful.

**Update**

Upon pushing my local changes live, I had an issue. The local domain josiahcole.local did not update to the live domain josiahcole.com. A quick chat with WPEngine support solved the issue, however the root cause is still unknown. I will update this post the next time I attempt to publish via LocalWP.

Categories
WordPress WP Engine WPEngine

How to Clear the WP Engine Cache

WP Engine built-in caching is a breath of fresh air if you’re used to managing caching plugins, with their finicky settings and tendency to break. Built into the WordPress dashboard, the WP Engine cache control is just two clicks away, which makes theme changes easy to see immediately.

This action can also be accomplished via the WP User Customer Portal which is a nice feature addition, allowing an administrator or network technician to clear the website cache, without having direct WordPress access.

(Screenshot: WPEngine Cache Control User Portal)