16 htaccess Hacks to Speed Up, Optimize and Secure WordPress

Hypertext access files, usually abbreviated as htaccess, live in the directory of a WordPress site, and they are always hidden files (the name starts with a period). There are lots of things you can do with htaccess files depending on your goals. The .htaccess file can be used to improve the security of your website and improve your site's speed, among a whole host of other things.

The following tips and tricks will help you speed up your WordPress blogs, secure them, and allow you to easily customize your site in various ways.

Just be aware that even a small mistake in htaccess can cause big changes to your site, so keep track of all the changes you make so that you can undo them if you need to.

1. Create a blacklist to prevent site access from certain IP addresses.

Websites are made to have visitors. However, those guests can occasionally become a problem. Sometimes, there are certain site visitors that are no longer welcome. Htaccess files can be used to block those particular visitors. This is also useful to keep bots away from your site. The code used to create your blacklist is as follows:

 <Limit GET POST PUT>
 Order allow,deny
 Allow from all
 # placeholder addresses from the documentation ranges; replace with the offending IPs
 Deny from 203.0.113.10
 Deny from 198.51.100.25
 Deny from 203.0.113.77
 Deny from 192.0.2.99
 </Limit>
 # Order/Allow/Deny is Apache 2.2 syntax; Apache 2.4 needs mod_access_compat
 # or the native form: Require all granted plus Require not ip <address>

You can add as many IP addresses as you want this way to keep your site free of troublemakers. If someone is spamming your site, this little piece of code is your new best friend.

2. Create a redirect while performing site maintenance.

While you’re performing site maintenance, you want visitors to be redirected to a page that lets them know what’s going on and maybe when your site is expected to be open to visitors again. You can use the htaccess file to accomplish this using the following code:

 RewriteEngine On
 # let the maintenance page itself through, and your own address (123.123.123.123 is a placeholder)
 RewriteCond %{REQUEST_URI} !/maintenance\.html$
 RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
 # everything else gets a temporary (302) redirect
 RewriteRule ^ /maintenance.html [R=302,L]

Be sure you have created an HTML document to be displayed during site maintenance and that you have named it maintenance.html. That is the page this code will send visitors to while you are performing routine site updates and creating backups. As this is a temporary redirect, we are serving a 302 response.

3. Create 301 Redirects Using Htaccess files

Sometimes you want to redirect your site visitors to a different page. This is useful when you have deleted pages from your site that users may still find through links or search engines. It is also helpful when you have moved the content from one page to a new page with a different address. Using the following code will show the new page instead of an error page when someone clicks on the link that is no longer working.

 # 301 Redirects (old path first, then the full new URL)
 Redirect 301 /abc/file.html http://www.yourblogname.com/def/file.html

4. Speed Up Your Site by Disabling Revisions Autosave.

WordPress saves revisions of your pages and posts in real time as you are creating them. While this is an incredibly useful feature, it can also slow down your site’s speed. Sometimes, people are willing to sacrifice the convenience of having pages automatically saved in order to have a faster website. To completely disable the WordPress autosave feature, add the following line to your wp-config.php file:

define('WP_POST_REVISIONS', false );

If you would like to get the autosave feature back at a later time, simply delete that line of code.

5. Block all IP addresses except your own from accessing admin files

If you want to make sure that no IP address except your own is allowed to access the wp-admin directory of your site, there is a snippet that blocks all other IP addresses from accessing the directory. The wp-admin directory is where all the files related to the WordPress dashboard are located. This includes all administrative functions such as writing posts, moderating your comments, installing themes, and using plug-ins.

Because WordPress allows full access to administrators, blocking others from accessing your admin files can keep hackers from accessing your site. To block all addresses except your own, the code to use is:

 # place this in wp-admin/.htaccess
 AuthUserFile /dev/null
 AuthGroupFile /dev/null
 AuthName "WordPress Admin Access Control"
 AuthType Basic
 # no <Limit GET> wrapper, so POST and other methods are restricted too
 Order deny,allow
 Deny from all
 # your own address; xx.xx.xx.xx is a placeholder
 Allow from xx.xx.xx.xx
 # note: wp-admin/admin-ajax.php is also called by front-end features; exempt it separately if those break

6. Ban a Single Spammer from Accessing your Site

We have already gone over a snippet that allows you to block multiple IP addresses from your site. Sometimes, though, there is only one spammer who is causing problems. In that case, it makes sense to use a simpler snippet that just bans that particular IP address. To do so, simply add their IP address into the following code.

 ## USER IP BANNING
 <Limit GET POST>
 Order allow,deny
 # xxx.xx.xxx.xxx is a placeholder for the spammer's address
 Deny from xxx.xx.xxx.xxx
 Allow from all
 </Limit>

Using this code allows access to everyone except those who are trying to access your site from the IP that has been causing trouble.
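Tips 1, 5 and 6 rely on the same Order/Allow/Deny semantics, and it is easy to get the two Order values backwards. The following Python is an added example, not code from the original post: it parses a block like the ones above and evaluates it for a client address the way Apache 2.2 (or 2.4 with mod_access_compat) would, including partial dotted prefixes, and flags entries such as the impossible 123.456.789 that Apache would refuse to parse. The sample blocks and addresses are constructed from the documentation ranges.

```python
import ipaddress

# Constructed sample mirroring tip 1 (documentation-range addresses, not real hosts).
BLACKLIST = "Order allow,deny\nAllow from all\nDeny from 203.0.113.10\nDeny from 198.51.100"
# Constructed sample mirroring tip 5: refuse everyone except one address.
ADMIN_ONLY = "Order deny,allow\nDeny from all\nAllow from 192.0.2.7"

def _entry_matches(entry, client):
    # 'all', a full IP, a CIDR block, or an Apache partial prefix ('198.51.100' = 198.51.100.0/24)
    if entry == "all":
        return True
    if "/" in entry:
        return client in ipaddress.ip_network(entry, strict=False)
    octets = entry.split(".")
    if len(octets) == 4:
        return client == ipaddress.ip_address(entry)
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return client in ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)

def entry_is_valid(entry):
    # False for entries Apache cannot parse, such as the 123.456.789 style with octets above 255
    try:
        _entry_matches(entry, ipaddress.ip_address("192.0.2.1"))
        return True
    except ValueError:
        return False

def parse_access_block(text):
    # Collect the Order, Allow from and Deny from lines; Apache's default Order is deny,allow
    order, allow, deny = "deny,allow", [], []
    for raw in text.splitlines():
        parts = raw.strip().lower().split()
        if len(parts) >= 2 and parts[0] == "order":
            order = parts[1]
        elif len(parts) >= 3 and parts[0] in ("allow", "deny") and parts[1] == "from":
            (allow if parts[0] == "allow" else deny).extend(parts[2:])
    return order, allow, deny

def client_allowed(text, client_ip):
    # Order allow,deny: a Deny match wins and unmatched clients are refused.
    # Order deny,allow: an Allow match wins and unmatched clients are admitted.
    order, allow, deny = parse_access_block(text)
    client = ipaddress.ip_address(client_ip)
    allowed = any(_entry_matches(e, client) for e in allow)
    denied = any(_entry_matches(e, client) for e in deny)
    if order == "allow,deny":
        return allowed and not denied
    return allowed or not denied
```

Run `client_allowed(BLACKLIST, "203.0.113.10")` to see the blacklist refuse that address while `client_allowed(ADMIN_ONLY, "192.0.2.8")` shows the whitelist refusing everyone it does not list.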

7. Render your PHP configuration file inaccessible.

The wp-config.php file contains crucial information like the name of your database. If you would like to deny access to this file, there is an easy way to do it. This file contains sensitive information like your database user id, password, and database name in plain text. Completely blocking all access to the file adds a layer of security, protecting the site from prying eyes. Because PHP runs on the server, this information is not normally visible in a browser, but if someone were to hack a website, this is one of the first files they would be likely to try to access because of the information it contains.

 # protect wp-config.php
 <Files wp-config.php>
 Order allow,deny
 Deny from all
 </Files>
 # Apache 2.4 native equivalent inside the block: Require all denied

Using this code helps tremendously with site security.

8. Only allow files smaller than 10 MB to be uploaded.

Large files can significantly slow down a website. A simple way to ensure smaller file sizes is to use a code that limits the file size that can be uploaded. This can keep a site from being bogged down by trying to open too many large files at once and allow the site to keep running at optimal speed. The following code can be used to achieve this purpose:

 # limit request bodies (uploads included) to 10240000 bytes, just under 10 MB
 # PHP's own upload_max_filesize and post_max_size still apply separately
 LimitRequestBody 10240000

If you would prefer to set the limit higher, you can also set the maximum upload size to 20 MB or any other file size that you choose. When larger files are being uploaded, the request will be denied.

9. Add password protection to your directories.

Adding password protection to your blog’s directories is easy to do using your htaccess file. There are many reasons why a webmaster would want to do this. When a blog is hacked, its posts are often deleted, and any other sites hosted under the same directory can be reached, too.

This can cause a headache for a blog owner who has kept adequate backups. It can be completely disastrous for one who has not. Adding password protection to the files that provide access to the directories of your blog adds an additional layer of security and prevents unauthorized users from accessing other sites connected to your blog.

To do this, simply add the following code to your htaccess file:

 AuthType Basic
 AuthName "restricted area"
 # absolute path to the password file created with the htpasswd tool;
 # keep it outside the web root so it can never be served to a browser
 AuthUserFile /usr/local/var/www/html/.htpasswd
 Require valid-user

10. Allow spelling errors in the URL to be automatically corrected.

By adding a CheckSpelling directive (from mod_speling) to your htaccess file, users who misspell something in your URL will still be able to access the file. This directive is not sufficient to correct gross misspellings. However, when a typo or being one letter off is the problem, mod_speling can correct small mistakes and find the correct document. To add this feature to your site, simply use the following code:

 <IfModule mod_speling.c>
 CheckSpelling On
 </IfModule>

11. Secure your WordPress Plugin Files

Plugins are incredibly useful, but they can also leave your website vulnerable to attackers. Sometimes plugin files allow direct access to unauthorized users, which is a serious security problem. Because plugins provide so many awesome functions to WordPress sites, it doesn’t make sense to stop using plugins altogether because some of them leave loopholes that make outside access possible. Simply use the following four lines of code to prevent anyone but you from having direct access to your plugin files.

 # these directives let browsers fetch the plugins' .js and .css assets
 <Files ~ "\.(js|css)$">
 Order allow,deny
 Allow from all
 </Files>

11. Add a trailing slash to the end of your URL.

URLs with a trailing slash generally indicate a directory. URLs that don’t have a trailing slash usually point to files. While it is possible for two different pages with different content to have identical URLs aside from the slash at the end, this can be confusing to users and search engines.

If you would like to add a trailing slash to the end of a URL by using your htaccess file, the following code will automatically do that for you:

 # trailing slash enforcement (domain.com is a placeholder for your own host name)
 RewriteEngine On
 RewriteBase /
 # skip real files, and anything that already ends in a slash
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_URI} !/$
 RewriteRule ^(.*)$ http://domain.com/$1/ [L,R=301]

12. Redirect users to a customized 404 error page.

If you want your visitors to be redirected each time they reach a page with a 404 error, the following code will take them to a customized error page. A 404 error occurs when the page being requested is not found. This is usually because the page has either been moved or it has been deleted. Using a custom 404 error page is a good idea to keep your site streamlined and professional looking. You can use the following code to redirect users to your custom page when they do reach a page that no longer exists at the address they have typed.

 # custom error pages (paths are relative to the document root; create these files)
 ErrorDocument 401 /err/401.php
 ErrorDocument 403 /err/403.php
 ErrorDocument 404 /err/404.php
 ErrorDocument 500 /err/500.php

13. Keep spammers from making posts on your blog.

This code denies comment submissions that do not come from your own domain. To understand how this works, imagine a typical blog reader reading a post and deciding to leave a comment. The comment form is submitted from the page with the post on it, so the request carries that page as its referrer. A spammer is not your typical reader, and they are not reading your blog.

They are making what are called “no referrer requests”, meaning the comment submission was the first request made. The following code can deny all these types of requests, cutting out the spambot activity on your website:

 RewriteEngine On
 RewriteCond %{REQUEST_METHOD} POST
 RewriteCond %{REQUEST_URI} wp-comments-post\.php
 # replace yourblog.com with your own domain
 RewriteCond %{HTTP_REFERER} !yourblog\.com [OR]
 RewriteCond %{HTTP_USER_AGENT} ^$
 # Referer and User-Agent are supplied by the client, so this only stops bots that omit them
 RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]

You can use the last line of this code to send spammers elsewhere. Be sure not to send them to other sites you own or even to sites you like. :)
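To see which comment submissions the rule above would actually catch before deploying it, you can replay the same condition chain over your access log. The following Python is an added example, not code from the original post: it parses Apache combined-format log lines (the log lines here are constructed, with documentation-range addresses), applies the POST, wp-comments-post.php, Referer [OR] empty User-Agent logic, and returns the client addresses that would have been redirected. The yourblog.com domain is the placeholder from the snippet.

```python
import re

SITE = "yourblog.com"   # placeholder domain from the snippet; use your own

# Apache combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
                    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def is_spam_post(method, uri, referer, ua, site=SITE):
    # Mirrors the RewriteCond chain: POST to wp-comments-post.php AND
    # (Referer does not mention our site [OR] User-Agent is empty).
    # A missing header is logged as "-", which corresponds to what ^$ matches in Apache.
    # Both headers are client-supplied, so this is a cheap filter, not authentication.
    if method != "POST" or "wp-comments-post.php" not in uri:
        return False
    return site not in referer or ua in ("", "-")

def spam_post_sources(lines, site=SITE):
    # Return the client addresses whose comment POSTs the rule would have redirected
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_spam_post(m["method"], m["uri"], m["referer"], m["ua"], site):
            hits.append(m["ip"])
    return hits

# Constructed log lines (documentation-range addresses), not taken from any real server
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "https://yourblog.com/hello-world/" "Mozilla/5.0"',
    '203.0.113.77 - - [10/Oct/2023:13:57:12 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "https://other.example/" "curl/8.0"',
    '192.0.2.44 - - [10/Oct/2023:13:58:00 +0000] "GET /wp-comments-post.php HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(spam_post_sources(SAMPLE_LOG))  # ['203.0.113.5', '203.0.113.77']
```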

14. Add and customize permalinks to create better URLs.

One of the most popular htaccess tricks is to add some code that allows webmasters to create and customize their blog’s permalink settings. This makes for cleaner URLs that include your keywords instead of strings of symbols and random numbers. To do this for a WordPress site is as simple as adding the following code to your site's htaccess file:

 # BEGIN WordPress
 <IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /
 RewriteRule ^index\.php$ - [L]
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule . /index.php [L]
 </IfModule>
 # END WordPress

15. Use the htaccess file to force caching.

While force caching will not speed up an initial page load, if a page has been loaded once on a particular browser, force caching can send 304 statuses and speed up page loading if nothing on the page has changed.

 # requires mod_expires; x is a placeholder, replace it with a number of seconds
 FileETag MTime Size
 ExpiresActive On
 ExpiresDefault "access plus x seconds"

16. Create an htaccess file if you do not have one.

If your site does not already have an htaccess file, it is easy to create your own and then upload it to your site. To do this, you simply create a text file, leave it blank, save it as .htaccess, and then upload it to the root of your WordPress installation. It is important to include the period at the beginning of the file name, so be sure not to omit it.

You can use my free .htaccess generator to help you get started.

A Word of Caution

Htaccess codes have to be implemented with total accuracy or your site may go down completely. It is important that you create a backup of the htaccess file before making any changes. Store this backup externally, either using the cloud or using a flash drive to ensure that you will have access to the saved copy if you need it.

After each change you make to your htaccess file, refresh your page to ensure that your website is still online. Because a single error will make your site go down, it is important to know exactly when any problems occurred. This will help narrow down the line of code that needs to be corrected.

htaccess allows for lots of functionality by adding lines of simple code. Bookmark this list of tricks and tips so that you will have access to these codes next time you log into your WordPress site. Being able to make changes and customize your blog is one of the perks of using WordPress.

Using simple codes, you can speed up your site, deter hackers, improve your security, keep spammers away, and easily add redirects. Taking advantage of your htaccess file can supercharge your ability to customize your site.


Jamie Spencer

My name is Jamie Spencer and I have spent the past 10 years building money making blogs. After growing tired of the 9-5, commuting and never seeing my family I decided that I wanted to make some changes and launched my first blog. Since then I have launched lots of successful niche blogs and after selling my survivalist blog I decided to teach other people how to do the same.

4 thoughts on “16 htaccess Hacks to Speed Up, Optimize and Secure WordPress”

  1. Hi, nice article! Thank you for sharing this cool info with us.
    In addition, you can also :
    – enable gzip compression for your resources,
    – enable keep alive mode

    P.S. : can you take a look at your code snippets, The less than and greater than signs are not rendered, you get < and >

  2. Exceptional Blog! I was facing security issues in our blog like spamming. I am using .htaccess file only for 301 redirection and not aware of use of .htaccess file for security purpose. I hope the article greatly helps me to solve my security issues.
    Thanks for sharing such invaluable information.
