.Htaccess for everyone

Why is there that point and what does htaccess mean?

It is the abbreviation of "hypertext access", the point at the beginning serves to hide it in a folder so that it is not shown, unless the option to show hidden files has been enabled. The. htaccess file is a Apache server configuration file that you upload to Your site's root directory can give commands to your server. Please note that this file can slow down the requests sent to the serevr and must be created only if you are on a shared hosting because you do not have access to the web server conf.


What is it for and why to configure it?

Can be used for SEO, Security and Optimization

Each WordPress installation is already provided with a codeconfigured file. It can be used for redirects in the case of SEO, disable file upload on the server and other tricks for Security, use it for cache and minification in case of Optimization.  

I remind you that the .htaccess file is not only for WordPress but can be used on any platform as they are directives for the server.


Let's move on to the facts immediately


Some SEO experts say that a slash at the end of the link helps, while others say it does not. In case you want to try you can use this snippet-codes.

RewriteCond %{REQUEST_URI} /+[^.]+$
RewriteRule ^(.+[^/])$ %{REQUEST_URI}/ [R=301,L]

Although WordPress comes with coded error pages, you can also create custom error pages and serve it to users through your </ strong> . htaccess , </ em> file you can use the same error page for each error status code or create one for each, separately.

ErrorDocument 404 /error404.html
ErrorDocument 403 /error403.html
ErrorDocument 500 /error500.html
ErrorDocument 501 /error501.html

The redirects 301 as come redirects permanents with which you can forward your visitors from one URL to another.

Redirect 301 /oldurl1 /newUrl1
Redirect 301 /oldUrl2 /newUrl2

In case of switching to Https of the entire platform, use this snippet-codes :

<IfModule mod_rewrite.c> RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://miosito.it/$1 [R=301,L] </IfModule>

Then add the following string in the wp-config file:

define(‘FORCE_SSL_ADMIN’, true)


Can disable the directory browsing function.

Options -Indexes


Pretect .htaccess

#BEIGN protect .htaccess <br><br>
<Files ~ "^.*\.([Hh][Tt][Aa])"><br>
Order allow,deny<br>
Deny from all<br>
Satisfy all<br>
&lt;/Files&gt; <br>


Block IPs, useful if you have an assigned IP or know that there are some IPs that bother you.

Order allow,deny
Deny from xxx.xxx.xx.xx
Deny from yyy.yyy.yy.yy
Allow from all


Keeping error logs and secure configuration files is an important security practice because they contain vulnerable data such as the database username and password.

<FilesMatch "^.(error_log|wp-config.php|php.ini|.[hH][tT][aApP].)$" >
Order deny,allow
Deny from all
< /FilesMatch>


Your folder wp-content contains plug-ins, themes, uploads of images, some backup and other important files. In addition to static files such as images, CSS and JavaScript, there is no reason to give access to the content </ em> content directory.

Order deny,allow
Deny from all
<Files ~ ".(xml|css|js|jpe?g|png|gif|pdf|docx|zip|rar)$" >
Allow from all
< /Files>


The wp include folder contains important WordPress core files, better disable access.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^ wp-admin / includes / - [F, L]
RewriteRule! ^ Wp-includes / - [S = 3 ]
RewriteRule ^ wp-includes / [^ /] + . php $ - [F, L]
RewriteRule ^ wp-include / js / tinymce / langs /.+ . php - [F, L]
RewriteRule ^ wp-include / theme-compat / - [F, L]
< / IfModule >


Protect the file wp-config.php , avoiding access to the WordPress configuration file.

#BEIGN wp-config.php
<files wp-config.php>
Order deny,allow
Deny from all
#END wp-config.php


One of the practices to do is definitely disable access to php files of theme or plug-in.

RewriteCond %{REQUEST_URI} !^ /wp-content/ plugins/file/to/exclude.php
RewriteCond %{REQUEST_URI} !^ /wp-content/ plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(..php)$ - [R= 404 ,L]
RewriteCond %{REQUEST_URI} !^ /wp-content/ themes/file/to/exclude.php
RewriteCond %{REQUEST_URI} !^ /wp-content/ themes/directory/to/exclude/
RewriteRule wp-content/themes/(.
.php)$ - [R= 404 ,L]


XML-RPC allows access to third-party apps like Jetpack on your site so that they can post content or perform different actions on it. This is a basic active setting, better to disable if not needed.

<FilesMatch "^(xmlrpc.php)" >
Order deny,allow
Allow from xxx.xxx.xx.xx
Allow from yyy.yyy.yy.yy
Deny from all
< /FilesMatch>


Hackers often target the variables GLOBALS and _REQUEST on WordPress sites. The following htaccess rules cause your server to deny these changeshe.

Options +FollowSymLinks RewriteEngine On RewriteCond %{QUERY_STRING} (|%3C).script.( > |%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]


WordPress uses a specific URL structure for the author's pages that display all the articles belonging to the same author. For example, if a user enters https://www.yoursite.com/?author=1 </ em> in the URL bar, the browser loads the author's page that displays all posts from the URL. author together with the username. With the same technique, it is easy to find out the user name of each author. However, you can prevent it by using this snippet-codes </ em> in your htaccess .

RewriteEngine on
RewriteBase /
RewriteCond %{QUERY_STRING} author=d
RewriteRule ^ /? [L,R=404]

If you and all of your administrators have a static IP, you can protect your WordPress admin area by adding the following rules to your .htaccess</ em>.

AuthUserFile /dev/ null
AuthGroupFile /dev/ null
AuthName "WordPress Admin Access Control"
AuthType Basic
Order deny,allow
Deny from all
Allow from xxx.xxx.xx.xx
Allow from yyy.yyy.yy.yy

If you do not want visitors to be able to view or download certain types of files

AddType application/octet-stream .pdf
AddType application/octet-stream .zip
AddType application/octet-stream .mov


You can speed up your site by enabling the browser cache on the your server so users' browsers do not have to continually download static files like images and scripts.

#Expires headers (for better cache control)
<IfModule mod_expires.c>
ExpiresActive on
#Perhaps better to whitelist expires rules? Perhaps.
ExpiresDefault "access plus 1 month"
#cache.appcache needs re-requests in FF 3.6 (thanks Remy ~Introducing HTML5)
ExpiresByType text/cache-manifest "access plus 0 seconds"

#Your document html
ExpiresByType text/html "access plus 0 seconds"

ExpiresByType text/xml "access plus 0 seconds"
ExpiresByType application/xml "access plus 0 seconds"
ExpiresByType application/json "access plus 0 seconds"

ExpiresByType application/rss+xml "access plus 1 hour"
ExpiresByType application/atom+xml "access plus 1 hour"

#Favicon (cannot be renamed)
ExpiresByType image/x-icon "access plus 1 week"

#Media: images, video, audio
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType video/ogg "access plus 1 month"
ExpiresByType audio/ogg "access plus 1 month"
ExpiresByType video/mp4 "access plus 1 month"
ExpiresByType video/webm "access plus 1 month"

#HTC files (css3pie)
ExpiresByType text/x-component "access plus 1 month"

ExpiresByType application/x-font-ttf "access plus 1 month"
ExpiresByType font/opentype "access plus 1 month"
ExpiresByType application/x-font-woff "access plus 1 month"
ExpiresByType image/svg+xml "access plus 1 month"
ExpiresByType application/vnd.ms-fontobject "access plus 1 month"

#CSS and JavaScript
ExpiresByType text/css "access plus 1 year"
ExpiresByType application/javascript "access plus 1 year"

GZIP compression is enabled on the server side and allows a further reduction in the size of HTML, CSS and JavaScript files. It will not work on images as these are already in a different way.
<IfModule mod_deflate.c>

#Comcodess HTML, CSS, JavaScript, Text, XML and fonts
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml

#Remove browser bugs (only needed for really old browsers)
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent

Mod_pagespeed is an open source server module. Combine Css files, removes white space and comments in Html, image editing. This way you can reduce the requests to the server.
<IfModule pagespeed_module>
ModPagespeed on
ModPagespeedEnableFilters rewrite_css,combine_css
ModPagespeedEnableFilters recomcodess_images
ModPagespeedEnableFilters convert_png_to_jpeg,convert_jpeg_to_webp
ModPagespeedEnableFilters collapse_whitespace,remove_comments

Keep-Alive is a technique that allows a Transmission Control Protocol (TCP) </ em> connection to access multiple files from the server to the web browser rather than creating a new connection for each new request (file) .

Header set Connection keep-alive


Image Hotlinking occurs when another website displays your images by linking them to their URL on your site. This extra traffic increases bandwidth and could significantly slow down your site. You can easily avoid with the following snippet-codice.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?yoursite1.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?yoursite2.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?google.com [NC]
RewriteRule .(jpg|jpeg|png|gif)$ – [NC,F,L]

These 22 best-practices to run in your htaccess can make a difference on your site / blog. It must be said that there are plug-ins that perform these functions, but why use them when with a few lines you can do everything and keep the platform lighter ?!