Htaccess snippet collection

.htaccess (yes, a nameless file with the extension “htaccess”) is a hidden Apache configuration file. It can be placed in any directory within your website, but the main one is placed in the root folder. It allows you to further protect your website, set redirects and tweak performance.

Over the years, I’ve gathered a small collection of .htaccess snippets for the WordPress websites I create. So here’s my handy WordPress htaccess configuration items collection.

Note: Lines starting with the hash sign (#) are comments and have no effect.

Force SSL


# FORCE SSL
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# More options:
# http://www.inmotionhosting.com/support/website/ssl/how-to-force-https-using-the-htaccess-file

Redirection options

Redirect during build

When you’re in the process of building a website for your client, you can use this code snippet to grant yourself and your client access by IP address, while redirecting the rest of the world to a temporary page.

# REDIRECT TO WWW SUBFOLDER
RewriteEngine On
# IF not from your address
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.1$
# Fill in your own IP address above

# AND not for /www directory
RewriteCond %{REQUEST_URI} !^/www

# THEN send them to /www/index.html
RewriteRule (.*) /www/index.html [R=307,L]

Redirect wp-login.php

Leaving the login page at its default setting is a security risk. By changing this, you make it a bit more difficult for uninvited guests to gain entrance to your WP-admin.

# MAKE /ACCESS SERVE /WP-LOGIN.PHP
# (internal rewrite: /wp-login.php itself remains reachable at its default URL)
RewriteRule ^access$ /wp-login.php [NC,L]

Redirection of a domain name to a single page on a website


# DOMAIN REDIRECTS
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} domainB\.com [NC]
RewriteRule (.*) https://domainA.com/sub-page/$1 [R=301,L]
</IfModule>

Redirect the domain name to the WWW subdomain

I prefer to use the basic domain as default (https://example.com), but if for some reason you prefer to use https://www.example.com as your default domain, you can reverse the redirection. Now, if you visit https://example.com, you are automatically redirected to https://www.example.com.
Snippets found on

RewriteEngine on
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

Alternatively, if you also have https://example.nl and https://example.fre, this is how you can redirect them to https://www.example.com as well:

RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

Security tweaks

Block framing/Sniff/Xss


# BLOCK FRAMING/SNIFF/XSS
<IfModule mod_headers.c>
Header set X-Frame-Options DENY
Header set X-Content-Type-Options "nosniff"
Header set X-Xss-Protection "1; mode=block"
</IfModule>
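
A stricter variant of the three headers in the snippet above, as an added example that is not part of the original collection. It assumes mod_headers is loaded and that the site does not already send its own Content-Security-Policy header.

```apache
# Added example (not from the original collection).
<IfModule mod_headers.c>
    # "always" also applies to error responses, which the default
    # condition of "Header set" does not cover.
    Header always set X-Frame-Options "DENY"

    # CSP frame-ancestors is the current standard for framing control;
    # X-Frame-Options stays in place for older browsers.
    Header always set Content-Security-Policy "frame-ancestors 'none'"

    # Stop browsers from guessing a MIME type other than the declared one.
    Header always set X-Content-Type-Options "nosniff"

    # Current browsers have removed their XSS auditor. "0" switches it off
    # explicitly in the older browsers that still have one, instead of
    # relying on "1; mode=block".
    Header always set X-XSS-Protection "0"
</IfModule>
```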

Block “includes” directories and files


# BLOCK INCLUDE FILES AND DIRS
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

Block access to wp-config.php


# BLOCK XS TO WP-CONFIG
<Files wp-config.php>
order allow,deny
deny from all
</Files>

Block access to .htaccess


# BLOCK XS TO HTACCESS
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
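
The wp-config.php and .htaccess blocks above use the Apache 2.2 access directives (order, deny), which on Apache 2.4 only work when mod_access_compat is loaded. The following added example, not part of the original collection, protects the same files on either version; the ^\.ht pattern in the second block is an assumption of this example.

```apache
# Added example (not from the original collection).
# Deny all web access to wp-config.php on Apache 2.4 and 2.2 alike.
<Files "wp-config.php">
    <IfModule mod_authz_core.c>
        # Apache 2.4+: native authorization syntax
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2: legacy syntax
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# Same protection for .htaccess, .htpasswd and any other .ht* file.
<FilesMatch "^\.ht">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

Inside .htaccess, Require needs AllowOverride AuthConfig and Order/Deny need AllowOverride Limit; if the server configuration does not grant them, requests fail with a 500 error.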

Block directory browsing


# DISABLE DIRECTORY BROWSING
Options All -Indexes

Prevent entering full path to file in uploads folder into browser


# PREVENT ENTERING FULL PATH TO FILE IN UPLOADS FOLDER INTO BROWSER
Options All -Indexes

Performance tweaks

Keep in mind that if you are using a caching plugin, some of the settings here will already be written to the .htaccess file by the plugin, and therefore need not be added manually.

Set expiration dates

Increase performance by setting expiration dates on file types.

# SET EXPIRATION DATES TO INCREASE WEBSITE PERFORMANCE
<IfModule mod_expires.c>
# Enable expirations
ExpiresActive On
# Default directive
ExpiresDefault "access plus 1 month"
# My favicon
ExpiresByType image/x-icon "access plus 1 year"
# Images
ExpiresByType image/gif "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType image/jpg "access plus 1 year"
ExpiresByType image/jpeg "access plus 1 year"
# CSS
#ExpiresByType text/css "access 1 month"
# Experimenting here: with the timestamp added through functions.php, the CSS file changes version number when updated,
# causing the stylesheet to be downloaded again, and resetting the plus 1 year. Test this!
ExpiresByType text/css "access plus 1 year"
# Javascript
ExpiresByType application/javascript "access plus 1 year"
</IfModule>

Disable eTags

Disabling eTags increases website performance.

# DISABLE ETag TO INCREASE WEBSITE PERFORMANCE
# "None" stops Apache from generating ETag headers for static files
FileETag None

Enable Gzip, method #1

Enabling gzip compression increases performance.

# ENABLE GZIP METHOD #1
<IfModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>

Enable Gzip, method #2


# ENABLE GZIP METHOD #2
<IfModule mod_deflate.c>
# Compress HTML, CSS, JavaScript, Text, XML and fonts
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml

# Remove browser bugs (only needed for really old browsers)
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent
</IfModule>

Want to know more about .htaccess? Start .

This is a live document. I will add new snippets as I come across them. If you have any useful additions, please feel free to post them in the comments!


My name is Boris Hoekmeijer, I'm a web designer and graphic designer.
I sometimes run into a problem for which I have to find my own solution because Google just won't tell me. That's when I climb behind my mechanical keyboard, and fire away until a tutorial materializes. One of the great things about the web: we can all help each other!
If this article has helped you, or if you have anything to add or ask, please leave a comment or share the post.
Cheers!

© ★ Published: June 25, 2018