WordPress .htaccess File in Action: Usage Basics

Yes, WordPress reigns supreme as a CMS, so most modern developers will have encountered WordPress in their daily activities. We’re using this tutorial to explain how one of WordPress’s most important components works. See why the .htaccess file is so important to WordPress functionality, and learn more about configuring your own .htaccess file.

What exactly is a WordPress .htaccess file?

If this is totally familiar to you – great! But if you’ve never heard of the .htaccess file – there’s a reason for that. In almost all cases the .htaccess file will be hidden in your root directory. And sometimes you simply won’t have an .htaccess file at all.

Note that .htaccess is not something unique to WP at all. In fact, it relates to the Apache web server that drives countless websites – including WordPress. So .htaccess is basically a web server configuration file. Your Apache server will look for the .htaccess document whenever it starts your website. And if it exists – it will obey the instructions in it.

Essentially, the .htaccess file helps configure specific Apache settings in order for the web server meet your specific application needs. This could include toggling on or off server functions. Or for example, making a redirect where users who do not add “www” in front of a domain name gets redirected to www.yourdomain.com.

.htaccess is also a way to tighten up security because you can also set privileges for some files. Meanwhile, you can block bots and add additional file handling capabilities via MIME types. Many settings in the .htaccess file are relevant for developers who use it to customize their WordPress.

Creating a default .htaccess file for use in a WordPress instance

Creating a wordpress .htaccess file

Every new WordPress installation will come with a .htaccess file as soon as you install it on Apache. But note that the .htaccess file will be hidden so you must select “show hidden files.” Or a similar option in your operating system. Note that occasionally a WordPress site won’t have a .htaccess file – for example, because of permission-related issues.

Here we’ll explain how to create an .htaccess. The process is broadly similar for most file managers – including those coming with Plesk or cPanel. Alternatively, you can use your computer to create the file and simply upload using a file manager or FTP.

You need to navigate to the root directory of your WP instance – it’s usually simply called public_html. Here, create a new text file and call it “.htaccess”. You can then open this file in a plain text editor of your choice. You’ll notice a few lines of text which basically specifies the default settings for your WordPress site. By  default, the WordPress .htaccess file will contain the following code:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

To make your own file, simply copy the code above and paste it into the .htaccess file you just created. Then save the file, closing your text editor. That’s it, you have just made a brand new .htaccess file. We suggest you visit your website to make sure that it is working. Because a .htaccess file which is not correctly specified will lead to errors, including the dreaded 500 internal error.

Fine-tuning your WordPress instance using the power of .htaccess

When we talk about WordPress performance – not everything depends on WordPress configuration itself. So certain aspects are directly related to web server configuration. Since .htaccess gives you some additional ways on how to control Apache on the level of the certain website . You may use it to fine-tune your WordPress site overall performance.

Browser Caching

Browser caching allows visitors to save items from your web pages. In this case they don’t need to download them again and again while visiting your website. Usually it helps to reduce bandwidth and reduce page loading time.

<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType text/css "access 1 year"
ExpiresByType application/pdf "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresDefault "access 3 days"

File Caching

Server-side file caching helps to serve multiple visitors within the same cache. As a result, the server load reduces and the speed of each page view increases.

Cache htm/html files for 1 week:

<FilesMatch ".(html|htm)$">
Header set Cache-Control "max-age=43200"

Cache plain text files, css and js files for 1 week:

<FilesMatch ".(js|css|pdf|txt)$">
Header set Cache-Control "max-age=604800"

Cache images for one month:

<FilesMatch ".(gif|jpg|jpeg|png)$">
Header set Cache-Control "max-age=2592000"


Disable caching for dynamic files:

<FilesMatch "\.(php|pl|cgi|spl|scgi|fcgi)$">
ExpiresActive Off

Gzip compression on Apache

By enabling gzip compression, you can reduce the size of html, js and css files up to 70%:

<IfModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*

Proper character set

In order to inform the browser about certain character set usage required to render the page, you need to specify the page’s character set.

AddDefaultCharset utf-8

Disable image hotlinking

It’s not always a good idea to allow others to use your images on their website with a direct link. Especially considering your server resources and bandwidth. The solution is simple:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?bing.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]

Disable Directory Browsing

Additionally, directory browsing may give a lot of useful information for those who plan to hack your website. To fix this you may use the following:

Options -Indexes

Important files protection

Finally, it’s possible to protect vital files including local php.ini ( if any ), wp-config.php and error logs:

<FilesMatch "^.*(error_log|wp-config\.php|php\.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all

WordPress .htaccess usage – In conclusion

To sum up, you need your .htaccess for WordPress to work the way it should. Meanwhile, understand that your .htaccess file can also give you more control over your server features and performance. At the same time, keep an eye out for errors inside the .htaccess file since they may lead to inaccessibility of your website.

If you’re interested in getting exceptional performance for your website, solid security and simple management, try WP Toolkit with Plesk. Many have found this to be the optimal solution for their WordPress-based business.


  1. Hello, In the new version(s) of Plesk when I go to see and enable the .htaccess to be seen there’s no option to enable that. What other option can be done? Best Regards, Mihai Dobre

Add a Comment

Your email address will not be published. Required fields are marked *


  • Yes, please, I agree to receiving my personal Plesk Newsletter! WebPros International GmbH and other WebPros group companies may store and process the data I provide for the purpose of delivering the newsletter according to the WebPros Privacy Policy. In order to tailor its offerings to me, Plesk may further use additional information like usage and behavior data (Profiling). I can unsubscribe from the newsletter at any time by sending an email to [email protected] or use the unsubscribe link in any of the newsletters.

  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden

Related Posts

Knowledge Base

Plesk uses LiveChat system (3rd party).

By proceeding below, I hereby agree to use LiveChat as an external third party technology. This may involve a transfer of my personal data (e.g. IP Address) to third parties in- or outside of Europe. For more information, please see our Privacy Policy.