If you are a user or owner of WordPress sites, you have almost certainly seen the htaccess file among the many WordPress files, and have seen many explanations about it, especially since this file is not like the rest of the default files in the control panel and has many benefits and uses to improve the performance and security of your own site, such as controlling error pages (404), securing the login page, hiding some site folders, and other functions that we will learn about in this article.
Where is the htaccess file located and how can I modify it?
The htaccess file is located inside the WordPress files folder and does not appear in the site interface for users, but the site administrator can view and edit it through the cPanel control panel or over FTP.
You can easily access the file by entering your site’s file manager, and you will find it located next to the WordPress files:
When you open the file, you will find some codes and symbols in it that resemble the following image:
Note : Some hosting companies hide the .htaccess file inside the file manager. If it is hidden and you cannot access it directly, you can access it by entering the file manager.
Then you will find the Settings button at the top of the page, click on it:
On the settings page, you will see several options. Choose the option to show hidden files, then click Save.
After that, the .htaccess file will appear in front of you directly inside the file manager, next to the rest of your site’s WordPress files.
If you have done all the previous steps and the file does not appear, this means that your version of WordPress does not contain it in the first place, and you can easily create it yourself: from within the file manager, click on “New File” and name it “.htaccess”.
Note : If the file does not already exist and you created it yourself, you can put its default code as follows and save and close the file:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Thus, you will have a .htaccess file that you can benefit from, as we will explain to you in the following explanation.
Functions that can be performed using a .htaccess file
Here is a complete list of the most important functions you can do to enhance the security of your site using an .htaccess file:
1- Redirect an old link on your site to a new link, redirect 301
We assume that one of your site links appears in Google search results, and for some reason you want to change this link that appears in Google search to another link within your site or even another site. You can do this through the .htaccess file very easily.
We assume that the link to be changed is: http://example.com/try/index.php
The new link you want to go to is: http://example.com/try/new/html
So we write the following code inside the .htaccess file in order to redirect from the old link to the new link:
Note that only the path of the old link is written after Redirect 301 (without the domain name), while the new link is written in its entirety as you see in the previous code.
You can also do many types of redirection as follows:
<< Converting from Non-www to WWW, the code for the conversion is as follows:
<< Converting from www to Non-www, and the code is as follows:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.example\.com$
RewriteRule (.*) http://example.com/$1 [R=301,L]
</IfModule>
Convert http links to https, where the code is as follows:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
If you convert https to http, the code is as follows:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} ^443$
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
<< Transferring from one domain to another, the code is as follows:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]
</IfModule>
<< Convert pages with extensions such as .html to links without this extension, where the code is as follows:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^/?(.*)\.(html)$ /$1 [R=301,L]
</IfModule>
If the extension of the pages to be converted is .php, the code will be:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^/?(.*)\.(php|html)$ /$1 [R=301,L]
</IfModule>
<< Transferring from a subdomain to a subpage within the site. In this case, we want to convert the subdomain links to a link to an internal page on the site. For example, we want to convert the subdomain blog.example.com to the page example.com/blog.
The conversion code will be as follows:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^(.*)$ https://www.example.com/blog/$1 [L,NE,R=301]
</IfModule>
Taking into account that the htaccess file in this case must be located within the subdomain files.
2- Block the IP address from accessing your site
Sometimes you notice a very large number of visits to your site from the same IP address, and this means that someone is trying to send a very large number of visits to your site for the purpose of consuming hosting resources and thus crashing your site. In this case, you can block this IP simply by writing the following code in the htaccess file:
Replace 127.124.12.1 with the actual IP address to be blocked.
3- Protecting access to the WordPress admin page (Wp-admin).
We assume that you want to prevent anyone from accessing the famous WordPress administration page wp-admin and that you only want to allow one device or a specific number of devices to have access to it. All you have to do is put the following code in the htaccess file:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
# Limit GET restricts only GET and HEAD requests
<LIMIT GET>
order deny,allow
deny from all
allow from 11.11.11.111
</LIMIT>
Replace 11.11.11.111 with the only IP address that should be allowed to enter the wp-admin area of the WordPress site.
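The same restriction written for Apache 2.4, as an added example that is not part of the original article: it assumes the file is saved as wp-admin/.htaccess, reuses the article's placeholder address 11.11.11.111, and applies to every request method rather than only GET. The admin-ajax.php exception is an assumption for sites whose public pages call that endpoint.

```apache
# Added example, not from the original article.
# Assumed location: wp-admin/.htaccess (rules then apply to wp-admin only).
# Requires Apache 2.4+ (mod_authz_core); on 2.2 keep the Order/Deny/Allow form.

# No <Limit> wrapper: the rule applies to GET, POST and every other method.
<RequireAny>
    # Placeholder address from the article; replace with the admin's IP.
    Require ip 11.11.11.111
    # A second admin location can be added as another line (constructed example):
    # Require ip 192.0.2.0/24
</RequireAny>

# Themes and plugins call admin-ajax.php from public pages, so visitors
# must still reach it. <Files> sections are merged after the rules above.
<Files "admin-ajax.php">
    Require all granted
</Files>
```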
5- Prohibiting the execution of PHP commands inside WordPress folders
One of the methods that hackers use to steal or sabotage website files is to plant programs that execute specific commands inside the website folders, and these programs are run with PHP language commands.
To prevent this type of attack on your site, you can create a completely new .htaccess file and put the following code inside it:
You must upload this htaccess file to the wp-content/uploads folder and also to the wp-includes folder. This is because these folders are vulnerable to malicious programs of this type.
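One way to write the rule this section describes, as an added example that is not the article's own code: it assumes the file is saved as wp-content/uploads/.htaccess, and the extensions listed beyond .php are an assumption.

```apache
# Added example, not from the original article.
# Assumed location: wp-content/uploads/.htaccess
# Refuse direct HTTP requests for PHP scripts anywhere below this folder.
# The trailing (\.|$) also catches names such as file.php.jpg, which some
# handler configurations (AddHandler with multiple extensions) still run as PHP.
<FilesMatch "\.(?i:php[0-9]?|phtml|phar)(\.|$)">
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

When the same file is copied to wp-includes as the article instructs, reload the site and the post editor afterwards to confirm that nothing they request is blocked.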
6- Protect access to the wp-config.php file
It is certain that the wp-config file for WordPress is considered the most important file ever within your site, because it contains a lot of very sensitive information and data about your site. In order to protect access to this file, you must place the following code, which completely prevents access to the wp-config file, inside the htaccess file:
7- Blocking other sites while recalling images from within your site, or what is called image hotlinking
Some site owners may obtain links to images on your site and include them on their own sites, so that each image is fetched from your site through its link. This consumes your site’s resources, and the site may malfunction if the number of those links is remarkably large.
Therefore, placing the following code inside the .htaccess file protects your site’s images from being hotlinked by other sites:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
Replace example.com with your site link. Also, leave google.com as it is, which means that only two sources are allowed to display links to images within your site, which are the site itself and also Google, because it archives links to those images in the search results.
8- Protect access to the htaccess file.
Since the htaccess file can contain a lot of sensitive information about your site, accessing it may pose a great danger to the site. Access to it must therefore be completely blocked from any source whatsoever, so that the only way to reach the file is through your site’s private file manager.
To block access to the htaccess file, you can place the following code inside the htaccess file itself:
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
9- Increase the size of files allowed to be uploaded in WordPress
The previous image shows the message telling you that the maximum file upload limit is only 50MB per file. This is where the .htaccess file comes into play. To control this maximum limit, you can add the following code to assign a specific limit to the size of files uploaded within WordPress:
This code helps in changing the maximum file size and also increases the execution time required to upload the file.
Note: Some hosting companies, especially shared hosting, prevent increasing the maximum size even though it is specified within the .htaccess file.
10- Disable access to the XML-RPC file within the WordPress site
The Xmlrpc file is one of the files located inside the WordPress files folder on your site. It has many uses that may be rare, for example, it is used when there are third-party applications that work in conjunction with your site. If you do not have a need for it, many WordPress experts recommend disabling access to it.
To disable access to the Xml RPC file, you can add the following code inside the htaccess file:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
One of the modern techniques that hackers use is to find the names of authors on the WordPress website and then use programs to guess their passwords based on the author’s username.
To prevent these attempts, you can add the following code inside the htaccess file:
# BEGIN block author scans
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
# END block author scans
12- Designing error pages within the site
Surely you must have once encountered a 404 error page that tells you that the link you are trying to access does not exist on the site. This error and other errors that appear to the user if there is something wrong with the site or the link you want to access can be controlled and modified using the .htaccess file.
You can design a specific error that contains any message, such as “Sorry, this page is not available on the site.” Then you name this page with any name, such as “error404.html,” and save it within your site’s files.
Then, using the .htaccess file, you can display this page to the visitor when he types a link or accesses the name of a page that does not exist on the site, by placing the following code inside the .htaccess file:
The previous code consists of two parts: The first: ErrorDocument 400, which is a fixed function that indicates the type of error, which is 404, which appears if a page or link is not available within the site. The second part: /errors/error400.html, which indicates the path where you saved the error page that you want to display to the visitor.
Likewise, you can customize any other error page, such as error 500, which indicates a malfunction within the site’s server (server error). You can use the following code inside the .htaccess file to customize the 500 error page:
Likewise, ErrorDocument 500 is a constant function that indicates the type of error, which in this case is 500, which is the error related to a malfunction within the site server.
Also /errors/serverr.html, which is the path where the error page is located, which you are supposed to have designed and placed in this path within your site folders.
You can use this function within the .htaccess file to customize error pages within the site. Here is a list of the most important errors that are likely to occur:
400 Bad Request
401 Authorization Required
402 Payment Required (not used yet)
403 Forbidden
404 Not Found
405 Method Not Allowed
406 Not Acceptable (encoding)
407 Proxy Authentication Required
408 Request Timed Out
409 Conflicting Request
410 Gone
411 Content Length Required
412 Precondition Failed
413 Request Entity Too Long
414 Request URI Too Long
415 Unsupported Media Type

400 – Bad Request
401 – Authorization Required
403 – Forbidden
404 – File not found
500 – Internal Server Error
503 – Service Unavailable
All of the errors mentioned above can be assigned their own pages using the ErrorDocument function as we explained above, where you mention the name of the error next to it and then write the path to the page for the instructions for the expected error, just like the two examples mentioned previously.
Note : You do not have to allocate pages for all of these errors that appear in front of you, especially since the new updates to WordPress are creating these error pages without any intervention from you.
Do I necessarily need a professional programmer to modify the htaccess file?
Of course, you can modify the file yourself without the need for a specialized programmer, but you must be as careful as possible. When you make any change to the htaccess file, you must go to the site and reload it to ensure that it works without any problem. However, if you find a defect in the site after applying a specific change within the file, you can delete the change that you made, return the file to its previous state, and save it so that you can then apply the change properly.
Note : When you modify the .htaccess file yourself, it is important to take a backup copy of your site files to avoid any malfunction that may occur unexpectedly.
Is it possible to create more than one htaccess file for the website?
Of course, it is possible to create more than one .htaccess file, uploading each one to the place designated for it. But note that the commands written inside the file are applied to the files located in the same place as the file itself. For example, if you create an htaccess file and upload it to the wp-includes folder, the commands in it will be applied only to the wp-includes folder and the files contained within it, not to the rest of the site’s files.
Also, it is not possible to create more than one htaccess file within the same path, and even the file manager will not allow you to create more than one file with the same htaccess name, but as we explained above, you can create more than one htaccess file so that each file is in a different path.
Note : Although it is allowed to have multiple htaccess files, it is better to reduce them because they consume your site’s resources and increase the burden on them.
In the end, this is the general idea of the .htaccess file. We advise you to learn the most important functions that the file performs, and to be careful while modifying and editing it.