10 awesome .htaccess hacks for WordPress
Posted by Jean-Baptiste Jung on Mar 19, 2009 | 203 comments.htaccess, the file which control the Apache webserver, is very useful and allows you to do a lot of things. In this article, let’s see how .htaccess can help you with your WordPress blog, for both security,functionnality and usability.
Warning
When editing or modifying the .htaccess file of your WordPress blog, make sure to always have a backup that you can restore in case of something went wrong.
1 - Redirect WordPress RSS feeds to feedburner with .htaccess
Which blogger doesn’t use feedburner? Sure, feedburner is a very nice service, allowing you to know how many people suscribed to your rss feeds. The only problem is that you must edit your theme files to manually change the rss url. Happilly, there’s a nice hack, using .htaccess, which will make you save a lot of time!
Don't forget to modify line 6 before applying this code!
# temp redirect wordpress content feeds to feedburner
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} !FeedBurner [NC]
RewriteCond %{HTTP_USER_AGENT} !FeedValidator [NC]
RewriteRule ^feed/?([_0-9a-z-]+)?/?$ http://feeds2.feedburner.com/catswhocode [R=302,NC,L]
</IfModule>
Source: How to redirect WordPress rss feeds to feedburner
2 - Remove /category/ from your WordPress url
By default, WordPress category permalinks are displayed that way:
http://www.catswhocode.com/blog/category/wordpress
As you can see, the category in the url is pretty useless. Here’s how to remove it:
First backup your .htaccess file. Then, open it and append the following line:
RewriteRule ^category/(.+)$ http://www.yourblog.com/$1 [R=301,L]
Once saved, your categories pages will be displayed like this:
http://www.catswhocode.com/blog/wordpress
Source: How to remove category from your WordPress url
3 - Using browser cache
A very good way to optimize your blog loading time is to force the use of the browser cache. This code will not improve your blog loading time directly, but it will save some work to the server by sending a 304 not modified status when the requested element haven't been modified.
FileETag MTime Size
<ifmodule mod_expires.c>
<filesmatch "\.(jpg|gif|png|css|js)$">
ExpiresActive on
ExpiresDefault "access plus 1 year"
</filesmatch>
</ifmodule>
Source: Comment accelerer le temps de chargement de votre blog
4 - Compress static data
Do you know that it is possible to send compressed data to the visitors, which will be decompressed by the client? This code will definitely save you (and your visitor) bandwidth and reduce your pages weight.
AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/javascript text/css application/x-javascript BrowserMatch ^Mozilla/4 gzip-only-text/html BrowserMatch ^Mozilla/4.0[678] no-gzip BrowserMatch bMSIE !no-gzip !gzip-only-text/html
5 - Redirect Day and name permalinks to /%postname%/
The first thing to do is to login to your WordPress admin, go to Settings → Permalinks and select custom. Fill out the field with /%postname%/.
Your permalinks will now look like the ones on this blog:
http://www.yourblog.com/name-of-the-post
Now we got to redirect all backlinks using the old permalinks structure to the new permalink structure. To do so, you’ll have to edit the .htaccess file, located in WordPress root directory.
Paste the following line in your .htaccess:
RedirectMatch 301 /([0-9]+)/([0-9]+)/([0-9]+)/(.*)$ http://www.domain.com/$4
Allright! You just changed your permalinks structure without loosing any backlinks!
Source: Redirect day and name permalinks to postname
6 - How to: Deny comment posting to no referrer requests
Are you sick and tired about the daily amount of spam comments received? Sure, there’s akismet, but here’s a little .htaccess trick to prevent spammers posting on your blog. The fact is that most spammers uses bots comming from nowhere. This code will look for the referrer (the page from where the commentator come from) and will deny commenting if the commentator try to access the wp-comments-post.php file without directly comming from your blog.
Just change the line 4 and specify your blog url there.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*yourblog.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
Source: How to deny comment posting to no referrer requests
7 - Redirect visitors to a maintenance page
When you're upgrading your blog, or making theme/design changes, it isn't a good idea to let people see your blog being tweaked, sometimes with design or code problems, or even worst, security gaps.
The solution is to design a nice "maintenance page" and temporarily redirect your visitors to that page until you finished the maintenance.
Replace maintenance.html (line 2) by the page you'd like to redirect your visitors, and the IP adress on line 3 by your own ip.
Note that a 302 redirection is used, to avoid search engines indexing the maintenance page instead of your real homepage!
RewriteEngine on
RewriteCond %{REQUEST_URI} !/maintenance.html$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123
RewriteRule $ /maintenance.html [R=302,L]
Source: Comment faire une page d'accueil pour les internautes
8 - Protect your WordPress blog from hotlinking
Hotlinking is the use of an image from one site into a web page belonging to another site. Many bloggers are hotlinked, and have their bandwidth used on another websites. This very helpful code will protect your WordPress blog from hotlinking.
RewriteEngine On
#Replace ?mysite\.com/ with your blog url
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
#Replace /images/nohotlink.jpg with your "don't hotlink" image url
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]
Source: How to protect your WordPress blog from hotlinking
9 - Allow only your IP adress on the wp-admin directory
Excepted the case of a collaborative blog, only you should be allowed to visit the wp-admin directory. If you have a static IP, this code will do the job.
All you have to do is to enter your static IP adress on line 8. Note that you can add more IPs if needed, by creating a new line with: allow from xx.xx.xxx.xx inside.
AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "Example Access Control" AuthType Basic <LIMIT GET> order deny,allow deny from all allow from xx.xx.xx.xx </LIMIT>
Source: Protecting the WordPress wp-admin folder
10 - Banning a WordPress Spammer With .htaccess
You know it, spam is very annoying. In the case of a particular person/bot spamming you, you can easily avoid it by blacklisting the IP.
Simply replace the IP adress on line 3 by the spammer's IP. You can add more spammers by creating a new line with deny from xxx.xx.xxx.xxx inside.
<Limit GET POST> order allow,deny deny from 200.49.176.139 allow from all </Limit>
Nice collection of hacks.
Should point out on #9 – this rule needs to be put into the .htaccess file in the wp-admin folder – NOT in the blog/root folder.
8 – Protect your WordPress blog from hotlinking
It will be necessary to try necessarily, and that in manual each time to change names of files tires, at the same time and protection against theft of a content.
Thanks for the information
Ya, that’s impressive!
I’ve found a lot of really useful tricks.
It’s interesting to imagine – if you enable all this, your blog will look like a medieval castle, where no enemy can get inside. lol
Very nice article. Just retweeted it.
Nice top 10, especially the “Deny comment posting to no referrer requests”. Thanks a lot !
Great Hacks! im liking the whole saving bandwidth thang – that can be a problem when you got a load of popular blogs on your poor lil’server!
some of these cab be done through plugins but all of them are still very usefull
Thank you for these useful tips.
Nice list of WP hacks. Thanks a lot !
This is a great list. You do a great job with your blog of really digging into deep aspects of developing a wordpress site and it really has helped me with my blog. I might try and change some of these things.
Great tips! I’m going to employ most of them, especially the wp-admin hack.
Already saved in my bookmarks, thanks a lot !
Just a question for #2 : deleting “category” could be negative for SEO or not ?
Yes, at least I find good info. Thanks
Very nice indeed! Thank you!
Hi,
Thanks for this article, it’s going to be really useful for me, in fact – essential! I’ve dugg this article.
In response to Comment #7, plugins are bloat. I’d prefer not to use plugins if possible.
A great article! Congrats jbj! That’s what I love to read! I am going to add it to wpvote right away!!
re: #8 (hotlinking), we had a competitor stealing our images. In such cases, the options are:
1) refuse foreign references, as this solution does
2) redirect to offensive image to hasten the takedown (immature, funny, but without goatcxe, lacking “oomph”)
3) redirect to an advertisement for our site
I opted for #3, I redirected to a lighter-weight image of the site to bring in more clicks. Also, considered swapping out my own reference to that image (only one local ref) and making a permanent redirect for the original reference, with the idea that the discussion plus the 301-redirect to my content actually improves SEO around that subject — the foreign hotlink costs me less bandwidth, but brings in traffic and SEO ranking
@Alan Clark,
I like that solution. I must remember that one.
One slick and long list… stumbled it.
Awesome post.. thanks man! just a quick question though. Where should I copy these codes and how can i find this file that you mentioned? Im trying to use the hotlinking code you posted here.
thanks again…
Tried the “Remove /category/ from your WordPress url” and it didn’t work. Should the code be placed in the .htaccess file in the blog/root folder or elsewhere?
I’ve always been sorta scared to touvh the htaccess file, but I realized its fine. Just to back it up.
Anyway, nice post, I like the one with feedburner, probably the most popular one.
superb post!! bookmarked and tweeted
But I particularly don’t like the first hack. it defeats the purpose of feed structure of Wordpress.
Great post very informative. Imma wimp when it comes to messing with the .htaccess but I’v learnt somethings which am gona impelent. Thanks for the advice n tips.
awesome!
i found in my htacess old code and remove this… and now is my blog faster then before. Thx for this article!
“i found in my htacess old code and remove this… and now is my blog faster then before.” It’s the same to me! Thx!!
Your tipps are extremly helpful to secure/setup my own wordpress blog. Thanx a lot!
@ Allan i think i am going to do the same thing and show an ad for my site.
Great list of tips and tricks i am defiantly going to implement a few of them.
Nice collection of tips. Still, have you tried #4 yourself? It seems not to work (checked with YSlow), components still aren’t gziped.
As for #6, unfortunately, it’s really easy to set the referrer and user agent, from any server-side script, loads of bots are that advanced. Did you notice any improvement with it?
Cheers.
@ Maigret – removing category won’t matter unless you want to rank for that word
Re #3 – is this required if you’re using the WP Super Cache plugin? It seems to do client side caching as well as server side. Not sure though.
Wow, what a great and detailed guide, very helpful, just subscribed, thanks!
What more can I say? Seriously impressed with this post. Thanks.
Good Info, I’am try on my blog
Thanks for the wonderful list.
Nice list of .htaccess codes I think many WordPress (and other) users will like.
Stumbled your article. Thanks.
Very useful, thanks!
Emanuele
Another great tutorial. Thanks.
Excellent wordpress hacks collection. I think everyone should at least implement those security hacks, as you never know when your blog will come on hacker’s mind.
I am assuming that you need %/category/% in your permalink structure active in order to the RewriteRule to function?
This is a very solid article. Its utilization to redirect wordpress rss feeds to feedburner is genius. I also like the idea of using .htaccess to ban spammers. That definitely is going to come in handy!
Super Article!
On our site we have comments turned off, however in a dashboard you can still see the huge list of spams trying to get in via wp-comments-form.php and mostly from auto insurance sites, since we’re in that business. Hopefully we put the stop on that.
Thank you so much, I already add the lines to my .httacess,
Emil
Great collection of .htaccess hacks. Hacks about restricting all to wp-admin dir and preventing hot linking is very useful.
Excellent article. I was not aware you could do so much in the .htaccess file. I build wordpress sites almost exclusively. Good to know now how much flexibility I have in the .htaccess file.
Thanks.
I think there is allready a plugin to redirect standard rss feed to Feedburner rss feed.
Yeah but why would you ever want to use a plugin when there is no need.
Plugins increase load time of your site and also pose possible security issues to your blog. Last week, someone tried to hack our blog using a security hole in the wp-adverts plugin. We don’t use that plugin, however.
Whenever you can do something without a plugin, especially if it’s through .htaccess, that’s the way to do it.
Excellent collection, already tweeted/sent this to everyone I know.
Re: 2) there is some value to your categories being identified as such to Google, same for Tags if you use them (which I hope you do, ideally with SimpleTags plugin which rules over Wordpress’ native tag handling).
Re: 5) nice trick, of course one should set this up in the way you describe from the beginning…
Re: 6) I’ve found the YAWASP Plugin to catch 99% of spam via a very simple yet genius method that doesn’t require captchas and doesn’t have the overreach problems that Akismet has (I have Akismet turned off in fact).
Looks you’ve done a great job on .htaccess. I’d like to warn everyone – try it first before you put in on online server. Or backup your previous copy if you’re not 100% sure what you’re doing.
#6 is awesome! I was wondering how I could possibly stop all the spambot comments easier. I never even thought about the .htaccess file. Duh. Great bit of code. Mucho thanko.
Bookmarked! This post was a life saver for getting your blog running well on wordpress. I really liked the redirect feedburner.
Yeah I agree. Why use a plugin when everything you need can be found here (or with a quick google search).
Who needs plugins? You may start to disable some of it and make sa .htaccess tweaks which really comes in handy. Well, How I wish (again) I can do this for blogger platforms.
this is a great tutorial. very useful information.
many thanks to you
I hadn’t even put two and two together on the rss feeds. Way to make the most out of it by redirecting to feed burner. This was a great list and I appreciate the suggestions. I hope to see some more soon!
Wow.. great!!.. thansk for sharing.
In regards to the feedburner hack do you just replace the http://feeds2.feedburner.com/catswhocode portion with our own code?
Thanks for the hacks. With regard to #7, can I use it redirect to another site (e.g. http://abc.com and how should I rewrite the code below
RewriteCond %{REQUEST_URI} !/maintenance.html$
Is this correct?
RewriteCond %{REQUEST_URI} !abc.com$
Thanks for this nice tricks! Especially for the deny comments and hotlinking one!
re #1 – there’s a plugin for that, which lets you avoid mucking around with (and potentially screwing up) your .htaccess.
Mezanul
Just remember though, if you stop hotlinking to images on your site you may be denying people a way to find your site. I get traffic from people searching Google and Yahoo Images.
Toronto Plastic Surgeon
See my previous comment. Plugins can slow down the load time of your blog and also provide possible security holes. I’ve been on the WP forums for awhile and there are a number of people’s blogs which have been hacked due to security issues with some plugins.
.htaccess is always the best way to do things. It’s read before your website is even visited.
#1 would have helped everyone switch their feeds over to the new feeds2 URLs
yeah, i agree with John Hoff. sometimes hotlinked image can drive me some traffics. I don’t care about bandwidth because i host my files in Google (blogspot)
Thanks. Modifying the htaccess file can be quite challenging. The tips are really useful and I can see right away that I can use a number of them on my blogs.
Nice list of WP hacks. Thanks a lot !
Fantastic! The category removal from the directories has stumped me. This question might get me railed but it is possible to have an htaccess file in multiple directories on the site correct? I have only use WP for stand alone installations, not to hang on a website.
I think some of these hacks are not required. They can be done straight from the settings panel. One hack which I know can be done from settings is hack # 2. It can be done from the permalink structure settings from inside wp-admin.
I want to add my own ModRewrite Rule in wordpress blog. Then what should i do ??
You can also answer me on niazi587 at gmail dot come
Very useful article. Thanks for sharing.
I’am planning to have my own site.. thanks for this idea. really helps me a lot. I know more blogger are been helped by this topic.
I just tried the remove /category/ from the URL.
RewriteRule ^category/(.+)$ http://www.yourblog.com/$1 [R=301,L] on my blog.
It works, but when you get to any categories, it won’t let me access pages, like /page/2/ without getting a 404 error.
It appears that I need something to handle the pages.Any suggestion how to handle the following, /page/*/
i already know all this tips. Just beaware of tip number 8 . In fact, you might get penalized by Google. I also think there could be some issue when Google Images try to display your blog pitures in its results…
Finally a clear article about htaccess tips !
2 questions though : is there an easy way to set up a password at the homepage (and the whole blog) ?
My default htaccess is like this :
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
Where should I insert the code you provide ? Anywhere between the two “#” tags?
thx
Yeah blocking bots is a great way to save a lot of time on comment moderation. Plus you know you won’t miss out on anything important since there hasn’t been one instance in the history that the bot would make a wirthwile comment.
Emal
You can put it above as the very first item (above the first #) or below the last #, either way will work.
All the # are, are comments.
If you’re not familiar with .htaccess, then the easiest way to password protect either a directory or your entire site (i.e. password protect your root) is to set up password protection through your web hosting control panel. Log into your control panel and look for an icon or something name “Password Protect”.
Thanks for sharing
Thank you very much for this awesom htaccess hacks. I have used 2-3 from the list. WIll try using the rest of them.
Thanks for the wordpress hack list – this will help me setting up things I wanted to.
How does the security with those hacks look?
These are definitely some great .htaccess tricks. I have actually used a few of these myself. Another resource that I thoroughly enjoy when it comes to .htaccess tricks is at http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/. You can find a ton of different .htaccess stuff there, from optimization to security.
awesome tips, thanks a lot.
you can do the same thing with categories in the permalink sections by using “/.” but it does throw out ome issues with pagination (does the htaccess change work with pagination?)
protecting from hotlinking images is really great.
great post!
Awesome stuff, thanks
i already know all this tips. Just beaware of tip number 8 . In fact, you might get penalized by Google. I also think there could be some issue when Google Images try to display your blog pitures in its result
Just like the user before me mentioned, there’s no such a thing as hacking into your email account using nothing more than your email address. Unless it’s an inside job. Whatever you are using for blog.
Good tips. I only used this in the past to restrict folder access.
#7 sorted me out! I was using a dodgy plugin that was doing some crazy stuff to my website and yet adding a maintenance page is soooo easy!
Thanks.
Hey, some good stuff here, I lost 2 hours trying to work out some stuff, found this page and it took me 5 minutes!
Nice blog too, keep up the good work.
Thanks much for those awesome tips
Hi,
Previously I was using a plugin called “Top Level Cats” to remove “category” from url. When I tried to upgrade WP to the latest version, that plugin started giving problem.
Thanks to your tip, I have now upgraded to WP 2.7.1 and everything is working perfect. Thank you so much.
that category hack has saved my ass. However now have to wait for Google to reindex the new pages :S
Thanks for the great htaccess tips
Hi!, I can´t upload the .htaccess file…
553 Can’t open that file: Permission denied
Error: Critical Error
8 and 9 were worth the click alone. thanks.
Yes! The answers I’ve been looking for, I can’t sleep again! thankyou
The tip #8 is is awesome, but I am wondering about the following… besides having ftp access to the server, I only have the Google Analytics stats, I am wondering.. how do you find out without blocking them first, who is using your images, and content? I would much rather see who is using it, as opposed to blocking them first, hehe.
-Randy
Yes! The answers I’ve been looking for, I can’t sleep again! thankyou
There are many addons that can do these things, but I still believe using .htaccess is still the best and ONLY way to do these.
Thank you very much for this awesom htaccess hacks
Thanks for the great info on this post. I just found out about the htaccess file, but I didn’t realize you could do so much with it.
Very useful tips
.. keep them coming…
Hey Jean-Baptiste,
Just want to say thank you. My stuff drove me nuts with .htaccess. Please keep it up.
Once again thanks,
Jon
Great tips, just re-tweeted this post. In particular, #4, #8 and #9 are what I need to do today!
Thanks again,
Jules
Wow! Jean, Thank you so much for sharing. Found two tricks listed here which I have been looking everywhere for. -Tom
Thanks for the great tips/tricks in htaccess that we all need it.
only facing one problem after using couple steps in here.
all my urls ending with (.htm) is there is any htaccess rule/tip to remove that and just get clean url?
thanks again
hi
i need your help i am new to wordpress my questions are
1. is it possible to publish the posts in different directories like if i post it shows
“www.example.com/your-post” i want to publish the post like “www.example.com/computers/your-post”
and “www.example.com/internet/your-post”
2. i install wordpress and i change the permalink settings from “default” to “month and name” and after saving it says “You should update your .htaccess now” but i don’t know where it is and what to update in it.
i have publish no any posts
Please help
hi..
i am new to wp. if i want to use all the .htaccess hacks, can anyone show me how to write all the .htaccess hacks in just one .htaccess file?
That’s pretty cool!!
Great post,
I really dont know about .htaccess file, but thanks for posting.
Nice list. Really like the protecting your wp-admin directory to a single ip. Bookmarked!
2 questions though : is there an easy way to set up a password at the homepage (and the whole blog) ?
@ sikiş – The easiest way to do that if you’re not familiar with .htaccess rules is to simply set up a password protection system through your web hosting control panel.
Most all hosting companies provide this service. Just a few clicks and you can password protect any directory, including your root.
Hey Jean, good list of hacks all put together in a nice and easy way. I wasn’t aware that you could utilize .htaccess file so effectively.
hi..
i am new to wp. if i want to use all the .htaccess hacks, can anyone show me how to write all the .htaccess hacks in just one .htaccess file?
Some great tips. Thanks for sharing
Very nice article, thanks for sharing.
Many thanks for the resources. I find tip #3 – Using Browser Cache particularly useful.
2 questions though : is there an easy way to set up a password at the homepage
Hi there Jean,
What if I want to change this:
…link rel=”stylesheet” href=”http://mydomain.com/wp-content/themes/xmnt/style.css” type=…
to
…link rel=”stylesheet” href=”/xmnt/style.css” type=…
I want to hide the root address…Can .htaccess execute like that?
If can, can You give me some example how to do it. tnx
I want to hide the root address…Can .htaccess execute like that?
If can, can You give me some example how to do it. tnx
If you have an established blog already, what are the negatives of switching to postname from year/month/day/postname?
Hi Jean,
I am having problem with WP blog, after upgrade to IE8
The posts/pages can only opened if the permalinks are set in default.
Others, will show “The webpage cannot be found” HTTP404
How to solve? Please
Good day,
I’m new to Wordpress and I’m trying to add permalinks so my posts are searchable. Problem – I can’t find .htaccess to open and edit it as per wp-admin instructions. If I try and create a new file .htaccess it tells me it is already there. Is it hidden? It’s probably simple but something is escaping me!!! HELP!