Top 10 htaccess Hacks for WordPress

Htaccess (.htaccess) is a server-side configuration file for the Apache web server that controls how the server runs your website. With it, you can add redirects, protect files, block bots, and much more. The name is sometimes expanded to “HyperText Access” because the file controls access to your site over HTTP. All you need to know is that it is a powerful file that lets you do some amazing things. You will find it in the root directory of your site. Because its name starts with a dot it is usually hidden; turn on “show hidden files” in any FTP client to see it.

Below are my top 10 .htaccess hacks for any WordPress CMS build.

First, please backup your .htaccess file before manipulating it. Messing with this file could potentially ruin your entire site. Not to scare you, but just be careful and always keep backups!

  1. Stop Comment Spam from Bots

    While the default Akismet plugin takes care of most spam, your server still uses bandwidth taking requests from bot users. Why not make spam even less of an issue with a bit more code in your .htaccess? Check it out below… copy and paste.

    RewriteEngine On
    # Only POST requests to the comment handler are checked
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} /wp-comments-post\.php
    # Block when the referer is not your own site (replace yourblog\.com) OR the user agent is empty
    RewriteCond %{HTTP_REFERER} !.*yourblog\.com.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    # Send the bot back to its own address (no ^ or $ anchors in the substitution)
    RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]

  2. Protect Site from Hotlinking

    A blog is always a hot spot for hotlinking. Hotlinking refers to sites that “embed” linked content instead of saving it and hosting it on their own server. This takes lots of bandwidth from your site that should not be allowed in the first place. Protect yourself from hotlinking, and save some server stress with the code below.

    RewriteEngine On
    # Replace mysite\.com with your blog's domain; the (.+\.)? part also allows subdomains such as www
    RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.com/ [NC]
    # Requests with an empty referer (direct visits, privacy tools) are still allowed
    RewriteCond %{HTTP_REFERER} !^$
    # Never rewrite the placeholder image itself, or the rule would loop on it
    RewriteCond %{REQUEST_URI} !/images/nohotlink\.jpg$
    # Replace /images/nohotlink.jpg with your "don't hotlink" image url
    RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]
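    Hacks 1 and 2 differ in a subtle way: hack 1 chains its conditions with [OR] (referer wrong OR user agent empty), while hack 2 ANDs them (referer not ours AND referer not empty). The Python script below is an added example, not code from the original post: it mimics how mod_rewrite chains RewriteCond lines and runs both rule sets over a handful of constructed requests. The domains yourblog.com and mysite.com are the post's placeholders; the request dicts, their names and the evaluator itself are assumptions made for the demo.

```python
import re

# Added example, not code from the original post: a tiny evaluator that mimics how
# mod_rewrite decides whether a RewriteRule fires. Apache checks the RewriteRule
# pattern first, then walks the RewriteCond lines: consecutive conditions are ANDed
# unless a condition carries [OR], which ORs it with the condition that follows.
# "!" negates a pattern and [NC] makes it case-insensitive. Server variables are
# modelled as a plain dict; all request data below is constructed for the demo.

def cond_matches(value, pattern, flags=()):
    """Evaluate one RewriteCond against the value of its server variable."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    hit = re.search(pattern, value, re.IGNORECASE if "NC" in flags else 0) is not None
    return (not hit) if negate else hit

def rule_fires(rule_pattern, conds, request):
    """True when the RewriteRule guarded by `conds` would apply to `request`.
    conds is a list of (server_variable, pattern, flags) tuples, in file order."""
    # In .htaccess (per-directory) context the rule pattern is matched against the
    # path with its leading "/" removed; %{REQUEST_URI} itself keeps the slash.
    if re.search(rule_pattern, request.get("REQUEST_URI", "").lstrip("/")) is None:
        return False
    result = True       # AND accumulator
    or_group = None     # OR accumulator while inside a run of [OR] conditions
    for var, pattern, flags in conds:
        hit = cond_matches(request.get(var, ""), pattern, flags)
        if "OR" in flags:
            or_group = hit if or_group is None else (or_group or hit)
            continue
        if or_group is not None:            # this condition closes the OR run
            hit, or_group = (or_group or hit), None
        result = result and hit
    if or_group is not None:                # file ended inside an [OR] run
        result = result and or_group
    return result

# Hack 1 (comment spam): act on POSTs to wp-comments-post.php whose referer is not
# our own site OR whose user agent is empty.
SPAM_RULE = r".*"
SPAM_CONDS = [
    ("REQUEST_METHOD", r"POST", ()),
    ("REQUEST_URI", r"/wp-comments-post\.php", ()),
    ("HTTP_REFERER", r"!.*yourblog\.com.*", ("OR",)),
    ("HTTP_USER_AGENT", r"^$", ()),
]

# Hack 2 (hotlinking): serve the placeholder for images whose referer is neither
# empty nor one of our own hostnames (http-only pattern, as in the post).
HOTLINK_RULE = r".*\.(jpe?g|gif|bmp|png)$"
HOTLINK_CONDS = [
    ("HTTP_REFERER", r"!^http://(.+\.)?mysite\.com/", ("NC",)),
    ("HTTP_REFERER", r"!^$", ()),
]

UA = "Mozilla/5.0 (constructed)"
SAMPLE_REQUESTS = {  # constructed request data
    "legit_comment":   {"REQUEST_METHOD": "POST", "REQUEST_URI": "/wp-comments-post.php",
                        "HTTP_REFERER": "http://yourblog.com/hello-world/", "HTTP_USER_AGENT": UA},
    "bot_no_referer":  {"REQUEST_METHOD": "POST", "REQUEST_URI": "/wp-comments-post.php",
                        "HTTP_REFERER": "", "HTTP_USER_AGENT": UA},
    "bot_blank_ua":    {"REQUEST_METHOD": "POST", "REQUEST_URI": "/wp-comments-post.php",
                        "HTTP_REFERER": "http://yourblog.com/hello-world/", "HTTP_USER_AGENT": ""},
    "get_comment_url": {"REQUEST_METHOD": "GET", "REQUEST_URI": "/wp-comments-post.php",
                        "HTTP_REFERER": "", "HTTP_USER_AGENT": ""},
    "own_image":       {"REQUEST_METHOD": "GET", "REQUEST_URI": "/images/logo.png",
                        "HTTP_REFERER": "http://WWW.MYSITE.COM/about/", "HTTP_USER_AGENT": UA},
    "direct_image":    {"REQUEST_METHOD": "GET", "REQUEST_URI": "/images/logo.png",
                        "HTTP_REFERER": "", "HTTP_USER_AGENT": UA},
    "hotlinked_image": {"REQUEST_METHOD": "GET", "REQUEST_URI": "/images/logo.png",
                        "HTTP_REFERER": "http://other.example/post", "HTTP_USER_AGENT": UA},
    "https_own_image": {"REQUEST_METHOD": "GET", "REQUEST_URI": "/images/logo.png",
                        "HTTP_REFERER": "https://mysite.com/about/", "HTTP_USER_AGENT": UA},
    "hotlinked_css":   {"REQUEST_METHOD": "GET", "REQUEST_URI": "/style.css",
                        "HTTP_REFERER": "http://other.example/post", "HTTP_USER_AGENT": UA},
}

def matching_requests(rule_pattern, conds, requests=SAMPLE_REQUESTS):
    """Names of the sample requests the given rule set would act on, sorted."""
    return sorted(n for n, r in requests.items() if rule_fires(rule_pattern, conds, r))

if __name__ == "__main__":
    print("spam rule fires on:    ", matching_requests(SPAM_RULE, SPAM_CONDS))
    print("hotlink rule fires on: ", matching_requests(HOTLINK_RULE, HOTLINK_CONDS))
```

    Two results are worth noticing. A GET to wp-comments-post.php with no referer and no user agent is not touched by hack 1, because the REQUEST_METHOD condition fails and it is ANDed with the OR pair. And hack 2 treats an image requested from an https page of your own site as hotlinked, because the post's referer pattern only accepts http://; on a site served over TLS, widen it to ^https?:// before relying on it.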

  3. Blocking Users by IP

    As you may have come across yourself, spammers, abusers, bots, and downright mean people are always trying to ruin sites. A good way to keep them away for good is to ban their IP addresses. Jeff Starr from Perishable Press has created an IP blacklist of the 100 worst offenders from 2010. Feel free to use the IPs below and ban them for good!

    # 2010 IP BLACKLIST
    <Limit GET POST PUT>
    Order Allow,Deny
    Allow from all
    Deny from 208.120.202.98
    Deny from 208.64.202.134
    Deny from 217.218.166.14
    Deny from 173.65.81.35
    Deny from 77.21.46.241
    Deny from 82.166.163.
    Deny from 85.175.209.175
    Deny from 212.107.136.66
    Deny from 76.70.116.52
    Deny from 70.106.192.200
    Deny from 213.98.214.17
    Deny from 114.58.253.56
    Deny from 70.27.145.208
    Deny from 208.99.193.10
    Deny from 58.243.5.216
    Deny from 146.115.72.39
    Deny from 219.136.130.241
    Deny from 65.208.151.
    Deny from 222.73.173.11
    Deny from 65.55.106.
    Deny from 72.206.102.189
    Deny from 99.159.41.74
    Deny from 188.40.42.199
    Deny from 195.10.218.132
    Deny from 69.116.41.121
    Deny from 84.220.96.39
    Deny from 85.137.90.133
    Deny from 85.137.83.160
    Deny from 91.144.190.35
    Deny from 83.233.165.88
    Deny from 86.35.12.14
    Deny from 24.182.45.28
    Deny from 97.74.24.41
    Deny from 24.182.45.26
    Deny from 211.206.123.177
    Deny from 213.215.116.99
    Deny from 188.40.89.203
    Deny from 65.55.207.
    Deny from 71.95.178.74
    Deny from 98.189.159.150
    Deny from 174.143.3.188
    Deny from 66.96.248.69
    Deny from 71.235.77.152
    Deny from 67.36.185.44
    Deny from 65.242.250.130
    Deny from 194.8.75.
    Deny from 188.26.51.239
    Deny from 118.208.240.173
    Deny from 24.43.155.122
    Deny from 91.149.157.136
    Deny from 88.0.172.95
    Deny from 66.82.9.92
    Deny from 66.63.167.50
    Deny from 208.99
    Deny from 64.219.110.207
    Deny from 98.189.159.153
    Deny from 174.127.132.10
    Deny from 67.185.43.239
    Deny from 83.246.164.78
    Deny from 213.227.252.26
    Deny from 91.213.121.24
    Deny from 96.243.186.28
    Deny from 67.142.164.34
    Deny from 173.58.132.100
    Deny from 59.160.160.9
    Deny from 67.225.242.171
    Deny from 71.34.43.102
    Deny from 67.205.45.142
    Deny from 77.49.61.248
    Deny from 79.174.64.184
    Deny from 207.241.228.162
    Deny from 204.12.192.135
    Deny from 218.24.170.133
    Deny from 200.90.216.146
    Deny from 86.18.88.15
    Deny from 212.225.185.11
    Deny from 76.115.45.61
    Deny from 213.37.57.113
    Deny from 192.117.105.105
    Deny from 69.45.51.98
    Deny from 72.193.217.97
    Deny from 115.133.252.31
    Deny from 117.196.229.254
    Deny from 117.196.234.101
    Deny from 117.196.236.41
    Deny from 77.49.57.214
    Deny from 71.95.178.68
    Deny from 92.233.3.91
    Deny from 76.25.146.62
    Deny from 66.25.140.85
    Deny from 79.103.230.53
    Deny from 76.65.178.130
    Deny from 41.129.5.121
    Deny from 84.40.30.37
    Deny from 110.45.143.142
    Deny from 66.221.63.33
    Deny from 121.254.228.146
    Deny from 222.236.47.182
    Deny from 118.129.170.49
    Deny from 88.191.94.188
    Deny from 62.141.56.136
    Deny from 174.120.219.160
    Deny from 67.222.152.66
    Deny from 92.240.42.10
    Deny from 174.142.75.205
    Deny from 91.142.208.158
    Deny from 64.22.96.66
    Deny from 78.86.185.224
    Deny from 91.205.96.19
    Deny from 202.70.54.115
    Deny from 213.167.96.196
    Deny from 195.117.223.98
    Deny from 85.17.211.164
    Deny from 213.93.38.160
    </Limit>
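    A blacklist like the one above is usually maintained from a plain text source and regenerated from time to time, and it is easy to end up with duplicates, entries already covered by a broader prefix (the list above contains both 208.99.193.10 and 208.99, and the latter alone bans the whole /16), or a typo that makes Apache refuse the whole file. The script below is an added example, not code from the original post or from Perishable Press: it validates each entry, collapses overlaps, flags very wide prefixes for review and renders the same <Limit> block used above. The one-entry-per-line input format and the sample entries are assumptions constructed for the demo.

```python
import ipaddress

# Added example, not from the original post or Perishable Press: a helper that
# takes a raw IP blacklist (one entry per line, optionally in "Deny from" syntax),
# validates each entry, collapses duplicates and addresses already covered by a
# broader prefix, flags entries that block very large ranges, and renders an
# Apache <Limit> block. Apache's "Deny from 82.166.163." (trailing octets omitted)
# means the whole /24 and "Deny from 208.99" the whole /16; both become CIDR here,
# which "Deny from" accepts as well.

BROAD_PREFIX = 16   # anything at /16 or wider is reported for manual review

def parse_entry(raw):
    """Return an IPv4Network for one blacklist entry, or raise ValueError."""
    entry = raw.split("#", 1)[0].strip()          # drop trailing comments
    if not entry:
        raise ValueError("empty entry")
    if entry.lower().startswith("deny from "):
        entry = entry[len("deny from "):].strip()
    if "/" in entry:                              # already CIDR notation
        return ipaddress.IPv4Network(entry, strict=False)
    octets = entry.rstrip(".").split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address or prefix: {raw.strip()!r}")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.IPv4Network(f"{padded}/{8 * len(octets)}")

def build_blacklist(text):
    """Parse a blacklist; return (collapsed networks, invalid entries, broad networks)."""
    nets, invalid = [], []
    for line in text.splitlines():
        if not line.split("#", 1)[0].strip():
            continue                              # blank or comment-only line
        try:
            nets.append(parse_entry(line))
        except ValueError as exc:
            invalid.append(str(exc))
    # collapse_addresses removes duplicates and subnets covered by a wider entry
    nets = list(ipaddress.collapse_addresses(nets))
    broad = [n for n in nets if n.prefixlen <= BROAD_PREFIX]
    return nets, invalid, broad

def render_limit_block(nets, methods=("GET", "POST", "PUT")):
    """Render the networks as the <Limit> block used in the post."""
    lines = [f"<Limit {' '.join(methods)}>", "Order Allow,Deny", "Allow from all"]
    for net in nets:
        target = str(net.network_address) if net.prefixlen == 32 else str(net)
        lines.append(f"Deny from {target}")
    lines.append("</Limit>")
    return "\n".join(lines)

SAMPLE_BLACKLIST = """\
# constructed sample in the style of a one-entry-per-line blacklist file
208.120.202.98
208.120.202.98          # duplicate
82.166.163.             # Apache partial prefix = 82.166.163.0/24
82.166.163.45           # already covered by the /24 above
208.99                  # partial prefix = whole /16, flagged as broad
208.99.193.10           # covered by the /16
Deny from 24.182.45.28  # full directive syntax is accepted too
10.1.2.0/23             # CIDR passes through unchanged
999.1.1.1               # invalid octet
not-an-ip
"""

if __name__ == "__main__":
    nets, invalid, broad = build_blacklist(SAMPLE_BLACKLIST)
    print(render_limit_block(nets))
    print("rejected:", invalid)
    print("review these wide prefixes:", [str(n) for n in broad])
```

    Collapsing also merges adjacent single addresses into a shared prefix, so the rendered block can be shorter than the source list. As the comments below note, a long list of this kind is re-evaluated on every request when it lives in .htaccess; generating it once into httpd.conf on a server you control avoids that cost.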

  4. Redirect WordPress RSS to Feedburner

    WordPress RSS feeds have a habit of breaking and are usually unreliable. Most developers use an external RSS manager to maintain feeds. Check out the FeedBurner site, sign up (via a Gmail account), look through the FeedBurner plugins, and then add the code below to redirect to your new RSS feed.

    # temp redirect wordpress content feeds to feedburner
    <IfModule mod_rewrite.c>
    RewriteEngine on
    # Let FeedBurner itself and the feed validator fetch the original feed
    RewriteCond %{HTTP_USER_AGENT} !FeedBurner [NC]
    RewriteCond %{HTTP_USER_AGENT} !FeedValidator [NC]
    # Replace yourFeedURL with the name of your FeedBurner feed
    RewriteRule ^feed/?([_0-9a-z-]+)?/?$ http://feeds.feedburner.com/yourFeedURL [R=302,NC,L]
    </IfModule>

  5. Force “Save As” when Files Open

    When visitors open downloadable files on your site, you can make sure the browser defaults to saving them. Some file types tend to open in the browser or simply stream. This won’t affect embedded media objects like YouTube videos.

    # Serve these extensions as generic binary data so browsers offer "Save As"
    AddType application/octet-stream .avi .mpg .mov .pdf .xls .mp4

  6. Protect your .htaccess File

    The hack below prevents external access to any file whose name contains .hta (in any combination of upper and lower case). Why not, right?

    # STRONG HTACCESS PROTECTION
    <Files ~ "^.*\.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
    satisfy all
    </Files>
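    Which file names a pattern like this actually covers is easy to get wrong, and the comments on this post discuss two alternatives: the <FilesMatch "^\.ht"> form that Apache's stock httpd.conf ships with, and a mod_rewrite rule. The Python script below is an added example, not code from the original post or from the commenters: it evaluates all three patterns against a few constructed paths, using the scoping rules Apache applies to each directive type (a <Files> pattern is tested against the file name in the directory and all subdirectories; a per-directory RewriteRule is tested against the path relative to the directory holding the .htaccess). The sample paths are constructed for the demo.

```python
import re

# Added example, not code from the original post: a side-by-side check of which
# file names three ".htaccess protection" patterns cover. The first is the post's
# <Files ~ "..."> regex, the second the <FilesMatch "^\.ht"> that Apache ships
# with, the third the mod_rewrite variant from the comment thread. <Files> and
# <FilesMatch> in an .htaccess match the file name in that directory and every
# subdirectory; a per-directory RewriteRule sees the request path relative to
# the directory holding the .htaccess. Sample paths are constructed for the demo.

PATTERNS = {
    "files_tilde_hta":   (r"^.*\.([Hh][Tt][Aa])", "files"),                 # post's hack #6
    "filesmatch_dot_ht": (r"^\.ht", "files"),                               # Apache default
    "rewrite_rule_nc":   (r"^(wp-config\.php|php\.ini|\.ht)", "rewrite"),   # comment thread, [NC]
}

def files_matches(pattern, path):
    """<Files ~> / <FilesMatch>: regex against the final path component, case-sensitive."""
    return re.search(pattern, path.rsplit("/", 1)[-1]) is not None

def rewrite_matches(pattern, path):
    """RewriteRule ... [NC] in the site-root .htaccess: regex against the path
    relative to that directory, case-insensitive because of [NC]."""
    return re.search(pattern, path.lstrip("/"), re.IGNORECASE) is not None

def blocked_by(path):
    """Return the names of the patterns that would deny a request for `path`."""
    hits = []
    for name, (pattern, kind) in PATTERNS.items():
        matched = files_matches(pattern, path) if kind == "files" else rewrite_matches(pattern, path)
        if matched:
            hits.append(name)
    return hits

SAMPLE_PATHS = [            # constructed
    ".htaccess",
    ".htpasswd",
    ".HTACCESS",
    "wp-content/uploads/.htaccess",
    "wp-config.php",
    "backup.htaccess",
    "index.html",
]

def coverage_table(paths=SAMPLE_PATHS):
    """Map each path to the list of pattern names that block it."""
    return {p: blocked_by(p) for p in paths}

if __name__ == "__main__":
    for path, hits in coverage_table().items():
        print(f"{path:32} {', '.join(hits) or '(served!)'}")
```

    The table makes the trade-offs visible: the post's pattern does not cover .htpasswd (it looks for ".hta", not ".ht"), the stock FilesMatch pattern covers both dot-files in every directory but is case-sensitive, and the mod_rewrite rule from the comments only protects files at the top level of the site, so an .htaccess in wp-content/uploads/ would still be served by it.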

  7. Remove “Category” from site URL Strings

    Not a single WordPress site wants to have “category” in its URL path. It just looks bad and is unneeded. Hack it with .htaccess!

    # Replace www.askapache.com with your own domain; use one of the two forms, not both
    RedirectMatch 301 ^/category/(.+)$ http://www.askapache.com/$1
    # OR, with mod_rewrite:
    RewriteRule ^category/(.+)$ http://www.askapache.com/$1 [R=301,L]

  8. Auto Correct URL Typos

    This neat trick will attempt to auto-correct simple URL spelling mistakes.

    <IfModule mod_speling.c>
    CheckSpelling On
    </IfModule>

  9. Compress Static Data

    Send site data to visitors in compressed form, which the client then decompresses. This hack will definitely reduce bandwidth and page weight. Hack!

    <IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/javascript text/css application/x-javascript
    # Work around old Netscape 4.x bugs: only compress HTML for Netscape 4, nothing for 4.06-4.08
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    # MSIE also identifies as "Mozilla/4" but handles compression fine, so undo the above for it
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
    </IfModule>

  10. Using Browser Cache

    If you are OK with adding an additional plugin to your site, I would recommend the WP Super Cache plugin. WP Super Cache is a very fast caching engine for WordPress that produces static HTML files. This allows pages and posts on your site to be served from cache as opposed to being built from the database. This might not seem like much, but on higher-traffic sites this plugin will help keep load times down and server stress low. It gives you options on what to cache and how often, so you can make sure the homepage gets special attention. Caching can be user-defined as well, so you can disable caching for your most lucrative users.

    If you are against heavy plugins, check out the code below.

    # Build ETags from modification time and size only (no inode, so they match across servers)
    FileETag MTime Size
    <IfModule mod_expires.c>
    ExpiresActive on
    # Note: this applies to every response, HTML included; use ExpiresByType for finer control
    ExpiresDefault "access plus 1 year"
    </IfModule>

If you want to find some more useful .htaccess tips and tricks, check out the sites below.

Ask Apache – Ultimate Htaccess
WP Shout A-Z Guide
Cats Who Code – 10 Awesome .htaccess Hacks

Posted in Tutorial, Web Tools, WordPress | 11 Comments

11 Responses to Top 10 htaccess Hacks for WordPress

  1. Pali Madra says:

    Another great post. These small hacks will go a long way in helping improve a WordPress website.

    BTW Jeff Star has a list of updated IP blacklist at http://perishablepress.com/blacklist/ip.txt which you can use to update the .htaccess file on your server.

  2. #6 looks like it’s missing the open ” tag, you might want to update/fix that. Thanks!

  3. 6: Protect your .htaccess File

    By default, Apache prevents .htaccess files (and .htpasswd files) from being accessed. It does this by including the following directives in the httpd.conf file:

    Order allow,deny
    Deny from all
    Satisfy All

    7: Remove “Category” from site URL Strings

    This hack is harmful and should be removed from your list. All it does is force all category URLs to redirect. It does not, however, prevent WordPress from printing “/category” in your website’s HTML code. This would cause an assortment of potential problems, including broken social media widgets, slower page loads, extra stress on your server, and lower rankings in Google.

    8: Auto Correct URL Typos

    This hack should also be removed from your post. The mod_speling module is not enabled by default in Apache’s httpd.conf file, and for that reason alone, your hack will not do anything for the vast majority of people. If anything, it will cause a very small performance hit, as Apache will be checking for that module on every single URL request.

    Additionally, the module works by checking broken URLs against a list of known file names. But WordPress runs on internally-generated virtual paths, so the only broken URLs that might benefit from this module would be things like uploaded images, style.css, etc. None of the page URLs will correspond to any real files on the server.

    Ultimately, this hack would do nothing but slow down your website and tax your server.

    • Geeb says:

      Thanks for the response Darren.

      For #7, what would be a good way to remove this virtual URL path (of /category/) without hurting rankings or causing more stress on the server? At the moment I have opted for a plugin, but I’m guessing it is just doing the same thing. Haven’t got around to testing it.

      Also, do you think having a long list of banned IPs hurts performance (#3) enough not to use it? What other ways could you achieve this? I only ask because Pali Madra, the first commenter, alludes to other possibilities and I feel that a long checklist could be taxing.

      Thanks again for the post, and be sure to check out my Ultimate WordPress Optimization Guide! You seem to be a pro and I would love to have your opinion.

      Thanks again Darren.

      • For removing “/categories” from Permalinks, you would need to modify WordPress’s rewrite rules. I’m not sure how difficult it would be, as I’ve never actually looked at the WP core code behind it. I just use this plugin, which has worked well for me, without any issues.

        For #3, a better alternative would be to put the list of IP addresses in your httpd.conf file. It’s kind of like a server-level .htaccess file, so you won’t have the ability to edit it if you’re using a shared hosting service–you would need a VPS or a dedicated server. The httpd.conf file is read when you start the Apache server, so it’s only processed once, compared to the .htaccess method, which requires processing on each server request.

        I actually skimmed through your WP speed optimization guide before I read this post. It was surprisingly thorough, and I didn’t see any obvious errors or anything (although, admittedly, I didn’t read it very carefully). The only thing I noticed was that you recommend using eTags for browser caching (in #5), but then you disable them completely in #7.

  4. <FilesMatch "^\.ht">
        Order allow,deny
        Deny from all
        Satisfy All
    </FilesMatch>

    • MickeyRoush says:

      The default behavior for the Satisfy Directive is All, so it’s really not needed here. Plus it was designed to be used as an access policy if both the Allow and Require Directive were used.

      http://httpd.apache.org/docs/2.2/mod/core.html#satisfy

      Also if you’re going to use mod_rewrite (such as the default WordPress permalink directives) you should try to utilize everything with mod_rewrite in your .htaccess file as much as possible.

      RewriteRule ^(wp-config\.php|php\.ini|\.ht) - [NC,F]

      • @MickeyRoush,

        My comment that you responded to wasn’t written as an independent idea; it was written as a correction to my earlier comment, which said protecting .htaccess files isn’t necessary, as Apache’s default configuration already handles that (by including the snippet of code you commented on). Ironically, your attempt to correct me has actually re-introduced the original problem.

      • MickeyRoush says:

        @ Darren Slatten

        My comment was not an attempt to correct anything. It was to show a more efficient usage of available directives.

        Not sure what you mean when you say I re-introduced the original problem, when I wasn’t addressing one. I was addressing a more efficient way of using directives that were mentioned.

  5. Pingback: Ultimate WordPress Optimization Guide | GeebArt
