In WordPress Last updated:
Share on:
Cloudways offers managed cloud hosting for any size business to host a website or complex web applications.

WordPress has been the go-to content management system for many technical and non-technical users who want to build and manage websites. .htacess is one of the terms you will often encounter if you want to add or modify server-level configurations, performance, and security parameters. 

In this article, I will describe what .htaccess in WordPress is, its importance in WordPress, and how .htaccess works. You will also learn how to locate .htaccess, edit/ create a new one, and best practices for managing it. 

What is .htaccess in WordPress?

.htaccess is a configuration file for the Apache web server used by most WordPress hosting companies. In simplest terms, Apache is a file with all the rules that give your WordPress site’s server instructions. 

.htaccess is a hidden file located on your website’s ‘root’ or central directory. To make it hidden, this file starts with . and has no extension. This file has many tasks in a typical website, like setting up permalinks, managing redirects, improving security, and controlling access to web pages. 

How to locate and edit .htaccess in WordPress Safely

Most WordPress sites will have hidden the .htaccess file by default. This is a safety measure because editing this file might be risky, and a simple mistake might break your website.

To avoid challenges, edit your .htaccess using a staging stage or back up your site before editing this file. Such an approach ensures you have a backup if you make a mistake when editing your root files. 

You can also download the HTTP file to your local computer, edit it from there, and then upload it when you are sure everything is working as expected.

We can use a service like FileZilla to access the files on our WordPress site. You can learn more about connecting FileZilla if it is the first time you have encountered this topic. 

Once you connect your website to FileZilla, you will have something like this:

You will have local files on your computer on the left side, while on the right side, you will see the remote files (your WordPress site).

You can now access the root directory (a folder named after your domain name). Scroll down until you find .htaccess, and right-click on it. Click the view/edit icon to open the file in your favorite editor. 

Make all the changes you want to your .htaccess file. You can now save and close the file. A popup window will appear telling you to upload the new changes. Select ‘Yes’, and the changes will take effect immediately. 

How to create .htaccess in WordPress

Not every WordPress site comes with a .htaccess file. One of the reasons is that your site might be new and may not have been prompted to create the .htaccess file in the root directory automatically.

The second reason might be that your website uses an all-Nginx tech stack that does not support .htaccess. We don’t have much control if you fall into the second category. 

However, if your website still uses Apache, you can create a .htaccess file manually. Open a code editor like Visual Studio Code on your local machine, create a file and name it .htaccess. You can then add this code:

# BEGIN WordPress

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L] </IfModule>
# END WordPress

You can then upload this file to the root folder that contains the wp-admin and wp-content folders. 

How to use .htaccess for Common WordPress Tasks 

You can use .htaccess for various tasks on a WordPress site. For instance, you can use this file to operate most security and caching plugins. Such plugins write and modify the .htaccess file to perform various functions. These are some of the most common things you can do with .htaccess:

You can customize the format and structure of your pages’ URLs (Uniform Resource Locators) and posts using a .htaccess file. A permalink is a permanent URL pointing to an individual post or page on a website. In WordPress, you can customize the URLs for SEO and user experience. 

To change this, you can follow these steps:

  • Log in to your WordPress admin dashboard.
  • Go to “Settings” -> “Permalinks”  -> “Custom Structure.”
  • Choose the desired permalink custom structure.
  • Save changes.

The .htaccess file will be updated automatically when you click the ‘save’ button. 

#2. Redirections

You can use the .htaccess file to set up a 301 redirect that moves all your traffic from insecure HTTP to secure HTTPS protocol. Using HTTPS is one of the approaches that ensure that communication between users of your WordPress site and the servers is encrypted.

Add this piece of code into your .htaccess file for 301 redirects:

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

You can also redirect the traffic to a temporary domain. Take, for instance, you have a domain name,, and you want to redirect to ‘’, you can have the following code:

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTP_HOST} !^www\.yourdomain\.com$
  RewriteRule ^{REQUEST_URI} [L,R=302]

#3. Security Enhancements

You can use the .htaccess file to enhance the security of your WordPress site through various approaches. For instance, you can set up your directories to require a valid user by setting up a password. This is a code sample you can add to your .htaccess file:

<Files "*">
  AuthType Basic
  AuthName "Restricted Area"
  AuthUserFile /path/to/.htpasswd
  Require valid-user

Replace the /path/to/.htpasswd with the path to your password file. 

#4. Serve custom error messages

Have you ever tried to access a page and got this feedback? “Page not found”. This is a common error message in WordPress sites whenever you try to access an unavailable resource. You can add such error messages as follows:

# Custom Error Messages

ErrorDocument 400 /errors/400.html
ErrorDocument 401 /errors/401.html
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html

You can then create an HTML document for every custom error you want to display on your website. 

Best Practices for .htaccess Management

  • Don’t edit the .htacess file directly: You may break the core code of your website if you are not cautious. You can use various approaches like a staging area or editing from your code editor to edit the .htaccess file before uploading the changes. 
  • Backup your files before editing: Something can go wrong when editing this file. Always ensure that you back up your website first so you can revert to the earlier version in case something goes wrong. Check if your host offers backup services, or you can opt for third-party services. 
  • Understand WordPress Core rules: Even though WordPress allows you to exercise your technical prowess, ensure you understand its guidelines. Ensure that you don’t overwrite or rewrite the rules governing how .htaccess should work for proper functioning. 
  • Review changes before updating: Debugging is part of building. Always check the changes you have made before you hit that save button. It is even better to use a staging area to test if they are working as expected before publishing. 

Alternatives to .htaccess in WordPress

The .htaccess file is common in Apache web servers. However, you may find some WordPress sites that don’t use this file. These are some of the alternatives that achieve the same purpose:

  • Deny from all: All PHP files have guards that prevent them from being served. Ngnix serves all the other static files in a WordPress site. Users can now add Ngnix rules to replicate some of these rules. 
  • Custom PHP code: Users can have similar functionality to .htaccess by editing their default themes/plugins. However, some themes/plugins don’t allow you to edit them. 
  • PHP Checks: Users can implement checks around the User-Agent Header ($_SERVER[‘HTTP_USER_AGENT’]. Such users can then set an environment that matches the criteria.


What is a .htaccess file?

.htaccess is a configuration file for the Apache web servers. This file gives your server instructions, such as displaying permalinks, accessing various files, and managing redirects. This file is in your WordPress site’s ‘root’ directory and has no extension. 

Do all WordPress sites have .htaccess file?

No. This file is exclusive to sites using Apache web servers. However, some that use Apache may also lack due to wrong configuration settings. Luckily, you can create a .htaccess file manually and upload it to the root folder of your WordPress site

What precautions should you take when editing .htaccess file?

Editing any core file on WordPress can be fatal. However, you can still achieve your goals if you take the right precautions. Ensure that you back up your website before you start editing this file. You can also use a staging area to test the changes before you upload and save them. 


We hope you now understand what .htaccess is and how to locate it, edit it, and use it to perform different actions. You must use a staging area or backup your site files before editing this file to avoid making mistakes that may break the entire site. It is also worth noting that not all websites will have this file, as some use other approaches to manage these core functions. 

Next, you may also explore how to enable/disable WordPress maintenance mode.

Share on:
  • Titus Kamunya
    Titus is a Software Engineer and Technical Writer. He develops web apps and writes on SaaS, React, HTML, CSS, JavaScript, Ruby and Ruby on Rails
  • Narendra Mohan Mittal

    Narendra Mohan Mittal is a versatile and experienced digital branding strategist and content editor with over 12 years of experience. He is a Gold Medalist in M-Tech and B-Tech in Computer Science & Engineering.


Thanks to our Sponsors

More great readings on WordPress

Power Your Business

Some of the tools and services to help your business grow.
  • The text-to-speech tool that uses AI to generate realistic human-like voices.

    Try Murf AI
  • Web scraping, residential proxy, proxy manager, web unlocker, search engine crawler, and all you need to collect web data.

    Try Brightdata
  • is an all-in-one work OS to help you manage projects, tasks, work, sales, CRM, operations, workflows, and more.

    Try Monday
  • Intruder is an online vulnerability scanner that finds cyber security weaknesses in your infrastructure, to avoid costly data breaches.

    Try Intruder