Languages: English • 日本語 (Add your language)
The .htaccess is a distributed configuration file, and is how Apache handles configuration changes on a per-directory basis.
WordPress uses this file to manipulate how Apache serves files from its root directory, and subdirectories thereof. Most notably, WP modifies this file to be able to handle pretty permalinks.
This page may be used to restore a corrupted .htaccess file (e.g. a misbehaving plugin).
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
If you activated Multisite on WordPress 3.5 or later, use one of these.
Subfolder Example
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# add a trailing slash to /wp-admin
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
RewriteRule . index.php [L]
SubDomain Example
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# add a trailing slash to /wp-admin
RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
RewriteRule ^(.*\.php)$ $1 [L]
RewriteRule . index.php [L]
If you originally installed WordPress with 3.4 or older and activated Multisite then, you need to use one of these:
SubFolder Example
WordPress 3.0 through 3.4.2
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# uploaded files
RewriteRule ^([_0-9a-zA-Z-]+/)?files/(.+) wp-includes/ms-files.php?file=$2 [L]
# add a trailing slash to /wp-admin
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^[_0-9a-zA-Z-]+/(wp-(content|admin|includes).*) $1 [L]
RewriteRule ^[_0-9a-zA-Z-]+/(.*\.php)$ $1 [L]
RewriteRule . index.php [L]
# END WordPress
SubDomain Example
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# uploaded files
RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule . index.php [L]
# END WordPress
If you started using WordPress with WordPress MU (WPMU) and then migrated to a newer version of WordPress multisite, the .htaccess rules are more complex:
SubFolder Example
RewriteEngine On
RewriteBase /
# BEGIN WordPress
#uploaded files
RewriteRule ^(.*/)?files/$ index.php [L]
RewriteCond %{REQUEST_URI} !.*wp-content/plugins.*
RewriteRule ^(.*/)?files/(.*) wp-includes/ms-files.php?file=$2 [L]
# add a trailing slash to /wp-admin
RewriteCond %{REQUEST_URI} ^.*/wp-admin$
RewriteRule ^(.+)$ $1/ [R=301,L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule . - [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-.*) $2 [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
RewriteRule . index.php [L]
# END WordPress
Any options preceded by a + are added to the options currently in force, and any options preceded by a - are removed from the options currently in force.
Possible values for the Options directive are any combination of:
This will disable all options, and then only enable FollowSymLinks, which is necessary for mod_rewrite.
Options None Options FollowSymLinks
DirectoryIndex sets the file that Apache will serve if a directory is requested.
Several URLs may be given, in which case the server will return the first one that it finds.
DirectoryIndex index.php index.html /index.php
DefaultLanguage will cause all files that do not already have a specific language tag associated with it will use this.
DefaultLanguage en
Set the default character encoding sent in the HTTP header. See: Setting charset information in .htaccess
AddDefaultCharset UTF-8
Set Charset for Specific Files
AddType 'text/html; charset=UTF-8' .html
Set for specific files
<Files "example.html"> AddCharset UTF-8 .html </Files>
The ServerSignature directive allows the configuration of a trailing footer line under server-generated documents. Optionally add a line containing the server version and virtual host name to server-generated pages (internal error documents, FTP directory listings, mod_status and mod_info output etc., but not CGI generated documents or custom error documents).
SetEnv SERVER_ADMIN admin@site.com ServerSignature Email
The below will cause any requests for files ending in the specified extensions to not be displayed in the browser but instead force a "Save As" dialog so the client can download.
AddType application/octet-stream .avi .mpg .mov .pdf .xls .mp4
The AddOutputFilter directive maps the filename extension extension to the filters which will process responses from the server before they are sent to the client. This is in addition to any filters defined elsewhere, including SetOutputFilter and AddOutputFilterByType. This mapping is merged over any already in force, overriding any mappings that already exist for the same extension.
See also: https://developers.google.com/speed/docs/insights/EnableCompression
AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/javascript text/css application/x-javascript BrowserMatch ^Mozilla/4 gzip-only-text/html BrowserMatch ^Mozilla/4\.0[678] no-gzip BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Force Compression for certain files
<FilesMatch "\.(js|css|txt|xml)$"> SetOutputFilter DEFLATE </FilesMatch>
The Header directive lets you send HTTP headers for every request, or just specific files. You can view a sites HTTP Headers using Firebug, Chrome Dev Tools, Wireshark or an online tool.
Header set X-Pingback "http://www.example.com/xmlrpc.php" Header set Content-Language "en-US" Header always set X-Content-Type-Options "nosniff" Header always set X-XSS-Protection "1; mode=block" Header always set Referrer-Policy "strict-origin-when-cross-origin"
This will unset HTTP headers, using always will try extra hard to remove them.
Header unset Pragma Header always unset WP-Super-Cache Header always unset X-Pingback
This is very useful for protecting the wp-login.php file. You can use this htpasswd generator.
Basic Authentication
<Files wp-login.php> AuthType Basic AuthName "Password Protected" AuthUserFile /full/path/to/.htpasswd Require valid-user Satisfy All </Files>
Digest Authentication
<Files wp-login.php> AuthType Digest AuthName "Password Protected" AuthDigestDomain /wp-login.php https://www.example.com/wp-login.php AuthUserFile /full/path/to/.htpasswd Require valid-user Satisfy All </Files>
This is a way to only allow certain IP addresses to be allowed access.
ErrorDocument 401 default ErrorDocument 403 default <Files wp-login.php> Order deny,allow Deny from all Allow from 198.101.159.98 localhost </Files>
This denies all web access to your wp-config file, error_logs, php.ini, and htaccess/htpasswds.
<FilesMatch "^.*(error_log|wp-config\.php|php.ini|\.[hH][tT][aApP].*)$"> Order deny,allow Deny from all </FilesMatch>
This will force SSL, and require the exact hostname or else it will redirect to the SSL version. Useful in a /wp-admin/.htaccess file.
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.wordpress.com"
ErrorDocument 403 https://www.wordpress.com