All websites have a master gatekeeper that provides the initial security for every type of site visitor, both human and bot. It also controls the redirection of traffic and tells browsers what to do with the data from your site. Discover all of the critical features in the .htaccess file and how having a good one improves your site security and performance.
What is an .htaccess file?
Think of your site as residing in a gated community. The .htaccess file sits in the guard shack at the entrance.
It can be given a set of rules for how to deal with everything requesting access to your site.
- Which IPs can gain access to your site
- Redirecting visitors to the proper page/post
- Keeping bots and humans out of sensitive site areas
- Giving browsers explicit cache directives to speed up page loads
What’s in the default .htaccess file?
For WordPress site owners, the host will usually allow the default .htaccess file to installed. It only contains the most basic WordPress rewrite rules to ensure your permalinks work correctly.
The default .htaccess file has zero security directives.
That means as a gatekeeper, it doesn’t check anything coming into your site.
What should be in my .htaccess file?
First, ensure that you have one!!!
Not all hosts allow it to be installed and/or you may have a super old version if you installed WordPress a long time ago.
Following are the typical items found in a good .htaccess file:
- Deny access to the .htaccess file itself
- Deny access to the wpconfig file (that has your database name and password and login authorization keys, among other sensitive items)
- Disable directory browsing
- Turn off the XML-RPC output layer so you your site can’t be used in a DDoS attack against the server and other sites
Another function of the .htaccess file as the gatekeeper is to ensure that all traffic goes where it’s supposed to.
301 redirects are way faster when performed in the .htaccess file.
Doing it this way is also way lighter on your system resources too, compared to doing it with a plugin.
Redirects in .htaccess happen instantly, prior to opening WordPress.
When you redirect with a plugin, an instance of WordPress has to be opened, then the plugin, then the redirect, which then opens another instance of WordPress.
That’s a lot of system resources being chewed up!
And if the redirect plugin has tracking logs, it chews up even more.
The caveat is, you don’t want too many redirects in the .htaccess, or it can become a bottleneck and slow everything down.
Speeding Up Site Load Time
The .htaccess file also contains directives for local caching, including preloading of pages/posts, and how long browsers should hold onto static site elements.
Both of these functions speed up how long it takes your site to load.
Most site owners use caching plugins, and that’s actually a good thing because the code for each caching element can be quite extensive. Plus, plugins tend to keep pace with changes to WordPress and with Google.
How is the .htaccess file different from the robots.txt file?
The rules in the .htaccess file are law.
Everything that comes to your site, both bot and human, has to obey those rules, no exceptions.
The directives in the robots.txt file are suggestions.
Well-behaved bots will follow them. Ill-behaved bots will not.
But, a good robots.txt file is still needed, and will improve site performance.
How do I check my .htaccess file?
The .htaccess file is a hidden file type.
You will need to access it via an FTP program, like FileZilla. Or use your host’s cPanel with hidden files turned on.
DO NOT touch your .htaccess file if you don’t know what you’re doing!!!!!!!!!!
You could give your site the white screen of death and lock yourself out of access to it, or make it not work properly.
The .htaccess file is just one of the security checks I do in site audits.
In my Webmaster Training I teach designers and technical VAs how to install and maintain secure sites, including exactly what should be in the .htaccess file.