.htaccess file is a configuration file that determines how a web server responds to requests. The WordPress .htaccess file can be used to boost your website’s performance, security and usability. It is supported by most popular web servers, including the Apache web server software used by most cloud hosting providers. These files can be used to alter the configuration of Apache web server software to enable or disable additional functionalities and features that the software has to offer. A few features that you can enable or disable using a .htaccess file include server signature, file caching, URL redirection, password protection and custom error pages.

1. Where is .htaccess located?

In theory, you can locate this specific file in every directory on your server, however, it is mostly found in your web root folder public_html or www. that contains all your website content. If you have multiple website subdirectories (www.example.com/subdirectory1/subdirectory2/), then the .htaccess file would be in the root folder directory (public_html) and also in each of the subdirectories (subdirectory1, subdirectory2) as well.

To access a default WordPress .htaccess file, follow these simple instructions.

Step 1: Log into your managed hosting/shared hosting account by providing your username and password. (Check out our guide to find out your credentials)


web host login


Step 2: Now that you have logged in, go to File Manager and click on it.


Bluehost file manager


Step 3: Next, you will be taken to your site’s files. Look for one that says public.html. Your .htaccess file can mostly be found in this folder.


public.html file wordpress


Step 4: Click on public.html and you will see the .htaccess file listed inside as shown below.


htaccess file


Step 5: That is it! Now that you have found the .htaccess, you can modify it by right clicking on .htaccess file and choosing the Edit button.  But be warned, this is a configuration file, and fiddling with it should be done under expert supervision (like a WordPress website builder/WordPress developers).


edit .htaccess file web host


2. How can I create a .htaccess file?

If you do not have a .htaccess file, you would need to create one. However, before you proceed to create a .htaccess file, make sure that you actually need to. What we mean is many a time these type of files are hidden. To view them, you would need to make sure that you have turned on the ‘show hidden files’ in your file manager settings.


file manager settings


Once you click on setting a menu will open up that will have an option to ‘show hidden files’. Make sure you turn that on.

Now see if you are able to view the .htaccess file. If you still cannot see in your site’s public.html  directory, then you can proceed with creating one by following the simple instructions below.

Step 1: Create a new file in a plain text editor and save it as .htaccess. Make sure there is no .txt or any other file extension at the end of it. It should read as just .htaccess.

Step 2: Add the following basic code to the empty file to get started.

# BEGIN WordPress

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteBase /

RewriteRule ^index.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule . /index.php [L] </IfModule>

# END WordPress

Step 3: Save the changes and upload the file to your WordPress root directory using FTP or your file manager.

Step 3.1: To upload it to your public_html folder via file manager, log into your WordPress hosting account. And go to file manager. There you would see an option to upload. Click on that.


upload .htaccess file bluehost


Step 3.2: A new window will open where you can drag and drop your file from the local system.


select file upload bluehost


Step 3.3: Once you have selected the file, it will be uploaded on to your directory.

That’s all! Your .htaccess file is ready.

3. What does a .htaccess file do?

A .htaccess file, as we mentioned, is a configuration file and so can be used to enable or disable various functionalities and features of a dedicated server such as:

  • Error handling
  • Password protection
  • IP blacklisting and whitelisting
  • Block users by referrer
  • Specifying a default file for directory
  • URL redirects and URL rewriting
  • Block hotlinking
  • Enable or disable index
  • Configuring PHP settings

Let us understand what each of these functionalities is and what purpose they serve.

i. Error handling

When you click on a website page, what happens behind the scenes is that a request is made to the web server. And if all goes well, the web server serves you up with the page requested. However, if something goes wrong with this, you typically get an error message. It is your .htaccess file that manages these error messages.

As you may have noticed not all the error messages are the same, in fact, each of these has a different error code. One example of this is a 404 error, which you can generate if the document cannot be found on the server.   

Google 404 error

If you haven’t specified in your .htaccess file how to handle these error messages, the server will simply inform the browser, which will then display a generic error message.

We recommend that you handle each error message by creating a specific error message for different error codes. These days websites go a step further and customize the error message to add a dash of humour or personalization to it. Here is a guide that tells you how you can create these custom messages.

However, if you simply want to display certain custom error messages for the different error codes simply add the following code to your .htaccess file.

# serve custom error pages

ErrorDocument 400 /errors/400.html

ErrorDocument 401 /errors/401.html

ErrorDocument 403 /errors/403.html

ErrorDocument 404 /errors/404.html

ErrorDocument 500 /errors/500.html

ii. Password protection

Apart from aiding the web server to generate error messages, the .htaccess file also can be used to restrict access to certain directories by protecting them with a password. This process involves uploading two files .htaccess and .htpasswd in the directory that you want to restrict access to. Include the following lines of code into your .htaccess file:

AuthType Basic

AuthName "Password Protected Area"

AuthUserFile /path/to/.htpasswd

Require valid-user

Note: In the above code change the highlighted entry path/to/.htpasswd to the full path to your .htpasswd file. If you do not know the full path, don’t worry. Just refer to this short guide.

Once you have added this code to your .htaccess file, next you need to upload the .htpasswd file that contains the username and password. Include the following line text in your .htpasswd file.


Substitute ‘username’ with one of your choice and ‘encryptedpassword’ with a real password in encrypted form. To encrypt a password of your choosing, run it through an algorithm and safely and securely store the result. While logging in, however, you must use the original password that corresponds with the username and not the encrypted one.

This is a very secure way for storing passwords because even if anyone gains unauthorized access to your .htpasswd file, they wouldn’t be able to see your original password, only the encrypted version of it. And since the encryption is one-way, you can not rehash the original from the encrypted one.

Wonder where you can get a hold of these algorithms? These are two secure algorithms you can use: bcrypt, md5. Apache supports both, but the md5 is the one that the current versions of Apache uses.

a. How to create a username and password on the command line

You can add more username and password pairs as you can see in the box above. This can be done using the command line or SSH terminal.

To create a new .htpasswd file, use the command with  -c (command to create) and then the path to the directory (the one server).

> htpasswd -c /pathtodirectory/.htpasswdusername

b. Alternative method

However, if you are not comfortable fiddling with the command line or SSH terminal, then there is an alternative. You could create a .htpasswd file and populate it using a plain text editor. You can upload them to the site via FTP or file manager.You can do this the same way we uploaded a .htaccess file.

iii. IP blacklisting and whitelisting

.htaccess file can also be used to block users or blacklist IP addresses that you don’t want accessing your site. Apart from blacklisting, you can also whitelist, that is, block everyone except visitors from certain approved IP addresses.

To block specific IP addresses, use the command below in your .htaccess file.

order allow,deny

deny from

allow from all

Remember to add the IP addresses you need to block instead of the ones we have input.

The command line above sets allows from all as the default directive. And then those mentioned against deny would be denied entry.

In order to whitelist certain IP addresses, you would need to reverse the order of the directive, that is, instead of or order allow, deny, you would need to add order deny, allow as shown below. This would restrict all IP addresses except the ones you specify otherwise.

order deny,allow

deny from all

allow from

iv. Block users by referrer

Another important feature of .htaccess file is that you can use it to block certain sites from linking to your images (called hotlinking). This uses a lot of your server’s resources and is a direct case of copyright violations! Some of these referrer websites may be hostile and these links can prove to be detrimental to your site! So it is recommended that these specific sites or domain names are blocked from hotlinking to your site. In order to block such sites from linking to your site, you can add directives into your .htaccess file as shown below.

RewriteEngine on

RewriteCond % ^http://.*example.com [NC,OR]

RewriteCond % ^http://.*anotherexample.com [NC,OR]

RewriteCond % ^http://.*onemoreexample.com [NC]

RewriteRule .* - [F]

You would need to substitute example.com with the URL you need to block. The rest should remain the same.

v. Specifying a default file for WordPress directory

When you access a site without specifying a file name, most web servers assume that the request is for a directory. So the web server typically serves up the default file from the root directory, also called index file or index.html.

If however, you do not want to have index.html as the default file, and instead want it to be a different file type such as index.shtml, index.xml or index.php files then you can use .htaccess to set the default page.

Just include the following directive in your .htaccess file.

DirectoryIndex [filename here]

Substitute the file name with whatever you like.

These are some of the many functionalities and features of the .htaccess file. It is a very important file and therefore you must be careful and secure it from coming under the clutches of hackers. One way to secure it is to hide it.

4. Should I hide the .htaccess file?

As we mentioned, it is an extremely important file that contains crucial information such as the location of your .htpasswd file. So a simple, yet effective way to secure it is to hide it from public view. How do you do that? Just add the following code to your .htaccess file.

<Files .htaccess>

order allow,deny

deny from all


The beauty of a content management system like WordPress is that you can make modifications to it. Click To Tweet

But fiddling with the .htaccess file can have disastrous effects on your site, and can even lead to a site crash. In order to prevent that, here are a few things to keep in mind while you work with .htaccess file. Copy your htaccess file onto your local system each time you are about to work on it. This is a very important step and one you must prioritize over all others. This is a security measure that is very important and can save you a lot of trouble in case you accidentally delete it or modify it. Things to keep in mind.

5. Backing the file

In order to do so, go to File Manager on your web host and click on the public_html file in the Home directory to see all the files under it. After that, simply double click on the .htaccess file to download it onto your local system and save it securely.

Apart from backing up your .htaccess file, another thing to keep in mind is to do one thing at a time. That is, every time you make a change, first test it and then make another one. Making multiple changes to the file without first checking will only lead to confusion in case there is some error. Because then you wouldn’t know what exactly caused it.

Another thing that you should be careful about is that when you create the .htaccess file name, it has to begin with a dot. And it should not have any additional file extensions such as .txt etc. Implement these above mentioned good practices and your .htaccess file should be good to go.

6. Parting words

It is also important that you back up your website before you make any changes to your .htaccess file because even the slightest error could render your site dysfunctional. There are plenty of WordPress plugins available for this purpose. For more such WordPress tutorials, stay tuned.

try blogvault backups