
Tweak .htaccess to Improve WordPress Speed & Security


WordPress is an excellent platform. But, it doesn’t offer unparalleled speed and security from the start. If you are a WordPress user, you should know that you can improve almost every aspect of vanilla WordPress including speed and security.

In this article, we will learn how to tweak .htaccess to improve WordPress speed and security.

WordPress security is a hot topic among users and experts alike. With hundreds of websites getting hacked every day, bloggers new to blogging should take extra steps to secure their websites. Also, choose a good web host before you start tweaking the .htaccess file: a good host gives your website a robust platform and works well with the WordPress ecosystem. Not only that, you also need speed to rank well in Google, and a good host will help you achieve that easily.

Let’s get started with the ways you can tweak .htaccess file for better security and speed.

Tweak .htaccess to Improve WordPress Speed & Security

Before we dive into the tips, we first need to understand what .htaccess is. Almost every website hosted on an Apache web server comes with a .htaccess file; the name stands for hypertext access. When you install WordPress for the first time, the .htaccess file is created automatically. It is a per-directory configuration file that tells your web server how to handle requests for that directory and everything below it.

To access .htaccess, you first need to enable the option to “Show hidden files.” Once done, you can find the file in the root directory of your WordPress installation.

You can also create the file yourself if for any reason it was not created automatically. To do so, create a plain-text file named .htaccess in the root directory, paste in the code below, and set the file permissions of the .htaccess file to 644.

Also, if you are not sure what you are doing with the file, it is advisable not to tweak it at all. Always back up the file first and then experiment: a single syntax error in .htaccess takes the whole site down with a 500 error until it is fixed. You can also hire professionals to do the work for you if you feel overwhelmed.

Security Optimization using .htaccess

1. Hack protection for .htaccess file: The first step is to stop the web server from serving the .htaccess file itself to anyone who requests it, so that nobody can read or tamper with it over the web. We also need to protect other configuration files such as wp-config.php (which holds your database credentials) or php5.ini. You can protect them simply by inserting the code below into the .htaccess file.

# Refuse web requests for .htaccess/.htpasswd, wp-config.php, php.ini and error_log
<FilesMatch "^.*(error_log|wp-config\.php|php\.ini|\.[hH][tT][aApP].*)$">
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead
Order deny,allow
Deny from all
</FilesMatch>

2. Hide WordPress Directories: Hackers can find loopholes if you give them information, and a directory without an index file lets Apache list every file inside it. It is advised to use .htaccess to turn directory listings off for all your WordPress directories with the line below.

# Turn off directory listings ("Options All -indexes" fails because Apache rejects mixing a signed keyword with an unsigned one)
Options -Indexes

3. Security plugin to the rescue: Security plugins can guide you and help you secure your website. You can use plugins such as Sucuri or WP Security Audit Log to get started. Both these plugins are great and will help you secure your website.

You can also try out WP Security Scan, a plugin that gives you a list of things that need to be handled and fixed. It marks each item in red or green.

4. Blocking bad bots: It is common for websites to be bombarded by bots. They generally arrive from a particular IP address, and you can use .htaccess to block them. All you need to do is add the code below to your .htaccess file, replacing IP_ADDRESS_# with a real value.

# Apache 2.2 syntax (needs mod_access_compat on Apache 2.4, where "Require not ip" is the native form)
# Only GET, POST (and HEAD, which Apache treats with GET) are restricted by this Limit block
<Limit GET POST>
# with "order allow,deny" a matching deny wins: the listed addresses are refused, everyone else is allowed
order allow,deny
deny from IP_ADDRESS_1
deny from IP_ADDRESS_2
allow from all
</Limit>

5. Securing WP-Admin: The admin panel is an important place, and you need to secure it. A simple way to restrict access to the admin login page is the following code, which answers 403 Forbidden to every address except your own.

<IfModule mod_rewrite.c>
RewriteEngine On
# requests for the login page or the bare /wp-admin path (pages inside /wp-admin/ are not matched,
# but WordPress sends anyone not logged in to wp-login.php anyway)...
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# ...that do not come from your address; the value is a regex, so write it like ^203\.0\.113\.5$
RewriteCond %{REMOTE_ADDR} !IP_ADDRESS_1
# "-" leaves the URI untouched and the 403 status refuses the request (an en dash here breaks the rule)
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

If you wish to allow multiple IP addresses, use the following snippet instead.

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# all three conditions must fail to match (AND), so a request is refused only when it comes from none of the listed addresses
RewriteCond %{REMOTE_ADDR} !IP_ADDRESS_1
RewriteCond %{REMOTE_ADDR} !IP_ADDRESS_2
RewriteCond %{REMOTE_ADDR} !IP_ADDRESS_3
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

Just replace IP_ADDRESS_X with the address you want to give access to.

Speed Optimization using .htaccess

1. Prevent image hotlinking: Hotlinking, where other sites embed images that are served from your server, can easily burn through your server resources and make your website crawl. The good news is that you can prevent it with a few simple rewrite rules.

# HOTLINKING DISABLE
RewriteEngine on
# let requests with no Referer through (direct visits, some browsers and proxies send none)
RewriteCond %{HTTP_REFERER} !^$
# let your own site through; replace sample.com with your domain and keep the dot escaped
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?sample\.com [NC]
# everyone else asking for an image gets 403 Forbidden
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
# END HOTLINKING DISABLE

Don’t forget to change sample.com to your own domain.

2. Enable Gzip compression: If you are using an Apache-powered server, you can use the following snippet to enable Gzip compression. It reduces the size of the files requested from your server and improves website speed.

# GZIP COMPRESSION
# mod_gzip is an Apache 1.3-era module, so on most current servers this IfModule block is skipped.
# Apache 2.x compresses with mod_deflate instead, e.g. inside <IfModule mod_deflate.c>:
#   AddOutputFilterByType DEFLATE text/html text/css text/plain application/javascript
<IfModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
# compress text-like files only; images are excluded because they are already compressed
mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>
# END GZIP COMPRESSION

3. Enable Browser Caching: Browser caching improves loading time by keeping static assets in the visitor’s browser so they are not downloaded again on the next page view. It can easily be enabled by tweaking the .htaccess.

# BROWSER CACHING #
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType text/css "access 1 month"
# changed from "access 1 month": WordPress pages are dynamic, so make browsers revalidate HTML on every visit
ExpiresByType text/html "access plus 0 seconds"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/x-icon "access 1 year"
ExpiresByType application/pdf "access 1 month"
ExpiresByType application/javascript "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresDefault "access 1 month"
</IfModule>
# END BROWSER CACHING #

Furthermore, you can use Cache-Control headers if the above code doesn’t work (for example because mod_expires is not loaded on your server).

# Cache control headers
<IfModule mod_headers.c>
# "public" without a max-age only says the response may be cached; the lifetime comes from the Expires rules above
<FilesMatch "\.(ico|jpe?g|png|gif|swf)$">
Header set Cache-Control "public"
</FilesMatch>
<FilesMatch "\.(css)$">
Header set Cache-Control "public"
</FilesMatch>
<FilesMatch "\.(js)$">
Header set Cache-Control "private"
</FilesMatch>
# pages differ per visitor (logged-in users, carts), so only the browser may store them and it must recheck once stale
<FilesMatch "\.(x?html?|php)$">
Header set Cache-Control "private, must-revalidate"
</FilesMatch>
</IfModule>
# END Cache control headers
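Most of the snippets above break in the same handful of ways when they are copied from a web page: typographic quotes and dashes replace the ASCII characters Apache parses, "Options All -indexes" mixes signed and unsigned keywords (which Apache rejects), IP placeholders are left in, and the dots of an IP address are left unescaped in a RewriteCond regex. The checker below is an added example, not part of the original article; it runs over a constructed sample carrying each of those defects, and 203.0.113.5 is a documentation address, not a real one.

```python
import re

# Characters editors and web pages substitute for the ASCII quotes/hyphen Apache expects.
TYPOGRAPHIC = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'", "\u2013": "-", "\u2014": "-"}
PLACEHOLDERS = ("IP_ADDRESS_", "sample.com")   # tutorial values that must be replaced
COMPAT_DIRECTIVES = ("order ", "allow from", "deny from", "satisfy ")

def lint_htaccess(text):
    """Return (line_number, message) pairs for likely copy-paste defects."""
    findings = []
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        lower = line.lower()
        bad = sorted({ch for ch in line if ch in TYPOGRAPHIC})
        if bad:
            findings.append((num, "typographic character(s) %s; use ASCII %s" %
                             (" ".join(bad), " ".join(TYPOGRAPHIC[c] for c in bad))))
        if lower.startswith("options "):
            args = line.split()[1:]
            signed = [a for a in args if a[0] in "+-"]
            if signed and len(signed) != len(args):
                findings.append((num, "Options mixes signed and unsigned keywords, "
                                      "which Apache rejects; use e.g. 'Options -Indexes'"))
        if lower.startswith(COMPAT_DIRECTIVES):
            findings.append((num, "Apache 2.2 access directive; Apache 2.4 needs "
                                  "mod_access_compat or the 'Require' equivalent"))
        for p in PLACEHOLDERS:
            if p in line:
                findings.append((num, "placeholder '%s' not replaced" % p))
        m = re.match(r"rewritecond\s+%\{remote_addr\}\s+!?\^?(\S+)", lower)
        if m and re.search(r"\d\.\d", m.group(1)):
            findings.append((num, "unescaped '.' in REMOTE_ADDR pattern; write it as \\."))
    return findings

# Constructed sample: a copied snippet carrying each of the defects above.
SAMPLE = """\
<FilesMatch \u201c^.*(wp-config\\.php|\\.[hH][tT][aApP].*)$\u201d>
Order deny,allow
Deny from all
Options All -indexes
RewriteCond %{REMOTE_ADDR} !203.0.113.5
RewriteCond %{REMOTE_ADDR} !IP_ADDRESS_2
RewriteRule ^(.*)$ \u2013 [R=403,L]
"""

if __name__ == "__main__":
    print("\n".join("line %d: %s" % f for f in lint_htaccess(SAMPLE)))
```

Run it against your own file with lint_htaccess(open(".htaccess").read()) before uploading; an empty list means none of these defects were found, not that the file is correct.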

Final Thoughts

That’s it. We have finally tweaked the .htaccess. The best way to go through the process of editing .htaccess is to back it up first and then make the changes. This way you can be sure that you can revert to the old version if something goes wrong. If you are using Wix, you can also improve your website speed and security; many Wix reviews already cover the process. Do check them out.

If you have any questions regarding securing or speeding up your WordPress website, don’t forget to comment below.