The .htaccess file in WordPress might look small, but it plays a big role. It helps manage site security, handles redirects, and improves performance. In most cases, WordPress takes care of it automatically, but if something goes wrong, knowing how this file works can save you from errors and downtime.
The default WordPress .htaccess file is like a safety net. If the file is missing or broken, you can restore it easily. With a little knowledge, you can also add rules that make your site faster, more secure, and better organized.
In this guide, we’ll go step by step from finding the default file to editing it safely, adding useful rules, and fixing common issues.
What Is the .htaccess File in WordPress?
The .htaccess file is a configuration file used by the Apache web server (not NGINX) that usually lives in the root directory of your site. It controls how the server behaves at a directory level. That includes things like rewriting URLs, forcing redirects, or blocking access to sensitive files.
In WordPress, its most common job is to enable permalinks so your site links look clean and user-friendly instead of messy strings of numbers. But it’s not limited to that. You can also use it to add security rules, speed up performance, and manage redirects.
And yeah, editing this file can feel a little hectic the first time, but once you get the hang of it, it’s straightforward. At Pure Website Design, we work with WordPress every day. From setting up .htaccess rules to full web development maintenance, we make sure your site stays secure, fast, and problem-free.
Tell Us What You Need – Start Your Journey Today!
Share your project requirements, and we’ll guide you through a seamless development journey to bring your ideas to life.
Where to Find the Default WordPress .htaccess File
- In a typical setup, the .htaccess file should be in the root folder of your WordPress installation (e.g. public_html or the folder containing wp-admin, wp-content, etc.).
- Because it starts with a dot, many file managers hide it by default. You may need to enable “show hidden files (dotfiles)” in cPanel/File Manager or via your FTP client.
- If you can’t locate it, it might not have been generated yet (especially in fresh installs before permalinks are configured).
Default WordPress .htaccess Code (and How to Reset It)
Here is the standard default .htaccess content that WordPress uses when pretty permalinks are enabled (nothing fancy, just the core):
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
If your .htaccess file is missing, corrupted, or overridden, you can regenerate it by going into Settings → Permalinks in the WordPress dashboard and hitting “Save Changes” (even without modifying anything). WordPress will attempt to write the default file.
If WordPress cannot write files (permissions issue, etc.), you may have to create the file manually:
- Create a new file named .htaccess (with the dot).
- Paste in the default block above.
- Upload it to the root via FTP or through File Manager.
How to Create or Recreate an .htaccess File in WordPress
- If WordPress hasn’t generated one (e.g. you haven’t touched permalinks), use the “Save Permalinks” trick as above.
- If that fails (permissions or server doesn’t allow file creation), create the .htaccess file manually (as described above) and upload it.
- In cPanel: go to File Manager, enable “show hidden files”, create a new file named .htaccess, and paste in the default contents.
- Via FTP/SFTP: in your local editor, name it .htaccess (be careful not to name it htaccess.txt) then upload to root.
Safe Ways to Edit the WordPress .htaccess File
- Backup first: Always copy the current .htaccess before editing. Even one missing bracket or typo can break your site.
- Use FTP or File Manager: Connect via FTP, locate .htaccess, download it, edit locally, then reupload. Or open with a file manager/editor in your host panel.
- Plugins (with caution): Some plugins provide built-in .htaccess editors, but using them removes your direct control, and if the plugin malfunctions, you might lose access.
- Best practice in editing: Insert new custom rules outside or before the # BEGIN WordPress / # END WordPress block, so WordPress updates don’t override your additions.
Common Redirect Rules with .htaccess
Here are typical use cases and snippets you can offer:
- 301 (Permanent) Redirect
Redirect 301 /oldpage.html https://yourdomain.com/newpage.html - 302 (Temporary) Redirect
Redirect 302 /oldpage.html https://yourdomain.com/newpage.html
Force www
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example.com [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,NC]
Force non-www
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www.example.com [NC]
RewriteRule ^(.*)$ http://example.com/$1 [R=301]
Force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Redirect entire domain
RewriteEngine On
RewriteCond %{HTTP_HOST} ^olddomain.com [NC,OR]
RewriteCond %{HTTP_HOST} ^www.olddomain.com [NC]
RewriteRule ^(.*)$ https://newdomain.com/$1 [R=301,NC,L]
Essential Security Rules for WordPress .htaccess
Here are useful protections you can layer on top of the default:
- Protect the .htaccess file itself
<Files ~ “^.*\.([Hh][Tt][Aa])”>
order allow,deny
deny from all
satisfy all
</Files>
- Restrict access to wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
- Disable XML-RPC
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
- Block file execution (PHP) in certain directories
For example, in wp-content/uploads or wp-includes, you might want to deny execution of PHP scripts. - Disable directory listing
Options -Indexes
(Stops strangers from browsing your file directories) - Block bad bots / user agents
RewriteCond %{HTTP_USER_AGENT} ^BadBot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^AnotherBadBot [NC]
RewriteRule .* – [F,L]
- Limit access to wp-admin by IP
You can place rules in a .htaccess inside wp-admin that only permit specific IPs.
Boosting Performance with .htaccess Rules
Performance-centric tweaks you can embed:
- Browser (client) caching / expire headers
Use mod_expires to instruct browsers to cache certain file types (CSS, JavaScript, images) for a defined period. - Gzip / Deflate compression
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/css text/javascript application/javascript application/x-javascript
…
</IfModule>
- Hotlink protection
Prevent other sites from embedding your images and using your bandwidth:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ – [F,L]
- Limit upload sizes (if supported)
You might see config lines like:
php_value upload_max_filesize 10M
php_value post_max_size 10M
.htaccess Rules for WordPress Multisite
Multisite (WPMU) uses a slightly different default .htaccess, especially in subfolder setups versus subdomain ones.
For subfolder-based networks, a typical default block is:
# BEGIN WordPress Multisite
RewriteEngine On
RewriteRule .* – [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ – [L]
# force trailing slash on /wp-admin
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ – [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
RewriteRule . index.php [L]
# END WordPress Multisite
For subdomain networks, the logic is similar, with some adjustments to how the base rules are applied.
Troubleshooting .htaccess Issues in WordPress
Here are common problems and how to diagnose or fix them:
| Issue | Cause / Symptoms | Fix / Diagnostic Steps |
| Site shows 500 Internal Server Error | Syntax mistake, misplaced directive, or invalid rule | Rename .htaccess to htaccess_backup, then see if site returns. If yes, restore default and re-add custom lines one by one. |
| Redirects not working | mod_rewrite module not enabled or misconfiguration | Enable Apache’s mod_rewrite (e.g. a2enmod rewrite) and restart server. |
| .htaccess being ignored / not applying rules | File not named correctly, wrong location, or permission issues | Ensure file is .htaccess (with leading dot), in root directory, and proper permissions. |
| Infinite redirect loops | Conflicting redirect rules (e.g. forcing HTTPS + www conflicting) | Comment out recent rules, test step by step. Use logs to trace. |
| Permalinks break / 404 errors after editing | The rewrite rules are not being applied or overwritten | Re-save permalinks from WP admin, restore default block, check that custom rules aren’t interfering. |
Also, always check your server’s error logs (Apache’s error log) to see what rule or syntax is causing failure.
FAQs
What default .htaccess file in WordPress actually do?
The default file controls permalinks and ensures pages load with clean URLs. It also serves as a base where you can add rules for security, redirects, and performance improvements.
Can I restore .htaccess file?
Yes, it can be restored by re-saving the permalink settings in WordPress. If that does not work, a new plain text file named .htaccess with the default WordPress code can be created manually.
What happens if the .htaccess file has errors in it?
Mistakes in the file can cause issues such as 500 Internal Server Errors or redirect loops. Replacing it with the default rules or uploading a backup usually fixes the problem.
How can the .htaccess file improve WordPress site security?
Security rules in .htaccess can block access to sensitive files, disable directory browsing, and prevent malicious requests. These changes make the site safer without the need for heavy plugins.
Can the .htaccess file make a WordPress site faster?
Yes, rules can be added to enable caching, compression, and hotlink protection. These improvements reduce load times and save bandwidth, keeping the site running smoothly.
How do redirects work in the WordPress .htaccess file?
Redirects tell visitors and search engines where to go when content changes. Common uses include forcing HTTPS, handling www or non-www versions, and setting 301 redirects for moved pages.
Can Pure Website Design help manage the .htaccess file?
Yes, Pure Website Design specializes in WordPress maintenance and can manage .htaccess files safely. From restoring defaults to adding security and performance rules, the team ensures sites stay reliable and error free.
Do I need ongoing support for managing WordPress .htaccess file?
Yes, because hosting changes, plugins, and updates can affect .htaccess. Pure Website Design provides web maintenance services with backups, monitoring, and optimization so the site always performs at its best.
Conclusion
The default WordPress .htaccess file is the foundation of a stable site. If something goes wrong, restoring it brings everything back on track. From there you can add redirects, security rules, performance tweaks or even multisite configurations, but always with care.
One misplaced line can cause errors, so it is important to back up, test changes in staging, and keep track of every update you make.
At Pure Website Design, we handle this process every day. Whether you need a secure setup, performance optimization, or ongoing site maintenance, our team makes sure your WordPress site runs smoothly without the risk of costly mistakes.
