PCI Compliant Web Hosting and Managed Service Provider
Hosting Solutions since 1995

Recommended .htaccess file settings for WordPress hosted on our servers

Author: ; Published: May 5, 2011; Category: Managed Hosting, WordPress; Tags: , ; No Comments

Let’s cover something often missed by WordPress designers, developers, and authors… the .htaccess file as it is not automatically installed as a part of WordPress

A .htaccess file (yes, there is a period before the word .htaccess and no, there is no extension such as .txt) works with the web server to add or change functionality above and beyond what is normally provided.

Consider a .htaccess file as a way to decorate a cake or customize a room in a house (it typically works from the directory it is placed downward).

The .htaccess file can be used to provide custom error documents such as page not found controlling even how error pages look on your site.

This is also the file that can be used to password protect pages, directories as well as doing redirects.

This article deals with basic .htaccess entries we believe every WordPress site should have present.  To that ends, for brand new sites on our servers, you should find a file in your domain directory called “.htaccess-wordpress-starter”   To use it, just rename it to “.htaccess” with your FTP program or ask us to do it for you.

NOTE:  If you are using a WordPress designer / developer, please have them review the .htaccess file we recommend to ensure it will not conflict with their work.

See Dynamic Net, Inc’s. recommended .htaccess starter file; feel free to copy it to notepad (do not use WordPad or Word unless you know how to save the file as a pure text file without any formatting or codes), and save that file as .htaccess to upload via FTP to the WordPress home directory (typically your domain directory or a blog directory) of your WordPress site.

Let’s go over our recommended .htaccess starter file:

We first start off with a set of commands that will not allow anyone from outside the server itself to modify the .htaccess file via the browser (btw, .htaccess only interacts with the web server, not FTP, email, etc. — only the web):

## To protect the .htaccess file(s) used on the site from abuse
order allow,deny
deny from all

The above set of lines tells the server that the file .htaccess is to be denied access from the web by everyone (that’s the “deny from all”).

Why do we want to deny access?  Because hackers who gain access to your .htaccess file can have certain areas redirected to their control, along with doing other nefarious things.

If you have one or more dedicated IP addresses, you can really up the security of protecting key areas of your site — the wp-config.php file, common cashing files, etc.. — from hackers.

Deny from all
allow from 24.229.66.131
allow from 166.143.220.38

The above command states that file file names matching any of the file names in the list, allow only from the IP addresses listed.

Next, is that even though you can turn off directory indexes (this is a Web server feature that if on, tells the web server for it to display folders and files in a directory that do not have a home page in it) off via the hosting automation system, let’s play safe and turn it off via .htaccess:

# Turn off directory indexes
Options All -Indexes

A lot of WordPress sites use permalinks; that’s where your web page address is not site/p=number but something more meaningful.

The below is needed by WordPress for permalinks to work:

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

Some web severs offer compression to make your files somewhat smaller as they are sent from the web server to the browser; the below lines tell the web server how to best serve items from your WordPress site:

AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript
AddOutputFilterByType DEFLATE application/xml application/xhtml+xml application/rss+xml
AddOutputFilterByType DEFLATE application/javascript application/x-javascript

BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

# Make sure proxies don’t deliver the wrong content
Header append Vary User-Agent env=!dont-vary

Lastly the following is to help Search Engines know when to expire certain portions of your site to help improve search engine performance:

ExpiresActive On
ExpiresDefault A300
ExpiresByType image/x-icon A2592000
ExpiresByType application/x-javascript A3600
ExpiresByType text/css A3600
ExpiresByType image/gif A604800
ExpiresByType image/png A604800
ExpiresByType image/jpeg A604800
ExpiresByType text/plain A300
ExpiresByType application/x-shockwave-flash A604800
ExpiresByType video/x-flv A604800
ExpiresByType application/pdf A604800
ExpiresByType text/html A300

Peter Abraham
Former CEO of Dynamic Net, Inc. Will be transitioning to a new career in the near future.
Peter Abraham

@

Peter Abraham

Leave a Comment