Security Headers and HTAccess File update

Guide for WordPress Security & Performance (2025)

How to update your .htaccess in your WordPress Website

The .htaccess file is a powerful server configuration file that can dramatically enhance the security, performance, and overall resilience of your WordPress website. However, incorrect configurations can easily cause errors or break site functionality.

This guide provides a robust, well-commented .htaccess baseline. It is not a “one-size-fits-all” solution but a strong starting point that you must review and customize for your specific website.

Why This Is Critical

A default WordPress installation sends few security headers on the public site, so the browser-side protections they switch on are simply off. A properly configured .htaccess file helps mitigate:

Cross-Site Scripting (XSS) and Clickjacking (Content-Security-Policy, X-Frame-Options)

MIME-sniffing and content injection (X-Content-Type-Options, CSP)

Mixed Content Warnings and insecure HTTP traffic (HTTPS redirect, Strict-Transport-Security)

Information Leakage through directory listings or exposed configuration files

Login brute-forcing and pingback abuse through xmlrpc.php

Poor Performance due to inefficient browser caching

These are defence-in-depth controls enforced by the visitor's browser: they limit what an injected script or a framing page can do, but they do not patch a vulnerable plugin or theme. Keep WordPress, plugins and PHP up to date as well.

IMPORTANT: Before You Begin

Backup Your .htaccess File: Before making any changes, connect to your server via FTP or a file manager and download a copy of your existing .htaccess file. If anything goes wrong, you can restore it.

This is a Template, Not a Command: Do not blindly copy and paste this entire file. The Content Security Policy (CSP) and Wordfence WAF path, in particular, will require customization to avoid breaking your site.

Server Compatibility: This guide is for Apache, and for Apache-compatible servers that read .htaccess files (LiteSpeed and OpenLiteSpeed). It will not work on NGINX, which ignores .htaccess entirely; the same headers would have to go into the NGINX server block instead. Your host must also allow .htaccess overrides (AllowOverride) for these directives; a directive the host does not permit produces a 500 error on every page, which is why the backup step matters.

The .htaccess Baseline Template

Copy the relevant sections into your site’s root .htaccess file, placing them above the default # BEGIN WordPress block.

# ==============================================================================
# 1. SECURITY HEADERS - A STRONG STARTING POINT
#
# These headers instruct the browser on how to handle your site's content
# securely. The Content-Security-Policy (CSP) is the most complex and
# will likely need to be customized.
# ==============================================================================
<IfModule mod_headers.c>
    # Enforce HTTPS for 1 year, including subdomains. Browsers ignore this header
    # on plain-HTTP responses, so it only takes effect once the HTTPS redirect in
    # section 4 is working. Remove 'preload' if you are not 100% sure about your
    # site-wide SSL commitment: preload is for submission to the browser-shipped
    # list at hstspreload.org and is slow to undo.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    # Block content-type sniffing.
    Header always set X-Content-Type-Options "nosniff"

    # Prevent the site from being loaded in an <iframe> (clickjacking protection).
    # "ALLOW-FROM uri" is obsolete and ignored by current browsers; to allow a
    # specific domain, list it in the frame-ancestors directive of the CSP below.
    Header always set X-Frame-Options "SAMEORIGIN"

    # Control what referrer information is sent to other sites.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Restrict browser features like camera or microphone access.
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"

    # -- CONTENT SECURITY POLICY (CSP) - CUSTOMIZE THIS! --
    # This is a restrictive baseline. It will likely break third-party tools
    # (Google Analytics, YouTube embeds, etc.) until you whitelist them.
    # connect-src is not listed, so AJAX/fetch calls inherit default-src 'self'.
    # To find what breaks without blocking anything, send the same value as
    # Content-Security-Policy-Report-Only first and read the console reports.
    # 'always' makes the header appear on error pages (404, 500) too.
    # See the guide below on how to customize this.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' https://www.googletagmanager.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; frame-src 'self' https://www.youtube.com; object-src 'none'; frame-ancestors 'self';"
</IfModule>


# ==============================================================================
# 2. ADVANCED SECURITY: CROSS-ORIGIN ISOLATION (OPTIONAL)
#
# WARNING: This provides strong security against side-channel attacks but can
# break third-party embeds (e.g., ads, some payment gateways).
# Enable this only if you understand the implications.
#
# <IfModule mod_headers.c>
#   Header set Cross-Origin-Embedder-Policy "require-corp"
#   Header set Cross-Origin-Opener-Policy "same-origin"
# </IfModule>
# ==============================================================================


# ==============================================================================
# 3. APACHE HARDENING - PROTECT SENSITIVE FILES
# ==============================================================================
# Disable directory browsing. If your host does not permit "Options" in
# .htaccess, this single line causes a 500 error; remove it and ask the host
# to disable indexes server-side.
Options -Indexes

# Protect key configuration files. The pattern is anchored at the start only,
# so stray copies such as wp-config.php.bak are blocked as well.
# "Require all denied" is Apache 2.4 syntax; Apache 2.2 needs
# "Order allow,deny" followed by "Deny from all" instead.
<FilesMatch "^(wp-config\.php|\.htaccess|php\.ini|readme\.html|license\.txt)">
    Require all denied
</FilesMatch>

# Disable XML-RPC if you do not use it (e.g., for the WordPress mobile app or
# Jetpack). It is a common target for login brute-forcing and pingback abuse.
<Files xmlrpc.php>
    Require all denied
</Files>


# ==============================================================================
# 4. HTTPS REDIRECTION - CHOOSE ONE METHOD
#
# Use only one. Method A checks whether Apache's own connection is TLS. Behind
# a proxy that terminates TLS for you (Cloudflare "Flexible" SSL, some load
# balancers) Apache sees plain HTTP on every request, so Method A redirects
# forever. Method B instead reads the scheme the visitor used at the edge from
# the CF-Visitor header that Cloudflare adds. Both exempt the ACME path so
# Let's Encrypt HTTP-01 validation keeps working. %{HTTP_HOST} keeps the rule
# portable; if you prefer, hardcode your canonical domain so a forged Host
# header cannot influence the redirect target.
# ==============================================================================

# -- Method A: For sites NOT using Cloudflare --
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

# -- Method B: For sites USING Cloudflare --
# <IfModule mod_rewrite.c>
#    RewriteEngine On
#    RewriteCond %{HTTP:CF-Visitor} '"scheme":"http"'
#    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
#    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
# </IfModule>


# ==============================================================================
# 5. BROWSER CACHING - LEVERAGE BROWSER CACHE
#
# HTML is never cached, so logged-in state and fresh content are respected;
# static assets get a one-year lifetime. Year-long caching of CSS/JS is safe
# because WordPress appends a version query string (?ver=) to the files it
# enqueues, so an updated file gets a new URL. Hard-reload when testing after
# editing a theme file by hand.
# ==============================================================================
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresDefault "access plus 1 month"
    ExpiresByType text/html "access plus 0 seconds"
    # image/jpg is not a registered type (image/jpeg is), but some servers
    # still emit it, so both are listed.
    ExpiresByType image/jpg "access plus 1 year"
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"
    ExpiresByType image/avif "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType image/x-icon "access plus 1 year"
    ExpiresByType video/mp4 "access plus 1 year"
    ExpiresByType video/webm "access plus 1 year"
    ExpiresByType text/css "access plus 1 year"
    ExpiresByType text/javascript "access plus 1 year"
    ExpiresByType application/javascript "access plus 1 year"
    ExpiresByType application/pdf "access plus 1 year"
    ExpiresByType font/ttf "access plus 1 year"
    ExpiresByType font/woff "access plus 1 year"
    ExpiresByType font/woff2 "access plus 1 year"
</IfModule>


# ==============================================================================
# 6. WORDFENCE FIREWALL OPTIMIZATION (WAF)
#
# You MUST replace the placeholder path below with the correct one for your site.
# Find it in your WordPress dashboard under: Wordfence > Firewall > Advanced.
# php_value only works where PHP runs inside the web server (mod_php, or LSAPI
# on LiteSpeed, which is what the IfModule below matches). On PHP-FPM setups the
# same auto_prepend_file setting goes in a .user.ini or php.ini instead; the
# "Optimize the Wordfence Firewall" wizard shows the right snippet for your
# server type.
#
# <IfModule lsapi_module>
#   php_value auto_prepend_file '/path/to/your/wordfence-waf.php'
# </IfModule>
# ==============================================================================


# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should be considered final.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
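To see why section 4 says "choose one method", the following added example (not part of the original guide, nor Apache code) reproduces the decision the two RewriteCond/RewriteRule pairs make from the three request variables they read (HTTPS, the CF-Visitor header, REQUEST_URI) and then follows the redirects the way a browser would. The requests and the three deployment models are constructed: "flexible" stands for Cloudflare's Flexible SSL mode, where the edge speaks plain HTTP to the origin whatever the visitor used; "full" for a mode where the edge mirrors the visitor's scheme to the origin; "direct" for no proxy at all. The host name example.com is a placeholder.

```python
"""Simulate the HTTPS-redirect methods from section 4 and their redirect loop."""

ACME_PREFIX = "/.well-known/acme-challenge/"
MAX_HOPS = 5


def method_a(req):
    """Method A: redirect when Apache's own connection (%{HTTPS}) is not TLS."""
    if req["HTTPS"] == "off" and not req["REQUEST_URI"].startswith(ACME_PREFIX):
        return "https://" + req["HTTP_HOST"] + req["REQUEST_URI"]
    return None


def method_b(req):
    """Method B: redirect when Cloudflare says the visitor used http at the edge."""
    visitor = req.get("HTTP_CF_VISITOR", "")
    if '"scheme":"http"' in visitor and not req["REQUEST_URI"].startswith(ACME_PREFIX):
        return "https://" + req["HTTP_HOST"] + req["REQUEST_URI"]
    return None


def origin_view(visitor_scheme, deployment, host, uri):
    """Build the variables Apache sees for one browser request (constructed model)."""
    if deployment not in ("direct", "full", "flexible"):
        raise ValueError(deployment)
    # Flexible: the edge always connects to the origin over plain HTTP.
    # Direct/Full: the origin connection is TLS exactly when the visitor's was.
    origin_tls = deployment != "flexible" and visitor_scheme == "https"
    req = {"HTTPS": "on" if origin_tls else "off", "HTTP_HOST": host, "REQUEST_URI": uri}
    if deployment != "direct":  # only a Cloudflare-fronted origin gets CF-Visitor
        req["HTTP_CF_VISITOR"] = '{"scheme":"%s"}' % visitor_scheme
    return req


def _split_url(url):
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    return scheme, host, "/" + path


def follow(rule, deployment, first_url):
    """Return how many redirects a browser goes through, or 'loop' if it never settles."""
    scheme, host, uri = _split_url(first_url)
    hops = 0
    while True:
        location = rule(origin_view(scheme, deployment, host, uri))
        if location is None:
            return hops
        hops += 1
        if hops > MAX_HOPS:
            return "loop"
        scheme, host, uri = _split_url(location)


if __name__ == "__main__":
    for name, rule in (("Method A", method_a), ("Method B", method_b)):
        for deployment in ("direct", "full", "flexible"):
            print(name, deployment, follow(rule, deployment, "http://example.com/blog/"))
```

Running it shows Method A settling after one redirect when Apache itself terminates TLS, looping under Flexible SSL, and Method B doing nothing at all without Cloudflare (no CF-Visitor header, so no redirect). A request to the ACME path is never redirected by either method.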

How to Customize and Test

Customizing Your Content Security Policy (CSP)

After adding the CSP header, your site will likely have broken elements (missing images, fonts, or non-functioning scripts). This is expected. If you would rather collect the violations before anything is blocked, send the same value under the Content-Security-Policy-Report-Only header first; browsers then log violations to the console without enforcing the policy.

Open your website in Chrome or Firefox.

Open the Developer Console (F12 or Ctrl+Shift+I).

Look for errors in the Console tab. They will look like this: Refused to load the script 'https://some-other-domain.com/script.js' because it violates the following Content Security Policy directive...

For each blocked origin that you trust (e.g., https://*.stripe.com, https://connect.facebook.net), add the origin (scheme and host, not the full path) to the directive named in the error. Do not "fix" an error by adding 'unsafe-inline' to script-src or by allowing https: wholesale; either one lets an injected script run and defeats the purpose of the policy.

script-src for JavaScript files.

style-src for CSS files.

img-src for images.

frame-src for <iframe> embeds like YouTube.

connect-src for API calls (AJAX, fetch). It is not in the baseline, so it inherits default-src 'self'; add it explicitly when a script needs to call a third-party API.
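The console loop above can be made repeatable. The following added example (not code from the original guide, nor from any browser or plugin) triages violation reports against the section 1 policy: it parses the policy, accepts a report only if the blocked origin is on an explicit trust list, copies default-src before extending a directive that was not yet listed (so 'self' is not lost), and refuses to "solve" inline-script reports with 'unsafe-inline'. The reports use the JSON shape browsers POST to a report-uri endpoint, which carries the same fields as the console message; the reports and the trust list are constructed samples.

```python
"""Triage CSP violation reports against the baseline policy from section 1."""
from urllib.parse import urlsplit

BASELINE_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://www.googletagmanager.com; "
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
    "img-src 'self' data: https:; "
    "font-src 'self' https://fonts.gstatic.com; "
    "frame-src 'self' https://www.youtube.com; "
    "object-src 'none'; frame-ancestors 'self';"
)

# Origins the site owner has reviewed and accepted (assumed for this example).
TRUSTED_ORIGINS = {"https://js.stripe.com", "https://api.stripe.com"}

# Constructed sample reports in the report-uri JSON shape.
SAMPLE_REPORTS = [
    {"csp-report": {"effective-directive": "script-src",
                    "blocked-uri": "https://js.stripe.com/v3/"}},
    {"csp-report": {"effective-directive": "connect-src",
                    "blocked-uri": "https://api.stripe.com/v1/tokens"}},
    {"csp-report": {"effective-directive": "script-src",
                    "blocked-uri": "https://cdn.unknown-vendor.example/tag.js"}},
    {"csp-report": {"effective-directive": "script-src",
                    "blocked-uri": "inline"}},
]


def parse_csp(policy):
    """Turn "dir a b; dir2 c" into {"dir": ["a", "b"], "dir2": ["c"]}."""
    parsed = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            parsed[tokens[0].lower()] = tokens[1:]
    return parsed


def serialize_csp(parsed):
    """Inverse of parse_csp, in the form the Header directive expects."""
    return "; ".join(" ".join([name] + sources) for name, sources in parsed.items()) + ";"


def origin_of(blocked_uri):
    """Reduce a blocked URL to scheme://host; None for 'inline', 'eval', 'data' etc."""
    parts = urlsplit(blocked_uri)
    if parts.scheme in ("http", "https") and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return None


def triage(policy, reports, trusted):
    """Return (updated_policy, decisions); decisions is a list of (directive, what, verdict)."""
    parsed = parse_csp(policy)
    decisions = []
    for report in reports:
        body = report["csp-report"]
        directive = body["effective-directive"]
        origin = origin_of(body["blocked-uri"])
        if origin is None:
            # Inline scripts and eval need a nonce, a hash, or a code change.
            # Never answer this report with 'unsafe-inline' in script-src.
            decisions.append((directive, body["blocked-uri"], "needs nonce/hash review"))
            continue
        if origin not in trusted:
            decisions.append((directive, origin, "rejected: not in trust list"))
            continue
        if directive not in parsed:
            # An absent directive inherits default-src; copy that list before
            # extending it so 'self' is not silently dropped.
            parsed[directive] = list(parsed.get("default-src", []))
        if origin in parsed[directive]:
            decisions.append((directive, origin, "already allowed"))
        else:
            parsed[directive].append(origin)
            decisions.append((directive, origin, "added"))
    return serialize_csp(parsed), decisions


if __name__ == "__main__":
    new_policy, log = triage(BASELINE_CSP, SAMPLE_REPORTS, TRUSTED_ORIGINS)
    for entry in log:
        print("%-12s %-45s %s" % entry)
    print('\nHeader always set Content-Security-Policy "%s"' % new_policy)
```

The printed Header line is what you paste back into section 1. The unknown CDN is left out on purpose: a CSP that grows by copying every blocked origin from the console ends up allowing whatever an attacker manages to inject.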

Testing Your Implementation

Clear All Caches: Purge your server cache (LiteSpeed/W3TC) and your browser cache.

Test Functionality: Thoroughly browse your site. Check contact forms, embedded videos, payment portals, and analytics.

Scan Your Headers: Use a free tool like securityheaders.com to scan your domain. Aim for an ‘A’ or ‘A+’ grade, but remember that a functional site is more important than a perfect score. Check a 404 page as well as the home page, since the 'always' keyword is what makes the headers appear on error responses.
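The same checks can be run offline against headers you captured yourself. The following added example (not part of the original guide, nor the securityheaders.com scanner) audits a dict of response headers against the section 1 baseline: HSTS lifetime and subdomain coverage, nosniff, clickjacking protection from either X-Frame-Options or frame-ancestors, Referrer-Policy, Permissions-Policy, and a CSP whose script-src does not contain a free pass such as 'unsafe-inline' or https:. BEFORE and AFTER are constructed samples for a stock install and for the same page after the template is applied; they are not captures from a real site.

```python
"""Offline audit of response headers against the baseline in this guide."""
import re

ONE_YEAR = 31536000

# Constructed sample: what a stock WordPress front page typically sends.
BEFORE = {
    "Server": "Apache",
    "X-Powered-By": "PHP/8.2.0",
    "Content-Type": "text/html; charset=UTF-8",
}

# Constructed sample: the same page after the section 1 headers are applied.
AFTER = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' https://www.googletagmanager.com; "
        "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
        "img-src 'self' data: https:; object-src 'none'; frame-ancestors 'self';"
    ),
}


def header(headers, name):
    """Case-insensitive lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def audit_headers(headers):
    """Return a list of (severity, message); an empty list means the baseline is met."""
    findings = []

    hsts = header(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append(("high", "Strict-Transport-Security missing"))
    else:
        age = re.search(r"max-age=(\d+)", hsts)
        if age is None or int(age.group(1)) < ONE_YEAR:
            findings.append(("medium", "HSTS max-age is below one year"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("low", "HSTS does not cover subdomains"))

    if (header(headers, "X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append(("medium", "X-Content-Type-Options: nosniff missing"))

    csp = header(headers, "Content-Security-Policy")
    # Split the policy into {directive: [sources]}; empty if there is no CSP.
    directives = {t[0].lower(): t[1:] for t in (c.split() for c in (csp or "").split(";")) if t}

    xfo = (header(headers, "X-Frame-Options") or "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in directives:
        findings.append(("high", "no clickjacking protection (X-Frame-Options or frame-ancestors)"))

    referrer = (header(headers, "Referrer-Policy") or "").lower()
    if referrer in ("", "unsafe-url", "no-referrer-when-downgrade"):
        findings.append(("low", "Referrer-Policy missing or leaks full URLs to other sites"))

    if header(headers, "Permissions-Policy") is None:
        findings.append(("low", "Permissions-Policy missing"))

    if csp is None:
        findings.append(("high", "Content-Security-Policy missing"))
    else:
        # script-src falls back to default-src; with neither, scripts are unrestricted.
        script = directives.get("script-src", directives.get("default-src"))
        if script is None:
            findings.append(("high", "CSP has neither script-src nor default-src"))
        else:
            for weak in ("'unsafe-inline'", "'unsafe-eval'", "*", "https:", "http:", "data:"):
                if weak in script:
                    findings.append(("high", f"script-src allows {weak}"))
        if directives.get("object-src", directives.get("default-src")) != ["'none'"]:
            findings.append(("medium", "object-src is not 'none'"))

    if header(headers, "X-Powered-By") is not None:
        findings.append(("info", "X-Powered-By reveals the PHP version"))

    return findings


def grade(findings):
    """Collapse findings into a letter, the way header scanners report them."""
    severities = {sev for sev, _ in findings}
    if "high" in severities:
        return "F"
    if "medium" in severities:
        return "C"
    if "low" in severities:
        return "B"
    return "A"


if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        found = audit_headers(hdrs)
        print(f"{label}: grade {grade(found)}")
        for sev, msg in found:
            print(f"  [{sev}] {msg}")
```

To audit a live site, copy the lines printed by curl -sI https://yourdomain.example (a placeholder for your own domain) into a dict and pass it to audit_headers; run it once against the home page and once against a 404 URL.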

Need Professional Help?

If you’re overwhelmed or need a guarantee of secure, optimized implementation, the team at HypeX Digital can audit, customize, and deploy these configurations for you when you start web maintenance with us. Contact us to ensure your digital assets are properly protected.
