WordPress .htaccess Generator

Generate a clean, secure WordPress .htaccess file in seconds. Pick your security and performance rules, copy the output, and paste it at the top of your existing file or start fresh. Everything runs in your browser, and nothing is stored or sent anywhere.

WordPress Core

Required rules for WordPress to function correctly.

Security

Lock down common attack vectors and sensitive files.

Performance

Speed up your site with server-level caching and compression.

HTTPS & Redirects

Force secure connections and clean up your URLs.


            

Why your .htaccess file matters

Your .htaccess file is Apache’s instruction manual for your website. Every request that hits your server passes through it. Done right, it protects sensitive files, blocks common attacks, speeds up page delivery, and enforces HTTPS, all before WordPress even loads.

Done wrong, or left at the WordPress default, it leaves doors open that you didn’t know existed.

How to use this generator

  1. Check the rules you want. The defaults cover the most critical WordPress security basics.
  2. Watch the output update in real time on the right.
  3. Click Copy to grab the file contents, or Download .htaccess to get the file directly.
  4. Open your current .htaccess via FTP, your host’s file manager, or a plugin like WP File Manager.
  5. Back up your existing .htaccess first. Always. Paste the generated content at the very top, above any existing content, or replace everything if you’re starting fresh on a new install.

.htaccess tips by site type

WordPress blogs and content sites

Enable GZIP and browser caching on any text-heavy site. The performance gains are immediate. Block XML-RPC if you’re not using Jetpack or remote publishing tools; it’s an open endpoint attackers love.

WooCommerce stores

Force HTTPS (non-negotiable on any store), disable directory browsing, and protect wp-config.php. If your store doesn’t use XML-RPC, block it. Consider disabling PHP execution in the uploads folder; WooCommerce doesn’t need it there.

Agency-managed or multisite installs

Block author enumeration. It’s a quick win that stops bots from harvesting your usernames before brute-forcing logins. Pair it with a strong password policy and two-factor auth.
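The rules named in the site-type tips above, written out as an added example for Apache 2.4; this is not the generator's own output. It assumes the file sits in the WordPress root, that mod_rewrite is enabled, and that the host's AllowOverride setting permits these directives.

```apache
# Added example (Apache 2.4 syntax), not the generator's output.

# Disable directory browsing: no auto-generated file listings.
Options -Indexes

# Protect wp-config.php (database credentials and secret keys).
<Files "wp-config.php">
    Require all denied
</Files>

# Block XML-RPC. Leave this out if Jetpack or remote publishing is in use.
<Files "xmlrpc.php">
    Require all denied
</Files>

<IfModule mod_rewrite.c>
RewriteEngine On

# Force HTTPS. Assumes Apache terminates TLS itself; behind a proxy or
# load balancer that terminates TLS, %{HTTPS} is never "on" and this
# rule loops, so test the forwarded-protocol header instead.
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Block author enumeration (/?author=1, /?author=2, ...).
# wp-admin is excluded because its post lists filter on the same parameter.
RewriteCond %{REQUEST_URI} !^/wp-admin/ [NC]
RewriteCond %{QUERY_STRING} (^|&)author=[0-9]+ [NC]
RewriteRule ^ - [F,L]

# Refuse requests for PHP files under the uploads folder, so an uploaded
# script cannot be executed by requesting its URL.
RewriteRule ^wp-content/uploads/.*\.php$ - [F,L,NC]
</IfModule>
```

Place it above the `# BEGIN WordPress` block so these rules are evaluated before the core rewrite rules. After saving, confirm that `/xmlrpc.php`, `/wp-config.php` and `/?author=1` each return 403 while the front page and wp-admin still load.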

Important notes before you save

  • Always back up your existing .htaccess before making changes. A syntax error can take your site offline.
  • Test on staging first if you’re adding GZIP or caching rules; some host configurations conflict.
  • The www/non-www redirect: pick one and stick with it. Switching later after Google has indexed both is a headache you don’t want.
  • Hotlinking protection: if you’re on a CDN (Cloudflare, etc.), manage hotlinking there instead, since .htaccess rules may not fire for CDN-served assets.
  • Some managed WordPress hosts (WP Engine, Kinsta, Flywheel) don’t use a traditional .htaccess. Check your host’s documentation if rules don’t take effect.