
.htaccess


Who this is for: WordPress site owners on shared hosting or any Apache-based server who want to understand what the .htaccess file does before touching it.



An .htaccess file is a directory-level configuration file that tells an Apache web server how to handle requests for files in that directory—and every subdirectory below it. Unlike the server’s main configuration file (which requires root access to change), .htaccess files can be modified by anyone who has write access to the directory they sit in. That makes them the primary way shared hosting users adjust server behavior without contacting their host.

What does .htaccess do in WordPress?

WordPress writes a default .htaccess file in your site’s root directory the first time you save a permalink structure under Settings → Permalinks. That file contains one block of Apache mod_rewrite rules—as of WordPress 6.5, the default block looks like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Those six lines are the reason pretty URLs like /about-us/ work instead of /?p=2. Without them, every non-root request returns a 404.

Where to find the .htaccess file

The file lives in your WordPress root folder—the same directory as wp-config.php. It starts with a dot, which marks it as hidden on Linux/macOS. In cPanel’s File Manager, enable Show Hidden Files to see it. Via FTP, enable “show hidden files” in your client (FileZilla: Server → Force showing hidden files).

We see this on client sites regularly: someone installs a clean WordPress, can’t find .htaccess, and assumes it wasn’t created. It was—it’s just hidden by default.

What else can .htaccess control?

Outside the WordPress rewrite block, .htaccess handles a wide range of server-level tasks:

  • 301/302 redirects — move pages without losing SEO value
  • Password protection — restrict directory access with AuthType Basic
  • HTTPS enforcement — redirect HTTP to HTTPS before a plugin can
  • Hotlink protection — block other sites from embedding your images
  • PHP settings — override upload_max_filesize or memory_limit on hosts that allow it
  • Custom error pages — serve a branded 404 instead of the server default
  • Security headers — add X-Frame-Options or Content-Security-Policy at the server level

Security plugins like Wordfence and Sucuri write their own rules into .htaccess to block malicious requests before WordPress even loads—making .htaccess-level protection faster than anything PHP can do.

One thing to get right before you edit it

Always download a backup of .htaccess before making changes. A single syntax error can take your entire site offline with a 500 Internal Server Error. In our testing across 200+ client sites, the most common self-inflicted outage is a mistyped rewrite rule. The Apache .htaccess documentation is the authoritative reference for syntax.
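A structural pre-flight check for the kind of typo described above, as an added example (not code from WPSchool, WordPress, or Apache). The function name `lint_htaccess` and the sample inputs are hypothetical; it only verifies that container tags and the WordPress markers are paired, and does not validate individual directives.

```python
import re

# Apache container tags, e.g. <IfModule mod_rewrite.c> or </IfModule>.
TAG = re.compile(r"^<(/?)([A-Za-z]+)(\s.*)?>$")

# Constructed sample: the default WordPress rewrite block.
GOOD = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""
# Constructed sample: same block with a mistyped closing tag.
BROKEN = GOOD.replace("</IfModule>", "</IfModul>")

def lint_htaccess(text):
    """Return (line_number, message) pairs for structural problems."""
    problems, stack, wp_begin = [], [], None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line in ("# BEGIN WordPress", "# END WordPress"):
            opening = line.startswith("# BEGIN")
            if opening == (wp_begin is not None):  # nested BEGIN or stray END
                problems.append((lineno, "unpaired WordPress marker"))
            wp_begin = lineno if opening else None
        elif line.startswith("<"):
            m = TAG.match(line)
            if not m:
                problems.append((lineno, f"malformed container tag {line}"))
            elif not m.group(1):                   # opening tag: remember it
                stack.append((m.group(2).lower(), lineno))
            elif stack and stack[-1][0] == m.group(2).lower():
                stack.pop()                        # closes the innermost block
            else:
                problems.append((lineno, f"unexpected closing tag {line}"))
    problems += [(n, f"<{name}> is never closed") for name, n in stack]
    if wp_begin is not None:
        problems.append((wp_begin, "'# BEGIN WordPress' has no END marker"))
    return problems

if __name__ == "__main__":
    for n, msg in lint_htaccess(BROKEN):
        print(f"line {n}: {msg}")
```

Run it against the edited copy before uploading, and keep the backup regardless: a file that passes this check can still contain an invalid directive.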

Last verified: April 2026

