web60

WordPress .htaccess Generator

Generate a production-ready .htaccess file for your WordPress site. Select your options and download instantly.

Back up your existing .htaccess first

An incorrect .htaccess file can make your site inaccessible. Always test on a staging site before replacing your production file.

Core Rules

HTTPS & Redirects

WWW Preference

Security

Understanding .htaccess for WordPress

What is .htaccess?

The .htaccess file is a configuration file used by Apache web servers to control how your website behaves. It sits in your WordPress root directory and can enforce HTTPS redirects, set security headers, control caching, block malicious requests, and manage URL rewriting. WordPress itself creates a basic .htaccess file for pretty permalinks, but most sites benefit from additional rules.

HTTPS and redirect rules

Forcing HTTPS ensures all traffic to your site is encrypted. Without a redirect rule, visitors accessing http://yourdomain.com will see an insecure version of your site or a browser warning. The HTTPS redirect rule in .htaccess catches these requests at the server level and redirects them before WordPress even loads, which is faster and more reliable than handling redirects in PHP. WWW-to-non-WWW redirects (or vice versa) prevent duplicate content issues that can harm your search rankings.

Security headers

Security headers are HTTP response headers that instruct browsers to apply specific security policies. X-Frame-Options prevents your site from being embedded in iframes on other sites (clickjacking protection). X-Content-Type-Options stops browsers from guessing file types (MIME sniffing), which prevents attacks that rely on the browser treating a file as a different type than the one the server declared. Referrer-Policy controls how much referrer information is shared when visitors click links on your site. These headers cost nothing to implement and meaningfully improve your site’s security posture.

XML-RPC protection

XML-RPC is a WordPress API that allows remote applications to interact with your site. It was originally designed for mobile apps and external publishing tools, but it has become a common target for brute-force login attacks and DDoS amplification. Most modern WordPress sites do not need XML-RPC enabled. Blocking access to xmlrpc.php in .htaccess stops these attacks at the server level before they reach WordPress.

Browser caching rules

Browser caching tells visitors’ browsers to store static files locally for a set period. When a returning visitor loads your site, their browser serves images, CSS, and JavaScript from its local cache instead of downloading them again. This significantly reduces page load times and server bandwidth. The generator sets sensible cache durations: longer for images and fonts (which rarely change), shorter for CSS and JavaScript (which update more frequently).
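
The rules described in the sections above, written out as a single .htaccess fragment. This is an added example, not the generator's actual output: the header values, the cache durations and the choice of non-WWW as the canonical host are assumptions, and the xmlrpc.php rule uses Apache 2.4 syntax.

```apache
# Added example (not generator output). Place above "# BEGIN WordPress";
# WordPress rewrites everything between its own BEGIN/END markers.

<IfModule mod_rewrite.c>
RewriteEngine On
# Force HTTPS at the server level, before PHP runs.
# Behind a TLS-terminating proxy %{HTTPS} stays "off" and this rule loops;
# there, test the proxy's X-Forwarded-Proto header instead.
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Canonical host: WWW to non-WWW (assumed preference).
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]
</IfModule>

<IfModule mod_headers.c>
# "always" also applies the headers to error responses.
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

# Deny xmlrpc.php before the request reaches WordPress.
# Apache 2.4 syntax; Apache 2.2 uses Order/Deny directives instead.
<Files "xmlrpc.php">
Require all denied
</Files>

<IfModule mod_expires.c>
ExpiresActive On
# Longer for images and fonts, shorter for CSS and JavaScript.
# The durations below are assumed values, not the generator's.
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType image/webp "access plus 1 year"
ExpiresByType font/woff2 "access plus 1 year"
ExpiresByType text/css "access plus 1 month"
ExpiresByType text/javascript "access plus 1 month"
ExpiresByType application/javascript "access plus 1 month"
</IfModule>
```

After deploying on staging, request the site over plain HTTP and inspect the response headers to confirm the 301 redirect and the three security headers are present, and confirm that a request to xmlrpc.php returns 403.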

When to avoid editing .htaccess

A syntax error in .htaccess will take your entire site offline. Always download a backup before making changes, and test after every edit. If your host uses Nginx instead of Apache (as Web60 does), the .htaccess file is ignored entirely. Nginx uses its own configuration format. Web60 applies all of these security rules, caching policies, and redirect logic at the server level automatically, so our customers never need to touch .htaccess.