If you are just starting out as a web designer or developer working with WordPress, chances are you have seen a .htaccess file and wondered what it is.
.htaccess files are per-directory configuration files read by the Apache HTTP Server.
A .htaccess file tells the server how to treat the folder it sits in and the files under it. Most of what goes into one concerns access control, security and redirection.
Whether a visitor is allowed to reach a file at all, whether they are redirected to another page, and whether they have to log in first can all be decided by the .htaccess rules on a website.
How Does .htaccess Work?
Before we can look at how .htaccess works, we need to explain a little about Apache.
Apache (the Apache HTTP Server, httpd) is web server software that sits as a layer between the operating system on the machine and the visitor's web browser.
It serves content over HTTP and HTTPS. Other internet services such as mail (SMTP) and name resolution (DNS) are handled by separate server software, not by Apache httpd.
In practice it lets a remote client fetch certain files, or run certain programs or scripts, on your machine over the internet.
Apache maps URLs onto a directory tree, with its data separated into folders and files (similar to how you browse them in Windows Explorer).
A .htaccess file in a parent directory applies to all files and child directories beneath it, provided the server's main configuration allows overrides there (the AllowOverride directive). A .htaccess file in a child directory inherits those rules and can add to or override them.
For example, in a WordPress install the .htaccess file in the site root affects every file in that folder, from index.php to xmlrpc.php, including everything under the "wp-admin", "wp-content" and "wp-includes" folders.
Every time a user requests a file or folder, Apache looks for a .htaccess file in that directory and in each directory above it, and merges the rules it finds, on every single request.
Only after those rules have cleared the request will Apache serve or run the file.
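As an added example (not from the original article), here is the server-side half of that arrangement as it would appear in httpd.conf or a virtual host file; the document-root path is an assumption. Without an AllowOverride that covers them, the rules in a .htaccess file are either silently ignored (AllowOverride None) or, for directive types that are not permitted, turned into a 500 error.

```apache
# httpd.conf / virtual host -- added example, not the article's own config.
# The document root path is a placeholder for illustration.

# Name of the per-directory override file Apache looks for (this is the default).
AccessFileName .htaccess

# Never serve the override or password files themselves, whatever other rules say.
# Stock Apache configurations ship an equivalent block.
<Files ".ht*">
    Require all denied
</Files>

# Start closed: no overrides and no access anywhere on the filesystem ...
<Directory />
    AllowOverride None
    Require all denied
</Directory>

# ... then open only the document root, and permit only the directive groups
# this site's .htaccess files actually use:
#   AuthConfig  -> AuthType, AuthUserFile, Require (password protection)
#   FileInfo    -> RewriteEngine/RewriteRule, ErrorDocument, Redirect
#   Limit       -> the legacy Order/Allow/Deny directives
#   Options=... -> lets .htaccess toggle just the listed Options
# A .htaccess directive outside these groups fails the request with
# "500 Internal Server Error" and an error_log line such as
# "/var/www/example.com/public/.htaccess: RewriteEngine not allowed here".
# mod_rewrite in a .htaccess also needs FollowSymLinks (or SymLinksIfOwnerMatch).
<Directory "/var/www/example.com/public">
    Options -Indexes +FollowSymLinks
    AllowOverride AuthConfig FileInfo Limit Options=Indexes
    Require all granted
</Directory>
```

After editing the server config, run `apachectl configtest` and reload. Note that configtest does not check .htaccess files: they are parsed at request time, so the first sign of a typo in one is a 500 on the next request, with the reason in the error log. Because every request walks the directory tree looking for these files, sites that control their own server often move the rules into the <Directory> block and set AllowOverride None, which is both faster and removes a file in the writable web root that an attacker with upload access could rewrite.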
What can you do with the .htaccess file?
Since .htaccess lets you "get in the middle" of a user and the file they want to access, it has a lot of practical applications.
You can for example:
- Require a password to access every file/folder on your site.
- Redirect all requests for non-existent files to a certain page.
- Automatically load a subdirectory when ROOT is accessed.
- Force www in the URL of your website, or forcefully remove it.
- Deny access from certain IP addresses.
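Here is a single .htaccess that does all five, written as an added example for this article (it is not the article's own file). It assumes Apache 2.4 syntax; example.com, /blog/, /missing.html, the .htpasswd path and the blocked addresses are placeholders.

```apache
# .htaccess in the site root -- added example, not the article's own file.
# Hostnames, paths and addresses below are placeholders.

# 1 + 5. Password-protect everything, AND refuse listed addresses even with a
# valid password. Both conditions must hold, hence <RequireAll>; two plain
# Require lines at the same level would be OR-ed together and the IP block
# would be bypassed by anyone who knows the password.
# Create the credentials file outside the web root with:
#   htpasswd -c /var/www/example.com/.htpasswd alice
AuthType Basic
AuthName "Staging site"
AuthUserFile "/var/www/example.com/.htpasswd"
<RequireAll>
    Require valid-user
    # 203.0.113.0/24 and 198.51.100.7 are documentation addresses standing in
    # for a real blocklist.
    Require not ip 203.0.113.0/24 198.51.100.7
</RequireAll>

# 2. Send requests for files that do not exist to one page. ErrorDocument keeps
# the 404 status code, so crawlers do not index junk URLs as real pages. A
# RewriteRule to the same page would answer 200 instead, which is usually not
# what you want.
ErrorDocument 404 /missing.html

RewriteEngine On
RewriteBase /

# 4. Force the canonical www host with a permanent redirect. This rule comes
# first so the host is fixed before any other rewrite fires. To strip www
# instead, match ^www\.(.+)$ [NC] and redirect to https://%1%{REQUEST_URI}.
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

# 3. Serve the /blog/ subdirectory when the bare root is requested, as an
# internal rewrite (the address bar still shows the root).
RewriteRule ^$ blog/ [L]
```

Rule order matters in mod_rewrite: with the host redirect placed first, a request for the bare root is sent to the www host before the root-to-subdirectory rewrite runs. Basic auth sends the password with every request, so it is only sensible on an HTTPS site.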
.htaccess in WordPress
WordPress is typically installed on Apache (as opposed to nginx, which ignores .htaccess files entirely), and on Apache WordPress writes a .htaccess file itself when you enable pretty permalinks.
Open it up and this is the only thing you will see. The rules hand any request that is not a real file or directory to index.php, which is how pretty permalinks work; the /wordpress/ paths mean this site lives in a subdirectory, and a root install uses / instead:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /wordpress/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /wordpress/index.php [L]
</IfModule>
# END WordPress
But if you use certain WordPress security plugins, they will drastically change your .htaccess file to prevent things like brute-force attacks and access from known bad IPs.
For example, the security plugin All In One WP Security & Firewall writes rules like the following. They deny direct requests to .htaccess and wp-config.php, hide the Apache version from error pages (ServerSignature Off) and cap request bodies at roughly 10 MB. The paired <IfModule> blocks exist because the access-control syntax changed between Apache 2.2 (Order/Deny) and 2.4 (Require); only one of each pair is active on a given server. The first block is belt and braces, since a stock Apache configuration already refuses to serve any file whose name starts with .ht:
# BEGIN All In One WP Security
#AIOWPS_BASIC_HTACCESS_RULES_START
<Files .htaccess>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
ServerSignature Off
LimitRequestBody 10240000
<Files wp-config.php>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
#AIOWPS_BASIC_HTACCESS_RULES_END
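The plugin's rules can be extended by hand. The following is an added example for this article, not output of All In One WP Security or any other plugin; it assumes Apache 2.4 syntax, and the .htpasswd path is a placeholder.

```apache
# Added example for this article, not the plugin's output. Assumes Apache 2.4.
# The .htpasswd path is a placeholder; create it with htpasswd -c.

# Second line of defence against login brute force: HTTP Basic auth in front of
# the WordPress login form, so bots never reach the POST handler in wp-login.php.
# Needs AllowOverride AuthConfig.
<Files wp-login.php>
    AuthType Basic
    AuthName "Admin login"
    AuthUserFile "/var/www/example.com/.htpasswd"
    Require valid-user
</Files>

# xmlrpc.php accepts batched login attempts (system.multicall) and pingbacks;
# deny it unless something you rely on, such as the mobile app, needs it.
<Files xmlrpc.php>
    Require all denied
</Files>

# No directory listings for folders without an index file.
# Needs AllowOverride Options (or set it in the server's <Directory> block).
Options -Indexes

# The upload directory should contain media only. A separate .htaccess placed
# in wp-content/uploads/ with exactly this content stops a smuggled PHP file
# from executing, even if an upload filter was bypassed:
#
#   <FilesMatch "\.(php|phtml|php[3-7])$">
#       Require all denied
#   </FilesMatch>
```

Verify the rules from outside after a reload: `curl -I https://example.com/wp-config.php` and `curl -I https://example.com/.htaccess` should both answer 403 Forbidden, and `curl -I https://example.com/wp-login.php` should answer 401 and ask for credentials. A 200 on any of these means overrides are not enabled for that directory and the file is being ignored.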
What is the 4G, 5G, 6G .htaccess Firewall or Blacklist?
The 4G, 5G and 6G Firewall (or Blacklist) is a set of .htaccess rules designed to reduce hostile requests to your site to a minimum.
For more than 10 years, Jeff Starr, the WordPress developer behind the industry blog Perishable Press, has released these to the public.
The most recent release at the time of writing is the 6G Firewall.
It is not a WordPress plugin; you install it by simply adding the code to the .htaccess file in your ROOT directory.
(This means it also works for non-WordPress sites.) Because its rules match on request URIs, query strings, user agents and referrers, test them against your own site and plugins before relying on them, and keep a copy of your previous .htaccess so you can roll back.