WordPress .htaccess Generator

Generate a safe, minimal .htaccess file for your WordPress website.

Backup First!

Always backup your existing .htaccess file before making changes. A single typo can cause a "500 Internal Server Error".

Production-Ready WordPress Rules

# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# Security: Disable directory browsing
Options -Indexes

# Security: Protect wp-config.php
<Files wp-config.php>
    Order Allow,Deny
    Deny from all
</Files>

# Security: Protect .htaccess
<Files .htaccess>
    Order Allow,Deny
    Deny from all
</Files>

# Security: Block XML-RPC to prevent DDoS/Brute force
<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>

Why does WordPress need a .htaccess?

WordPress uses the .htaccess file on Apache servers to manage its Permalinks. Without it, your "Pretty URLs" (like example.com/about-us) wouldn't work, and you'd be stuck with example.com/?p=123.

Who should use this?

Beginners who accidentally deleted their file, or those seeing 404 errors on all pages except the homepage.

When NOT to use this?

If your site runs on Nginx or IIS. These servers do not use .htaccess files at all.

Plain-English Explanation

RewriteEngine On

Framework Critical

Tells the server that we want to use the "Rewrite" module to change how URLs are handled.

RewriteCond %{REQUEST_FILENAME} !-f

Framework Critical

"If the requested URL is NOT an actual file (like an image or CSS)..."

Options -Indexes

Optional / Recommended

Prevents hackers from seeing a list of all your files if they visit a folder like /wp-content/uploads/.

Files xmlrpc.php

Optional / Recommended

Blocks access to a legacy WordPress file often used for brute-force attacks.

Frequently Asked Questions (FAQs)

Upload the .htaccess file to your website’s root directory. This is usually named public_html, www, or httpdocs. It should be in the same folder as the wp-config.php file.

Files that start with a dot (like .htaccess) are hidden by default. In your hosting file manager or FTP client, enable the option “Show Hidden Files” or “Show Dotfiles” to make it visible.

Missing the dot: The file must be named .htaccess. Names like htaccess.txt or .htaccess.php will not work.
Incorrect file permissions: Set permissions to 644. If the file is too restrictive, Apache won’t be able to read it.
Editing with Word: Using word processors can insert hidden characters. Always edit the file using a plain text editor.

Some low-cost shared hosting providers disable AllowOverride, which prevents .htaccess rules from working. In such cases, the file is ignored entirely. You may need to contact your hosting provider to confirm support.

Yes. WordPress can regenerate its default rules. Go to Settings → Permalinks in the admin panel and click “Save Changes”. This will recreate the .htaccess file if permissions allow.

Explore Other .htaccess Tools:

301 Redirect Generator Laravel .htaccess CodeIgniter .htaccess Plain PHP .htaccess Browse All Tools