December 25, 2018

Many new site owners find themselves asking a common question: where is the .htaccess file in WordPress sites? Before we get there, let’s zoom out to give some context. 

WordPress relies on several open-source applications, including the PHP interpreter, the MySQL database, and the Apache web server. Apache’s role is to pass requests to WordPress so that HTML pages can be generated. Apache then sends those pages to the browser that requested them. Without Apache, WordPress wouldn’t be on the web.

Apache can be configured to handle requests according to the needs of the application and its users. Most of that configuration lives in the httpd.conf file which acts as a centralized configuration file for all sites on the server. However, it is often necessary to customize the configuration for individual sites. This is where the WordPress .htaccess file comes in.

Htaccess basics

The .htaccess file is among WordPress’s core files, and tells the server how to address certain aspects of your website such as redirecting users and protecting certain directories. It’s a server configuration file that allows and disallows certain functionality. Unlike the httpd.conf file, the .htaccess file is a per-directory configuration file that only affects the site in the same directory as the file. 

Most WordPress configurations can be done from within the WordPress admin dashboard, but in some cases, it can be useful to make changes to .htaccess. 

Before we look at how to find and edit the .htaccess file, it’s important to understand that mistakes in .htaccess can take a WordPress site offline, make pages inaccessible, or hurt its SEO. Be careful when editing .htaccess, and always have your site backed up.

Where is the Htaccess file in WordPress?

So, how do you locate the .htaccess file? If you look in your WordPress site’s root directory, you may find that it already has an .htaccess file. If it isn’t in your root directory, your .htaccess file may just be hidden from view by your File Transfer Protocol (FTP) client, as it’s a sensitive file that isn’t intended to be edited often. Another possibility, if you can’t find your .htaccess file, is that it just may not exist yet, but let’s back up and take a step-by-step look at how to find the .htaccess file. Generally, you can use the steps below, but keep in mind that there may be some differences with each hosting provider and FTP client.

  1. Download an FTP client if you haven’t done so already. Many free versions, such as FileZilla, are sufficient. If you’re hosting with Nexcess, simply log in to the SiteWorx account shared in your Welcome Email.
  2. Connect to your website’s server using the FTP client.
  3. Once you have connected to the server, access your site directory (this can be found in your cPanel), and select the “root” folder.
  4. Below files such as wp-admin and wp-content, the .htaccess file should appear.
  5. Right click on the .htaccess file and select ‘Edit.’
  6. You should now be able to make changes to the .htaccess file.

If your .htaccess file is not appearing in the root folder, check with your FTP client on how to access hidden files as every FTP client has its own process.

How the Htaccess file works with WordPress

Whether or not you choose to manually edit the .htaccess file, it’s still being worked on by WordPress. WordPress adds rules to .htaccess, as do some WordPress plug-ins. When you change the permalink structure of a WordPress site, rules are written to the .htaccess file so that Apache knows about the changes. Security plug-ins often use .htaccess to block IP addresses or limit access to the site.

If you aren’t familiar with .htaccess or editing configuration files on the command line, you may prefer to find a plug-in that does what you need before attempting to manually edit .htaccess. These plug-ins are written by developers and extensively tested. 

But if you feel confident enough and have backed up your site, you can still gain quite a few benefits from changing your .htaccess file. From redirects to basic .htaccess security adjustments, let’s take a look at a few short and useful rules you can add on your own.

Create 301 redirects

A 301 redirect is used when a page is permanently moved to a new location. It lets browsers and search engines know that the page is located at a different URL. To redirect a page in your .htaccess file, add the following rule:

  • Redirect 301 /old-url/

Block access to sensitive files

Many files in the WordPress directory shouldn’t be readable by the whole internet – the wp-php.config file is a good example. With the following rules, you can block access to files that should not be accessible to all browsers.

  • Order deny,allow
  • Deny from all

Keeping your sensitive files private with this basic .htaccess adjustment is a smart move, even for new site owners.

Prevent specific IP addresses from loading the site

The .htaccess file can also be used to deny access to requests from particular IPs.
This can be useful for blocking a small number of IP addresses by adding the rules below. 

However, if you’re having problems with brute force attacks against your WordPress site, a plug-in like SiteGuard WP is a more efficient solution.

  • order allow, deny
  • deny from
  • allow from all

Make sure to replace the IP address in the above with the address that you would like to block.

Stop directory browsing

Directory browsing, which is permitted by default, allows bad actors to see the files in your WordPress site’s directory – information that might be useful to them.

  • Options -Indexes

The above command will prevent directory browsing.

We’ve covered only a few of the many configuration options that can be used to control Apache. For a full explanation, take a look at .htaccess Guide.

Learn more about Htaccess files

We set out to answer a few important questions for WordPress site owners: Where is the .htaccess file in WordPress sites? What is it? And how do we make changes to .htaccess?

To summarize, .htaccess is a configuration file that’s specific to your site and can be found in the root folder of your site directory using an FTP client. By adding a few simple rules into .htaccess, you can create helpful redirects and establish heightened security measures for your site.

Don’t forget, we’re here to help, so don’t hesitate to chat with our experts to learn more about htaccess basics.


Nexcess, the premium hosting provider for WordPress, WooCommerce, and Magento, is optimized for your hosting needs. Nexcess provides a managed hosting infrastructure, curated tools, and a team of experts that make it easy to build, manage, and grow your business online. Serving SMBs and the designers, developers, and agencies who create for them, Nexcess has provided fully managed, high-performance cloud solutions for more than 22 years.

We use cookies to understand how you interact with our site, to personalize and streamline your experience, and to tailor advertising. By continuing to use our site, you accept our use of cookies and accept our Privacy Policy.