
.htaccess Generator

Generate a WordPress .htaccess file with hardening rules, GZIP compression and browser caching — choose the rules you need and download in one click.

Rules available: Block xmlrpc.php, Protect wp-config.php, GZIP compression, Browser caching, Author scan block, PHP file protection.

Rules you can include

Block xmlrpc.php

Deny all requests to xmlrpc.php. This removes the amplification attacks and the multicall password guessing that pack many login attempts into a single HTTP request, which is how they bypass per-request rate limiting.

Protect wp-config.php

Block direct HTTP access to wp-config.php. Even if it's in the web root, this rule prevents anyone from requesting the file directly.

GZIP compression

Enable mod_deflate for HTML, CSS, JS, XML and JSON. Reduces page transfer size by 70–85% — significant performance improvement with no code changes.

Browser caching

Set Expires and Cache-Control headers for images (1 year), CSS/JS (1 year with ?ver= busting) and fonts (1 year). Reduces repeat visit load times.

Block author enumeration

Redirect /?author=1 requests to the home page. Prevents automated scanners from discovering WordPress usernames via the author query parameter.

Protect uploads from PHP

Block execution of PHP files inside /wp-content/uploads/. Prevents uploaded malware (disguised as images) from being executed as PHP scripts.

Frequently asked questions

What is .htaccess and what does it control in WordPress?

.htaccess is a per-directory Apache configuration file that controls how the server processes requests for that directory and its subdirectories. In WordPress it handles pretty permalinks (routing /post-name/ to index.php), security (blocking sensitive files), performance (GZIP and caching headers), and redirects. Changes take effect immediately without a server restart, provided the server's AllowOverride setting permits the directives used.

Should I block xmlrpc.php in WordPress?

Yes, in most cases. xmlrpc.php enables brute force attacks (attackers can try thousands of passwords in a single request via multicall) and amplification DDoS. Only keep it enabled if you use Jetpack, older mobile WordPress apps, or a third-party service that requires XML-RPC. Blocking it eliminates a significant attack vector.

How do I enable GZIP compression in WordPress .htaccess?

Use the mod_deflate module with AddOutputFilterByType DEFLATE for text/html, text/css, application/javascript, text/xml and application/json. GZIP typically reduces HTML by 70–85%, CSS by 75–90%, JavaScript by 65–80%. Verify with a GZIP checker tool or look for "Content-Encoding: gzip" in browser DevTools response headers.

What browser caching rules should I add to WordPress .htaccess?

Use the mod_expires module. Recommended: images (JPG, PNG, WebP, SVG) — 1 year; CSS and JavaScript — 1 year (WordPress appends ?ver= for cache busting); fonts — 1 year; HTML — 0–5 minutes for fresh content. A caching plugin (WP Rocket, W3 Total Cache) or CDN (Cloudflare) will handle this more comprehensively.
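As an added example (written here, not the generator's output), a single root .htaccess that assembles the six rule groups listed above together with the GZIP and caching settings from the FAQ; it assumes Apache 2.4 with mod_rewrite, mod_deflate and mod_expires loaded:

```apache
# Constructed example: the six rule groups from this page in one root .htaccess.
# Assumes Apache 2.4 (Require syntax) with mod_rewrite, mod_deflate and
# mod_expires loaded; place it ABOVE the "# BEGIN WordPress" block.

# Block xmlrpc.php (only if no Jetpack / XML-RPC client is in use)
<Files "xmlrpc.php">
    Require all denied
</Files>

# Protect wp-config.php from direct HTTP requests
<Files "wp-config.php">
    Require all denied
</Files>

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Block author enumeration: send /?author=N to the home page and drop the
    # query string (trailing "?"). wp-admin is excluded because its own
    # screens legitimately use ?author= to filter post lists.
    RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
    RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
    RewriteRule ^ /? [L,R=301]

    # Protect uploads from PHP: a <Files> block cannot be scoped to one
    # subdirectory from the root file, so the rewrite engine answers 403.
    # The trailing (\.|$) also catches double extensions such as image.php.jpg.
    RewriteRule ^wp-content/uploads/.+\.(php|phtml|php[0-9])(\.|$) - [F,NC]
</IfModule>

# GZIP compression for text-based responses
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/css text/xml application/javascript application/json
</IfModule>

# Browser caching: mod_expires emits both Expires and Cache-Control: max-age
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType image/jpeg             "access plus 1 year"
    ExpiresByType image/png              "access plus 1 year"
    ExpiresByType image/webp             "access plus 1 year"
    ExpiresByType image/svg+xml          "access plus 1 year"
    ExpiresByType text/css               "access plus 1 year"
    ExpiresByType application/javascript "access plus 1 year"
    ExpiresByType font/woff2             "access plus 1 year"
    # HTML stays short-lived so edited posts show up promptly
    ExpiresByType text/html              "access plus 5 minutes"
</IfModule>
```

To confirm the rules took effect, check with curl that a request for xmlrpc.php returns 403, and that a CSS file requested with an Accept-Encoding: gzip header comes back with Content-Encoding: gzip and Cache-Control: max-age=31536000 (example.com stands in for your own host): `curl -sI -H 'Accept-Encoding: gzip' https://example.com/wp-content/themes/your-theme/style.css`.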

Related WordPress tools

More tools for WordPress hardening.

wp-config.php Generator

Harden your WordPress config file alongside .htaccess.

Login Exposure Checker

Check if wp-login.php and xmlrpc.php are publicly accessible.

Robots.txt Generator

Generate a WordPress-optimized robots.txt file.
