.htaccess Generator for WordPress

.htaccess Basics Guide

JA

What is .htaccess?

A per-directory configuration file for the Apache web server .

The file is named .htaccess (dot prefix). Placing it in a directory controls the behavior of that directory and everything beneath it.

Normally, Apache settings are managed in httpd.conf , the server-wide configuration file, but shared hosting providers typically do not allow direct access to it.

.htaccess exists as a mechanism that lets you override settings on a per-directory basis without needing server-administrator privileges.

Placement and scope

Location Scope
Site root ( /public_html/ ) Entire site
/public_html/blog/ /blog/ and below only

In most cases, a single file placed in the site root where WordPress is installed is all you need.

What .htaccess can do

Feature Example
Request rewriting 301 redirect from HTTP to HTTPS, URL normalization
Access restriction Block specific IPs or bot User-Agents (return 403)
File protection Deny direct access to wp-config.php or .htaccess itself
Response header injection Add security headers: HSTS, CSP, X-Frame-Options, etc.
Cache control Set browser cache expiry for images, CSS, and JS
Compression Reduce response size with Gzip compression

Supported and unsupported environments

.htaccess is an Apache-only feature. Most major Japanese shared hosting services run Apache, so it works out of the box.

Compatibility of major hosting providers

Provider Support
Xserver ✅ Supported
ConoHa WING ✅ Supported
Shin Rental Server ✅ Supported
Sakura Internet ✅ Supported
Lolipop ✅ Supported
VPS (Nginx self-hosted) ❌ Not supported
KUSANAGI (Nginx mode) ❌ Not supported

On Nginx: Configuration is done in nginx.conf or a server block. The syntax differs, but the concepts overlap, so your .htaccess knowledge still applies.

Relationship with WordPress

The block WordPress auto-generates

When you save settings under Settings → Permalinks in WordPress, the following block is automatically written to .htaccess . 

# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress"
# are dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Note: The line RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] was added in WordPress 6.0 to fix a bug where Apache strips the Authorization header, which affects the REST API and Application Passwords. The exact content of the auto-generated block may vary between WordPress versions.

Where to put your custom rules

Everything between # BEGIN WordPress and # END WordPress is automatically overwritten by WordPress — never edit it directly. Add your custom rules above the block. 

# ✅ Write your custom rules here (above the WordPress block)

# Example: HTTPS redirect
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on [NC]
    RewriteCond %{HTTP:X-Forwarded-Proto} !https [NC]
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

# ⚠️ Also leave plugin-generated blocks untouched (Wordfence, EWWW, etc.)
# ...

# BEGIN WordPress
# (Auto-generated by WordPress — do not edit)
...
# END WordPress

The typical order is: custom rules → plugin-generated blocks → # BEGIN WordPress . Treat plugin-generated blocks (Wordfence, EWWW Image Optimizer, Nginx Cache, etc.) the same way — never edit them directly.

The three pillars of .htaccess syntax

Most of the code you encounter in .htaccess is built from combinations of these three directives. 

IfModule      → "Is this module available?" (safety guard)
 └ RewriteCond  → "Does this condition match?" (if statement)
   └ RewriteRule  → "Condition met — apply this transformation" (action)

<IfModule> — safety guard for modules

Executes the enclosed directives only when the specified Apache module is enabled. Writing module-dependent directives without <IfModule> on a server that lacks the module will cause a 500 error and site outage , so always wrap them. 

<IfModule mod_rewrite.c>
    # Executed only when mod_rewrite is available
    RewriteEngine On
    ...
</IfModule>

RewriteCond — condition (if statement)

Evaluates whether to run the following RewriteRule . Multiple consecutive conditions default to an AND relationship — all conditions must match for the rule to fire. 

RewriteCond %{TEST_STRING} pattern [flags]

RewriteRule — the action

Rewrites or redirects the URL when all preceding conditions are satisfied.

RewriteRule pattern substitution [flags]

For a detailed breakdown of directives and flags, see the Directives & Flags Guide .

Important notes

Always back up before editing

A typo in .htaccess will immediately trigger a 500 error (site outage) . Always download a backup before making any changes.

Backup method Steps
FTP / File manager Download the existing .htaccess and save it locally
Rename a copy on the server Duplicate and rename to .htaccess.bak on the server

Recovery when a 500 error occurs

If a 500 error appears after editing, restore the backup file to its original name and the site will recover. For detailed recovery steps, see the Recovery Guide .

← Back to Generator