.htaccess security basics for shared hosting (without breaking WordPress)

Apache still powers a huge chunk of the web, especially shared hosting where you get a `.htaccess` file instead of a Kubernetes cluster. That file is powerful; treat it like production config.

What .htaccess is for

On Apache, where `AllowOverride` permits it, per-directory config lets you force HTTPS, set cache headers, deny directory listings, and route pretty URLs without touching the main server config. On nginx-only hosts, these rules do nothing — know your stack first.

On each request Apache may read every `.htaccess` from the document root down to the requested directory. Keep files small and test after every change. A syntax error takes down every URL in that folder with a 500.

WordPress, Laravel, and static SPAs each expect different rewrite recipes. Copy-paste from a random forum thread is how permalinks die.

Security-minded defaults

Force HTTPS with a 301 once certificates work. Add HSTS at the CDN or vhost when you are confident you will not downgrade to HTTP during migration.

Block access to dotfiles, backup extensions (`.bak`, `.sql`), and environment files. Directory listing should be off unless you intentionally serve public downloads from that folder.
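Here is what those defaults look like as one `.htaccess` fragment. This is an added example, not code from the page or from the DroidXP generator; it assumes Apache 2.4 with `mod_rewrite` loaded and an `AllowOverride` that permits `FileInfo`, `Options` and `Limit`, and it extends the page's `.bak`/`.sql` list with a few more backup suffixes of my own choosing.

```apache
# Added example (not the page's or the generator's code).
# Assumes Apache 2.4 (mod_authz_core), mod_rewrite, and AllowOverride
# covering FileInfo, Options and Limit. Place this block ABOVE the
# "# BEGIN WordPress" block and never edit inside that block.

# 1. No directory listings; a download folder can re-enable them
#    with its own .htaccess containing "Options +Indexes".
Options -Indexes

# 2. Force HTTPS with a permanent redirect (only once TLS works).
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Behind a TLS-terminating CDN/proxy, %{HTTPS} is "off" even when
    # the client used https; checking X-Forwarded-Proto avoids a loop.
    RewriteCond %{HTTPS} !=on
    RewriteCond %{HTTP:X-Forwarded-Proto} !=https
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # 3. 403 for dotfiles and dot-directories (.env, .git/, .svn/),
    #    but keep /.well-known/ reachable for ACME certificate renewal.
    RewriteRule "(^|/)\.(?!well-known/)" - [F]
</IfModule>

# 4. Deny backup and dump extensions that leak source or data.
#    (.bak and .sql are from the page; the rest are my additions.)
<FilesMatch "\.(bak|sql|old|orig|swp)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback for older shared hosts.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

After deploying, confirm with `curl -I` that `http://` answers 301 to the `https://` URL, that `/.env` and `/backup.sql` return 403, and that a normal permalink still returns 200.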

The .htaccess Generator on DroidXP assembles common snippets — redirects, gzip, cache lifetimes, SPA fallback, UTF-8 — in the browser. Copy, paste into your repo, diff, deploy. No upload of your vhost secrets.

Performance without guesswork

Enable compression for text assets and set sensible `Cache-Control` for hashed static files. Do not cache `index.html` aggressively if you ship SPA bundles with changing filenames — cache `assets/*` with long max-age instead.

Canonical host rules (www vs apex) belong in one place. Pick one hostname and 301 the other before you earn duplicate content in Search Console.

Test rewrite loops: trailing-slash rules plus WordPress’s own rules can fight until requests time out.

Deploy discipline

Version `.htaccess` in git even if the host also has a UI editor. The UI will lie about what is live after the next migration.

Stage on a subdomain with the same Apache version when possible. `mod_rewrite` availability and `Order allow,deny` versus `Require` syntax trip people on older hosts.

When something breaks, rename `.htaccess` to `.htaccess.bak` via FTP to confirm the culprit — then fix one block at a time.