Latest TweetsHow to Fix _blank Target Vulnerability perishablepress.com/fix-blank-…
Perishable Press

Stop WordPress from Changing .htaccess

[ Prevent WordPress Automatic .htaccess Modifications ] In a recent tutorial, I explain how to Stop WordPress from modifying .htaccess. That post explains several ways to prevent WordPress from making changes to .htaccess. This post explains an even better way that is safe, effective, non-invasive, re-usable, and super simple. I’ve been using it on my own sites now for a few years and it works flawlessly.

Keep it Simple

So this post will be kept quick and super simple, as all of the theory and .htaccess explanation can be found in the original article. So if you want more context, theory, and so forth, hit that post before continuing with the following tutorial. Also (and I always repeat this) make sure to make a backup copy of your .htaccess file before making any changes. That way if something weird happens you always can restore the original file.

Important

This technique only should be used when necessary to prevent WordPress from modifying any custom WP rules that may be in place. Otherwise if you are not using your own custom rules, it is recommended to not use this technique so that WordPress can update its rules automatically as needed.

The Magic Code

Before explaining how it works, here is the magic .htaccess code:

# PREVENT WP AUTO MODS
# @ https://m0n.co/08
<IfModule mod_ignore_wordpress.c>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

</IfModule>

See below for code explanation and implementation.

Explanation

The thing to understand with this code block, is that it effectively does nothing. In the first line, we use <IfModule> to check for a non-existent/imaginary Apache module, mod_ignore_wordpress. Because that module never will exist on any server, Apache ignores everything inside of the <IfModule> container. So the net effect of these rules on anything is absolutely nothing.

Inside of the outer <IfModule> container, are the default, automatically added WordPress rules. The ones that WordPress adds to your .htaccess file when you enable Permalinks. These inner rules are the ones that WordPress will find and update automatically as it pleases. And because the inner rules are ignored, you can have custom WordPress rules in place elsewhere in your .htaccess, and they won’t be affected by any of WordPress’ automatic modifications.

Meme It

Admittedly the underlying logic may be a bit abstract, so here is a simple diagram that hopefully explains it more clearly:

[ Diagram showing default WP rules inside of disabling container ]The default added WP rules are disabled/ignored because they exist inside of a container that checks for a non-existent Apache module. Click image to view full-size (opens in new tab).

Implementation

Once you understand how the code works, what it does, etc., feel free to add to any WordPress site that makes sense. As mentioned, I’ve been using that code snippet for years on some of my sites. For example at Perishable Press Books, I use customized WordPress rules to integrate e-commerce and short-URL functionality. The rules are carefully crafted and mission critical, so the last thing I want is for WordPress to make any changes. It would be a disaster.

The Key

The KEY to using this code effectively is to make sure that your custom WordPress rules do NOT look like the default WordPress rules. You want them to look different so WordPress does not recognize them. I think specifically this means that you do not want to include the first and last lines:

# BEGIN WordPress
	.
	.
	.
# END WordPress

Do not include anything similar to those lines with your custom code. For example, I just use # WORDPRESS and omit any closing commentary like so:

# WORDPRESS
<IfModule mod_rewrite.c>
	RewriteBase /
	RewriteRule ^index\.php$ - [L]
	RewriteCond %{REQUEST_FILENAME} !-f
	RewriteCond %{REQUEST_FILENAME} !-d
	# Whatever custom rules, etc.
	RewriteRule . /index.php [L]
</IfModule>

I also think # CUSTOM WORDPRESS and similar make sense. Here is an example of some custom WordPress rules together with the “prevent mods” fix:

# PREVENT WP AUTO MODS
# @ https://m0n.co/08
<IfModule mod_ignore_wordpress.c>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

</IfModule>

# CUSTOM WORDPRESS
<IfModule mod_rewrite.c>
	RewriteBase /
	RewriteRule ^index\.php$ - [L]
	RewriteCond %{REQUEST_FILENAME} !-f
	RewriteCond %{REQUEST_FILENAME} !-d
	# Whatever custom rules, etc.
	RewriteRule . /index.php [L]
</IfModule>

Notice how the first and last lines are unique for each of the rule blocks. WordPress will recognize and modify the first block and ignore the custom rules. It all is very simple and works beautifully.

For more in-depth discussion on this topic, check out the original post, Stop WordPress from modifying .htaccess.

Jeff Starr
About the Author Jeff Starr = Designer. Developer. Producer. Writer. Editor. Etc.
Archives
6 responses
  1. Why not just block the file permission or use the snippet from your other article?

    And why does WordPress ignore the code with the imaginary MOdul instead of reattaching it to the bottom because the code cannot be recognized?

    • Jeff Starr

      As mentioned, I find this method to be simpler and equally effective at stopping WordPress from making changes to any custom rules that may be in play. And it’s not WordPress that ignores the fake module condition, it’s Apache. Which means that WordPress will recognize the rules within the container and modify them, leaving any custom WP rules untouched.

  2. One thing I found very effective:

    If you have your .htaccess file just above the “public_html”, and in the appropriate server “conf” file:

    # HTTPD.CONF EXAMPLE
    
    AllowOverride All
    
    DirectoryIndex index.php index.html
    IndexIgnore *
    AllowOverride None
    
    Require all granted

    This would have Apache2 simply ignore the .htaccess file in your “public_html” folder altogether. I have noticed that there are some web-hosting companies who allow the .htaccess above the “public_html” folder too!

    If you are hosting on a shared account, some accounts may allow you to make changes to a few of the server-side settings from a control panel applet.

    ( BTW: This trick on my VPS helped speed up my website loading times a little too! )

    – OR –

    You could just change the “UGO” file access bits like so:

    chmod 0555 .htaccess

    ( Or – “chmod ugo-w .htaccess” )

    – Jim

Drop a Comment  ]
RSS