Understanding and Editing Your .htaccess File

What is .htaccess?

.htaccess is a configuration file read by Apache on every request. For WordPress sites, it is the mechanism that makes clean URLs (permalinks) work. It can also handle redirects, force HTTPS, control access to files, and block unwanted traffic.

The file lives at your site root: /home/{siteuser}/htdocs/{domain}/.htaccess

Because it starts with a dot, it is hidden by default in most file browsers.


Accessing .htaccess in KPanel

  1. Go to your site in KPanel
  2. Click Files in the top navigation
  3. Click File Manager
  4. The file manager opens at your site root
  5. Click Show Hidden in the toolbar to make .htaccess visible
  6. Click .htaccess to open it in the editor
  7. Make your changes and click Save

Before editing: download a copy of the file first using the Download button in the row actions. A single syntax error causes a 500 error on your entire site.


The Default WordPress .htaccess

Every WordPress site needs this block. Do not remove it:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

This tells Apache to route all requests through WordPress's index.php so that pretty permalinks work. Removing or breaking this block causes all pages except the homepage to return 404 errors.


Common Tasks

Force HTTPS

Add this above the # BEGIN WordPress block:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Redirect www to non-www

RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.yourdomain\.com [NC]
RewriteRule ^ https://yourdomain.com%{REQUEST_URI} [L,R=301]

Redirect non-www to www

RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Custom 404 page

ErrorDocument 404 /404.html

Replace /404.html with the path to your custom 404 page, or use /index.php to route 404s through WordPress.

Block a specific IP address

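<RequireAll>
  Require all granted
  Require not ip 203.0.113.10
</RequireAll>

Replace 203.0.113.10 with the address you want to block. The address must be valid: an octet above 255 is a syntax error.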

Protect wp-admin with IP allowlist

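<Files wp-login.php>
  Require ip 203.0.113.10
</Files>

Replace 203.0.113.10 with your own IP address. Only that address can then reach wp-login.php, which blocks brute-force login attempts from other IPs. Do not wrap this in <RequireAll> together with Require all denied: that directive never succeeds, so the block would deny every address, including yours.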

Block bad bots by user agent

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTP_USER_AGENT} (SemrushBot|AhrefsBot|DotBot) [NC]
  RewriteRule .* - [F,L]
</IfModule>

Resetting a Broken .htaccess

If you have a syntax error in .htaccess your site will return a 500 error. To reset it:

Option 1: Regenerate via WordPress admin

If your admin is still accessible (errors are sometimes scoped to the front end):

  1. Log in to /wp-admin
  2. Go to Settings, then Permalinks
  3. Click Save Changes without changing anything

WordPress regenerates a clean .htaccess with the default rewrite block.

Option 2: Replace via File Manager

  1. Open File Manager in KPanel (Files menu)
  2. Enable Show Hidden to see .htaccess
  3. Delete the broken .htaccess
  4. Create a new file named .htaccess
  5. Paste the default WordPress block (shown above) and save

Option 3: Via SFTP

Use an SFTP client to connect to your site and upload a replacement .htaccess file. See the SFTP guide for connection details.


.htaccess and WordPress Plugins

Many plugins add their own rules between # BEGIN and # END markers. These are managed automatically by those plugins and should not be edited manually. Rules you add should go outside those blocks.

If a plugin's rules are causing issues, deactivate the plugin. It will remove its own .htaccess entries on deactivation.
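
A pre-save check for the mistakes this article warns about, added here as an example and not part of KPanel or WordPress. It flags unclosed containers, invalid Require ip addresses, a Require all denied inside <RequireAll>, and a missing default WordPress rewrite rule. The function names and the sample draft are constructed for illustration, and the check covers only these four cases, not everything Apache's parser rejects.

```python
import ipaddress
import re

# Rules from the default WordPress block that must survive any edit.
REQUIRED_WP_RULES = ("RewriteCond %{REQUEST_FILENAME} !-f", "RewriteCond %{REQUEST_FILENAME} !-d",
                     "RewriteRule . /index.php [L]")

def valid_ip(addr):
    try:  # full address, CIDR or netmask form
        ipaddress.ip_network(addr, strict=False)
        return True
    except ValueError:  # Apache also accepts partial IPv4 prefixes such as 10.1
        parts = addr.split(".")
        return len(parts) < 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

def lint_htaccess(text):
    """Return (line_number, message) findings; line 0 means the whole file."""
    findings, stack, seen = [], [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        seen.add(line)
        top = stack[-1][0].lower() if stack else ""  # innermost open container
        tag = re.match(r"<(/?)(\w+)", line)
        if tag and not tag.group(1):
            stack.append((tag.group(2), n))
        elif tag and tag.group(2).lower() == top:
            stack.pop()
        elif tag:
            findings.append((n, f"unexpected </{tag.group(2)}>"))
        req = re.match(r"Require\s+(?:not\s+)?ip\s+(.+)", line, re.I)
        bad = [a for a in (req.group(1).split() if req else []) if not valid_ip(a)]
        findings += [(n, f"invalid IP address {a}") for a in bad]
        if top == "requireall" and re.fullmatch(r"Require\s+all\s+denied", line, re.I):
            findings.append((n, "Require all denied inside <RequireAll> denies everyone"))
    findings += [(ln, f"<{name}> is never closed") for name, ln in stack]
    findings += [(0, f"missing WordPress rule: {r}") for r in REQUIRED_WP_RULES if r not in seen]
    return findings

# Constructed draft with four mistakes, one per check above.
SAMPLE = """\
<Files wp-login.php>
  <RequireAll>
    Require all denied
    Require ip 203.0.113.300
  </RequireAll>
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
"""
print(*lint_htaccess(SAMPLE), sep="\n")
```

Run it on the edited text before clicking Save; an empty result means none of these four mistakes is present, and the downloaded backup remains the fallback for anything else.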
