Keep rules intentional and minimal. Redirect rules that overlap with ones already applied by Cloudflare or another proxy can cause redirect loops, so check what your stack does before adding them here.
Force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
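A proxy-aware variant of the rule above, as an added example that is not part of the original page. It assumes TLS terminates at a proxy such as Cloudflare that sets the X-Forwarded-Proto header and reaches the origin over plain HTTP, in which case %{HTTPS} is off for every request and the plain rule redirects HTTPS visitors again.

```apache
# Added example, not from the original page.
# Assumption: a reverse proxy (e.g. Cloudflare) terminates TLS, forwards to
# this origin over HTTP, and sets X-Forwarded-Proto to the scheme the
# visitor actually used.
<IfModule mod_rewrite.c>
RewriteEngine On

# Condition 1: the connection to this server is not TLS.
RewriteCond %{HTTPS} off

# Condition 2: the proxy does not report that the visitor used HTTPS.
# Without this line, a visitor already on HTTPS at the proxy is redirected
# to the same HTTPS URL on every request, which is the redirect loop.
RewriteCond %{HTTP:X-Forwarded-Proto} !=https

# Both conditions true: the visitor really is on plain HTTP, so redirect.
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
```

Rely on X-Forwarded-Proto only when the origin accepts connections solely from the proxy, because a client that connects to the origin directly can set the header itself and skip the redirect.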
Disable XML-RPC (if unused)
<Files xmlrpc.php>
Require all denied
</Files>
Related
- Essential security hardening for self-hosted WordPress on Ubuntu — server hardening
- Cloudflare SSL mode and WordPress redirect loops — when HTTPS/redirect rules conflict