Key Takeaways
- The .htaccess (HyperText Access) file is a simple configuration tool that allows users to modify the configuration of the Apache Web Server, providing functionalities such as user redirection, URL rewrites, and password-protected directories. It’s important to note, however, that it will not work on Windows-based servers.
- When creating an .htaccess file, it’s crucial to remember that the file will affect the directory it is placed in and all subsequent sub-directories. If placed in the website root, it will affect all folders within the domain. However, if placed in a specific directory, its features will only apply to that folder and its child folders.
- The .htaccess file can be used to perform a variety of tasks, including changing the default index file of a directory, redirecting users to custom error pages, removing the need for ‘www’ in your URL, setting the time zone for your server, controlling access to files, implementing 301 permanent redirects, detecting tablets and redirecting, protecting links, forcing “File Save As”, rewriting URLs, redirecting browsers to https, activating SSI, enabling or disabling directory browsing, changing charset and language headers, blocking unwanted referrals or user agents, and blocking access to a range of files.
Creating and Uploading an .htaccess File
Creating an .htaccess file is very easy. Simply open Notepad or a similar text-based program, switch off word-wrap, add the code and save the file in the usual way. For example, you could call it:
htaccess.txt
Upload the file to the relevant directory on your web server and then rename it like so:
.htaccess
Remember, the .htaccess file should be using 644 permissions and uploaded in ASCII mode. If your .htaccess file does not work, then you should contact your system administrator or web hosting company and ensure they have enabled ‘.htaccess’ within your account, as some web hosting companies do not allow its use without prior permission. Unfortunately, .htaccess will not work on Windows-based servers.
Using .htaccess
It is important to remember that an .htaccess file will affect the directory it is placed in and all resulting sub-directories. Therefore, if you add your ‘.htaccess’ file to the ‘web site root’ then it will affect all subsequent folders like so:
http://www.yourdomain.com/
 | -- directory1
 | -- directory2
 | -- directory3
 | | -- directory3/childdirectory1
 | | -- directory3/childdirectory2
 | -- .htaccess
 | -- index.html
However, if you place the ‘.htaccess’ file in http://www.yourdomain.com/directory1 then the features of the ‘.htaccess’ will be restricted to that folder and all child folders only. For example:
http://www.yourdomain.com/
 | -- directory1
 | | -- directory1/childdirectory1
 | | -- directory1/childdirectory2
 | | -- directory1/childdirectory3
 | | | -- directory1/childdirectory3/newdirectory1
 | | | -- directory1/childdirectory3/newdirectory2
 | | -- .htaccess
 | | -- index.html
After editing your .htaccess file on multiple occasions it may look a little complicated, so I would recommend implementing comments. To do this, simply place the hash symbol at the beginning of every line like so:
# comment here
# another comment here
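To see which .htaccess files apply to a given folder under the scoping rule described above, the following added example (not part of the original article) walks from the site root down to the folder and lists every .htaccess it passes. It assumes overrides are only enabled at and below the document root; the directory names are constructed to mirror the diagrams.

```python
import os
import tempfile

def applicable_htaccess(docroot, request_dir):
    """Return the .htaccess files that apply to request_dir, ordered from the
    document root downwards (files deeper in the tree are merged later and
    can override the ones above them)."""
    docroot = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(docroot, request_dir.strip("/")))
    if os.path.commonpath([docroot, target]) != docroot:
        raise ValueError("request_dir escapes the document root")
    rel = os.path.relpath(target, docroot)
    parts = [] if rel == "." else rel.split(os.sep)
    found, current = [], docroot
    for part in [None] + parts:          # None stands for the root itself
        if part is not None:
            current = os.path.join(current, part)
        candidate = os.path.join(current, ".htaccess")
        if os.path.isfile(candidate):
            found.append(os.path.relpath(candidate, docroot))
    return found

def build_sample_tree(root):
    """Constructed layout: one .htaccess in the root, one in directory1."""
    os.makedirs(os.path.join(root, "directory1", "childdirectory3", "newdirectory1"))
    os.makedirs(os.path.join(root, "directory2"))
    for rel in (".htaccess", os.path.join("directory1", ".htaccess")):
        with open(os.path.join(root, rel), "w") as handle:
            handle.write("# constructed sample\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for folder in ("directory2", "directory1/childdirectory3/newdirectory1"):
            print(folder, "->", applicable_htaccess(root, folder))
```

Running the same walk on a live site is a quick way to find an unexpected .htaccess that changes the behaviour of a folder below it.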
Useful Snippets
And to get you started, it’s snippet time … (although one or two of them are strictly directives for Apache)
Directory Index
You can change the default index file of a directory with:
DirectoryIndex welcome.html welcome.php
Custom Error Pages
You can redirect your users to an error page with:
# the leading slash makes this a local URL path rather than message text
ErrorDocument 404 /error.html
And you can extend this like so:
ErrorDocument 400 /400.html
ErrorDocument 401 /401.html
ErrorDocument 403 /403.html
ErrorDocument 404 /404.html
ErrorDocument 500 /500.html
ErrorDocument 502 /502.html
ErrorDocument 504 /504.html
But remember to create your error pages!
Remove the Need for www in Your URL
Keep your site consistent by removing the need for ‘www’ by using:
RewriteEngine On
RewriteBase /
# dots are escaped so they match a literal "." only
RewriteCond %{HTTP_HOST} ^www\.yourdomain\.com [NC]
RewriteRule ^(.*)$ http://yourdomain.com/$1 [L,R=301]
Set the Time Zone for Your Server
SetEnv TZ Europe/London
Control Access to Files
Most people will remember that .htaccess is most often used to restrict or deny access to individual files and folders and you can do this like so:
deny from all
However, if you would like to be more specific and ban a specific IP address then you could use:
# Apache 2.2 syntax; on Apache 2.4 these directives need mod_access_compat
order allow,deny
deny from XXX.XXX.XXX.XXX
allow from all
or alternatively for several IP addresses, you could use:
# "order allow,deny" makes the deny lines win over "allow from all"
order allow,deny
allow from all
deny from 145.186.14.122
deny from 124.15
301 Permanent Redirects
Worried about those old links? Then try:
Redirect 301 /olddirectory/file.html http://www.domainname.com/newdirectory/file.html
Set the Email Address for the Server Administrator
By using the following code you can specify the default email address for the server administrator:
ServerSignature EMail
SetEnv SERVER_ADMIN webmaster@domain.com
Detecting Tablets and Redirecting
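If you would like to redirect tablet-based users to a particular web page or directory, try:
RewriteEngine On
# skip requests already inside the target folder to avoid a redirect loop
RewriteCond %{REQUEST_URI} !^/folderfortablets
RewriteCond %{HTTP_USER_AGENT} ^.*iPad.*$
RewriteRule ^(.*)$ http://yourdomain.com/folderfortablets [R=301,L]
RewriteCond %{REQUEST_URI} !^/folderfortablets
RewriteCond %{HTTP_USER_AGENT} ^.*Android.*$
RewriteRule ^(.*)$ http://yourdomain.com/folderfortablets [R=301,L]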
Link Protection
Concerned about hotlinking or simply want to reduce your bandwidth usage? Try experimenting with:
Options +FollowSymlinks
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domainname\.com/ [NC]
# do not rewrite the replacement image itself
RewriteCond %{REQUEST_URI} !/img/hotlink_f_o\.png$
RewriteRule \.(gif|jpg|png)$ http://domainname.com/img/hotlink_f_o.png [NC,R,L]
Force “File Save As”
If you would like to force users to download files rather than view them in the browser you could use:
AddType application/octet-stream .csv
AddType application/octet-stream .xls
AddType application/octet-stream .doc
AddType application/octet-stream .avi
AddType application/octet-stream .mpg
AddType application/octet-stream .mov
AddType application/octet-stream .pdf
or you can simplify this as:
AddType application/octet-stream .avi .mpg .mov .pdf .xls .mp4
Rewrite URLs
If you would like to make your URLs a little easier to read (i.e. changing content.php?id=92 to content-92.html) you could implement the following ‘rewrite’ rules:
RewriteEngine on
# the dot before "html" is escaped so it matches a literal "." only
RewriteRule ^content-([0-9]+)\.html$ content.php?id=$1 [L]
Redirect Browser to https
This is always useful for those who have just installed an SSL certificate:
RewriteEngine On
RewriteCond %{HTTPS} !on
# R=301 sends a permanent redirect; L stops further rule processing
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Activate SSI
If you want to activate SSI for HTML and/or SHTML file types, try:
# SSI also needs the Includes option (IncludesNOEXEC permits SSI without exec)
Options +Includes
AddType text/html .html
AddType text/html .shtml
AddHandler server-parsed .html
AddHandler server-parsed .shtml
AddHandler server-parsed .htm
Disable or Enable Directory browsing
# disable directory browsing
Options -Indexes
# enable directory browsing
Options +Indexes
Change the Charset and Language headers
For those who want to change the current character set and language for a specific directory use:
AddDefaultCharset UTF-8
DefaultLanguage en-GB
Block Unwanted Referrals
If you want to block unwanted visitors from a particular website or range of websites you could use:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} website1\.com [NC,OR]
# the last condition carries no [OR]
RewriteCond %{HTTP_REFERER} website2\.com [NC]
RewriteRule .* - [F]
</IfModule>
Block Unwanted User Agents
With the following method, you could save your bandwidth by blocking certain bots or spiders from trawling your website:
<IfModule mod_setenvif.c>
# no trailing "|" in the group: an empty alternative would match every user agent
SetEnvIfNoCase ^User-Agent$ .*(bot1|bot2|bot3|bot4|bot5|bot6) HTTP_SAFE_BADBOT
Deny from env=HTTP_SAFE_BADBOT
</IfModule>
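Blocking rules like the referrer and user-agent snippets above are easy to get wrong in ways that change who they match: a trailing [OR] on the last RewriteCond can make the rule fire for every request, an empty alternative such as (bot1|bot2|) matches every value, and an unescaped dot matches any character. The following checker is an added example, not part of the original article; it is a heuristic over whitespace-separated tokens and its sample input is constructed.

```python
import re

UNESCAPED_DOT = re.compile(r"\w\.\w")               # "a.b" where the dot is not "\."
EMPTY_ALTERNATIVE = re.compile(r"\(\||\|\||\|\)")   # "(|", "||" or "|)"

def lint_htaccess(text):
    """Return (line_number, message) pairs. Heuristic checks, not a full parser."""
    findings = []
    or_line = None  # line of the latest RewriteCond if it carries [OR]
    for number, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        directive = tokens[0].lower()
        if directive == "rewriterule":
            if or_line is not None:
                findings.append((or_line, "last RewriteCond before the rule ends in [OR]"))
            or_line = None
            continue
        if directive == "rewritecond" and len(tokens) >= 3:
            flags = tokens[3].strip("[]").upper().split(",") if len(tokens) > 3 else []
            or_line = number if "OR" in flags else None
        elif directive not in ("setenvif", "setenvifnocase") or len(tokens) < 4:
            continue
        pattern = tokens[2].strip('"')
        if UNESCAPED_DOT.search(pattern):
            findings.append((number, "unescaped '.' matches any character"))
        if EMPTY_ALTERNATIVE.search(pattern):
            findings.append((number, "empty alternative matches every value"))
    return findings

# Constructed sample, not taken from a real site.
SAMPLE = r"""RewriteEngine on
RewriteCond %{HTTP_REFERER} website1.com [NC,OR]
RewriteCond %{HTTP_REFERER} website2\.com [NC,OR]
RewriteRule .* - [F]
SetEnvIfNoCase User-Agent (bot1|bot2|) BAD_BOT
"""

if __name__ == "__main__":
    for number, message in lint_htaccess(SAMPLE):
        print(f"line {number}: {message}")
```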
Block Access to a Comprehensive Range of Files
If you want to protect particular files, or even block access to the .htaccess file, try customising the following code:
<Files privatefile.jpg>
order allow,deny
deny from all
</Files>
# the leading dot is escaped so only real file extensions match
<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$">
Order Allow,Deny
Deny from all
</FilesMatch>
And Lastly …
For reasons of security alone, I think the chance to rename the .htaccess file is very useful:
# set in the main server or virtual host configuration, not inside .htaccess
AccessFileName ht.access
In writing this article I have tried to highlight the range of functions htaccess can be used for. Of course, I haven’t covered everything but as you can see, .htaccess might be an old tool but it still has an important role to play in enhancing your website.
FAQs on Mastering .htaccess for Website Optimization and Security
What is the purpose of an .htaccess file in website development?
The .htaccess file is a configuration file used by Apache-based web servers that allows you to control and modify your website’s behavior without needing to alter the server configuration files. It provides a way to make configuration changes on a per-directory basis. Some of the things you can do with an .htaccess file include redirecting URLs, preventing hotlinking, password protecting directories, enabling or disabling CGI scripts, and more. It’s a powerful tool that can greatly enhance the functionality and security of your website.
How do I create an .htaccess file?
Creating an .htaccess file is straightforward. You simply create a new file and name it “.htaccess”. Note that the file name starts with a dot and there is no file extension. You can create this file using any text editor, but make sure to save it in ASCII format. Once created, you can upload the file to your server using an FTP client. Remember, the .htaccess file should be uploaded to the directory that you want to affect.
How can I use .htaccess for URL redirection?
URL redirection is a common use of .htaccess files. This is often used when a page has been moved and you want to redirect visitors to the new location. Here’s a simple example of how to do this:
Redirect 301 /oldpage.html /newpage.html
In this example, any visitor trying to access “oldpage.html” will be automatically redirected to “newpage.html”.
Can I use .htaccess to improve my website’s security?
Yes, .htaccess files can be used to enhance your website’s security. For example, you can use .htaccess to restrict access to certain directories by IP address, or to password-protect directories. You can also use it to disable directory listings, which can prevent unauthorized users from seeing a list of files in your directories.
How can I use .htaccess to prevent hotlinking?
Hotlinking is when another website links directly to files (especially images) on your website, using your server’s bandwidth to display the content on their site. You can prevent this by adding the following code to your .htaccess file:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
Replace “yourdomain.com” with your actual domain name. This code will prevent any site other than yours from displaying your images.
How can I password protect a directory using .htaccess?
You can use .htaccess to password protect a directory on your website. This involves creating a .htpasswd file that contains the usernames and passwords of authorized users, and then adding code to your .htaccess file to specify the directory to be protected and the location of the .htpasswd file. Here’s an example:
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /path/to/.htpasswd
Require valid-user
In this example, replace “/path/to/.htpasswd” with the actual path to your .htpasswd file.
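Two things decide how much protection this setup gives: where the .htpasswd file lives and how its passwords are hashed. The following audit is an added example, not part of the original article; the paths, user names and hash values are constructed placeholders, and only the hash prefixes are meaningful.

```python
import os
import re

# Hash prefixes that htpasswd can write and that are weaker than bcrypt ($2y$).
WEAK_PREFIXES = {"{SHA}": "unsalted SHA-1", "$apr1$": "salted MD5 (apr1)"}

def audit_basic_auth(htaccess_text, htpasswd_text, docroot):
    """Return a list of problems with the password file location and hashes."""
    problems = []
    docroot = os.path.normpath(docroot)
    match = re.search(r'^\s*AuthUserFile\s+"?([^"\s]+)', htaccess_text, re.I | re.M)
    if match:
        path = match.group(1)
        if not os.path.isabs(path):
            problems.append("AuthUserFile is relative, so it resolves against ServerRoot")
        elif os.path.commonpath([docroot, os.path.normpath(path)]) == docroot:
            # A file below the document root can be requested over HTTP
            # unless another rule blocks it.
            problems.append("AuthUserFile is inside the document root")
    for line in htpasswd_text.splitlines():
        user, sep, hashed = line.strip().partition(":")
        if not sep or hashed.startswith("$2y$"):   # bcrypt entries pass
            continue
        scheme = next((label for prefix, label in WEAK_PREFIXES.items()
                       if hashed.startswith(prefix)),
                      "not bcrypt (crypt, plaintext or other)")
        problems.append(f"{user}: {scheme}")
    return problems

# Constructed inputs: placeholder strings, not real password hashes.
HTACCESS = 'AuthType Basic\nAuthName "Restricted Content"\n' \
           'AuthUserFile /var/www/html/private/.htpasswd\nRequire valid-user\n'
HTPASSWD = "alice:$2y$05$CONSTRUCTED\nbob:{SHA}CONSTRUCTED=\ncarol:$apr1$salt$CONSTRUCTED\n"

if __name__ == "__main__":
    for problem in audit_basic_auth(HTACCESS, HTPASSWD, "/var/www/html"):
        print(problem)
```

Entries created with `htpasswd -B` use bcrypt and pass the hash check.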
Can I use .htaccess to enable or disable CGI scripts?
Yes, you can use .htaccess to control the execution of CGI scripts. For example, you can add the following code to your .htaccess file to enable CGI scripts in a specific directory:
Options +ExecCGI
AddHandler cgi-script .cgi .pl
This code enables the execution of CGI scripts with the extensions .cgi and .pl.
How can I use .htaccess to customize error pages?
You can use .htaccess to display custom error pages instead of the default server error pages. For example, to display a custom 404 error page, you would add the following code to your .htaccess file:
ErrorDocument 404 /custom_404.html
In this example, replace “/custom_404.html” with the path to your custom 404 error page.
Can I use .htaccess to control caching?
Yes, you can use .htaccess to control how your website’s content is cached by browsers. This can help to improve your website’s load times. Here’s an example of how to do this:
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access plus 1 year"
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/gif "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType text/css "access plus 1 month"
ExpiresByType text/html "access plus 1 month"
ExpiresByType application/pdf "access plus 1 month"
ExpiresByType text/x-javascript "access plus 1 month"
ExpiresByType application/x-shockwave-flash "access plus 1 month"
ExpiresByType image/x-icon "access plus 1 year"
ExpiresDefault "access plus 1 month"
</IfModule>
This code sets different caching times for different types of files.
How can I use .htaccess to improve my website’s SEO?
.htaccess can be used to improve your website’s SEO in several ways. For example, you can use it to implement 301 redirects for moved pages, which can help to preserve your search engine rankings. You can also use it to rewrite URLs to make them more SEO-friendly. Here’s an example of how to do this:
RewriteEngine On
RewriteRule ^product/([0-9]+)/?$ product.php?id=$1 [NC,L]
In this example, the page “product.php?id=123” becomes reachable at the URL “product/123”. This type of URL is generally considered to be more SEO-friendly.
Jonathan is an independent web developer, server administrator and application programmer and for nearly 20 years he has been working behind the scenes to support companies, organisations and individuals from all over the world to realise their digital ambitions. As a practitioner of many computer languages, Jonathan enjoys all things Linux, writing code, building computers, playing the XBOX, history and getting 'out and about' in the big outdoors. He thrives on new challenges, works around the clock and prides himself on being friendly, honest, reliable and ultimately, the complete professional.