The Beginner’s Guide to .htaccess
.htaccess – the scary word everyone that owns a website has heard every now and then. While the name itself makes it seem like it is too technical to comprehend, it is a powerful tool to have in your arsenal. By getting a grip on .htaccess, how it works and possible use cases, there is more than enough things that you can effortlessly do with it. Let’s dive in on what it is, how you can use it to your benefit, and get the most useful examples and explanations for the most common uses of .htaccess!
What is .htaccess?
The short for “hypertext access”, the .htaccess is a configuration file, which can help you out with controlling the Apache Web Server software. You can create the .htaccess file and add it to the directory so that it will be loaded and later executed by the Apache Web Server.
To put it simply, you can use this file to enable or disable any functionality that the Web Server has to offer. From basic redirecting or hotlink prevention, there are multiple benefits to getting your grip on working with .htaccess.
What does the .htaccess file look like?
The .htaccess file is what you make of it. It could contain only one line or multiple ones, depending on the purpose of the file. There are many things you can write in the file to do so many things, some of the examples you will find as you read on.
Do I have one already?
In most cases, if you have a website, you likely have a .htaccess file already. You can usually find it in your website’s root folder. Just head on to the folder that has all the content of your website, and look for Public_HTML folder, or a folder named www. If you have subdirectories for multiple sites, you will find one in each subdirectory.
If you don’t manage to find it, do not worry. It does not mean you don’t have it – it could just be hidden. This is usually the case with files that begin with a dot, just like .htaccess does. By default, they aren’t usually easy to spot.
Just go ahead to your File Manager, or FTP client, and look for the “show hidden files” option. Don’t leave any option unturned, especially “Preferences”, “Settings” or “Options”.
It seems I don’t have one.
Still, no sweat, because you can effortlessly create one. What you would need is a regular text editor and some eye for detail. You can use Microsoft WordPad, or TextPad for example. The tricky part, though, is making sure to name and save your .htaccess file properly.
First, you need to save it in the proper format. It should be in ASCII format, so resist the temptation to save it as UTF-8, or any other formats.
Secondly, make sure that it is called .htaccess. This sounds pretty straightforward, but this is actually where the eye for detail comes into play. You want to make sure to keep the dot at the beginning. The next step is to make sure not to include any file extension. Saving it as “htaccess.txt” will not make it to the finishing line. Add the dot, and remove the extension!
Lastly, you want to upload it to the appropriate directory. You can go back in the guide and save it in one of the directories mentioned above. To do so, you can use FTP or any other browser-based file manager you are comfortable with.
What can I do with .htaccess?
There are multiple things you can achieve with .htaccess and a bit of know how. Here are some of them:
Handling Errors
The first thing, and one of the simplest at that, that you can do with .htaccess, is making sure that your visitors see a friendly and custom error message, instead of the scary one.
What you want to do is create an HTML document first. It is recommended that it contains the error description, for example, “Not Found” for 404 errors, or “Bad Gateway” for 502 errors. Though, the truth is, you can display any content you would like.
You should also make sure to name it properly so that you know which document it is. If it is handling 404 error, the common way to save it is as 404.html. You also want to save it to the error_pages directory, which should hold any all error documents.
Once that is ready, you should pop open your .htaccess file in a preferred editor, and type in something like this:
ErrorDocument 404 /error_pages/404.html
This line will tell your website server to display the designated document whenever a 404 error occurs. You can further repeat this process with any error documents you would like, to make sure your visitors do not get frustrated by the overly simple and generic message they would normally get.
Simple Redirects
While WordPress may have many plugins to do this for you, you can also redirect your visitors using the .htaccess file. Getting your visitors to the page you specified instead of the one they asked for is another simple task. By entering another line to the file, you can redirect your visitors either to another place within your website or even to another website as well.
To redirect them, here is an example of what you could add to the .htaccess file. You should, of course, edit it a bit to fit your needs.
Redirect /old_dir/ http://www.yourdomain.com/new_dir/index.html
Let’s explain this so that you know how to customize this to make sure your visitors end up where you want them to end up.
First, what would the /old_dir/ be? It is a directory or document located under your domain, or, more precisely, it would be located at ‘http://www.yourdomain.com/old_dir/’. This is the point your visitors will try to access. The rest of the file specifies where they should end up instead. In this case, they will end up on the index page of the /new_dir/ on your website.
As you can see, unlike with starting point, the page you want your users to end up on is a full URL. This helps when redirecting to another domain, as you can use any URL and add it instead of the one in the example. Piece of cake, isn’t it?
Password Protection
If you are looking to build a community around your website, offering a member’s area, and having visitors log in can be just the trick. While the community is a great thing to do regarding your marketing efforts and sales, it can also help with generating the idea of who your users are, and for collecting the much-needed information about your customers.
As long as you are GDPR compliant, you could use this neat trick to edit your offer based on the information you gather, and in the end – sell more!
How to password protect?
The opportunity to add a password to anything on your website is the most common way to use .htaccess files. It is also rather simple to do, and still, you can password-protect a directory or few. This will cause users to have a valid username and password to access it, which can be rather useful in a variety of situations.
If you set up password protection for directories, the login procedure will be rather simple, and your web browser will handle it automatically. It will show up as a browser’s pop-up interface. The passwords are also encrypted, so the login credentials will also be secure.
If you know which directory you want to password protect, go ahead and create a .htaccess file. Please keep in mind that all subdirectories will end up a password protected too! The same rules apply here, too, yet you would want to include the following:
AuthName “Member’s Name”
AuthUserFile /path/to/password/file/.htpasswd
AuthType Basic
require valid-user
Let’s break it down so that you know how to modify it if needed. In the first line, this .htaccess file specifies the name of the directory which you would like to protect. In this case, it is “Member’s Name” directory, but you should modify this to fit the name of a directory which needs to be under a password.
The second line specifies the password file, or to be more precise, where the server can find the password file. The third one is the authorization type you are using. In the example, it is a basic, standing for basic HTTP authentication.
The last line stands for the requirements for log-in. In this example, it requires valid login credentials. You can here specify what is needed to be valid, depending on what you are trying to password protect.
The Password File
Now, you need to figure out the password file. While it could be located anywhere on your web server, it is recommended to have the password file located in the same directory as the .htaccess file. This is because some of the servers require this to be set up. You should use the full path to the directory, that has the password file in it, in the second line.
Of course, this also means that you must have the password file ready. In the example, it is called .htpasswd, but you can call it anything you would like. Still, if you name it the same, the good news is that the server will recognize this filename and hide it from the visitors automatically. The password file should contain something along the lines of:
username:encryptedpassword
john_smith:oCF9Pam/MXJg2
Deny Access to Visitors
Even with websites, there are persona-non-grata. With the right .htaccess file, you could limit someone’s access. Or, on the other hand, allow specific access to a specific visitor. The first is rather useful if you are looking to protect your website, and the latter is perfect if you want to have full control over the specific aspect of your site.
You can deny access to visitors in two ways. Deny access to your visitors depending on their IP address, or you can make a selection based on the referrer.
Denying by IP
If you are looking to put some IP down in the blacklist, you can do so effortlessly with a bit of help from your .htaccess file. Create a new one, following the same rules, and then add the following text.
order allow,deny
deny from XXX.X.X.X
deny from XXX.XX.X.
allow from all
Of course, you should replace the Xs with the IP address you would like to block. Add as many as you need, and this file will let the Web Server know that these IP addresses are not welcome on your site. Make sure to add allow from all, as this line stands to say that other visitors are more than welcome to your website.
On the other hand, if you want to be the only one with access, you should include the following text instead:
order allow,deny
allow from XXX.0.0.0
deny from all
Of course, you should replace the Xs with your own IP address. This one will tell the server that only you should have access to a specific spot.
Denying by referer
Looking at your logs, you notice suspicious activity. Why don’t you just add the referrer to the blacklist and get the worry off your hands? Here is how you can do it with .htaccess.
Just create the file as you would normally do. The input should look like this:
RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} otherdomain\.com [NC]
RewriteRule .* – [F]
This should do the trick! You should check whether the ‘mod_rewrite’ is enabled on your server, though, as it might be disabled due to the fact that it could place quite a big demand on the resources. If it is, you should check it up with your hosting provider.
In essence, these lines let the server know that no one from otherdomain\.com is welcome on your website. Of course, you should add the appropriate domain here, instead. The ‘[NC]’ part at the end is also very important, as it lets it know that the domain name you provided is not case-sensitive. Which means that “OtherDomain” is off limits as well.
If you are looking to block multiple troublemakers, add ‘[NC,OR]’ instead, and then just go ahead and add another one in the same way:
RewriteCond %{HTTP_REFERER} anotherdomain\.com
You can keep doing this until you are happy, but don’t forget to add ‘[NC,OR]’ at the end of each one, except for the last one.
Preventing Bad Bots from scanning your website
Another perfect reason to use .htaccess is to prevent crawlers on your website. While there are harmless ones, which download whole content for browsing it offline, there are those with malicious intentions. Namely, the internet is filled with bad bots, looking for email addresses to fill with spam emails, security holes or simply, to source content.
While this is a bit more advanced than the previous examples, you should definitely give it a go. Preventing these bad bots from doing you any harm is a must, this way or another.
Just create another .htaccess file as you did for previous examples. What you would need to write in it is similar to this:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot
RewriteRule ^.* – [F,L]
The truth is, the list should be much longer, as it should include all the well-known bat bots. You can find such a list here. The more of them you include, the better.
Still, make sure to rename it – use bot’s name instead of BlackWidow or SuperBot. Always include [OR] at the end of each one, but make sure not to use it with the last one. Voila! Your website is free from all those malicious crawlers!
Is there more?
Of course, there is. As said, this is a beginner’s guide, after all. There are many additional things you could do with .htaccess files.
For example, you could use .htaccess files to set server timezone or to change its signature. If your website is relying heavily on media, you can use it to make sure that all the media files are downloaded, instead of being played. Or, you can use it to prevent requests which include invalid characters, and so much more.
While even trying to spell .htaccess is trouble, using one, as you can see is a piece of cake, while you can still accomplish so much with it!
What you have to keep in mind when creating and editing your file, is to thoroughly test it after you have made any changes before you push it to go live. You don’t want to provide your users with 500 internal server error, do you?
The last piece of advice
Even if something doesn’t work properly, don’t get overly frustrated. Check for typos, this usually does the trick! If it doesn’t, check support forums!
- The Beginner’s Guide to .htaccess - October 25, 2023
- Best WordPress Christmas Deals and New Year Discounts 2019 - December 17, 2019
- Get The Best Performing Online Store With WooCart - November 25, 2019
Where Should We Send
Your WordPress Deals & Discounts?
Subscribe to Our Newsletter and Get Your First Deal Delivered Instant to Your Email Inbox.