.htaccess is a configuration file that seems to scare a lot of people when they’re just starting out. Yes, doing the wrong thing can break your site. But, usually the changes you’ll make are quite simple and straightforward.
Knowing how to edit .htaccess is crucial for added site security and performance.
What is .htaccess?
.htaccess is a shortened version of “hypertext access.” It’s the file that helps to control the behavior of your web server. When you’re working with a .htaccess file, you should ensure that the period (.) at the beginning of the filename is not deleted.
By modifying the contents of your .htaccess file, you can limit access to files and directories, change the pages that will load when a user types in a URL, and more.
It’s easy to make a mistake in .htaccess, so it’s important not to edit it on a live website unless you really know what you are doing.
Where is .htaccess Located?
The .htaccess file is typically placed in the folder that holds your website content.
On most web hosting accounts, there is a folder called public_html that holds all of the files for your website. The .htaccess file should be inside this folder. If you don’t have a public_html folder, look for a folder called www, or contact your host for guidance.
In cPanel, you can access this folder via the File Manager icon.
To see the .htaccess file, check the “Show hidden files” checkbox when opening File Manager.
Alternatively, you can access your site’s files through FTP client software, like FileZilla.
Implementing a Redirect With .htaccess
URL redirects are one of the most common reasons you’ll be editing your .htaccess file. For example, if you move a file to a new location, you should use URL redirects to tell visitors’ browsers where to find it.
There are two main redirect types you’ll be using: 301 redirects, and 302 redirects.
301 redirects are used when you permanently move a URL or another resource. This style of redirect is a favorite for many web developers, as it preserves the SEO integrity of the original URL.
The most common redirect will look something like this:
Redirect 301 /relative-url.html http://example.com/full-url.html
The code above has several different parts:
- the 301 redirect command
- the original page URL
- the URL of the new page you’re redirecting to, including the domain name.
The examples here may wrap on your screen. It’s important that you don’t add a line break anywhere in this command.
If you’re moving the page http://mysite.com/about-us.html to http://mysite.com/our-team.html the code will look like this:
Redirect 301 /about-us.html http://mysite.com/our-team.html
You can even redirect an entire site to a new domain in .htaccess, like this:
Redirect 301 / http://mynewsite.com
The 302 redirect is a temporary redirect. 302 redirects can be used for A/B testing a web page, or gaining feedback on a site. But you shouldn’t use a 302 as a permanent redirect.
If you do need to use a 302 redirect, then you can do so with the code below:
Redirect 302 /relative-url.html http://mysite.com/full-url.html
The rules are the same as the 301 redirect above. So if you’re moving your case studies page temporarily to get user feedback, your code would look something like this:
Redirect 302 /case-studies.html http://mysite.com/case-studies-test.html
When you’re done, remember to either remove the redirect rule from .htaccess, or change it to a permanent 301 redirect.
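The rules above (status code, original path, full target URL, all on one line) can be checked before a file goes live. The following is an added example, not part of the original article; the function name and sample rules are assumptions made for illustration, and it only accepts the four-part form shown here.

```python
from urllib.parse import urlsplit

ARTICLE_STATUSES = {"301", "302"}  # the two redirect types covered in this article

def lint_redirects(htaccess_text):
    """Return (line_number, message) for each Redirect rule that breaks the rules above."""
    findings = []
    for num, raw in enumerate(htaccess_text.splitlines(), start=1):
        parts = raw.split()
        # Directive names are case-insensitive; comments and other directives are skipped.
        if not parts or parts[0].lower() != "redirect":
            continue
        if len(parts) != 4:
            # A rule wrapped onto a second line shows up here with too few parts.
            findings.append((num, "expected 'Redirect <status> <old-path> <new-url>' on one line"))
            continue
        _, status, old_path, target = parts
        if status not in ARTICLE_STATUSES:
            findings.append((num, f"status {status} is not 301 or 302"))
        if not old_path.startswith("/"):
            findings.append((num, "original URL should be a path starting with '/'"))
        url = urlsplit(target)
        if url.scheme not in ("http", "https") or not url.netloc:
            findings.append((num, "target must be a full URL including the domain name"))
    return findings

# Constructed sample: line 2 is missing '//' and line 3 was wrapped by an editor.
SAMPLE = """\
Redirect 301 /about-us.html http://mysite.com/our-team.html
Redirect 302 /case-studies.html http:mysite.com/case-studies-test.html
Redirect 301 /old.html
http://mysite.com/new.html
Redirect 301 / http://mynewsite.com
"""

if __name__ == "__main__":
    for line_number, message in lint_redirects(SAMPLE):
        print(f"line {line_number}: {message}")
```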
Password Protect Your Directories
.htaccess files were originally used to restrict permissions to certain directories. Now, we have several ways of achieving this.
If you’re using a CMS like WordPress, you can utilize the built-in user management features to restrict access to certain content instead. The .htaccess approach only makes sense if you need to protect static files in a directory, outside of your CMS.
Assuming this is what you need to do, it’s quite easy to implement password protection with .htaccess. You’ll need to create a separate .htaccess and .htpasswd file for every directory you’d like to protect.
Step 1: Create a .htpasswd file
The .htpasswd file will contain all of the usernames and passwords to access a certain directory. The code will look like this:
username:encrypted password
So, the actual username and password set will look something like this:
aldoushuxley:G78jkdf90TTjo
georgeorwell:jk876hyeR98q
The passwords that are stored in your .htpasswd file aren’t the actual passwords users will type to log in. They are a hash of the password. If you need help generating the hash, use this tool from htaccesstools or this tool from Aspiring.org. Both generate a password hash using the MD5 algorithm.
Step 2: Edit the .htaccess file
You now need to edit the .htaccess file to invoke the login box.
Remember: If you don’t create a .htpasswd file as well as changing your .htaccess, the password protection won’t work.
To restrict access enter the following code into your .htaccess file:
AuthName "Name of Secure Area"
AuthUserFile /path/to/.htpasswd
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
- The first line names the restricted area. You can call this whatever you want.
- The second line is the location of your .htpasswd file.
- The third line specifies the authentication type.
- The fourth line specifies the users who can access the password-protected directory.
Yours might look something like this:
AuthName "Site Secure Area"
AuthUserFile /home/mysite/safety-area-dir/.htpasswd
AuthType Basic
<Limit GET POST>
require user aldoushuxley
require user georgeorwell
</Limit>
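A pre-deployment audit of the two files from Steps 1 and 2, as an added example that is not part of the original article. The function names, the set of schemes treated as weak, and the sample entries are assumptions made for illustration; hash schemes are recognised only by the prefixes Apache documents for .htpasswd entries.

```python
import re

# Schemes treated as weak in this example, plus anything unrecognised.
WEAK = {"sha1-unsalted", "crypt-des", "other-or-plaintext"}

def classify_hash(value):
    """Name the scheme of an .htpasswd hash from its documented prefix."""
    if value.startswith("$2y$"):
        return "bcrypt"          # written by: htpasswd -B
    if value.startswith("$apr1$"):
        return "apr1-md5"        # Apache's salted MD5 variant
    if value.startswith("{SHA}"):
        return "sha1-unsalted"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", value):
        return "crypt-des"
    return "other-or-plaintext"

def audit_htpasswd(text):
    """Return (line_number, message) for malformed or weakly hashed entries."""
    findings = []
    for num, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        user, sep, value = line.partition(":")
        if not sep:
            findings.append((num, "expected username:hash"))
        elif user != user.strip() or value != value.strip():
            findings.append((num, "whitespace next to ':' (format is username:hash)"))
        elif classify_hash(value) in WEAK:
            findings.append((num, f"{user} uses {classify_hash(value)}"))
    return findings

def audit_auth_block(text):
    """Return (line_number, message) for risky patterns in the auth directives."""
    findings = []
    for num, line in enumerate(text.splitlines(), start=1):
        if re.match(r"\s*<Limit\b", line, re.IGNORECASE):
            findings.append((num, "<Limit> enforces Require only for the listed methods"))
        if "\u201c" in line or "\u201d" in line:
            findings.append((num, "curly quotes: use straight double quotes"))
    return findings

# Constructed samples (not real credentials).
HTPASSWD = ("aldoushuxley: G78jkdf90TTjo\ngeorgeorwell:jk876hyeR98q\n"
            "editor:$apr1$constructed$salt\nadmin:{SHA}constructed=")
HTACCESS = ("AuthName \u201cSecure Area\u201d\nAuthType Basic\n"
            "<Limit GET POST>\nrequire valid-user\n</Limit>")

if __name__ == "__main__":
    for finding in audit_htpasswd(HTPASSWD) + audit_auth_block(HTACCESS):
        print(finding)
```

Requests using methods outside a `<Limit>` list are not covered by the Require lines inside it, so placing Require directly in the file (with no `<Limit>` wrapper) applies it to every method.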
Doing More With .htaccess
Redirection and password protection are only the tip of the iceberg. You can do much more with your .htaccess file, such as:
- Specifying where users go after landing on a specific 404 page
- Blacklisting certain spam IP addresses or domain names
- Blocking bots and other web scrapers
- Setting MIME types to control how downloads are handled
- Disabling and enabling certain file indexes
.htaccess is a powerful tool that lets you redirect domains and password protect your directories. When working with your .htaccess file, remember to thoroughly test any changes you’ve made before making them live, so you don’t end up serving your users a 500 internal server error.