What is a .htaccess file?

A .htaccess file allows you to manage the operation of your website or a particular folder within it. For instance, placing a .htaccess file in your root directory will impact your whole site (www.myonlinefurniture.com). If you add it to a /content folder, its effects will be limited to that specific directory (www.myonlinefurniture.com/content).

.htaccess is compatible with all Linux hosting accounts.

Some examples of what a .htaccess file can be used for are:

  • Customize the error pages for your site
  • Protect your site with a password
  • Enable server-side includes
  • Deny access to your site based on IP
  • Change the default page (index.html) that is loaded for your site
  • Redirect visitors to another page
  • Prevent directory listing
  • Add MIME types

A .htaccess file is a basic text file named .htaccess. It does not use a typical file extension like .html or .txt; the complete name is .htaccess. This file serves as a distributed configuration tool and is how Apache applies configuration modifications on a directory-by-directory basis.

Below are various configurations, along with a basic .htaccess file that can replace a damaged one (for instance, one broken by a malfunctioning plugin).

Basic .htaccess file for WordPress

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

General Configurations

1. Options

Any options preceded by a + are added to the options currently in effect, while options preceded by a - are removed from the options currently in effect.

The possible values for the Options directive can be any combination of:

None

All options are turned off.

All

All options except for MultiViews. This is the default setting.

ExecCGI

Execution of CGI scripts using mod_cgi is permitted.

FollowSymLinks

The server will follow symbolic links in this directory.

Includes

Server-side includes provided by mod_include are permitted.

IncludesNOEXEC

Server-side includes are permitted, but the #exec cmd and #exec cgi are disabled.

Indexes

If a URL maps to a directory and that directory contains no DirectoryIndex file, the server returns a formatted listing of the directory.

MultiViews

Content negotiated “MultiViews” are allowed using mod_negotiation.

SymLinksIfOwnerMatch

Only follow symbolic links where target is owned by the same user id as the link.

This will disable all options, and then only enable FollowSymLinks, which is necessary for mod_rewrite.

Options None
Options FollowSymLinks

2. DirectoryIndex

DirectoryIndex sets the file that Apache will serve if a directory is requested.

Several URLs may be given, in which case the server will return the first one that it finds.

DirectoryIndex index.php index.html /index.php

3. DefaultLanguage

DefaultLanguage sets the language for all files that do not already have a specific language tag associated with them.

DefaultLanguage en

4. Default Charset

Set the default character encoding sent in the HTTP header.

AddDefaultCharset UTF-8

Set the charset for specific files through their MIME type

AddType 'text/html; charset=UTF-8' .html

Set the charset for specific files by extension

AddCharset UTF-8 .html


5. ServerSignature

The ServerSignature directive permits the setup of a footer line at the end of documents generated by the server. It can optionally include a line that displays the server version and the virtual host name on pages generated by the server (such as internal error documents, FTP directory listings, and outputs from mod_status and mod_info), but this does not apply to CGI-generated documents or custom error pages.

On

adds a line with the server version number and ServerName of the serving virtual host

Off

suppresses the footer line

Email

creates a “mailto:” reference to the ServerAdmin of the referenced document

SetEnv SERVER_ADMIN admin@site.com
ServerSignature Email

6. Force Files to be Downloaded

With the following, files with the specified extensions are not shown in the browser; the request instead triggers a “Save As” dialog, allowing the client to download the file.

AddType application/octet-stream .avi .mpg .mov .pdf .xls .mp4

7. HTTP Compression

The AddOutputFilter directive associates a specific filename extension with the filters that will modify server responses prior to delivery to the client. This works alongside any filters established in other locations, such as SetOutputFilter and AddOutputFilterByType. This association will combine with any existing mappings, superseding any previous ones for the same extension.

AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/javascript text/css application/x-javascript
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html


Force Compression for certain files

SetOutputFilter DEFLATE

8. Send Custom HTTP Headers

The Header directive allows you to transmit HTTP headers for every request or only for certain files. You can examine a website’s HTTP Headers using Firebug, Chrome Dev Tools, Wireshark, or an online service.

Header set X-Pingback "http://www.askapache.com/xmlrpc.php"
Header set Content-Language "en-US"

9. Unset HTTP Headers

This unsets HTTP headers. With the always keyword the directive also applies to error responses, which the default condition does not cover.

Header unset Pragma
Header always unset WP-Super-Cache
Header always unset X-Pingback

10. Password Protect Login

This is very useful for protecting the wp-login.php file. The directives are placed inside a Files block so that they apply to that file only. The password file can be created with an htpasswd generator.

Basic Authentication

<Files wp-login.php>
AuthType Basic
AuthName "Password Protected"
AuthUserFile /full/path/to/.htpasswd
Require valid-user
Satisfy All
</Files>

Digest Authentication

<Files wp-login.php>
AuthType Digest
AuthName "Password Protected"
AuthDigestDomain /wp-login.php https://www.askapache.com/wp-login.php
AuthUserFile /full/path/to/.htpasswd
Require valid-user
Satisfy All
</Files>


11. Require Specific IP

This allows access only from certain IP addresses.

ErrorDocument 401 default
ErrorDocument 403 default

Order deny,allow
Deny from all
Allow from 198.101.159.98 localhost

12. Protect Sensitive Files

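This denies all web access to your wp-config file, error_logs, php.ini, and htaccess/htpasswds. The rules sit inside a FilesMatch block; without it, Deny from all would block every request to the directory.

<FilesMatch "^(wp-config\.php|php\.ini|error_log|\.ht.*)$">
Order deny,allow
Deny from all
</FilesMatch>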
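
The access rules from sections 10 to 12 in Apache 2.4 syntax, as an added example that is not from the original article: Order, Deny, Allow and Satisfy are the Apache 2.2 forms, which 2.4 accepts only through mod_access_compat. The IP address and file paths are the ones used above; the FilesMatch pattern is an assumption built from the file names listed in section 12.

```apache
# Added example (Apache 2.4, mod_authz_core); not part of the original article.

# Section 11: only the listed address and the server itself may reach
# anything in the directory that holds this .htaccess file.
<RequireAny>
    Require ip 198.101.159.98
    Require local
</RequireAny>

# Section 10 with "Satisfy All": wp-login.php needs a valid password AND
# an allowed source address. RequireAll fails if either check fails.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Password Protected"
    AuthUserFile /full/path/to/.htpasswd
    <RequireAll>
        Require valid-user
        <RequireAny>
            Require ip 198.101.159.98
            Require local
        </RequireAny>
    </RequireAll>
</Files>

# Section 12: refuse every request for the sensitive files, whatever the
# client address. The pattern is an assumption covering the names in the text.
<FilesMatch "^(wp-config\.php|php\.ini|error_log|\.ht.*)$">
    Require all denied
</FilesMatch>
```

Convert a whole .htaccess file at once rather than mixing the 2.2 and 2.4 forms, since the combined result is hard to predict.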

13. Require SSL

This will force SSL, and require the exact hostname or else it will redirect to the SSL version. Useful in a /wp-admin/.htaccess file.

SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.wordpress.com"
ErrorDocument 403 https://www.wordpress.com
