The .htaccess file is a powerful configuration file used on Apache-based web servers to manage and modify settings at the directory level. By modifying .htaccess file, you can control many aspects of your website’s behavior without needing to alter server-wide settings.
Below are 25 essential .htaccess tricks and tips that can help improve your site’s security, performance, and SEO.
1. Redirect HTTP to HTTPS
If your site supports HTTPS, it’s important to redirect all traffic from HTTP to HTTPS to improve security and boost search engine rankings.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
2. Set a Custom 404 Error Page
First, you need to create the HTML file that will serve as your custom 404 error page under your website’s document root directory, then add this line to specify your custom 404 page. This page helps retain users who land on non-existent pages.
ErrorDocument 404 /404.html
3. Force File Downloads
To force a file to download instead of displaying it in the browser, use this directive:
<FilesMatch ".(pdf|zip|doc)$">
ForceType application/octet-stream
Header set Content-Disposition attachment
</FilesMatch>
This will make files like PDFs or ZIPs download automatically when accessed.
4. Block Specific IP Addresses
To block users from certain IP addresses, add the following lines:
<Limit GET POST>
order allow,deny
deny from 123.456.789.000
allow from all
</Limit>
5. Redirect Old URLs to New Ones
If you have changed the structure of your site, redirecting old URLs to new ones is critical for maintaining SEO.
Redirect 301 /old-url.html https://yourdomain.com/new-url.html
This sends a permanent redirect (301) from the old URL to the new one.
6. Password Protect a Directory
You can protect directories with a password by adding this to your .htaccess file:
AuthType Basic AuthName "Restricted Area" AuthUserFile /path/to/.htpasswd Require valid-user
Create a .htpasswd file for storing usernames and passwords.
htpasswd -c .htpasswd username
7. Disable Directory Browsing
By default, users may be able to see a list of files in a directory without an index page, but you can prevent this by disabling directory browsing.
Options -Indexes
This will show a 403 Forbidden error instead of the file list.
8. Restrict Access to .htaccess File
To protect your .htaccess file from unauthorized access, add this rule:
<Files .htaccess>
order allow,deny
deny from all
</Files>
This ensures that no one can view the contents of your .htaccess file.
9. Block Hotlinking
Hotlinking occurs when another site directly links to your images, consuming your bandwidth. To prevent this, use:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https://(www.)?yourdomain.com [NC]
RewriteRule .(jpg|jpeg|png|gif)$ - [F]
Replace yourdomain.com with your domain name.
10. Custom 403 Forbidden Page
Like custom 404 pages, you can create a custom 403 Forbidden page.
ErrorDocument 403 /403.html
This page appears when users try to access restricted content.
11. Prevent Image Hotlinking With a Warning Image
You can replace hotlinked images with a custom warning image:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https://(www.)?yourdomain.com [NC]
RewriteRule .(jpg|jpeg|png|gif)$ https://yourdomain.com/warning.jpg [R,L]
Replace warning.jpg with your custom warning image.
12. Set Cache-Control Headers
To improve site performance, use .htaccess to set cache control for static resources like images and scripts:
<FilesMatch ".(jpg|jpeg|png|gif|js|css)$">
Header set Cache-Control "max-age=2592000, public"
</FilesMatch>
This tells browsers to cache these files for 30 days (2592000 seconds).
13. Deny Access to Certain File Types
You may want to block access to certain file types, such as configuration files:
<FilesMatch ".(ini|log|conf)$">
Order allow,deny
Deny from all
</FilesMatch>
14. Enable Gzip Compression
Gzip compression reduces the size of files sent to the browser, improving load times:
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
AddOutputFilterByType DEFLATE application/javascript
</IfModule>
15. Redirect to a Maintenance Page
If your site is undergoing maintenance, you can redirect all visitors to a specific maintenance page:
RewriteEngine On
RewriteCond %{REQUEST_URI} !/maintenance.html$
RewriteRule ^(.*)$ /maintenance.html [R=307,L]
Replace maintenance.html with your maintenance page URL.
16. Limit File Upload Size
To limit the file upload size on your site, use this rule:
php_value upload_max_filesize 10M php_value post_max_size 10M
17. Redirect Non-WWW to WWW
To ensure all traffic is directed to the www version of your domain:
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www. [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
This will redirect visitors from yourdomain.com to www.yourdomain.com.
18. Redirect WWW to Non-WWW
If you prefer the non-www version of your domain, use this code:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www. [NC]
RewriteRule ^(.*)$ https://yourdomain.com/ [L,R=301]
This redirects www.yourdomain.com to yourdomain.com.
19. Prevent Access to PHP Files in Specific Folders
You can block access to PHP files in specific directories (like uploads) for security:
<Directory "/path/to/uploads">
<Files "*.php">
Order Deny,Allow
Deny from all
</Files>
</Directory>
Replace /path/to/uploads with the actual folder path.
20. Prevent Image Directory Access
To block access to your image folder while still allowing images to load on your site:
<Directory "/path/to/images">
Order Deny,Allow
Deny from all
</Directory>
21. Block Specific User Agents
If certain bots or scrapers are abusing your site, you can block them:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} badbot [NC]
RewriteRule .* - [F,L]
Replace badbot with the user agent you want to block.
22. Restrict Access by Country
To block visitors from specific countries, you need access to a list of IP ranges for those countries.
Here’s an example for blocking certain IP ranges:
<Limit GET POST>
order allow,deny
deny from 123.456.789.
allow from all
</Limit>
You’ll need to replace the IP ranges with those specific to the countries you want to block.
23. Enable Cross-Origin Resource Sharing (CORS)
To allow CORS for resources like fonts or images, use:
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
24. Prevent SQL Injection
You can block common SQL injection attempts:
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C)(script|SELECT|INSERT|UPDATE|DELETE|DROP|UNION|;|--) [NC]
RewriteRule .* - [F]
25. Allow Only Certain File Types in Uploads
You can restrict which file types can be uploaded to your site.
<FilesMatch ".(php|cgi|pl|py)$">
Order Deny,Allow
Deny from all
</FilesMatch>
26. Enable File Access Logs
If you want to track access to specific files for auditing or monitoring purposes, you can enable logging for certain file types:
SetEnvIf Request_URI ".(pdf|doc|mp3)$" requested_file CustomLog /path/to/logfile.log combined env=requested_file
This will log access to .pdf, .doc, and .mp3 files in a separate log file.
27. Custom 500 Internal Server Error Page
If your server encounters an internal error, you can display a custom error page to provide a better user experience.
ErrorDocument 500 /500.html
This way, instead of showing the default server error message, users will see a more user-friendly message that you have customized.
28. Prevent Access to Backup and Source Files
Backup files (like .bak, .old) or source files (like .log) are sometimes left on servers, exposing sensitive information.
To prevent access to these files, add this:
<FilesMatch ".(bak|old|log|sql)$">
Order allow,deny
Deny from all
</FilesMatch>
29. Limit Access by Referrer
You can control which sites are allowed to refer traffic to your website. For example, to block access to your site when the referrer comes from a specific domain.
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^https://www.baddomain.com [NC]
RewriteRule .* - [F]
Replace baddomain.com with the site you want to block as a referrer.
30. Limit Access to Admin Area by IP Address
If your website has an admin panel (like /admin or /wp-admin), it’s wise to limit access to this section based on IP address for security reasons:
<Files "admin.php">
Order Deny,Allow
Deny from all
Allow from 123.456.789.000
</Files>
Replace 123.456.789.000 with your IP address. Only this IP will be allowed to access admin.php.
31. Custom 401 Unauthorized Error Page
When users attempt to access a restricted page without proper authentication, you can present a custom 401 Unauthorized error page instead of the default server message:
ErrorDocument 401 /401.html
32. Redirect Based on Language Preference
If you have a multilingual website, you can redirect users to the appropriate language version of your site based on their browser’s language settings:
RewriteEngine On
RewriteCond %{HTTP:Accept-Language} ^fr [NC]
RewriteRule ^$ /fr/index.html [L,R=302]
This example redirects users to French (fr) language preference to the French version of your site.
33. Set Default Charset
You can specify the default character encoding for your website to ensure consistent text rendering across different browsers:
AddDefaultCharset UTF-8
This is particularly useful for websites that handle multiple languages or special characters.
34. Limit Request Methods
You can restrict which HTTP request methods (e.g., GET, POST) are allowed on your website to enhance security.
For instance, you might want to block dangerous methods like TRACE or TRACK:
<LimitExcept GET POST>
Order Deny,Allow
Deny from all
</LimitExcept>
35. Restrict Access During Site Maintenance
If you want to put your site into maintenance mode but allow certain IPs (like your own) to access the site, use this:
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^123.456.789.000$
RewriteCond %{REQUEST_URI} !/maintenance.html$
RewriteRule ^(.*)$ /maintenance.html [R=302,L]
Replace 123.456.789.000 with your IP address. Only visitors from that IP will be able to access the site while others will see a maintenance page.
36. Set Cache-Control Headers
Caching helps improve the performance of your site by storing copies of files in users’ browsers. You can set cache control headers to tell browsers how long to cache certain types of files:
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 month"
ExpiresByType image/jpg "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType image/gif "access plus 1 year"
ExpiresByType text/css "access plus 1 month"
ExpiresByType application/javascript "access plus 1 month"
</IfModule>
This example sets a longer cache time for images compared to CSS or JavaScript.
Conclusion
These .htaccess tips and tricks can significantly enhance your website’s security, performance, and user experience. Always make a backup of your .htaccess file before making changes and test the configuration to ensure your site behaves as expected.