.Htaccess Guides

What is .htaccess?

.htaccess is a web server configuration file that provides directives (syntactic commands) for controlling the Apache Web Server without touching the main server configuration. The file is identified by its default name, .htaccess.

You can perform a variety of tasks with .htaccess, using different directives (commands) to change the way your server behaves. The tasks listed below are a few of the things you can do with it.

  • Control the access to HTTP
  • Reconfigure the entire webpage files
  • Control the access for HTTP using password protection, 301 Redirect.
  • Rewrite the way the web server behaves (decentralization of web server)
  • Control the access to all files on a website
  • Disable access from server files
  • Enforce scripts
  • Enable SSI and CGI
  • Password-protect files and directories
  • Prevent access to the php.ini file
  • Allow debugging of the web server
  • Smoothen website management
  • Modify the mod_rewrite rules and intensify the protection of the website without touching the files on the server.

Where the .htaccess file resides

This file is usually located in the root directory of the web server, identified by its default name, .htaccess. Every change made to it has an automatic impact on the entire site. Meanwhile, each directive that affects how .htaccess behaves is preceded by a # comment line and immediately followed by the command or instruction.


Working with a .htaccess file via FTP can be a little challenging if you are not comfortable with regex. Nonetheless, you can still give it a shot, with care to ensure you don't mess up your server settings.

Important: Always back up your file before you embark on modifying or working on any .htaccess.

1. Redirect to the unencrypted domain with www-version

The directives below redirect to the unencrypted domain starting with www:

RewriteEngine on
# Redirect to domain with www.
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule .* http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

2. Redirect to the encrypted domain with www

The configuration below redirects to the encrypted domain starting with www:

# Same for HTTPS:
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

3. Redirect to the unencrypted domain without www

The configuration below redirects to the unencrypted domain without www:

# Redirect to domain without www.
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule .* http://%1%{REQUEST_URI} [R=301,L]

4. Redirect to the encrypted domain without www

The configuration below redirects to the encrypted domain without www:

RewriteEngine on
# Same for HTTPS:
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule .* https://%1%{REQUEST_URI} [R=301,L]

5. Prevent forcing a redirect to a specific domain for http/https

If the protocol is an unencrypted http

RewriteEngine on
# Redirect to another domain:
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} !^(www\.)?testdomain\.com$ [NC]
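# The target host is taken from the condition above; use the www. form if that is your canonical host.
RewriteRule .* http://testdomain.com%{REQUEST_URI} [R=301,L]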

If the protocol is an encrypted https

RewriteEngine on
# Same for HTTPS:
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^(www\.)?testdomain\.com$ [NC]
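# The target host is taken from the condition above; use the www. form if that is your canonical host.
RewriteRule .* https://testdomain.com%{REQUEST_URI} [R=301,L]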

5. Adding a trailing slash

A trailing slash identifies a path as pointing to a directory. If a pathname does not have a trailing slash, it is treated as a file.


RewriteEngine on
# Ensure all directory URLs have a trailing slash.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !\/$
RewriteCond %{REQUEST_URI} !\/[^\/]*\.[^\/]+$
RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI}/ [L,R=301]


RewriteEngine on
# Same for HTTPS:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !\/$
RewriteCond %{REQUEST_URI} !\/[^\/]*\.[^\/]+$
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI}/ [L,R=301]

6. 301 Redirect URLs

A 301 redirect is a permanent redirect from one file to another; learn more about the impact it has on SEO if not implemented correctly. The example below shows the oldpath and newpath arguments: requests are redirected to the newpath file because the oldpath file no longer exists.

Note oldpath could be anything with an extension .html, .php e.t.c such as And the newpath could be something similar to 

# 301 Redirect URLs.
Redirect 301 /oldpath.html /newpath.php

7. Redirect to directory

You can redirect an entire old directory, including the files it contains, to a new directory via .htaccess like so:

#301 Redirect Entire Directory.
RedirectMatch 301 ^/olddirectory/(.*)$ /new-directory/$1

8. Prevent Hotlinking

Hotlink protection prevents other websites from using and linking directly to your images. Use the code snippet below to put the protection in place.

# Stop hotlinking.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} ^https?://([^/]+)/ [NC]
RewriteCond %1#%{HTTP_HOST} !^(.+)#\1$
RewriteRule \.(jpg|jpeg|png|gif|swf|svg)$ - [NC,F,L]

The code blocks hotlinked requests for files with the extensions jpg, jpeg, png, gif, swf, and svg. You can add more extensions if you like.
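How the three hotlinking conditions combine, as an added Python example that is not part of the original guide: the page's patterns are transcribed to Python's re module and run over constructed requests. The function name is_blocked and the sample hosts are assumptions made for the illustration.

```python
import re

# RewriteCond/RewriteRule patterns from the hotlinking snippet, transcribed to Python's re.
REFERER_HOST = re.compile(r"^https?://([^/]+)/", re.IGNORECASE)          # condition 2, [NC]
SAME_HOST = re.compile(r"^(.+)#\1$")                                     # condition 3, case-sensitive
PROTECTED = re.compile(r"\.(jpg|jpeg|png|gif|swf|svg)$", re.IGNORECASE)  # rule pattern, [NC]


def is_blocked(path, http_host, referer):
    """Return True when the snippet would answer 403 Forbidden (flag F)."""
    if not PROTECTED.search(path):
        return False                      # rule pattern does not match this file type
    if referer == "":
        return False                      # condition 1 (!^$) fails: no Referer, no block
    match = REFERER_HOST.search(referer)
    if match is None:
        return False                      # condition 2 fails: Referer is not an http(s) URL
    # Condition 3 joins %1 (the Referer host) and %{HTTP_HOST} with "#"; the
    # back-reference \1 only matches when both halves are identical.
    joined = f"{match.group(1)}#{http_host}"
    return SAME_HOST.search(joined) is None


# Constructed sample requests: (path, Host header, Referer header).
SAMPLES = [
    ("/img/logo.png", "example.com", "https://example.com/about.html"),
    ("/img/logo.png", "example.com", "https://other.test/gallery/"),
    ("/img/logo.PNG", "example.com", "http://other.test/gallery/"),
    ("/img/logo.png", "example.com", ""),
    ("/img/logo.png", "example.com", "https://www.example.com/about.html"),
    ("/about.html", "example.com", "https://other.test/gallery/"),
]

if __name__ == "__main__":
    for path, host, referer in SAMPLES:
        state = "403" if is_blocked(path, host, referer) else "served"
        print(f"{state:6} {path:15} host={host} referer={referer or '(none)'}")
```

The fourth and fifth samples are the ones to note: a request with no Referer is always served, and the site's own pages on www.example.com are refused when the images are requested from example.com. The rule therefore limits casual embedding and is not an access control.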

9. Set Website to Maintenance Mode

A webmaster can use .htaccess to control when a website is available to the public by switching it from live to maintenance mode with the code snippet below:

RewriteEngine on
# The remote address that keeps access during maintenance.
RewriteCond %{REMOTE_ADDR} !^56\.52\.138\.190$
# The maintenance page itself is not redirected.
RewriteCond %{REQUEST_URI} !^/maintenance/sorrypage\.html$ [NC]
# The redirect rule.
RewriteRule .* /maintenance/sorrypage.html [R=302,L]

You can change the directory and file name to whatever you like; make sure you place the “maintenance” folder in the root directory.


10. Custom Error Pages

Set a new path for the error documents returned for HTTP status codes such as 400, 401, 403, 404, 500 and 503.

# Custom error pages.
ErrorDocument 400 /mynew400path
ErrorDocument 401 /mynew401path
ErrorDocument 403 /mynew403path
ErrorDocument 404 /mynew404path
ErrorDocument 500 /mynew500path

11. Block The Public from Viewing HTACCESS File

# Prevent viewing of htaccess file.
# Apache 2.2 syntax; Apache 2.4 accepts it through mod_access_compat.
<Files .htaccess>
order allow,deny
deny from all
</Files>

12. Compress Text, HTML, Javascript, CSS, XML Files

# Compress text, html, javascript, css, xml:
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript

13. Denies POST Request using a Proxy Server

Apply this code if your website runs on the WordPress platform.

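# Denies POST requests made through a proxy server.
RewriteCond %{REQUEST_METHOD} POST
# Assumed proxy test: a Via or X-Forwarded-For header is present.
RewriteCond %{HTTP:Via}%{HTTP:X-Forwarded-For} !^$
RewriteCond %{REQUEST_URI} !^/(wp-login\.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .? - [F,NS,L]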

14. Denies Access to a Non-Existing Wp-comments-post File

# Denies POST attempts made to a non-existing wp-comments-post.php
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*/wp-comments-post\.php.*\ HTTP/ [NC]
RewriteRule .? - [F,NS,L]

15. Denies Request to Badly Formed HTTP Protocol

#Denies any badly formed HTTP PROTOCOL 
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ .+\ HTTP/(0\.9|1\.0|1\.1) [NC]
RewriteRule .? - [F,NS,L]

16. Grant Access to Specific IP and Deny Every Other IP 

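# Page shown to denied visitors (path reused from the custom error pages example).
ErrorDocument 403 /mynew403path
Order deny,allow
Deny from all
# Placeholder address from the documentation range; replace it with the IP you want to allow.
Allow from 203.0.113.10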

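17. Rewrite the URL Rules Dynamically

RewriteCond %{REQUEST_URI} !^/robots\.txt$ [NC]
RewriteCond %{HTTP_HOST} !^www\.[a-z-]+\.[a-z]{2,6} [NC]
# Anchored so that %1 is the whole host name, not a fragment of it.
RewriteCond %{HTTP_HOST} ^([a-z-]+\.[a-z]{2,6})$ [NC]
# In .htaccess the path is matched without its leading slash. The target adds www.
# (assumed intent) so that the redirected request does not match these conditions again.
RewriteRule ^(.*)$ http://www.%1/$1 [R=301,L]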

18. Limit File Upload to Prevent DoS Attack

LimitRequestBody 10240000

19. Protect PHP.CGI File

PHP.CGI (Common Gateway Interface) is an interface between a web server and an externally installed application that is responsible for any dynamically generated content.

#Protect your php.cgi file
<FilesMatch "^php5?\.(ini|cgi)$">
Order Deny,Allow
Deny from All
Allow from env=REDIRECT_STATUS
</FilesMatch>

20. Deny Spam Attack and Login Attempts

Comments are great, but when their purpose is abused by bots or spammers, you want to take the next route to defend your website from being struck with a garbage heap of unwanted comments, not leaving out unauthorized login attempts.

Use the code below to stop the attack. Replace testdomain.com in the referer condition with your own site.

RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .*/(wp-comments-post|wp-login)\.php.*
RewriteCond %{HTTP_REFERER} !.*testdomain\.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/$1 [R=301,L]

The snippet contains 6 unique lines of code. Here is what it does, line by line:

  • Line 1 – starts the rewrite engine
  • Line 2 – checks the request method, in this case POST
  • Line 3 – checks whether the POST request is made to the wp-comments-post or wp-login PHP file
  • Line 4 – checks the referer and its source, whether it is your site or an external source
  • Line 5 – checks whether the user agent is empty
  • Line 6 – sends the spam bot or related attack attempt back to the requesting address

21. Deny Spammed Attempt

#Deny comment attempt from being spammed
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*/wp-comments-post\.php.*\ HTTP/ [NC]
RewriteCond %{HTTP_REFERER} ^-?$
RewriteRule .? - [F,NS,L]
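Which requests the %{THE_REQUEST} rules in sections 14, 15 and 21 refuse, as an added Python example that is not part of the original guide: the page's patterns are transcribed to Python's re module and run over constructed request lines. The function name denied_by and the sample values are assumptions made for the illustration.

```python
import re

# Patterns copied from the page's RewriteCond lines; [NC] becomes re.IGNORECASE.
NESTED_COMMENTS = re.compile(
    r"^[A-Z]{3,9}\ /.*/wp-comments-post\.php.*\ HTTP/", re.IGNORECASE)  # sections 14 and 21
KNOWN_PROTOCOL = re.compile(
    r"^[A-Z]{3,9}\ .+\ HTTP/(0\.9|1\.0|1\.1)", re.IGNORECASE)           # section 15 (negated)
NO_REFERER = re.compile(r"^-?$")                                        # section 21


def denied_by(request_line, referer=""):
    """Return the section numbers of the rules that would answer 403 (flag F)."""
    hits = []
    nested = NESTED_COMMENTS.search(request_line) is not None
    if nested:
        hits.append(14)
    if KNOWN_PROTOCOL.search(request_line) is None:   # the condition is !pattern
        hits.append(15)
    if nested and NO_REFERER.search(referer):
        hits.append(21)
    return hits


# Constructed samples: (value of %{THE_REQUEST}, Referer header).
SAMPLES = [
    ("POST /wp-comments-post.php HTTP/1.1", "https://example.com/post/"),
    ("POST /blog/wp-comments-post.php HTTP/1.1", "https://example.com/blog/post/"),
    ("POST /x/wp-comments-post.php HTTP/1.1", ""),
    ("GET /index.php HTTP/1.1", ""),
    ("GET /index.php HTTP/2.0", ""),
    ("get /index.php http/1.1", ""),
    ("GARBAGE", ""),
]

if __name__ == "__main__":
    for line, referer in SAMPLES:
        print(f"{denied_by(line, referer)!s:10} {line!r} referer={referer!r}")
```

Three things show up in the output: a WordPress installed in a subdirectory such as /blog/ has its real comment endpoint refused by rule 14, rule 21 never fires without rule 14 firing first, and rule 15 refuses any request line whose version string is outside its three-item list. Because of [NC], the lowercase request line in the sixth sample passes rule 15.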

The subtle way to affect any file on a web server via FTP is through .htaccess. Even though it has great functionality for performing some tasks in a flash, the impact on the entire website can be overwhelming if it is not monitored during the transition. So it is pertinent to always back up your files before you make any changes. …My word
