An .htaccess (hypertext access) file is a simple but powerful ASCII file that lets you improve your website’s security, reduce bandwidth and increase usability. It can be created with a simple text editor such as Notepad and allows you to make quick changes to the Apache web server configuration without having to restart Apache. The name ‘.htaccess’ is simply an extension with no file name, which makes it hidden on almost all web servers.
This post collects 35 .htaccess hacks you can use to optimize and speed up your site.
Change Directory Index Page
The default page of a directory is index.html or index.php. With the below code you can set the default page of your choice:
DirectoryIndex index2.html
Change Default Page
If there are multiple index files in a directory, with the below code you can set a default page.
DirectoryIndex index.php index.htm index.html
The files are tried in the order listed.
Change Script Extensions
If you have PHP code in an HTML file, this code makes the server parse the HTML file as a PHP file.
AddType application/x-httpd-php .html
Remove File Extension from URLs
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ /$1.php [L,QSA]
Disable Directory Browsing
Prevent viewing contents of a directory with the following code:
Options All -Indexes
Enable Directory Browsing
If you wish to block viewing of only some specific file types from a directory, use the following code:
Options +Indexes
IndexIgnore *.css *.js
Force Download File
When downloading something from a web site, you are prompted either to open the file or save it. With the following code you can force users to directly download files:
AddType application/octet-stream .mp3 .mpg .avi .mov .pdf .xls
Adding MIME types
If your server does not support a file type, you can add support for it using the following code:
AddType application/x-shockwave-flash swf
View a list of common MIME types.
Display scripts as plain text
If you want, you can display scripts such as PHP, ASP, etc. as plain text in the browser rather than executing them, using the RemoveHandler directive.
RemoveHandler cgi-script .php .asp .html
AddType text/plain .php .asp .html
Set Timezone of the Server
SetEnv TZ America/Los_Angeles
Set Default Email Address of Server Admin
ServerSignature EMail
SetEnv SERVER_ADMIN [email protected]
To remove the server signature, use the following code:
ServerSignature Off
Limit Simultaneous Connections
You can limit the number of simultaneous connections to your website using the below code:
MaxClients <number-of-connections>
If you place the htaccess file in a directory with the code, it will limit connections to that directory and its sub-directories only.
Limit File Upload Size
The below code limits upload file size to 10 MB.
LimitRequestBody 10240000
Permanently Redirect a Single Page
Redirect 301 /oldpage.html http://www.yoursite.com/newpage.html
Redirect 301 /page.html http://www.yoursite.com/folder/
Permanently Redirect an Entire Site
Redirect 301 / http://newsite.com/
Redirect to Maintenance Page
While you’re upgrading your site or doing some major changes, you can temporarily show your visitors a maintenance page while you still have access to the site.
RewriteEngine on
RewriteCond %{REQUEST_URI} !/maintenance.html$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123
RewriteRule $ /maintenance.html [R=302,L]
Replace “/maintenance.html” with any page you want and put your own IP address on the third line.
Deny Access to Everyone Except Specific IPs
The below code will deny access to everyone except to the IPs specified.
Order deny,allow
Deny from all
Allow from 123.124.61.67
Allow from 95.44.8.129
Deny Access to a specific IP or IP range
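# Without this line the default Order (Deny,Allow) lets "allow from all" override the deny rules
Order allow,deny
allow from all
deny from 23.124.61.67
deny from 23.124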
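How the Order directive decides whether a deny list like the one above takes effect, as an added example that is not part of the original post: a simplified Python model of Apache 2.2-style Order/Allow/Deny evaluation. The function names are hypothetical, and the model assumes only "all", full IPv4 addresses and partial prefixes such as 23.124 appear in the rules.

```python
# Added example: a simplified model of Apache 2.2-style Order/Allow/Deny.
# Handles only "all", full IPv4 addresses and partial prefixes such as "23.124".

def matches(spec, ip):
    """True if an Allow/Deny 'from' value covers the client IP."""
    spec = spec.lower().rstrip(".")
    if spec == "all":
        return True
    # Partial addresses match whole octets: 23.124 covers 23.124.x.x only.
    return ip == spec or ip.startswith(spec + ".")


def parse(config):
    """Return (order, allow_list, deny_list) from directive lines."""
    order, allow, deny = "deny,allow", [], []  # Deny,Allow is the default Order
    for line in config.strip().splitlines():
        words = line.split()
        if len(words) < 2 or words[0].startswith("#"):
            continue
        name = words[0].lower()
        if name == "order":
            order = "".join(words[1:]).lower()
        elif name in ("allow", "deny") and words[1].lower() == "from":
            (allow if name == "allow" else deny).extend(words[2:])
    return order, allow, deny


def is_allowed(config, ip):
    """Decide access for one client IP under the given directives."""
    order, allow, deny = parse(config)
    allowed = any(matches(s, ip) for s in allow)
    denied = any(matches(s, ip) for s in deny)
    if order == "allow,deny":
        return allowed and not denied  # default deny; a Deny match wins
    return allowed or not denied       # default allow; an Allow match wins


# Constructed inputs based on the snippets on this page.
NO_ORDER = "allow from all\ndeny from 23.124.61.67\ndeny from 23.124"
WITH_ORDER = "Order allow,deny\n" + NO_ORDER
ALLOW_LIST = "Order deny,allow\nDeny from all\nAllow from 123.124.61.67\nAllow from 95.44.8.129"

if __name__ == "__main__":
    for ip in ("23.124.61.67", "23.124.9.9", "23.125.1.1"):
        print(ip, is_allowed(NO_ORDER, ip), is_allowed(WITH_ORDER, ip))
```

Without an explicit Order line the deny rules never apply, because an Allow match wins under the default Deny,Allow ordering.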
Redirect Everyone Except Specified IPs
This code will redirect everyone to another domain you specify and allow access to only those whom you want.
ErrorDocument 403 http://www.domain.com
Order deny,allow
Deny from all
Allow from 123.124.61.67
Allow from 95.44.8.129
Custom Error Pages
ErrorDocument 400 /errors/badrequest.php
ErrorDocument 401 /errors/authreqd.php
ErrorDocument 403 /errors/forbid.php
ErrorDocument 404 /errors/notfound.php
ErrorDocument 500 /errors/serverr.php
Redirect WordPress Feeds to FeedBurner Feeds
# temp redirect wordpress content feeds to feedburner
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} !FeedBurner [NC]
RewriteCond %{HTTP_USER_AGENT} !FeedValidator [NC]
RewriteRule ^feed/?([_0-9a-z-]+)?/?$ http://feeds.feedburner.com/nometech [R=302,NC,L]
via Perishable Press
Block Spam Comments
Spam bots usually have no referring URL. This code blocks all commenters that do not have a referring URL and keeps your website clean:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*yourblog.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# The substitution is a plain URL; regex anchors (^ and $) are not valid here
RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]
via Perishable Press
Block Referring Domains
This code allows you to block referrals coming from a particular site.
#block referring domains
RewriteEngine on
RewriteCond %{HTTP_REFERER} bad-site.com [NC]
RewriteRule .* - [F]
Remove WWW from URL
RewriteEngine on
Options +FollowSymLinks
RewriteCond %{HTTP_HOST} ^www\.yoursite\.com$ [NC]
RewriteRule ^(.*)$ http://yoursite.com/$1 [R=301,NC]
Add WWW to URL
RewriteEngine On
Options +FollowSymLinks
RewriteCond %{HTTP_HOST} ^yoursite.com [NC]
RewriteRule ^(.*)$ http://www.yoursite.com/$1 [L,R=301]
Add Trailing Slash to URL
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !#
RewriteCond %{REQUEST_URI} !(.*)/$
RewriteRule ^(.*)$ http://yoursite.com/$1/ [L,R=301]
Disable hotlinking
This code will block hotlinking of images from your site and optionally show an alternate image on the sites that use your images.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite.com/.*$ [NC]
#RewriteRule \.(gif|jpg)$ - [F]
RewriteRule \.(gif|jpg)$ http://www.yourdomain.com/stealingisbad.gif [R,L]
Allow search engines access to your images:
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mydomain\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?google\.(.+)/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?(.*\.)?google\.(.+)/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?bing\.(.+)/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?(.*\.)?bing\.(.+)/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?yahoo\.(.+)/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?(.*\.)?yahoo\.(.+)/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|png)$ /transparent.gif [L]
Set Canonical URL
RewriteEngine On
RewriteCond %{HTTP_HOST} ^yoursite\.com$ [NC]
RewriteRule ^(.*)$ http://www.yoursite.com/$1 [R=301,L]
Block Requests From User Agents
You can block unwanted user agents that might be harmful, or simply to keep the server load as low as possible.
#Block bad bots
# Each matching User-Agent sets the bad_bot variable that the Deny line tests
SetEnvIfNoCase User-Agent ^FrontPage bad_bot
SetEnvIfNoCase User-Agent ^Java.* bad_bot
SetEnvIfNoCase User-Agent ^Microsoft.URL bad_bot
SetEnvIfNoCase User-Agent ^MSFrontPage bad_bot
SetEnvIfNoCase User-Agent ^Offline.Explorer bad_bot
SetEnvIfNoCase User-Agent ^[Ww]eb[Bb]andit bad_bot
SetEnvIfNoCase User-Agent ^Zeus bad_bot
Order Allow,Deny
Allow from all
Deny from env=bad_bot
Protect WordPress Blog From Script Injections
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
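To see which past requests the rule above would have answered with 403 before deploying it, the three conditions can be replayed over an access log. This is an added example, not part of the original post; the function names and the sample log lines are constructed for illustration.

```python
import re

# The three RewriteCond patterns from the rule above, as Python regexes.
# [NC] on the first condition maps to re.IGNORECASE; the others are case-sensitive.
CONDITIONS = [
    ("script-tag", re.compile(r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE)),
    ("GLOBALS", re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})")),
    ("_REQUEST", re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})")),
]

# Client IP and request target from a common/combined-format access log line.
LOG_LINE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')


def matched_condition(query_string):
    """Name of the first condition the raw query string satisfies, or None."""
    for name, pattern in CONDITIONS:
        if pattern.search(query_string):
            return name
    return None


def audit(log_lines):
    """List (client_ip, condition) for requests the rule would answer with 403."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target = m.groups()
        # QUERY_STRING is everything after the first "?", not URL-decoded.
        name = matched_condition(target.partition("?")[2])
        if name:
            hits.append((ip, name))
    return hits


# Constructed sample log lines (documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?s=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /?p=12 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Oct/2023:13:57:12 +0000] "GET /index.php?GLOBALS[x]=1 HTTP/1.1" 200 512',
    '198.51.100.8 - - [10/Oct/2023:13:58:40 +0000] "GET /?s=javascript+tutorial HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, name in audit(SAMPLE_LOG):
        print(ip, name)
```

Running the same audit over a real log also shows whether legitimate requests would be caught before the rule goes live.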
Use PHP compression
php_value zlib.output_compression 16386
Use Gzip Compression
The below code will compress the following file types: text, html, xml, css, js
# BEGIN GZIP
AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application/x-javascript application/javascript
# END GZIP
Set Expires
Setting “expires” tells browsers to use the cache instead of downloading the same file a second time. This will speed up page load time and reduce load on your server.
# BEGIN EXPIRES
ExpiresActive On
ExpiresDefault "access plus 10 days"
ExpiresByType text/css "access plus 1 week"
ExpiresByType text/plain "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType application/x-javascript "access plus 1 month"
ExpiresByType application/javascript "access plus 1 week"
ExpiresByType application/x-icon "access plus 1 year"
# END EXPIRES
Turn ETags Off
Header unset ETag
FileETag None
Password Protect Folder(s)
Add the below code in a .htaccess file and put it in the directory you want to protect:
AuthType Basic
# AuthName is the realm name shown in the browser's login prompt
AuthName "Name"
# Absolute path of the .htpasswd file
AuthUserFile /full/path/to/.htpasswd
Require valid-user
The .htpasswd file, which contains the username and password, should be kept in a directory which is not directly accessible by users.
SumTips:$apr1$rkx2R/..$2eclvBTamxghkjSvqs9Xd1
You can create the code for your unique username and password here.
Protect the .htaccess File
With all the configurations saved in the .htaccess file, it is necessary to protect it. This code will do it:
<files .htaccess>
order allow,deny
deny from all
</files>
11 thoughts on “35 .htaccess Hacks for Web Developers”
hmmm very interesting.
More?
Will post more tips in a later post.
Please link the new tips here, thanks!
Is it possible to detect and redirect the IP of a specific iPhone to another URL through .htaccess? I don't want to redirect all iPhones, only specific ones. Is that possible?
If you know the IP, and if it’s not a dynamic one, it can be done.
Hi, I have set up htaccess and got it working. I am now trying to forget the password when exiting? I have read some script that when you use a logout button it asks if you want to close the window, say yes and the window closes. When you reload the page it does ask for the password again. I thought GREAT, however, it does not work with Google Chrome or the iPad?
I would be grateful for any help with this.
Steve
If I understood right, you want a prompt to close window before logging out from WordPress?
Hi, thanks for replying. Basically I have an area on the site for staff. I have set up htaccess as security. It works but when you leave the site and go back it remembers the details. I have seen a script using Java where you create a logout button. This is working in Internet Explorer, but does not work in Google Chrome or the iPad. I am trying to set it up so that search engines forget the login details?
Steve
Hi, I am not an expert in htaccess, but I don’t think search engines have access to your htaccess login details, and you can easily set rules which prevent them from indexing a directory you don’t want.
Now for your question, as you have used HTTP authentication, there is usually no way to ‘logout’ except for closing the browser, as HTTP is stateless and there is no user session to log into or out of.
For a solution that works in all browsers, you can use PHP to logout. These may help:
http://www.off-topic.ca/2011/02/18/how-to-force-htaccess-deauthentication-logout-through-php/
http://www.php.net/features.http-auth
http://www.helionet.org/index/index.php?showtopic=9176
http://www.ssi-developer.net/htaccess/htaccess_logout.shtml