35 .htaccess Hacks for Web Developers

Print View Mobile View

A htaccess (hypertext access) file is a simple but powerful ASCII file which allows you to improve your website’s security, reduce bandwidth and increase usability. It can be created through a simple text editor such as Notepad and allow you to make quick changes to the apache web server configuration without having to restart apache. The ‘.htaccess’ itself is simply an extension with no file name. This makes it hidden on almost all web servers.

In this post there are 35 .htaccess hacks, you can use to optimize and speed up your site.

Change Directory Index Page
The default page of a directory is index.html or index.php. With the below code you can set the default page of your choice:

DirectoryIndex index2.html

Change Default Page
If there are multiple index files in a directory, with the below code you can set a default page.

DirectoryIndex index.php index.htm index.html

Order is followed.

Change Script Extensions
If you have some php script in a html file, with this code the html file will be parsed as a php file.

AddType application/x-httpd-php .html

Remove File Extention from URLs

RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ /$1.php [L,QSA]

Disable Directory Browsing
Prevent viewing contents of a directory with the following code:

Options All -Indexes

Enable Directory Browsing
If you wish to block viewing of only some specific file types from a directory, use the following code:

Options +Indexes
IndexIgnore *.css *.js

Force Download File
When downloading something from a web site, you are prompted either to open the file or save it. With the following code you can force users to directly download files:

AddType application/octet-stream .mp3 .mpg .avi .mov .pdf .xls

Adding MIME types
If your server does not support a file type, you can add support for it using the following code:

AddType application/x-shockwave-flash swf

View a list of common MIME types.

Display scripts as plain text
If you want, you can display scripts such as PHP, ASP, etc. as plain text in the browser rather than executing them using the Remove Handler function.

RemoveHandler cgi-script .php .asp .html
AddType text/plain .php .asp .html

Set Timezone of the Server

SetEnv TZ America/Los_Angeles

Set Default Email Address of Server Admin

ServerSignature EMail
SetEnv SERVER_ADMIN [email protected]

To remove the server signature, use the following code:

ServerSignature Off

Limit Simultaneous Connections
You can limit the number of simultaneous connections to your website using the below code:

MaxClients < number-of-connections>

If you place the htaccess file in a directory with the code, it will limit connections to that directory and its sub-directories only.

Limit File Upload Size
The below code limits upload file size to 10 MB.

LimitRequestBody 10240000

Permanently Redirect a Single Page

Redirect 301 /oldpage.html http://www.yoursite.com/newpage.html
Redirect 301 /page.html http://www.yoursite.com/folder/

Permanently Redirect an Entire Site

Redirect 301 /http://newsite.com/

Redirect to Maintenance Page
While you’re upgrading your site or doing some major changes, you can temporarily show your visitors a maintenance page while you still have access to the site.

RewriteEngine on
RewriteCond %{REQUEST_URI} !/maintenance.html$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123
RewriteRule $ /maintenance.html [R=302,L]

Replace “/maintenance.html” with any page you want and put your own IP address on third line.

Deny Access to Everyone Except Specific IPs
The below code will deny access to everyone except to the IPs specified.

Order deny,allow
Deny from all
Allow from
Allow from

Deny Access to a specific IP or IP range

allow from all
deny from
deny from 23.124

Redirect Everyone Except Specified IPs
This code will redirect everyone to another domain you specify and allow access to only those whom you want.

ErrorDocument 403 http://www.domain.com
Order deny,allow
Deny from all
Allow from
Allow from

Custom Error Pages

ErrorDocument 400 /errors/badrequest.php
ErrorDocument 401 /errors/authreqd.php
ErrorDocument 403 /errors/forbid.php
ErrorDocument 404 /errors/notfound.php
ErrorDocument 500 /errors/serverr.php

Redirect WordPress Feeds to FeedBurner Feeds

# temp redirect wordpress content feeds to feedburner
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} !FeedBurner    [NC]
RewriteCond %{HTTP_USER_AGENT} !FeedValidator [NC]
RewriteRule ^feed/?([_0-9a-z-]+)?/?$ http://feeds.feedburner.com/nometech [R=302,NC,L]

via Perishable Press

Block Spam Comments
Spam bots usually have no referring URL, this code will block all those commenter which doesn’t have a referring URL and keep your website clean:

RewriteEngine On
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*yourblog.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]

via Perishable Press

Block Referring Domains
This code allows you to block referrals coming from a particular site.

#block referring domains
RewriteEngine on
RewriteCond %{HTTP_REFERER} bad-site.com [NC]
RewriteRule .* – [F]

Remove WWW from URL

RewriteEngine on
Options +FollowSymLinks
RewriteCond %{HTTP_HOST} ^www\.yoursite\.com$ [NC]
RewriteRule ^(.*)$ http://yoursite.com/$1 R=301,NC]

Add WWW to URL

RewriteEngine On
Options +FollowSymLinks
RewriteCond %{HTTP_HOST} ^yoursite.com [NC]
RewriteRule ^(.*)$ http://www.yoursite.com/$1 [L,R=301]

Add Trailing Slash to URL

RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !#
RewriteCond %{REQUEST_URI} !(.*)/$
RewriteRule ^(.*)$ http://yoursite.com/$1/ [L,R=301]

Disable hotlinking
This code will block hotlinking of images from your site and optionally show an alternate image on those sites using your images

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite.com/.*$ [NC]
#RewriteRule \.(gif|jpg)$ - [F]
RewriteRule \.(gif|jpg)$ http://www.yourdomain.com/stealingisbad.gif [R,L]

Allow search engines access to your images:

RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mydomain\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?google\.(.+)/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?(.*\.)?google\.(.+)/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?bing\.(.+)/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?(.*\.)?bing\.(.+)/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?yahoo\.(.+)/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?(.*\.)?yahoo\.(.+)/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|png)$ /transparent.gif [L]

Set Canonical URL

RewriteEngine On
RewriteCond %{HTTP_HOST} ^yoursite\.com$ [NC]
RewriteRule ^(.*)$ http://www.yoursite.com/$1 [R=301,L]

Block Requests From User Agents
It’s possible to block all unwanted user agents that might be potentially harmful or perhaps just to keep the server load as low as possible.

#Block bad bots
SetEnvIfNoCase user-Agent ^FrontPage [NC,OR]
SetEnvIfNoCase user-Agent ^Java.* [NC,OR]
SetEnvIfNoCase user-Agent ^Microsoft.URL [NC,OR]
SetEnvIfNoCase user-Agent ^MSFrontPage [NC,OR]
SetEnvIfNoCase user-Agent ^Offline.Explorer [NC,OR]
SetEnvIfNoCase user-Agent ^[Ww]eb[Bb]andit [NC,OR]
SetEnvIfNoCase user-Agent ^Zeus [NC]
Order Allow,Deny
Allow from all
Deny from env=bad_bot


Protect WordPress Blog From Script Injections

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

Use PHP compression

php_value zlib.output_compression 16386

Use Gzip Compression
The below code will compress the follwing file types: text, html, xml, css, js

AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application/x-javascript application/javascript

Set Expires
Setting “expires” tells browsers to use the cache instead of downloading the same file a second time. This will speed up page load time and reduce load on your server.

ExpiresActive On
ExpiresDefault "access plus 10 days"
ExpiresByType text/css "access plus 1 week"
ExpiresByType text/plain "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType application/x-javascript "access plus 1 month"
ExpiresByType application/javascript "access plus 1 week"
ExpiresByType application/x-icon "access plus 1 year"

Turn ETags Off

Header unset ETag
FileETag None

Password Protect Folder(s)
Add the below code in a .htaccess file and put it in the directory you want to protect:

AuthType Basic
AuthName "Name" //it’s the directory name you wish to protect
AuthUserFile /full/path/to/.htpasswd // absolute path of the .htpasswd file
Require valid-user

The .htpasswd file, which contains the username and password, should be kept in a directory which is not directly accessible by users.


You can create the code for your unique username and password here.

Protect the .htaccess File
With all the configurations saved in the .htaccess file, it is necessary to protect it. This code will do it:

<files .htaccess>
order allow,deny
deny from all

11 thoughts on “35 .htaccess Hacks for Web Developers”

Comments are closed.