An .htaccess (hypertext access) file is a simple but powerful ASCII file that lets you improve your website’s security, reduce bandwidth and increase usability. It can be created with a simple text editor such as Notepad, and it allows you to make quick changes to the Apache web server configuration without having to restart Apache. The name ‘.htaccess’ is simply an extension with no file name, which makes it hidden on almost all web servers.
This post lists 35 .htaccess hacks you can use to optimize and speed up your site.
Change Directory Index Page
The default page of a directory is index.html or index.php. With the below code you can set the default page of your choice:
DirectoryIndex index2.html
Change Default Page
If there are multiple index files in a directory, with the below code you can set a default page.
DirectoryIndex index.php index.htm index.html
The order is followed: the first file in the list that exists is used.
Change Script Extensions
If you have some php script in a html file, with this code the html file will be parsed as a php file.
AddType application/x-httpd-php .html
Remove File Extension from URLs
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ /$1.php [L,QSA]
Disable Directory Browsing
Prevent viewing contents of a directory with the following code:
Options -Indexes
Enable Directory Browsing
If you wish to allow directory browsing but hide some specific file types from the listing, use the following code:
Options +Indexes
IndexIgnore *.css *.js
Force Download File
When downloading something from a web site, you are prompted either to open the file or save it. With the following code you can force users to directly download files:
AddType application/octet-stream .mp3 .mpg .avi .mov .pdf .xls
Adding MIME types
If your server does not support a file type, you can add support for it using the following code:
AddType application/x-shockwave-flash swf
View a list of common MIME types.
Display scripts as plain text
If you want, you can display scripts such as PHP, ASP, etc. as plain text in the browser rather than executing them, using the RemoveHandler directive.
RemoveHandler .php .asp .html
AddType text/plain .php .asp .html
Set Timezone of the Server
SetEnv TZ America/Los_Angeles
Set Default Email Address of Server Admin
ServerSignature EMail
SetEnv SERVER_ADMIN mail@your-site.com
To remove the server signature, use the following code:
ServerSignature Off
Limit Simultaneous Connections
You can limit the number of simultaneous connections to your website using the below code:
MaxClients <number-of-connections>
If you place the htaccess file in a directory with the code, it will limit connections to that directory and its sub-directories only.
Limit File Upload Size
The below code limits upload file size to 10 MB.
LimitRequestBody 10240000
Permanently Redirect a Single Page
Redirect 301 /oldpage.html http://www.yoursite.com/newpage.html
Redirect 301 /page.html http://www.yoursite.com/folder/
Permanently Redirect an Entire Site
Redirect 301 / http://newsite.com/
Redirect to Maintenance Page
While you’re upgrading your site or doing some major changes, you can temporarily show your visitors a maintenance page while you still have access to the site.
RewriteEngine on
RewriteCond %{REQUEST_URI} !/maintenance.html$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123
RewriteRule $ /maintenance.html [R=302,L]
Replace “/maintenance.html” with any page you want and put your own IP address on the third line.
Deny Access to Everyone Except Specific IPs
The below code will deny access to everyone except to the IPs specified.
Order deny,allow
Deny from all
Allow from 123.124.61.67
Allow from 95.44.8.129
Deny Access to a specific IP or IP range
Order allow,deny
Allow from all
Deny from 23.124.61.67
Deny from 23.124
Redirect Everyone Except Specified IPs
This code will redirect everyone to another domain you specify and allow access to only those whom you want.
ErrorDocument 403 http://www.domain.com
Order deny,allow
Deny from all
Allow from 123.124.61.67
Allow from 95.44.8.129
Custom Error Pages
ErrorDocument 400 /errors/badrequest.php
ErrorDocument 401 /errors/authreqd.php
ErrorDocument 403 /errors/forbid.php
ErrorDocument 404 /errors/notfound.php
ErrorDocument 500 /errors/serverr.php
Redirect WordPress Feeds to FeedBurner Feeds
# temp redirect wordpress content feeds to feedburner
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} !FeedBurner [NC]
RewriteCond %{HTTP_USER_AGENT} !FeedValidator [NC]
RewriteRule ^feed/?([_0-9a-z-]+)?/?$ http://feeds.feedburner.com/nometech [R=302,NC,L]
via Perishable Press
Block Spam Comments
Spam bots usually have no referring URL. This code will block all commenters that don’t have a referring URL and keep your website clean:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*yourblog.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]
via Perishable Press
Block Referring Domains
This code allows you to block referrals coming from a particular site.
#block referring domains
RewriteEngine on
RewriteCond %{HTTP_REFERER} bad-site.com [NC]
RewriteRule .* - [F]
Remove WWW from URL
RewriteEngine on
Options +FollowSymLinks
RewriteCond %{HTTP_HOST} ^www\.yoursite\.com$ [NC]
RewriteRule ^(.*)$ http://yoursite.com/$1 [R=301,NC]
Add WWW to URL
RewriteEngine On
Options +FollowSymLinks
RewriteCond %{HTTP_HOST} ^yoursite.com [NC]
RewriteRule ^(.*)$ http://www.yoursite.com/$1 [L,R=301]
Add Trailing Slash to URL
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !#
RewriteCond %{REQUEST_URI} !(.*)/$
RewriteRule ^(.*)$ http://yoursite.com/$1/ [L,R=301]
Disable hotlinking
This code will block hotlinking of images from your site and optionally show an alternate image on those sites using your images:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite.com/.*$ [NC]
#RewriteRule \.(gif|jpg)$ - [F]
RewriteRule \.(gif|jpg)$ http://www.yourdomain.com/stealingisbad.gif [R,L]
Allow search engines access to your images:
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mydomain\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?google\.(.+)/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?(.*\.)?google\.(.+)/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?bing\.(.+)/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?(.*\.)?bing\.(.+)/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?yahoo\.(.+)/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?(.*\.)?yahoo\.(.+)/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|png)$ /transparent.gif [L]
Set Canonical URL
RewriteEngine On
RewriteCond %{HTTP_HOST} ^yoursite\.com$ [NC]
RewriteRule ^(.*)$ http://www.yoursite.com/$1 [R=301,L]
Block Requests From User Agents
It’s possible to block unwanted user agents that might be harmful, or simply to keep the server load as low as possible.
#Block bad bots
# Each matching User-Agent sets the bad_bot variable, which the Deny rule below checks
SetEnvIfNoCase User-Agent ^FrontPage bad_bot
SetEnvIfNoCase User-Agent ^Java.* bad_bot
SetEnvIfNoCase User-Agent ^Microsoft.URL bad_bot
SetEnvIfNoCase User-Agent ^MSFrontPage bad_bot
SetEnvIfNoCase User-Agent ^Offline.Explorer bad_bot
SetEnvIfNoCase User-Agent ^[Ww]eb[Bb]andit bad_bot
SetEnvIfNoCase User-Agent ^Zeus bad_bot
Order Allow,Deny
Allow from all
Deny from env=bad_bot
Protect WordPress Blog From Script Injections
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
Use PHP compression
php_value zlib.output_compression 16386
Use Gzip Compression
The below code will compress the following file types: text, html, xml, css, js
# BEGIN GZIP
AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application/x-javascript application/javascript
# END GZIP
Set Expires
Setting “expires” tells browsers to use the cache instead of downloading the same file a second time. This will speed up page load time and reduce load on your server.
# BEGIN EXPIRES
ExpiresActive On
ExpiresDefault "access plus 10 days"
ExpiresByType text/css "access plus 1 week"
ExpiresByType text/plain "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType application/x-javascript "access plus 1 month"
ExpiresByType application/javascript "access plus 1 week"
ExpiresByType application/x-icon "access plus 1 year"
# END EXPIRES
Turn ETags Off
Header unset ETag
FileETag None
Password Protect Folder(s)
Add the below code in a .htaccess file and put it in the directory you want to protect:
AuthType Basic
# Name shown in the login prompt for the directory you wish to protect
AuthName "Name"
# Absolute path of the .htpasswd file
AuthUserFile /full/path/to/.htpasswd
Require valid-user
The .htpasswd file, which contains the username and password, should be kept in a directory which is not directly accessible by users.
SumTips:$apr1$rkx2R/..$2eclvBTamxghkjSvqs9Xd1
You can create the code for your unique username and password here.
Protect the .htaccess File
With all the configurations saved in the .htaccess file, it is necessary to protect it. This code will do it:
<files .htaccess>
order allow,deny
deny from all
</files>
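The Order, Allow and Deny directives used in the IP access rules and in the .htaccess protection above are Apache 2.2 syntax; Apache 2.4 keeps them only through the deprecated mod_access_compat module and replaces them with Require. The block below is an added example, not part of the original post, that gives both forms guarded by IfModule. The IP addresses are the post's own placeholders, and widening the file rule to every name beginning with .ht (so that it also covers .htpasswd) is an assumption.

```apache
# Added example, not from the original post.
# Rule sets 1 and 2 are alternatives: use one or the other in a given directory.

# 1. Deny access to everyone except specific IPs
<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    Require ip 123.124.61.67 95.44.8.129
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order deny,allow
    Deny from all
    Allow from 123.124.61.67
    Allow from 95.44.8.129
</IfModule>

# 2. Deny a specific IP or IP range, allow everyone else
<IfModule mod_authz_core.c>
    # RequireAll: every condition inside must hold for the request to pass
    <RequireAll>
        Require all granted
        Require not ip 23.124.61.67
        Require not ip 23.124
    </RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
    Deny from 23.124.61.67
    Deny from 23.124
</IfModule>

# 3. Protect .htaccess and .htpasswd (assumption: any file name starting with .ht)
<FilesMatch "^\.ht">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

Mixing Require with Order/Allow/Deny in the same directory on 2.4 gives results that are hard to reason about, which is why each rule set picks exactly one form per server version.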