How to Get The Most Out of Your .htaccess File

If you’ve been a web designer for any length of time, chances are you’ve run across the mysterious “.htaccess” file at one point or another. Others may ask, what’s an “ht” and why do I need access to it? Whether you’re a beginner or a pro, though, knowing what the htaccess file does and can do for you can enhance a site’s performance, security and more.

Standing for “hypertext access,” the htaccess file is simply a configuration file sitting on the directory level of your website that lets you manage the server’s configuration. In WordPress installations, one of the file’s key jobs is simply to tell the server to recognize and run WordPress. But here’s what else this nifty little jumble of code can do for you. And beginner or pro, ALWAYS back up the file before you proceed.

1. Prohibit directory browsing

While being able to browse directories can be useful, leaving them open for everyone to browse poses some pretty big security risks. Stopping directory browsing is as simple as adding the following to your htaccess file somewhere between “# BEGIN WordPress” and “# END”:

# Apache 2.4 rejects an Options line that mixes plain keywords (All) with +/- keywords
Options -Indexes

2. Stop Hotlinking

Text pirates who copy your website’s content are bad enough for all sorts of reasons, but image hijackers are equally bad: they don’t actually steal your graphic content, but borrow it by linking to and loading images from your site. Again, it’s a practice that gives rise to a number of security concerns and uses up your bandwidth, too. Prevent it by adding the following to your htaccess file, replacing “” with your own.

# example.com is a placeholder for your own domain
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/.*$ [NC]
RewriteRule \.(gif|jpg|swf|flv|png)$ /feed/ [R=302,L]

3. Display a custom error page

There are all sorts of reasons for displaying custom error pages. While many WordPress themes let you easily set custom pages, you can also quickly do it in your htaccess file by adding one or more of the following:

ErrorDocument 404 /404.html
ErrorDocument 403 /403.html
ErrorDocument 500 /500.html

Of course, you’ll also need to create and load the custom pages as well.

4. SEO optimized 301 permanent redirects

Any time you change the URL structure of a website during a redesign or server migration, you may need to redirect old pages. Just add the following, with the old address followed by the new address, to preserve a page’s SEO rank.

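# /old-page.html and the example.com URL are placeholders for your old path and new address
Redirect 301 /old-page.html https://www.example.com/new-page.html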

5. Block unwanted visitors from referring domain

While no webmaster usually wants to block traffic to a site, there are times when it’s necessary. The following added to the htaccess file will block traffic from a specific domain.

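# baddomain.com is a placeholder; [OR] is needed so that any one matching condition blocks the request
RewriteCond %{HTTP_REFERER} baddomain\.com [NC,OR]
RewriteCond %{HTTP_REFERER} \.baddomain\.com [NC,OR]
RewriteCond %{HTTP_REFERER} baddomain\. [NC]
RewriteRule .* - [F]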

The first line checks if the referrer is, the second for subdomains, and the third for any domain extensions such as .org, .net., etc.

6. Block visitors from specified IP addresses

You can also block specific IP addresses or blocks of addresses. The following, for instance, blocks traffic from and subdomains of the IP block 012.43.4.

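# Order allow,deny is required: under the default order, "allow from all" overrides every deny
# 192.0.2.10 is a placeholder address
Order allow,deny
allow from all
deny from 192.0.2.10
deny from 012.43.4.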

7. Allow access only from certain IP addresses

Use the following to allow visitors from specific IPs or a range.

# The addresses below are placeholders, not valid IPs; substitute real ones
Order deny,allow
deny from all
allow from 128.338.488.011
allow from 496.742.011

This code denies access to everyone except users with an IP address of 123.456.789.012 or in the range
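Why the Order line decides whether the lists in sections 6 and 7 do anything, shown as an added example (not code from the original article): a small Python model of how Apache 2.2-style Order/Allow/Deny directives are evaluated. The function names are hypothetical, the addresses are constructed documentation-range values, and host-name arguments are not modelled.

```python
import ipaddress

def spec_to_network(spec):
    """Convert an Allow/Deny argument to a network: 'all', a full IPv4
    address, CIDR, or the legacy partial form such as '203.0.113.'."""
    if spec.lower() == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = [str(int(o)) for o in spec.split(".") if o]
    prefix = 8 * len(octets)                 # 3 octets given -> /24
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + str(prefix))

def access_allowed(client, allow=(), deny=(), order="deny,allow"):
    """Model of Order/Allow/Deny evaluation. 'deny,allow' is Apache's
    default when no Order line is present."""
    ip = ipaddress.ip_address(client)
    hit_allow = any(ip in spec_to_network(s) for s in allow)
    hit_deny = any(ip in spec_to_network(s) for s in deny)
    if order == "allow,deny":
        # Must match an Allow and no Deny; unmatched clients are refused.
        return hit_allow and not hit_deny
    # deny,allow: an Allow match overrides a Deny; unmatched clients pass.
    return hit_allow or not hit_deny

# Constructed sample data (RFC 5737 documentation addresses).
BLOCKED = ["198.51.100.7", "203.0.113."]
CLIENTS = ["198.51.100.7", "203.0.113.99", "192.0.2.1"]

def blocklist(order):
    """Section 6 pattern: 'allow from all' plus 'deny from ...' lines."""
    return [access_allowed(c, allow=["all"], deny=BLOCKED, order=order)
            for c in CLIENTS]

def allowlist(order):
    """Section 7 pattern: 'deny from all' plus 'allow from ...' lines."""
    return [access_allowed(c, allow=["192.0.2.1"], deny=["all"], order=order)
            for c in CLIENTS]

if __name__ == "__main__":
    for order in ("deny,allow", "allow,deny"):
        print(order, "blocklist:", blocklist(order), "allowlist:", allowlist(order))
```

With the default order the blocklist lets every client through, and with the orders swapped the allowlist refuses everyone, including the listed address.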

8. Changing a directory’s default page

Need something other than index.php or index.html to be the default page of your website? Then add this line to your htaccess file:

DirectoryIndex newpage.html

9. Specify upload limit for PHP

If you’ve ever run into issues with large files being uploaded to your site, use the htaccess file to set parameters. The first value in the following refers to the maximum file size that can be uploaded, the second the maximum size of post data, the third the maximum number of seconds a script can run before being terminated, and the last the maximum time a script can parse input data.

php_value upload_max_filesize 30M
php_value post_max_size 30M
php_value max_execution_time 400
php_value max_input_time 400

10. Force file caching

Speed up your website for repeat visits by telling visitors’ browsers that content won’t change for a set period of time. The following sets three different time spans for different types of files (all times in seconds).

# 1 year
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf)$">
Header set Cache-Control "max-age=31536000, public"
</FilesMatch>
# 2 days
<FilesMatch "\.(xml|txt)$">
Header set Cache-Control "max-age=172800, public, must-revalidate"
</FilesMatch>
# 2 hours
<FilesMatch "\.(html|htm)$">
Header set Cache-Control "max-age=7200, must-revalidate"
</FilesMatch>

Note that the must-revalidate directive forces browsers to check for changes after the initial period.

11. Add a trailing slash

Some experts say a trailing slash helps SEO while others say it doesn’t. But since it doesn’t hurt:

RewriteCond %{REQUEST_URI} /+[^\.]+$ 
RewriteRule ^(.+[^/])$ %{REQUEST_URI}/ [R=301,L]

12. Add expires headers

Like forced caching, expires headers tell browsers files won’t change for a certain time, meaning those browsers don’t have to reload them each time.

# mod_expires sends no headers unless ExpiresActive is On
ExpiresActive On
ExpiresByType text/html "access plus 2 days"
ExpiresByType image/gif "access plus 60 days"
ExpiresByType image/jpeg "access plus 60 days"
ExpiresByType image/png "access plus 60 days"
ExpiresByType application/x-javascript "access plus 60 days"
ExpiresByType application/javascript "access plus 60 days"
ExpiresByType text/css "access plus 60 days"
ExpiresByType image/x-icon "access plus 360 days"

While the default time is specified in seconds, you can also use minutes, hours, days, weeks, months and years.

13. Password protect directories

You’ll need to first create a text file called “.htpasswd” and place it above your root directory so it won’t be accessible at In this file you’ll add password information for your site with the username followed by the password:


Next create a new “.htaccess” file and upload it to the directory you want to protect with the following:

AuthUserFile /path/to/htpasswd/file/.htpasswd
AuthGroupFile /dev/null
AuthName "name of directory"
AuthType Basic
require valid-user

The first line is the full server path to your htpasswd file. If you want a specific user only to have access, you would replace the last line with:

require user username1

14. Password protect individual files

To block an individual file, you’ll need to create or add to your existing htpasswd file and create and upload an htaccess file to the directory in which the file you want to protect resides:

AuthUserFile /path/to/htpasswd/file/.htpasswd
AuthName "Name of Page"
AuthType Basic
<Files "thepage.html">
require valid-user
</Files>

15. Protect htaccess files

For an added layer of security, protect your htaccess file with the following:

<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>

A 403 error file will be displayed. The file name can be changed to whatever file you wish to protect as long as it is in the same directory as a specific htaccess file.

16. Disable display of download request

If you don’t want visitors to have the option of viewing or downloading certain file types, add the following so files automatically download:

AddType application/octet-stream .pdf
AddType application/octet-stream .zip
AddType application/octet-stream .mov

17. Compress with mod_deflate

Speed up downloads and loading times for visitors with Apache’s mod_deflate module, which compresses output by as much as 70%.

<FilesMatch "\.(js|css|jpg|gif|png|tiff|ico)$">
SetOutputFilter DEFLATE
</FilesMatch>

18. Remove category from a URL

Want to shorten a url like to just Add the following:

RewriteRule ^category/(.+)$ /$1 [R=301,L]

19. Google Text Translation

Need certain pages on your site to translate to another language? The following redirects pages ending in “.fr,” “.de,” etc., to the Google translation for that language.

Options +FollowSymlinks
RewriteBase /
RewriteRule ^(.*)-(fr|de|es|it|pt)$$2&sl=en&u=$1 [R,NC]

20. Use a different file extension

Want to change your file extensions from .php to .wow or anything else for that matter? Add:

Options +FollowSymlinks
RewriteBase /
RewriteRule ^(.+)\.zig$ /$1.php [NC,L]

21. Delete file extension

This example removes the .php file extension:

Options +FollowSymlinks
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteRule ^(.+)$ /$1.php [L,QSA]
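A syntax error anywhere in an .htaccess file makes Apache answer every request for that directory with a 500 error, which is one more reason for the backup advice at the top of this article. The following Python check is an added example (not code from the original article) that flags a few slips that are easy to make when pasting snippets like the ones above: unclosed sections, an Options line mixing signed and unsigned keywords, ExpiresByType without ExpiresActive, and Allow/Deny without an Order line. The function name and the sample text are constructed for illustration, and the directive checks look at the file as a whole rather than per section.

```python
import re

TAG = re.compile(r"^<\s*(/?)\s*([A-Za-z]+)")

def lint_htaccess(text):
    """Return sorted (line_number, message) findings for an .htaccess file."""
    findings, stack, seen = [], [], {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = TAG.match(line)
        if tag:                                   # <Files ...> or </Files>
            name = tag.group(2).lower()
            if not tag.group(1):
                stack.append((no, name))
            elif stack and stack[-1][1] == name:
                stack.pop()
            else:
                findings.append((no, f"</{name}> closes nothing"))
            continue
        words = line.split()
        directive = words[0].lower()
        seen.setdefault(directive, no)            # first line that uses it
        if directive == "options":
            signed = [w[0] in "+-" for w in words[1:]]
            if any(signed) and not all(signed):
                findings.append((no, "Options mixes +/- and plain keywords"))
    findings += [(no, f"<{name}> is never closed") for no, name in stack]
    if "expiresbytype" in seen and "expiresactive" not in seen:
        findings.append((seen["expiresbytype"],
                         "ExpiresByType without ExpiresActive On"))
    if ("allow" in seen or "deny" in seen) and "order" not in seen:
        first = min(seen.get("allow", 10**9), seen.get("deny", 10**9))
        findings.append((first, "Allow/Deny without an explicit Order line"))
    return sorted(findings)

# Constructed sample that repeats slips discussed in this article.
SAMPLE = """\
Options All -Indexes
<Files .htaccess>
Order Allow,Deny
Deny from all
ExpiresByType image/png "access plus 60 days"
"""

if __name__ == "__main__":
    for no, message in lint_htaccess(SAMPLE):
        print(f"line {no}: {message}")
```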


  1. I really need this tutorial. It is great and very good to know that there are so many things I can do with htaccess. Actually I am trying to learn more about making a subdomain using the htaccess file and I found this is also more interesting.

  2. Thanks a lot for this useful tutorial about “.htaccess”. Your code is really helpful for me.

  3. Thanks for your nice tutorial.

    I think I found a mistake

    in point 8 you wrote:

    there is a space missing

    • You are correct… Thanks for pointing that out. Article updated!

      • I think the space was between Index and newpage.html, not between Directory and Index ;)

        The correct line should be:
        DirectoryIndex newpage.html

        Also with more than one file, specifying the order in which to look for the pages:
        DirectoryIndex page1.php page2.html page3.htm

        Cheers :)

  4. Great tutorial. It was well organized, nicely sorted and easy to read. I find this tutorial quite a help for better understanding of .htaccess files. Hope to hear from you about .htaccess again.
