What is .htaccess file?


I am sure that, as a blogger, you are aware of .htaccess. The name .htaccess is an abbreviation of Hypertext Access, and the file is a server configuration file that is mostly used by Apache-based web servers. An .htaccess file generally controls the directory it lives in and the other directories underneath that directory.

In this article I’m going to talk more about the .htaccess file, which is a very important file for both the search engine optimization and the security of your website.

What is .htaccess file?

Supported by most web servers, the .htaccess file is a server configuration file that overrides the web server configuration for the directory that it is in, and all sub-directories within that directory.

.htaccess files are simple ASCII files with the extension .htaccess and no file name. Many people find the strange naming structure confusing, but the file is easy to create with any text editor.

.htaccess is a configuration file for use on web servers running the Apache Web Server software.

Whenever a request is sent to the server, it always passes through the .htaccess file. The rules defined in the file instruct the server how to handle the request.

The file remains hidden in your web server until you force your FTP client to show hidden files.

Here is an example of what you might include in a .htaccess file.

AuthName "Member's Area Name"
AuthUserFile /path/to/password/file/.htpasswd
AuthType Basic
require valid-user
ErrorDocument 401 /error_pages/401.html
AddHandler server-parsed .html

Sample .htaccess Code for WordPress

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

If you are on Windows, you can create a text file and name it .htaccess. Remember that there should not be any file name before the dot (for example, filename.htaccess). The name should be only .htaccess.

Why is it called .htaccess?

These files were first used to control user access on a per-directory basis for security reasons.

Using a subset of Apache’s httpd.conf settings directives, they allowed a system administrator to restrict access to individual directories to users with a name and password specified in an accompanying .htpasswd file.

While .htaccess files are still used for this, they are also used for a number of other things which we’ll cover in this guide.

How to use the .htaccess file?

The .htaccess file is a very powerful tool when it comes to website security and search engine optimization. Things like rewriting URLs, customized error responses, cache control, directory listing, server-side includes and blocking IPs can all be handled by configuring .htaccess files.

However, any single mistake in writing the code can cause server errors and leave your site not showing up. So you must take great care while editing the code.

How to edit .htaccess file?

As mentioned earlier, .htaccess files are text files and can be edited like any other text file. But you must take a backup of the initial file before you upload the changed one.

So, there you have it. Stay tuned for the next part of the article, where we will discuss more about the different .htaccess codes to use for your specific requirements and SEO purposes.

Why can’t I find my .htaccess file?

File names that begin with a dot ( . ) are hidden files in most file systems, which means they are not typically visible by default. But they aren’t hard to get to.

You can choose “show hidden files” through your FTP client or File Manager. This will be in different places in different programs, but is usually in “Preferences”, “Settings”, or “Folder Options”. Sometimes you’ll find it in the “View” menu too.

Error Handling

One of the simplest things you can do with .htaccess files is to specify error documents.

When a request is made to a web server, it tries to respond to that request, by delivering the requested file or accessing an application in a content management system.

If something goes wrong, for example the requested file is not found or an error is generated, the .htaccess file is used for handling the error on the server. If you don’t specify any type of error handling, the server will simply return the message to the browser, and the browser will display a generic error message to the user. This is usually not ideal.

Different types of errors have different error codes. A common one is the 404 error, which is returned if the document cannot be found on the server. You create an HTML document for each error code you want to handle. You can name these whatever you like, but it’s helpful to name them something that will help you remember what they’re for, like not-found.html or simply 404.html.

There are many other error codes that a server can respond with.

Some Common Errors

400 — Bad Request
401 — Authorization Required
402 — Payment Required (not used yet)
403 — Forbidden
404 — Not Found
405 — Method Not Allowed
406 — Not Acceptable (encoding)
407 — Proxy Authentication Required
408 — Request Timed Out
409 — Conflicting Request
410 — Gone
411 — Content Length Required
412 — Precondition Failed
413 — Request Entity Too Long
414 — Request URI Too Long
415 — Unsupported Media Type.

Server Errors

500 — Internal Server Error
501 — Not Implemented
502 — Bad Gateway
503 — Service Unavailable
504 — Gateway Timeout
505 — HTTP Version Not Supported.

Password Protection With .htaccess

The original purpose of .htaccess files was to restrict certain access to directories on a per-user basis (hence the name, hyper text access).

Usernames and passwords for the .htaccess system are stored in a file named .htpasswd.

Each entry is stored on a single line, in the form:

username:hashedpassword

for example:

jsmith:F418zSM0k6tGI

So the password stored in the file is a cryptographic hash of the password.

This means that the password has been run through a hashing algorithm, and the result is stored. When a user logs in, the plain-text password is entered and run through the same algorithm. If the result is the same as the stored value, the passwords match and the user is granted access.

Storing passwords this way makes them more secure — if someone were to gain access to your .htpasswd file, they would only see the hashed passwords, not the originals. And there is no way to reconstruct the originals from the hash — it is a one way encryption.
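How much protection the stored hash gives depends on its format. As an added example (not code from the original article), this Python script audits a .htpasswd file by recognising each entry's hash format and listing the ones Apache's documentation calls insecure; the article's own sample entry is in the 13-character crypt() format, which uses only the first eight characters of the password. The names classify and audit are hypothetical, and every sample entry except jsmith's is constructed.

```python
import base64, hashlib, re

# (pattern, scheme, acceptable?) checked in order. Verdicts follow Apache's
# password-format documentation, which calls crypt() and {SHA} insecure.
SCHEMES = [
    (re.compile(r"^\$2[aby]\$\d{2}\$"), "bcrypt", True),
    (re.compile(r"^\$apr1\$"), "apr1-md5", True),
    (re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), "sha1-unsalted", False),
    # 13 characters of the crypt alphabet: 2-char salt + 11-char DES hash.
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "des-crypt", False),
]

def classify(stored):
    """Return (scheme, acceptable) for one stored password field."""
    for pattern, scheme, ok in SCHEMES:
        if pattern.match(stored):
            return scheme, ok
    return "unknown-or-plaintext", False  # needs manual review

def audit(text):
    """Return (line_no, user, scheme) for each entry that should be re-hashed."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, rest = line.partition(":")
        if not sep:
            findings.append((n, line, "malformed"))
            continue
        scheme, ok = classify(rest.split(":", 1)[0])
        if not ok:
            findings.append((n, user, scheme))
    return findings

# Constructed sample file. Only the first entry comes from the article; the
# bcrypt and apr1 values are format placeholders, not real hashes.
SAMPLE = "\n".join([
    "jsmith:F418zSM0k6tGI",
    "alice:$2y$05$" + "x" * 53,
    "bob:{SHA}" + base64.b64encode(hashlib.sha1(b"example").digest()).decode(),
    "carol:hunter2",
    "dave:$apr1$abcdefgh$" + "y" * 22,
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Entries reported as des-crypt, sha1-unsalted or unknown-or-plaintext are the ones to regenerate in a stronger format such as bcrypt.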

IP Blacklisting and IP Whitelisting

You can use .htaccess to block users from a specific IP address (blacklisting). This is useful if you have identified individual users from specific IP addresses which have caused problems.

You can also do the reverse, blocking everyone except visitors from a specific IP address (whitelisting). This is useful if you need to restrict access to only approved users.

Blacklisting by IP

To block specific IP addresses, simply use the following directive, with the appropriate IP addresses:

order allow,deny
deny from
deny from 789.56.4.
allow from all

The first line states that the allow directives will be evaluated first, before the deny directives. This means that allow from all will be the default state, and then only those matching the deny directives will be denied.

If this was reversed to order deny,allow, then the last thing evaluated would be the allow from all directive, which would allow everybody, overriding the deny statements.

Notice the third line, which has deny from 789.56.4. — that is not a complete IP address. This will deny all IP addresses within that block (any that begin with 789.56.4).

You can include as many IP addresses as you like, one on each line, with a deny from directive.

Whitelisting by IP

The reverse of blacklisting is whitelisting — restricting everyone except those you specify.

As you may guess, the order directive has to be reversed, so that everyone is first denied, but then certain addresses are allowed.

order deny,allow
deny from all
allow from
allow from 789.56.4.
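To make the evaluation order concrete, here is an added Python example (not part of the original article) that models how Apache combines the order, allow and deny directives for the blacklist and whitelist above, and for the reversed-order mistake the text describes. The function names are hypothetical and the addresses are constructed from documentation ranges; host names are not handled.

```python
# Added example: models the Order/Allow/Deny access decision.
# All addresses are constructed (RFC 5737 documentation ranges).

def matches(spec, ip):
    """True if an 'allow from' / 'deny from' argument covers ip.
    Handles 'all', a full IPv4 address, and a partial one such as '203.0.113.'."""
    if spec.lower() == "all":
        return True
    want = spec.rstrip(".").split(".")
    # Compare whole octets so that 198.51.100.7 does not match 198.51.100.70.
    return ip.split(".")[:len(want)] == want

def evaluate(order, allow, deny, ip):
    """Return True if a request from ip is permitted."""
    allowed = any(matches(s, ip) for s in allow)
    denied = any(matches(s, ip) for s in deny)
    key = order.replace(" ", "").lower()
    if key == "allow,deny":
        # Needs an Allow match and no Deny match; no match at all is denied.
        return allowed and not denied
    if key == "deny,allow":
        # Denied only when a Deny matches and no Allow does; no match is allowed.
        return allowed or not denied
    raise ValueError("unknown order: " + order)

BLACKLIST = dict(order="allow,deny", allow=["all"],
                 deny=["198.51.100.7", "203.0.113."])
WHITELIST = dict(order="deny,allow", deny=["all"],
                 allow=["198.51.100.7", "203.0.113."])
# The mistake the text warns about: the blacklist rules under the reversed order.
REVERSED = dict(BLACKLIST, order="deny,allow")

def decide(policy, ip):
    return evaluate(policy["order"], policy["allow"], policy["deny"], ip)

if __name__ == "__main__":
    print("address        blacklist whitelist reversed")
    for ip in ("198.51.100.7", "203.0.113.99", "192.0.2.1"):
        print(ip, decide(BLACKLIST, ip), decide(WHITELIST, ip), decide(REVERSED, ip))
```

The reversed column comes out permitted for every address, which is why a blacklist written under order deny,allow blocks nobody.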

Domain names instead of IP addresses

You can also block or allow users based on a domain name. This can help block people even as they move from IP address to IP address. However, this will not work against people who can control their reverse-DNS IP address mapping.

order allow,deny
deny from example.com
allow from all

This works for subdomains, as well — in the previous example, visitors from xyz.example.com will also be blocked.

If your .htaccess file does not work, contact your hosting administrator or system admin to ensure they have enabled .htaccess within your account. Some web hosting companies do not allow use without permission.