Everything you need to know about .Htaccess
The .htaccess file is a well-known subject among Internet novices and professionals alike; however, it is also the subject of many debates. This simple text file can probably do much more than you imagine. Yes, it can be used to create password-protected directories, and it can also be used to create custom error pages. It has many more uses than these, and learning to implement it correctly can make a difference to numerous aspects of your site. For the purpose of this article we will deal with these two uses, as they are the simplest but still highly effective. Done incorrectly, it can leave your website and your server open to attack, making the uneducated use of a .htaccess file a security risk.
The naming and storage of the .htaccess file is vital. Named incorrectly, it certainly won’t work in the way you expected. Stored or set up incorrectly on your host server, it may be possible for others to read it and gain access to your website and your server. Created as a standard text file, it should be saved to your website directory exactly as “.htaccess” with no additions or changes made. If you have used a text editor to create your .htaccess file then you will almost certainly need to remove the file extension that the editor has added. In most cases this just means deleting the .txt from the end.
When using a text editor, ensure that you disable any word wrap feature that might be included. .htaccess commands should be entered on separate lines, with each command spanning only a single line. With text wrap or word wrap enabled, your editor will force a line break each time you reach the end of a line, and the file will not do as you intended. Once completed, you must save the file as ASCII text and not binary. Where you save it on your server will depend on its uses and on how you intend to keep the file contents secure. For instance, it can be saved to the public HTML section of your server if you include htaccess commands that prevent the file from being read by a browser.
One final note, or word of warning, before you begin: some hosts and websites do not allow the use of htaccess files. This is partially because of the security compromises that can be associated with its incorrect use and partially because of the load that some htaccess commands can place on the server. If your host doesn’t allow the use of htaccess then don’t do it. If something goes wrong you could be liable.
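Two server-side settings back up the advice above about keeping the file unreadable and about hosts that disallow htaccess. They are shown here as an added example, not configuration from the original article: the `<Files>` block is the pattern the stock Apache httpd.conf uses to refuse to serve any file whose name starts with `.ht`, and `AllowOverride` is the directive a host uses to permit or forbid .htaccess processing for a directory. The directory path is an assumption.

```apache
# --- httpd.conf (or a virtual host) on the server side ---

# Refuse to serve .htaccess and .htpasswd over HTTP, wherever they sit
# under the document root. Apache 2.4 syntax; the stock httpd.conf ships
# an equivalent block, so check that your host has not removed it.
<Files ".ht*">
    Require all denied
</Files>

# Apache 2.2 equivalent of the block above:
# <Files ".ht*">
#     Order allow,deny
#     Deny from all
# </Files>

# The host decides whether .htaccess files are honoured at all.
# "None" disables them (and saves Apache a per-request directory walk);
# "AuthConfig FileInfo" is enough for the two uses in this article
# (password protection and custom error pages) without allowing everything.
<Directory "/var/www/example.com/public_html">
    AllowOverride AuthConfig FileInfo
</Directory>
```

A quick check that the deny rule is in force is to request `/.htaccess` on your own site in a browser and confirm you get a 403 rather than the file contents. Note that with `AllowOverride None` Apache never reads the .htaccess file, so its directives are ignored silently rather than producing an error.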
Pages Using Htaccess
Custom error pages are all the rage. They provide you
with another way of communicating with your customers
and some marketers have even found they offer value in
marketing terms. While some servers give the option to
create your own custom error pages, others don’t and
that’s where your htaccess file comes in.
The first step is to create your own custom error page or pages and then save them somewhere on your server, ensuring that you can view them in your browser. Then simply add the appropriate code to your htaccess file and save it once again.
Change the 404 at the beginning of the code to match the error you have customized a page for. Everything from the first “/” onwards is the path of your customized page and will depend on where you have saved your file and what you have named it. Once done, when a browser triggers that error, the server will consult the htaccess file and follow the redirect to your page.
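The directive that does this in Apache is `ErrorDocument`. The snippet below is an added example, not code from the original article; it assumes the custom pages were saved in a directory called `/errors/` under the document root.

```apache
# .htaccess in the site root.
# Syntax: ErrorDocument <status> <target>
# The target is a URL path under the document root, not a filesystem path.
ErrorDocument 404 /errors/404.html
ErrorDocument 403 /errors/403.html
ErrorDocument 500 /errors/500.html

# A target given as a full URL makes Apache answer with a 302 redirect
# instead of the real status, so browsers, search engines and your own
# monitoring see "302" rather than "404". Prefer local paths as above.
# ErrorDocument 404 https://example.com/errors/404.html
```

Keep the error pages themselves static and readable by everyone; if the page Apache is told to serve cannot itself be served, it falls back to its built-in error message.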
Protecting Your Website Directories
The other commonly attributed use of the htaccess file
is for password protection. Using an htaccess command to
password protect a directory on your site is actually
one of the most secure and certainly one of the easiest
methods to increase security for your site. We already
know just how simple an htaccess file is to set up for
custom error pages and password protection really isn’t
that much more difficult.
In the same way that you created a file named
“.htaccess” you now need to create one called “.htpasswd”.
In this file you should include the username and
password in the following format:
Obviously, replace username and password with the appropriate entries. The .htpasswd file should then be saved to your server; however, it should not be web accessible and should instead be placed above the public_html folder (it may be named differently on your server). This prevents the file from being read by browsers and makes it impossible for the file to be read by anyone with the capability to reverse engineer
Once done, you should add an .htaccess file to the
directory that you wish to be password protected. The
file should contain the following:
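The two files, as an added example rather than the article’s own listing. The file paths, the realm name and the account name are assumptions; the `.htpasswd` line format and the `htpasswd` tool are Apache’s own.

```apache
# .htpasswd -- kept OUTSIDE the web root, e.g. /home/example/.htpasswd
# (path is an assumption). One user per line, "username:hashed-password".
# Never store the password in clear text; generate the line with Apache's
# own tool, which prompts for the password and bcrypt-hashes it (-B):
#     htpasswd -c -B /home/example/.htpasswd example_username
# Drop -c when adding further users, or it recreates the file.
# The resulting line looks like this (hash shortened to a placeholder):
#     example_username:$2y$05$...

# .htaccess -- placed in the directory to protect
AuthType Basic
AuthName "Members Area"
AuthUserFile /home/example/.htpasswd
AuthGroupFile /dev/null
Require valid-user
# To admit a single account instead of everyone in .htpasswd:
# Require user example_username
```

Basic authentication sends the username and password base64-encoded, not encrypted, with every request, so a protected directory should only be reachable over HTTPS. If the path to the password file contains spaces, put it in double quotes.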
We’ll work through this one line at a time:
AuthUserFile is the full path on your
server. This is not a URL and if you haven’t added
scripts to your site before then you may need to ask
your host for the exact path.
AuthGroupFile is the location of a group file, which you would use if there were a list of authorized users. If you have a long list of authorized users, though, it is advised that you don’t use this method because it can take a long time.
AuthName is simply the name of the area
where access is being controlled. This name is given
to the user wishing to gain access so that they are
aware of the username and password they need to use.
AuthType is the type of authentication being used. Because this setup uses only basic authentication, we need to enter Basic as the AuthType on this occasion.
Require valid-user enables anybody listed in the htpasswd file to access this page or directory using their own password. By entering “require user example_username” it is possible to restrict entry to only one name on that
These two simple examples of an htaccess file show how useful htaccess can really be. Considering the applications they are being used for, they are also an incredibly simple method of implementing custom error page redirects and of password protecting a single or
Note that saving an htaccess file to a directory also has the same effect on all subdirectories of that directory. For instance, adding the password-protect htaccess file (the last example) to the root directory of your website would completely prevent access to anybody who did not have the required username and password. This is highly unlikely to be the desired outcome. Instead of adding the required htaccess file to every suitable directory, though, it is possible to add it to the root directory and then override it in each directory where it is not required. In some cases this can be a simpler and less cumbersome method.
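The override described above, as an added example (not from the original article): the site root is password protected, and the `/errors/` subdirectory is re-opened so the custom error pages can still be served to visitors who have not logged in. Paths, realm name and the choice of subdirectory are assumptions.

```apache
# /public_html/.htaccess -- protects the whole site and everything below it
AuthType Basic
AuthName "Staging site"
AuthUserFile /home/example/.htpasswd
Require valid-user

# /public_html/errors/.htaccess -- re-opens just this subdirectory.
# Apache 2.4: a Require in the subdirectory replaces the inherited one,
# and "all granted" needs no login, so no password prompt appears here.
Require all granted

# Apache 2.2 equivalent for the subdirectory:
# Order allow,deny
# Allow from all
# Satisfy Any
```

Because inheritance flows downward, put the protecting file as high as the protection should reach and no higher; each re-opened subdirectory is one more place an outsider can read, so keep that list short and review it when directories are added.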