Htaccess File
Everything you need to know about .Htaccess

 

Htaccess Introduction

The .htaccess file is a well-known subject among Internet novices and professionals alike; however, it is also the subject of many debates. This simple text file can likely do much more than you imagine. Yes, it can be used to create password-protected directories and custom error pages, but it has many more uses than these, and learning to implement it successfully can make a difference to numerous aspects of your site. For the purpose of this article we will deal with these two uses, as they are the simplest but still highly effective. Done incorrectly, it can leave your website and your server open to attack, making the uneducated use of a .htaccess file a security risk.

Naming And Storing

The naming and storage of the .htaccess file is vital. Named incorrectly, it won’t work in the way you expect, and if you store it or set it up incorrectly on your host server, others may be able to read it and access your website and your server. Created as a standard text file, it should be saved to your website directory exactly as “.htaccess” with no additions or changes made. If you have used a text editor to create your .htaccess file then you will almost certainly need to remove the file extension that the editor has added. In most cases this just means deleting the .txt from the end.

Word Wrap

When using a text editor, ensure that you disable any word wrap feature that might be included. .htaccess commands should be entered on separate lines, with each command spanning only a single line. With text wrap or word wrap features enabled, your editor will force a line break each time you reach the end of a particular line, which means the file will not do as you intended. Once completed, you must save the file as ASCII code and not binary. Where you save it on your server will depend on its uses and on how you intend to keep the file contents secure. For instance, it can be saved to the public HTML section of your server if you include htaccess commands that prevent the file from being read by a browser.

Htaccess Denied

One final note or word of warning before you begin is that some hosts and websites do not allow the use of htaccess files. This is partially because of the security compromise that can be associated with its incorrect use and partially because of the load that some htaccess commands can place on the server. If your host doesn’t allow the use of htaccess then don’t do it. If something goes wrong you could be liable.

Custom Error Pages Using Htaccess

Custom error pages are all the rage. They provide you with another way of communicating with your customers and some marketers have even found they offer value in marketing terms. While some servers give the option to create your own custom error pages, others don’t and that’s where your htaccess file comes in.

The first step is to create your own custom error page or pages and save them somewhere on your server, ensuring that you can view them in your browser. Then simply add the appropriate code to your htaccess file and save it once again.

ErrorDocument 404 /customerrors/custom404.html

Change the 404 at the beginning of the code to match the error page you have customized. Everything from the first “/” onwards is the path of your customized page and will depend on where you have saved and what you have named your file. Once done, when a browser attempts to access the appropriate error page it will first access the htaccess file and follow the redirect.

Password Protecting Your Website Directories

The other commonly attributed use of the htaccess file is for password protection. Using an htaccess command to password protect a directory on your site is actually one of the most secure and certainly one of the easiest methods to increase security for your site. We already know just how simple an htaccess file is to set up for custom error pages and password protection really isn’t that much more difficult.

In the same way that you created a file named “.htaccess” you now need to create one called “.htpasswd”. In this file you should include the username and password in the following format:

username:password

Replace username and password with the appropriate entries. The .htpasswd file should then be saved to your directory, but it should not be web accessible and should instead be placed above the public_html folder (it may be named differently on your server). This prevents the file from being read by browsers and makes it impossible for the file to be read by anyone with the capability to reverse engineer security files.

Once done, you should add an .htaccess file to the directory that you wish to be password protected. The file should contain the following:

AuthUserFile /enter/full/server/path/.htpasswd
AuthGroupFile /dev/null
AuthName MeaningfulName
AuthType Basic
Require valid-user

We’ll work through this one line at a time:

  • AuthUserFile is the full path on your server. This is not a URL and if you haven’t added scripts to your site before then you may need to ask your host for the exact path.
  • AuthGroupFile is the location that you would use if there were a list of authorized users. If you have a long list of authorized users, though, it is advised that you don’t use this method because it can take a long time.
  • AuthName is simply the name of the area where access is being controlled. This name is given to the user wishing to gain access so that they are aware of the username and password they need to use.
  • AuthType is the type of authentication being used. Because this file system is only basic authentication we need to enter basic as the AuthType on this occasion.
  • Require valid-user enables anybody listed in the htpasswd file to access this page or directory using their appropriate passwords. By entering “require user example_username” it is possible to restrict entry to only one name on that list.
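An added example, not part of the original article: a small Python check for the two storage points made above, namely what the password field of each .htpasswd entry contains and whether AuthUserFile points inside the web-served folder. Apache's htpasswd utility writes the password field as a hash (bcrypt entries begin with $2y$), so the check flags anything else. The function names, the sample entries and the /home/example paths are constructed for illustration.

```python
import posixpath

STRONG = ("$2y$", "$apr1$")  # bcrypt and salted apr1-MD5 prefixes
WEAK = ("{SHA}",)            # unsalted SHA-1 prefix

def audit_htpasswd(text):
    """Return (line_no, user, problem) for each entry needing attention."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are not entries
        user, sep, secret = line.partition(":")
        if not (sep and user and secret):
            findings.append((n, user, "malformed entry"))
        elif secret.startswith(WEAK):
            findings.append((n, user, "unsalted SHA-1 hash"))
        elif not secret.startswith(STRONG):
            findings.append((n, user, "plaintext or legacy crypt() value"))
    return findings

def auth_user_file(htaccess_text):
    """Return the AuthUserFile path (directive names are case-insensitive)."""
    for line in htaccess_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "authuserfile":
            return parts[1].strip().strip('"')
    return None

def password_file_exposed(htaccess_text, docroot):
    """True if AuthUserFile resolves to a path inside the document root."""
    path = auth_user_file(htaccess_text)
    if path is None or not path.startswith("/"):
        return False  # relative paths depend on ServerRoot; not judged here
    path, root = posixpath.normpath(path), posixpath.normpath(docroot)
    return path == root or path.startswith(root + "/")

# Constructed sample input (not real credentials or hashes).
SAMPLE_HTPASSWD = "\n".join([
    "alice:$2y$10$" + "A" * 53,               # bcrypt-shaped placeholder
    "bob:hunter2",                            # literal password
    "carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
])
SAMPLE_HTACCESS = "authUserFile /home/example/public_html/.htpasswd\nauthType Basic\n"

if __name__ == "__main__":
    print(audit_htpasswd(SAMPLE_HTPASSWD))
    print(password_file_exposed(SAMPLE_HTACCESS, "/home/example/public_html"))
```

Entries that the check reports can be rewritten with the htpasswd utility, for example `htpasswd -B /enter/full/server/path/.htpasswd username`, which prompts for the password and stores a bcrypt hash.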

Htaccess Conclusion

These two simple examples show how useful htaccess can really be. Considering the applications they are being used for, they are also an incredibly simple method of implementing custom error page redirects and of password protecting one or more directories.

Note that saving an htaccess file to a directory also has the same effect on all subdirectories of that directory. For instance, adding the password protection htaccess file (the last example) to the root directory of your website would completely prevent access by anybody who did not have the required username and password. This is highly unlikely to be the desired outcome. Instead of adding the required htaccess file to every suitable directory, though, it is possible to add it to the root directory and then override it in each directory where it is not required. In some cases this can be a simpler and less cumbersome method.

Htaccess Blocking Users ...