The htaccess file: The Ultimate Guide

When exploring the file manager in your cPanel or hosting account, you might have come across a file labeled .htaccess. This file is instrumental in managing many configuration parameters for Apache Web Servers, which is server software widely employed across various operating systems.

The .htaccess file, while its syntax might initially seem puzzling, is endowed with remarkable capabilities. Among its functions are URL redirection, password protection, and limiting access under specific conditions. This guide aims to help you understand how to set up an .htaccess file and utilize some of its most common applications.


Initial Notes and Setup

The .htaccess file, often referred to as a “dot file” because it begins with a period, is usually a configuration file. This is not to be confused with httaccess, which is a common misspelling. Dot files, which can be associated with an operating system or a specific piece of software, are typically hidden by the operating system in system file managers or finder windows. To reveal these hidden files, you might need to adjust your operating system’s preferences to display hidden files, or use the ‘ls -a’ command in the command line to list all files.

You can have numerous .htaccess files on a server, each with its unique htaccess codes, and each file operates recursively. In simpler terms, each .htaccess file influences the directory it’s housed in, as well as all of its files and subdirectories.

When uploading your .htaccess file to a server using FTP, it’s crucial to transfer it in ASCII mode. While most FTP clients default to transferring data in BINARY mode, this mode doesn’t support dot files effectively. Your FTP client should provide an option to adjust the transfer mode.

Once your .htaccess file has been uploaded to the server, ensure that it’s functioning as expected. If it appears that your modifications have not taken effect, this could be due to incorrect file permissions. The file permissions for the .htaccess file should be set to 755. You can modify these permissions in your FTP client under the “File Permissions” option, or you can use the command ‘chmod 755 .htaccess’ in the terminal.

In conclusion, the .htaccess definition encompasses a powerful configuration file that is integral to the operation of your website. It’s important to understand its functions and handle it with care to optimize its effectiveness and avoid potential issues.

Server Configuration Files

Utilizing the .htaccess file, a critical component of server configuration files, enables you to set up personalized error pages. This capacity can significantly enhance your site’s user experience, especially when visitors encounter error messages. It’s not uncommon for users to be taken aback by error notifications such as “404 File Not Found,” “401 Unauthorized Access,” or “500 Internal Server Error.” Providing a means for users to return to their intended destination can be invaluable.

You can tailor-make HTML pages for each typical error type. These custom pages should be stored in a directory named ‘error_pages’ in your root directory for easy access. Each error page should be labeled solely by its error code (such as 401, 404, etc.) followed by the .html extension.

Incorporating these personalized error pages into your website involves adding the relevant code to your .htaccess file. This is a critical demonstration of the .htaccess file’s role as a distributed server configuration file, enabling configurations that enhance the user experience and overall website functionality.


Page Redirection

Another common use of .htaccess is for page redirects. You can redirect from any relative path within your site directory, either to an absolute path on your site or to somewhere else entirely on the Internet. The basic syntax to use in your .htaccess file is:

Redirect /directory_to_redirect_from/ https://mysite.com/new_directory/index.html

Always give the source directory as a relative path and the directory to redirect to as an absolute path.


htaccess file: Adding password protection

Implementing password protection on your website, whether for the whole site or just for particular directories, is a task that the .htaccess file handles effectively. A password-protected website or directory demands a username and password for access. When a user lands on a password-protected page, a login pop-up appears in the browser. The passwords themselves are not kept in .htaccess; Apache reads them, in encrypted form, from a separate .htpasswd file.

To add password protection to a specific directory, create a new .htaccess file within that directory, highlighting the role of the .htaccess file in restricting access to a folder. If you’re looking to password protect your entire website, place the .htaccess file in the root directory. It’s important to remember that the .htaccess file applies password protection recursively to all files and subdirectories contained in the main directory.

Below is the basic syntax for implementing password protection:

AuthName "Authorized Access Only"
AuthUserFile /htpassword-filepath/.htpasswd
AuthType Basic
require valid-user

The directive “AuthName ‘Authorized Access Only'” sets the name of the protected directory, which appears in the login pop-up.

The “AuthUserFile /htpassword-filepath/.htpasswd” command informs the Apache server of the location of the .htpasswd file. Replace “/htpassword-filepath/.htpasswd” with the actual file path of your .htpasswd on your server.

The “AuthType Basic” directive signals the use of Basic HTTP authentication, which is the most prevalent type and adequate for most purposes.

Lastly, “require valid-user” stipulates that a valid username and password are needed to access the directory. If access is to be limited to a specific user, replace this with “require user name”, substituting ‘name’ with the specific username. This is particularly useful for admin sections of a website that should only be accessed by specific individuals.



You can place .htpasswd in any directory on most servers, so long as you give the absolute path to the file in .htaccess. A relative path or a URL will not locate the file. In some instances, however, .htpasswd will need to be in the same directory as .htaccess. You can also name .htpasswd something else, although .htpasswd is a naming convention that Apache will automatically understand.

To add a password to .htpasswd, use the following syntax:


You can have multiple usernames and passwords saved in a single .htpasswd file, each on their own line. Each username and password pair should be on the same line with no spaces, separated only with a colon.

Linux servers require that you use a password encryption service to encrypt the password. There are many such applications and websites that can do this for free. One option worth mentioning is ionix’s DirectoryPass.
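The one-pair-per-line .htpasswd format described above can be checked before it goes live. The following is an added example, not code from the original article: it reads .htpasswd content and reports which password scheme each entry uses, so entries stored as plain text or with an outdated scheme stand out. The sample file and the MIN_BCRYPT_COST floor are assumptions made for the illustration.

```python
import re

# Constructed sample .htpasswd content: the hash fields are filler strings with
# the right shape for each scheme, not real credentials.
SAMPLE = "\n".join([
    "alice:$2y$10$" + "A" * 53,            # bcrypt, cost 10
    "bob:$2y$04$" + "B" * 53,              # bcrypt, cost below the floor
    "carol:$apr1$saltsalt$" + "C" * 22,    # Apache-specific MD5
    "dave:{SHA}" + "D" * 27 + "=",         # unsalted SHA-1
    "erin:" + "E" * 13,                    # traditional 13-character crypt()
    "frank:hunter2",                       # password stored as typed
    "no colon on this line",
])

MIN_BCRYPT_COST = 10  # assumption: local policy floor, not an Apache default
SCHEMES = [  # (pattern for the hash field, scheme name, default verdict)
    (re.compile(r"^\$2[aby]\$(\d\d)\$[./A-Za-z0-9]{53}$"), "bcrypt", "ok"),
    (re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"), "apr1-md5", "weak"),
    (re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), "sha1-unsalted", "weak"),
    (re.compile(r"^[./A-Za-z0-9]{13}$"), "crypt-des", "weak"),
]

def classify(hash_field):
    """Return (scheme, verdict) for the part of the line after the colon."""
    for pattern, name, verdict in SCHEMES:
        m = pattern.match(hash_field)
        if m:
            if name == "bcrypt" and int(m.group(1)) < MIN_BCRYPT_COST:
                return name, "weak"
            return name, verdict
    return "plaintext-or-unknown", "weak"

def audit_htpasswd(text):
    """Return one (line number, user, scheme, verdict) tuple per entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        if not sep or not user or not hash_field:
            findings.append((lineno, None, "malformed", "error"))
            continue
        findings.append((lineno, user, *classify(hash_field)))
    return findings

if __name__ == "__main__":
    for finding in audit_htpasswd(SAMPLE):
        print(*finding)
```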

Keep in mind that .htaccess does not allow for logout functionality. Once the correct login credentials have been input they get saved in the web browser’s cache until you quit the browser. Re-opening the page after quitting the browser will require that you enter the credentials again.

Denying access by IP address

One useful tool offered by .htaccess is the ability to block visitors based on their IP address. In this way, you can block certain visitors altogether. Alternatively, you can block them from certain sections of the site only, by adding an .htaccess file to a specific directory.

In order to block visitors based on their IP address, use the following syntax:

order allow,deny
deny from 345.4.5.0
deny from 754.53.8.
allow from all

The code in the example instructs Apache to deny access from the IP addresses 345.4.5.0 and 754.53.8. In the third line, the IP address 754.53.8 does not include a fourth group of digits, so any IP address that matches the first three would get blocked. This means that 754.53.8.2, 754.53.8.4, etc. would all get denied access to the site.

If you only want to allow access from specific IP addresses, rather than blocking, the syntax is very similar. You can use the code below:

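order deny,allow
allow from 345.4.5.0
deny from all

In this code, the only IP address that can access the site is 345.4.5.0; all other IPs will get denied. The order line matters here: with “order deny,allow”, the allow line overrides “deny from all” for the listed address, whereas “order allow,deny” would apply “deny from all” last and block every visitor.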

In both cases (setting allowed or blocked IP addresses), you can add as many records as you like, each on its own line.

When an IP gets blocked, visitors will get shown a ‘403 Forbidden’ error message. As we saw before, you can customize Error Pages in order to provide more human-readable information to the visitor.
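How the order line changes the outcome of the same allow and deny lines is easy to get wrong, so here is an added example (not part of the original article) that models the Order/Allow/Deny evaluation of Apache's mod_access_compat for IPv4 clients. The rule sets are constructed and use documentation-only address ranges; the function names are hypothetical.

```python
import ipaddress

# Constructed rule sets using documentation-only address ranges.
BLOCKLIST = """
order allow,deny
deny from 192.0.2.10
deny from 198.51.100.
allow from all
"""
ALLOW_ONLY = "order {order}\nallow from 192.0.2.10\ndeny from all\n"

def to_network(spec):
    """Convert an Allow/Deny host spec (IPv4 only in this model) to a network.

    A partial address such as "198.51.100." covers every host under it.
    """
    if spec.lower() == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = [o for o in spec.split(".") if o]
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")

def parse(config):
    order, allow, deny = "deny,allow", [], []  # Order defaults to Deny,Allow
    for line in config.strip().splitlines():
        words = line.split()
        if len(words) < 2 or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "order":
            order = "".join(words[1:]).lower()
        elif key in ("allow", "deny") and words[1].lower() == "from":
            target = allow if key == "allow" else deny
            target.extend(to_network(w) for w in words[2:])
    return order, allow, deny

def is_allowed(config, client_ip):
    order, allow, deny = parse(config)
    ip = ipaddress.ip_address(client_ip)
    hit_allow = any(ip in net for net in allow)
    hit_deny = any(ip in net for net in deny)
    if order == "allow,deny":
        # Must match an Allow line and no Deny line; no match means denied.
        return hit_allow and not hit_deny
    # deny,allow: an Allow match overrides Deny; no match means allowed.
    return hit_allow or not hit_deny

if __name__ == "__main__":
    for order in ("allow,deny", "deny,allow"):
        rules = ALLOW_ONLY.format(order=order)
        print(order, [is_allowed(rules, ip) for ip in ("192.0.2.10", "203.0.113.5")])
```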

Preventing Hotlinking

When another site sources assets from your site (such as images, video, CSS files, etc.), this unnecessarily uses up your bandwidth. This can lead to higher hosting costs without any attribution or benefit to you.

Fortunately, .htaccess has a way of preventing this from happening, disallowing other domains from displaying your content:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?mycoolsite\.com/.*$ [NC]
RewriteRule \.(png|jpg|mp4)$ - [F]


Above, .htaccess disallows .png, .jpg or .mp4 files from being linked from a domain other than https://www.mycoolsite.com. You can specify other file formats to disallow (such as .css, .mp3, etc.). Of course, you will want to replace the domain in the code with your own domain name.

To take it a step further, in the event that an external site tries to link to your content, you can provide an alternative image or message to be displayed in its place (such as an image that says “Sorry, the content you are trying to access is from mycoolsite.com”):

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https://(www\.)?mycoolsite\.com/.*$ [NC]
# Skip the replacement image itself, otherwise its own .jpg request is redirected again in a loop
RewriteCond %{REQUEST_URI} !/hotlink-error-message\.jpg$
RewriteRule \.(png|jpg|mp4)$ https://www.mycoolsite.com/hotlink-error-message.jpg [R,L]

This will display hotlink-error-message.jpg whenever someone tries to link to .png, .jpg, or .mp4 files from mycoolsite.com.
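The redirect variant has one failure mode worth testing: the replacement image is itself a .jpg, so the rule can end up redirecting it to itself. The following added example (not part of the original article) models the two Referer conditions and the redirect rule on constructed requests, with and without an exclusion for the replacement image. The function names and the other.example site are assumptions.

```python
import re

OWN_SITE = re.compile(r"^https://(www\.)?mycoolsite\.com/.*$", re.I)  # [NC]
PROTECTED = re.compile(r"\.(png|jpg|mp4)$")
ERROR_IMAGE = "/hotlink-error-message.jpg"

def rewrite(path, referer, exclude_error_image):
    """Return the redirect target, or None when the request is served as-is."""
    if referer == "":                 # RewriteCond %{HTTP_REFERER} !^$
        return None
    if OWN_SITE.match(referer):       # RewriteCond %{HTTP_REFERER} !^https://...
        return None
    if exclude_error_image and path == ERROR_IMAGE:
        return None                   # assumed extra RewriteCond on REQUEST_URI
    if PROTECTED.search(path):        # RewriteRule \.(png|jpg|mp4)$ ... [R,L]
        return ERROR_IMAGE
    return None

def follow(path, referer, exclude_error_image, max_hops=10):
    """Follow redirects as a browser would, keeping the embedding page as Referer.

    Returns (redirect count, final path); the final path is None on a loop.
    """
    hops = 0
    while hops < max_hops:
        target = rewrite(path, referer, exclude_error_image)
        if target is None:
            return hops, path
        path, hops = target, hops + 1
    return hops, None

if __name__ == "__main__":
    external = "https://other.example/page"   # constructed embedding page
    print(follow("/photos/cat.jpg", external, exclude_error_image=False))
    print(follow("/photos/cat.jpg", external, exclude_error_image=True))
```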

htaccess Redirect to HTTPS

When you add an SSL certificate to your site, your server will continue to serve the HTTP version of all your web pages. This is why you need to redirect HTTP to HTTPS, forcing SSL on your site.

Note that one important function that you can perform through .htaccess is the 301 redirects, and this can permanently redirect an old URL to a new one. It is simple to activate the feature in order to force HTTPS on all the traffic coming to your site by following these easy steps:

  1. In your hosting panel, go to File Manager and open .htaccess in the public_html folder. If you cannot locate it, create it or unhide it.
  2. After that, scroll down to find RewriteEngine On and then insert these lines of code just below;
  3. Now save the changes.

htaccess WordPress

You should know that in WordPress, .htaccess is one of the special configuration files that can control how your webserver runs and manages your site. The htaccess file is one of the most powerful configuration files and can control SSL connections, 301 redirects, password protection, the default language, and a lot more on your WordPress website.

It is worth noting that the use of .htaccess configuration files became more popular as they could be easily used to override global server settings pertaining to access to directories. In recent times, however, .htaccess can override several other configuration settings.

htaccess File Examples

You will be happy to know that a vast number of configuration possibilities can be easily achieved within the .htaccess file.

Block IP Addresses

Are you receiving spam traffic? Perhaps, your site is suffering from hacking attempts or abuse from specific IP addresses. If that is the case, you can take action with your .htaccess file. You can easily block traffic from that IP address using a code in your .htaccess file.

To block a particular or specific domain, you can add the following to your website’s root .htaccess file:

Deny from

After that, change the IP address as well as netmask values in order to match the domain that you wish to block.

Prevent Image Hotlinking

You should know that image hotlinking happens when somebody embeds an image on your site into their own. And this can be very problematic (not merely from a copyright perspective) since it means that your server has to potentially work overtime in order to serve up images on somebody else’s website.

The best thing is that you can easily stop this by using your .htaccess file and block a person from embedding your copyrighted images on their site.

By entering the following lines into an .htaccess file, you can easily prevent hotlinking to your site:


You can also use the following code:


Where is the htaccess File?

Did you know that almost all websites, including WordPress websites, have a .htaccess file that you can find in the central (or root) directory? And this htaccess file is hidden and does not have an extension.

Although the file is usually hidden, the .htaccess file location is often found in your site’s public_html folder.

What should be in a .htaccess File?

The file should contain rules that give your site’s server various instructions. Keep in mind that just about every website has an .htaccess file, and it is located in the central directory or ‘root.’

Advantages and Disadvantages

You will be happy to know that .htaccess files are read on every request. As a result, any changes you make to these files take effect instantly.

This is unlike global settings, which usually require the server to restart. Also, note that the .htaccess files enable each user to quickly set their permissions for a server that has many users.

However, there’s a big catch. As all requests require the server to read all of the .htaccess files, note that it is likely to lead to moderate to severe performance issues if there’s considerable load.

And that is not all; decentralizing all the settings to various users may lead to multiple security issues, particularly if these .htaccess files aren’t configured correctly.

Things to Look Out for

While a .htaccess file can be immensely useful, and you can use it to make a marked improvement to your website, there are two things that it may influence.


The .htaccess files may slow down your web server. Note that for most servers, it will likely be an imperceptible or minor change. This is simply because of the location of the page.

You should know that the .htaccess file affects all the pages in its directory as well as all of the directories under it. This means that each time a page loads, the webserver scans its directory and all above it until it finally reaches the .htaccess file or the highest directory.


Did you know that the .htaccess file is considerably more accessible compared to the standard apache configuration? Also, the changes are made instantly. Note that granting users the permission to make alterations and changes in the .htaccess file gives them too much control over the web server itself.

Editing htaccess Files

Did you know that editing the .htaccess file is risky? This is because you could delete code you should not. You could also add incorrect code or make some other mistake that breaks your website. In order to mitigate these risks, it is vital to take at least one precautionary step before making any direct edits to your htaccess file.

You can backup your website so that you can easily restore an earlier version of your website if you make a mistake. On the other hand, you can use a staging website to test your edits before you push them live on your public-facing website.

It is best to create a backup .htaccess file and then download it to a computer. This ensures that if your edits in your default .htaccess file do cause any problems or issues, you can rely on and upload the backup file.



It is no secret that learning to work directly with your site’s files is a vital step in your journey to becoming a reliable web developer. And the .htaccess file is an excellent place to start, as it is a simple file that you can use for a wide variety of applications.

Note that every time you understand and learn more about what happens behind the scenes with your website, you get closer to becoming an effective webmaster and have the potential to streamline and enhance your website’s functionality.


Author Bio

Angelo Frisina is a highly experienced author and digital marketing expert with over two decades of experience in the field. He specializes in web design, app development, SEO, and blockchain technologies.

Angelo’s extensive knowledge of these areas has led to the creation of numerous award-winning websites and mobile applications, as well as the implementation of effective digital marketing strategies for a wide range of clients.

Angelo is also a respected consultant, sharing his insights and expertise through various podcasts and online digital marketing resources.

With a passion for staying up-to-date with the latest trends and developments in the digital world, Angelo is a valuable asset to any organization looking to stay ahead in the digital landscape.

One Comment

  • soundos October 17, 2021 at 7:58 am

    Good article an excellent way to articulate. Keep it up