
    .htaccess Configuration Guide

    Control your Apache server configuration with .htaccess

    What is .htaccess?

    .htaccess (hypertext access) is a configuration file used by Apache web servers. It allows you to control server behavior on a per-directory basis without accessing the main server configuration.

    Common Uses:

    • URL redirects and rewrites
    • Force HTTPS connections
    • Password protect directories
    • Custom error pages
    • Block IP addresses
    • Enable/disable directory browsing
    • Set file compression
    • Control caching

    Accessing .htaccess File

    Method 1: cPanel File Manager

    1. Log in to cPanel
    2. Go to File Manager
    3. Navigate to public_html (or your website directory)
    4. Click "Settings" (top right) and enable "Show Hidden Files"
    5. Look for .htaccess file
    6. Right-click and select "Edit" to modify

    Method 2: FTP/SFTP

    1. Connect via FTP client (FileZilla)
    2. Navigate to public_html
    3. Enable "Show hidden files" in client settings
    4. Download .htaccess to edit locally
    5. Upload after making changes

    Important: Always back up .htaccess before editing! A syntax error can break your entire website.

    Basic .htaccess Rules

    Force HTTPS (SSL):

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    Force www Version:

    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^www\.
    RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]

    Remove www:

    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
    RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

    Redirect Single Page:

    Redirect 301 /old-page.html https://yourdomain.com/new-page.html

    Redirect Entire Directory:

    RedirectMatch 301 ^/old-directory/(.*)$ https://yourdomain.com/new-directory/$1

    Custom Error Pages

    ErrorDocument 404 /404.html
    ErrorDocument 403 /403.html
    ErrorDocument 500 /500.html

    Security Rules

    Block Specific IP Addresses:

    <RequireAll>
        Require all granted
        Require not ip 192.168.1.1
        Require not ip 10.0.0.0/8
    </RequireAll>

    Protect .htaccess File:

    <Files .htaccess>
        Require all denied
    </Files>

    Prevent Directory Browsing:

    Options -Indexes

    Block Access to Sensitive Files:

    <FilesMatch "\.(env|log|sql|md|txt|sh)$">
        Require all denied
    </FilesMatch>

    Disable PHP Execution in Uploads:

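    # Place in /wp-content/uploads/.htaccess
    # Also covers other extensions a server may map to PHP (.phtml, .phar, .php5, ...)
    <FilesMatch "(?i)\.(php[0-9]?|phtml|phar)$">
        Require all denied
    </FilesMatch>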

    Performance Optimization

    Enable Gzip Compression:

    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
        AddOutputFilterByType DEFLATE text/javascript application/javascript application/x-javascript
        AddOutputFilterByType DEFLATE application/json
        AddOutputFilterByType DEFLATE application/xml application/xhtml+xml
    </IfModule>

    Browser Caching:

    <IfModule mod_expires.c>
        ExpiresActive On
        
        # Images
        ExpiresByType image/jpeg "access plus 1 year"
        ExpiresByType image/png "access plus 1 year"
        ExpiresByType image/gif "access plus 1 year"
        ExpiresByType image/webp "access plus 1 year"
        ExpiresByType image/svg+xml "access plus 1 year"
        
        # CSS and JavaScript
        ExpiresByType text/css "access plus 1 month"
        ExpiresByType application/javascript "access plus 1 month"
        ExpiresByType text/javascript "access plus 1 month"
        
        # HTML
        ExpiresByType text/html "access plus 1 hour"
    </IfModule>

    URL Rewriting

    Clean URLs (Remove .html):

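    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-f
    # Only rewrite when the target .html file exists (avoids a rewrite loop on missing pages)
    RewriteCond %{REQUEST_FILENAME}.html -f
    RewriteRule ^([^/]+)$ $1.html [L]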

    Remove Trailing Slash:

    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.+)/$
    RewriteRule ^ %1 [R=301,L]

    Add Trailing Slash:

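    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-f
    # Leading slash keeps the redirect target a URL path (assumes this file is in the site root);
    # a relative target needs RewriteBase to redirect correctly
    RewriteRule ^(.*[^/])$ /$1/ [L,R=301]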

    WordPress-Specific Rules

    Default WordPress .htaccess:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

    Protect wp-config.php:

    <Files wp-config.php>
        Require all denied
    </Files>

    Troubleshooting .htaccess Issues

    500 Internal Server Error

    Common causes: Syntax errors, unsupported directives, conflicting rules

    Solution: Rename .htaccess to .htaccess.bak, add rules back one section at a time
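
    A way to catch the most common 500 causes before uploading, as an added example that is not part of the original guide: a small offline check for unclosed sections, unbalanced quotes, and sections Apache does not permit in .htaccess. The function name and the sample file are constructed for illustration.

```python
import re

# Sections Apache accepts only in server/vhost config, never in .htaccess.
NOT_ALLOWED = {"directory", "directorymatch", "location", "locationmatch", "virtualhost"}

def lint_htaccess(text):
    """Return sorted (line_number, message) pairs for likely causes of a 500."""
    problems, stack = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # An odd count of unescaped quotes means an argument was never closed.
        if len(re.findall(r'(?<!\\)"', line)) % 2:
            problems.append((n, "unbalanced double quote"))
        closing = re.match(r"</(\w+)\s*>", line)
        opening = re.match(r"<(\w+)", line)
        if closing:
            name = closing.group(1).lower()
            if stack and stack[-1][0] == name:
                stack.pop()
            else:
                problems.append((n, f"</{name}> does not close the open section"))
        elif opening:
            name = opening.group(1).lower()
            if name in NOT_ALLOWED:
                problems.append((n, f"<{name}> is not allowed in .htaccess"))
            stack.append((name, n))
    problems += [(n, f"<{name}> is never closed") for name, n in stack]
    return sorted(problems)

# Constructed sample with three mistakes (lines 2, 4 and 7).
SAMPLE = r'''Options -Indexes
<IfModule mod_rewrite.c>
RewriteEngine On
<FilesMatch "\.(env|log|sql)$>
    Require all denied
</FilesMatch>
<Directory /home/user/public_html/private>
    Require all denied
</Directory>
'''

if __name__ == "__main__":
    for n, message in lint_htaccess(SAMPLE):
        print(f"line {n}: {message}")
```

    This does not validate directive names or arguments, so a clean result still needs the one-section-at-a-time test on the server.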

    Redirect Loop

    Check for conflicting redirect rules, ensure RewriteCond conditions are correct, clear browser cache

    Rules Not Working

    Verify mod_rewrite is enabled, check rule order (top to bottom), ensure [L] flag is used to stop processing

    Best Practices

    • Always back up: Keep a copy of a working .htaccess
    • Comment your code: Use # for comments explaining rules
    • Test thoroughly: Verify each change before adding more
    • Keep it organized: Group related rules together
    • Use L flag: Stop processing with [L] when a match is found
    • Minimize rules: Only include what you need
    • Check syntax: Use online validators
    • Monitor performance: Complex rules can slow the site

    Security Considerations

    • Protect .htaccess from public access
    • Don't include sensitive information (passwords, API keys)
    • Use IP whitelisting for admin areas
    • Block malicious bots and scrapers
    • Disable PHP execution in upload directories
    • Set appropriate file permissions (644)
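
    Several items on this list can be checked mechanically. The following is an added example, not part of the original guide: it audits a site-root .htaccess for the protection rules shown earlier, for credentials left in the file, and for permissions looser than 644. The function name, the credential heuristic and the sample content are assumptions made for illustration.

```python
import re

# Rules from this guide that belong in the site-root .htaccess.
REQUIRED = {
    "directory listing is not disabled (Options -Indexes)":
        r'^\s*Options\b[^\n]*-Indexes\b',
    ".htaccess is not denied to visitors":
        r'<Files\s+"?\.htaccess"?\s*>\s*Require\s+all\s+denied',
}
# Heuristic only: SetEnv variables and key=value pairs whose name suggests a secret.
SECRET = re.compile(
    r'SetEnv\s+\S*(?:pass|secret|key|token)\S*\s+\S+'
    r'|(?:password|passwd|secret|api[ _-]?key|token)\s*[=:]\s*\S+', re.I)

def audit_htaccess(text, mode):
    """Return findings for one .htaccess given its content and permission bits."""
    findings = []
    lines = text.splitlines()
    # Required rules must be active, so commented-out copies do not count.
    active = "\n".join(l for l in lines if not l.lstrip().startswith("#"))
    for message, pattern in REQUIRED.items():
        if not re.search(pattern, active, re.I | re.M):
            findings.append(message)
    # Credentials are a problem in comments too, so scan every line.
    for n, line in enumerate(lines, 1):
        if SECRET.search(line):
            findings.append(f"line {n}: possible credential stored in the file")
    if mode & 0o022:
        findings.append(f"mode {mode & 0o777:o} is group- or world-writable, expected 644")
    return findings

# Constructed sample: protects itself but leaks a value and allows listings.
SAMPLE = r'''# site rules (constructed sample)
SetEnv DB_PASSWORD constructed-example-value
<Files .htaccess>
    Require all denied
</Files>
'''

if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE, 0o666):
        print(finding)
```

    For a real file, pass os.stat(path).st_mode as the mode argument.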

    When Not to Use .htaccess

    While .htaccess is powerful, consider alternatives when:

    • Server config access: Main config is faster
    • Complex logic: Use application code instead
    • Performance critical: .htaccess is checked on every request
    • VPS/Dedicated: Nginx or server-level config preferred