After reading this guide on .htaccess you will feel confident about creating your own .htaccess files and using beginner to intermediate directives. Here is a brief overview of what will be discussed:
- Block IPs
- Custom Error Pages
- Password Protect Directories
- Disable Hot Linking & Fight Back
- Block Referrers
- Change Default index page
- Redirecting Pages
- Disable .htaccess File Access
- Hide Directory Listing
But first, let us discuss how .htaccess works and is applied to the file structure of a Web Server. The great thing about .htaccess is that it can be directory specific or directory all-inclusive, which simply means that an .htaccess file can be applied to one directory or a multitude of directories. Take the following [figures] for example:
figure 1.
- An .htaccess file in the public_html directory would apply to every directory in the entire website (if it was in fact the only .htaccess file).
domain.com/.htaccess
figure 2.
- You do not have to place an identical .htaccess file in every single directory that you want it applied. Instead, you can put it in the main directory as illustrated in figure 1. above.
domain.com/images/.htaccess
domain.com/scripts/.htaccess
figure 3.
- This figure (figure 3.) illustrates how you would place different .htaccess files within different directories. You will notice that in this example the .htaccess files each begin with a letter... this is only a visual aid to help us understand that the following .htaccess files differ from one another. In reality you would never name an .htaccess file, because an .htaccess file has no name and only the extension, htaccess.
domain.com/images/A.htaccess
domain.com/images/hires/apples/B.htaccess
Knowing that an .htaccess file controls the directory it is in and that directory's sub-directories, File A controls the images directory and the hires sub-directory. If File A happened to be the only .htaccess file, it would control the apples directory as well. But, in this case, File B controls the apples directory and any sub-directories that may be in it.
Now that you know the very basics, let's move on to some of the features. Don't worry, the features will increase in difficulty, but as they do you will build a core understanding of how to make .htaccess files work for you.
Custom Error Pages
We've all seen error pages on our own websites and on others'. Yes, they serve a great purpose by notifying us of varying issues, but they also look very dull. In an era where keeping visitors within the confines of your website at all times is so important, .htaccess files can help you turn a potentially dull moment (seeing an error page) for a visitor into a better experience.
figure 1.
- Let's say that a visitor visits a certain page on your website only to see the error 404 Not Found. What if you could turn that 404 page into a page that allows your visitor to search what he/she was looking for? This is completely possible through .htaccess. In fact, .htaccess will let you either redirect traffic to a page on your site, or a page on a completely separate domain.
figure 1.a
- figure 1.a illustrates how you can add 1 line of code to your existing .htaccess file and have an error page redirect to another page within your website.
ErrorDocument 404 /404error.html
The / in the above example represents your public_html folder.
figure 1.b
- figure 1.b illustrates how you can add 1 line of code to your existing .htaccess file and have an error page redirect to another page outside of your website.
ErrorDocument 404 http://www.otherdomain.com/404error.html
Redirects
Redirects are another great thing .htaccess can do for you. You have to be careful though... otherwise you can create an infinite loop which could mean Ultimate Mayhem Death and Destruction for your Server. Figure 1 will show you the correct way to redirect pages and Figure 2 will show you an easy way to get your account suspended for not being careful.
figure 1.
Redirect /images/ http://www.domain.com/gallery.html
The first / in the above example represents your public_html folder. In this example, any call to any file in the images directory or any of its sub-directories will be redirected to http://www.domain.com/gallery.html. If you want to be creative you can even redirect users to different files like mp3s telling them they shouldn't be nosing around in your images directory etc...
figure 2.
Warning: The following is an example of what you should NOT do. The following creates an infinite loop and can cause excessive CPU load depending on certain circumstances.
Redirect /images/ http://www.domain.com/images/
The first / in the above example represents your public_html folder. In this example, any call to any file in the image directory or any of its sub-directories will be redirected back to the images directory causing an infinite loop.
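A check for the mistake in figure 2, as an added example that is not part of the original guide: it parses Redirect lines and flags any whose target lands back under its own source path on the same site. The sample lines beyond the two figures and the `site_hosts` set are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: the Redirect lines from figure 1 and figure 2, plus two extra cases.
SAMPLE_HTACCESS = """\
Redirect /images/ http://www.domain.com/gallery.html
Redirect /images/ http://www.domain.com/images/
Redirect permanent /old http://archive.example.net/old/
Redirect 301 /docs /docs/current/
"""

def parse_redirects(text):
    """Yield (line_no, source_path, target) for each Redirect directive."""
    for line_no, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].lower() != "redirect":
            continue
        args = parts[1:]
        # An optional first argument is a status (permanent, temp, 301, ...), not a path.
        if args and not args[0].startswith("/"):
            args = args[1:]
        if len(args) == 2:  # "Redirect gone /x" has no target and cannot loop
            yield line_no, args[0], args[1]

def is_under(path, prefix):
    """Prefix match on whole path segments, the way Redirect matches requests."""
    if prefix.endswith("/"):
        return path.startswith(prefix)
    return path == prefix or path.startswith(prefix + "/")

def find_loops(text, site_hosts):
    """Return line numbers whose target falls back under their own source path."""
    flagged = []
    for line_no, source, target in parse_redirects(text):
        url = urlsplit(target)
        # A target without a host stays on this site; otherwise compare host names.
        same_site = url.hostname is None or url.hostname in site_hosts
        if same_site and is_under(url.path or "/", source):
            flagged.append(line_no)
    return flagged

if __name__ == "__main__":
    # site_hosts is an assumption: the host names this server answers to.
    print(find_loops(SAMPLE_HTACCESS, {"domain.com", "www.domain.com"}))
```

Running it against a site's .htaccess before upload catches the loop before the server ever sees it.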
Block IPs
Every once in a while, and for some people more than others, there are people who like to cause trouble and/or countries that are known for causing trouble. With .htaccess you can block individual IP addresses as well as a range of them. Like every single security measure, though, there is no guarantee of 100% protection. If you'd like to know how to block IP addresses through .htaccess, please proceed.
figure 1.
order allow,deny
deny from 104.123.8.
deny from 104.123.8.120
allow from all
The above example will block access from IP addresses 104.123.8.0 to 104.123.8.120. Be careful though, you don't want to block out a huge chunk of your audience unintentionally.
Disable Hot Linking and Fight Back
Most webmasters have fallen victim to hot linking somewhere down the line. Heck, most of us are even guilty of it (e.g., linking to an image on another website for a forum/profile post). The linkage adds up and translates into wasted bandwidth/money. The most common/popular form of hotlinking occurs with images. A growing trend in this day and age is hotlinking .js and other related scripting files. While the file sizes of scripts may be lower than those of most images, hotlinking still affects the server that is being used, which gets nothing in return.
Through .htaccess there are ways to block all sorts of file-types from being hotlinked. This includes images, music files, scripts, and movies. To prevent hotlinking through .htaccess you must have mod_rewrite enabled on your server.
figure 1.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourwebsite\.com/.*$ [NC]
RewriteRule \.(gif|jpg|js|css)$ - [F]
Line 1: Establishes that the Rewrite Engine should be on.
Line 2: Applies the rule only to requests that send a referrer; a request with an empty referrer is not blocked.
Line 3: Exempts referrers on your own domain name.
Line 4: Establishes the file-types to prevent hotlinking. Currently, gifs, jpgs, js scripts, and css files are blocked from hotlinking. You could easily add mp3 to the list. Line 4 would then look something like this:
RewriteRule \.(gif|jpg|js|css|mp3)$ - [F]
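To see which requests the figure 1 rules actually refuse, here is an added example (not part of the original guide) that models the two conditions and the rule with Python's `re`, which behaves like Apache's regex engine for these patterns. The own-site pattern escapes the dot and accepts both http and https; the sample requests are constructed.

```python
import re

OWN_HOST = "yourwebsite.com"  # placeholder domain used on this page

def hotlink_decision(referer, path, own_host=OWN_HOST):
    """Return 'forbidden' or 'served' for one request under the figure 1 rules."""
    # RewriteRule \.(gif|jpg|js|css)$ - [F]: case-sensitive match on the requested path.
    if re.search(r"\.(gif|jpg|js|css)$", path) is None:
        return "served"
    # RewriteCond %{HTTP_REFERER} !^$: holds only when a referrer was sent.
    if referer == "":
        return "served"
    # RewriteCond %{HTTP_REFERER} !^https?://(www\.)?host/.*$ [NC]: holds for other sites.
    own_site = re.compile(r"^https?://(www\.)?" + re.escape(own_host) + r"/.*$", re.I)
    if own_site.search(referer):
        return "served"
    return "forbidden"

# Constructed sample requests: (Referer header, requested path).
SAMPLES = [
    ("", "/images/logo.gif"),
    ("http://www.yourwebsite.com/index.html", "/images/logo.gif"),
    ("HTTPS://YourWebsite.com/page", "/style.css"),
    ("http://forum.example.net/thread/1", "/images/logo.gif"),
    ("http://yourwebsite.com.example.net/", "/images/logo.gif"),
    ("http://forum.example.net/thread/1", "/images/LOGO.GIF"),
    ("http://forum.example.net/thread/1", "/index.html"),
]

def evaluate(samples=SAMPLES):
    """Decide every sample request in order."""
    return [hotlink_decision(referer, path) for referer, path in samples]

if __name__ == "__main__":
    for (referer, path), verdict in zip(SAMPLES, evaluate()):
        print(f"{verdict:9}  {path:20}  {referer or '(no referrer)'}")
```

The sixth sample is served because the RewriteRule pattern is case-sensitive; adding the NC flag to that rule, as line 3 already does for the referrer, covers upper-case extensions too.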
Wait... didn't this topic mention something about Fighting Back? Oh yes, yes it did. You can set .htaccess to recognize a hotlinking attempt and instead, serve alternate content chosen by you. You can surprise your attacker by linking to any url. Perhaps you want hotlinkers to see a disturbing image or one that links back to your site. Maybe, you want to get a little creative and have an mp3 play of how angry you are with someone trying to steal your bandwidth. All of this is possible with .htaccess.
figure 2.
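RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourwebsite\.com/.*$ [NC]
RewriteCond %{REQUEST_URI} !/middlefinger\.gif$
RewriteRule \.(gif|jpg|js|css|mp3)$ http://www.yourwebsite.com/middlefinger.gif [R,L]
Line 1: Establishes that the Rewrite Engine should be on.
Line 2: Applies the rule only to requests that send a referrer; a request with an empty referrer is not redirected.
Line 3: Exempts referrers on your own domain name.
Line 4: Excludes the replacement image itself. It also ends in .gif, so without this line a hotlinked request would be redirected to it over and over.
Line 5: Establishes the file-types to prevent hotlinking, and redirects those requests to the alternative media.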
Change Default Index Page
.htaccess has a little-known feature that lets you change the name of the default index page. Even if you have just been designing websites for a small amount of time, you know by now that the default name of the main web page is index. It just so happens that you can change it to whatever you want. Maybe you want to change your default main page name to darkchocolate.
figure 1.
DirectoryIndex darkchocolate.html
Line 1: Establishes that the default main page is now set to darkchocolate.html. If you'd like to expand the extensions you could do something like this:
DirectoryIndex darkchocolate.html darkchocolate.htm darkchocolate.php
