Official Power Up Hosting Blog

Everything about Linux, Windows, and hosting ;)

Selvakumar
Author

I am an Online Marketer and technology lover. I like to learn new things and share that with people.


How to Use the .htaccess File to Improve the Security (For Beginners)

Selvakumar

If you are new to WordPress hosting, you might not have heard about the .htaccess file.

If you are a mid-level user of WordPress, you might not be very familiar with .htaccess.

People who have their site hosted on the WordPress CMS don't like to mess with .htaccess.

This is due to the following reasons:

  • They don't know how to work with .htaccess.
  • They changed something in .htaccess and the site went down.
  • They don't know what it is (newbies).

So:

Today, I am going to show you what .htaccess is and how to use it to secure and speed up your website.


Introduction

What is .htaccess file?

.htaccess is the short form of Hypertext Access. It is a configuration file used by the Apache web server to enable or disable additional functionality or features of the web server.

The .htaccess file lets you configure details of the website without changing the server configuration.

The .htaccess file is a hidden file in the folder to which you have uploaded it.

The .htaccess file controls the directory where it is placed and also affects the subdirectories inside that directory.

So, you have to be aware of where you are placing the .htaccess file.

What is the use of .htaccess file?

The .htaccess file can improve website performance if you use it in the recommended way. The .htaccess file affects two aspects of a website.

They are:

Speed:

.htaccess slows down the server, but the slowdown is unnoticeable most of the time.

This is because, each time the server loads a page, it also reads through the page's directories until it reaches the top directory or a .htaccess file.

Even if no .htaccess file exists in the folder, this lookup still happens, because the AllowOverride setting permits the use of .htaccess files.

Security:

The primary concern about a website is its security.

The .htaccess file is powerful, and it is easily accessible to the user.

Any directive you add to the .htaccess file is treated as if it had been added to the Apache configuration file.

The changes take effect even without restarting the web server. So, you have to be careful about giving users access to it, as it gives them control over the server.

Apache does not encourage giving users access to .htaccess, since it lets them directly reach Apache's configuration.

How to activate a .htaccess file?

You need access to the server settings to change the configuration file so that it allows .htaccess overrides.

Your next step is to open the Apache default configuration file. To do this, you need sudo privileges.

$ sudo nano /etc/apache2/sites-available/default

Once you have opened the file, find the following section in it.

<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
</Directory>

Here, replace None with All. The section should now look like this:

<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all
</Directory>

Save the file and restart Apache.

$ sudo service apache2 restart

Creating the .htaccess file

Creating the .htaccess file is easy. You can create it in a text editor on your local system and upload it to the web server directory through an FTP client.

Alternatively, you can create the .htaccess file from the terminal.

Here is the command to create your .htaccess file from the terminal. Replace yourdomain.com with your website name.

$ sudo nano /var/www/yourdomain.com/.htaccess

Uses of the .htaccess file

Mod_Rewrite: This is one of the best features of the .htaccess file.

You can use mod_rewrite to designate and alter how the web pages and URLs of your website are displayed to the user.

Security

Authentication:

The .htaccess file does not require the elevated permissions that editing the Apache configuration does.

You can still make a lot of effective changes to the website. One of the important changes you can make is to set up a password for a certain portion of the site.

So, the user has to enter the password to access that section.

The passwords for .htaccess are stored in the .htpasswd file.

Now:

Create the file and save it outside of the web directory for security reasons.

When you create the .htpasswd file, add space between the name and password. Also, add the username and password of every user to whom you want to give access to the specific part of the site.

Encrypt the password using the site

Add the username and password. The tool will give you the encrypted password.

If you enter username: selva and password: therealworld, you will get the following encrypted password.

selva:$apr1$0asD8vnb$vFS96F9.BYKwyaVilWau10

You can add as many users as you want. Don't put all users on a single line; use a new line for each user.

Once you have created the .htpasswd file, the next step is to make the .htaccess file use it.

To do that, add the following lines to the .htaccess file.

 AuthUserFile /usr/local/username/safedirectory/.htpasswd
 AuthGroupFile /dev/null
 AuthName "Please Enter Password"
 AuthType Basic
 Require valid-user

Here, let me explain what each of the lines does.

AuthUserFile: This line sets the server path to the .htpasswd file.

AuthGroupFile: This line gives the location of the group file. Since we have not created any such file, we set it to /dev/null.

AuthName: The text you enter here will be displayed at the password prompt. You can choose any name you like.

AuthType: This field indicates what type of authentication is used to check the password.

Here:

You should not change the AuthType. It should remain Basic.

Require valid-user: This line indicates that several people are permitted to enter the password-protected area. (Add this line if you have added many usernames and passwords to the .htpasswd file.)

If only one user is permitted to enter the password-protected area, add "require user username" to name the specific person who is allowed to enter.
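
One way to check the setup described above, as an added example that is not part of the original article: the function reads the AuthUserFile path from a .htaccess file, confirms the password file sits outside the web directory, and checks that each entry has the `user:hash` form of the `selva:$apr1$...` line shown earlier. The name check_htaccess_auth and its messages are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: audit a password-protected
# directory. check_htaccess_auth is a hypothetical helper name.
# Usage: check_htaccess_auth <web directory> <path to .htaccess>
# Prints one finding per line; returns 0 if clean, 1 if anything is wrong.
check_htaccess_auth() {
    docroot=$(cd "$1" && pwd -P) || return 2
    findings=0

    # Path given to AuthUserFile (directive and path on the same line).
    pwfile=$(awk 'tolower($1) == "authuserfile" { print $2; exit }' "$2" | tr -d '"')
    if [ -z "$pwfile" ]; then
        echo "no AuthUserFile directive in $2"
        return 1
    fi
    if [ ! -f "$pwfile" ]; then
        echo "password file $pwfile does not exist"
        return 1
    fi

    # Kept outside the web directory, .htpasswd can never be served over HTTP.
    pwdir=$(cd "$(dirname "$pwfile")" && pwd -P) || return 2
    case "$pwdir/" in
        "$docroot"/*)
            echo "$pwfile is inside the web directory $docroot"
            findings=1 ;;
    esac

    # One user per line, as user:hash. Only the salted formats written by
    # htpasswd (apr1 MD5, bcrypt) pass; {SHA}, crypt and plaintext are flagged.
    bad=$(awk -F: '
        /^[ \t]*$/ { next }
        NF != 2 || $1 == "" || $1 ~ /[ \t]/ {
            print "line " NR ": not in user:hash form"; next
        }
        index($2, "$apr1$") != 1 && index($2, "$2y$") != 1 {
            print "line " NR ": user " $1 " has no apr1 or bcrypt hash"
        }' "$pwfile")
    if [ -n "$bad" ]; then
        echo "$bad"
        findings=1
    fi
    return "$findings"
}
```

Run it after every change to .htpasswd or to the AuthUserFile line; a non-zero exit status means at least one finding was printed.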

Custom Error Pages:

The .htaccess file lets you create custom error pages for your website. The errors you can customize are:

Client Request Errors

400 - Bad Request
401 - Authorization Required
403 - Forbidden
404 - Not Found
405 - Method Not Allowed
406 - Not Acceptable (encoding)
407 - Proxy Authentication Required
408 - Request Timed Out
409 - Conflicting Request
410 - Gone
411 - Content Length Required
412 - Precondition Failed
413 - Request Entity Too Long
414 - Request URI Too Long
415 - Unsupported Media Type

Server Errors

500 - Internal Server Error
501 - Not Implemented
502 - Bad Gateway
503 - Service Unavailable
504 - Gateway Timeout
505 - HTTP Version Not Supported

These custom error pages let you design your own page and add it to the error page list.

By default, the server shows its own error page.

But:

We can use our own error page with a custom design.

Once you have designed a custom error page, upload it to the web directory and add the location of the page to the .htaccess file.

Here:

I am going to use the 401 error page.

ErrorDocument 404 /new404.html

Apache looks for the error page in the root directory.

If you have put the error page in a subfolder, you have to specify the exact path in .htaccess so that the page can be found.

For example:

ErrorDocument 404 /error_pages/new404.html

MIME Types: If you are using application files that your web server does not handle, you can add them to your Apache configuration using the following code.

 AddType audio/mp4a-latm .m4a

You can replace the application type and extension in the above code with those of your choice, for the extensions that have to be added to the Apache web server.

SSI: SSI (Server Side Includes) is used to make bulk updates to web pages.

It saves you a lot of time. (If you want to make a change that has to be reflected on all pages, you can use SSI.)

You can enable SSI by adding the following code to the .htaccess file.

AddType text/html .shtml
AddHandler server-parsed .shtml

The first line tells the server that the .shtml extension is valid, and the second instructs the server to parse all files ending with .shtml for SSI commands.

But:

If you have a large number of HTML pages and you don't want to rename them to .shtml, there is an option that makes the server parse .html files for SSI commands.

The option is XBitHack.

If you add this line to the .htaccess file, Apache will check all the .html files that have the execute permission for SSI.

XBitHack on

Now:

To make a page eligible for XBitHack, use this command.

chmod +x pagename.html
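
The activation step earlier sets `AllowOverride All`, which lets .htaccess files use every class of directive. As an added example (not from the original article), this shell function reports the narrower AllowOverride classes that a given .htaccess file needs; `needed_overrides` is a hypothetical name, and its table covers only the directives used in this article plus Options and Order/Allow/Deny.

```shell
#!/bin/sh
# Added example, not from the original article. needed_overrides is a
# hypothetical helper: it prints the AllowOverride line that covers the
# directives found in one .htaccess file. The directive table is limited to
# the directives this article uses (plus Options and Order/Allow/Deny).
needed_overrides() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
        {
            d = tolower($1)
            if (d ~ /^auth/ || d == "require")
                cls = "AuthConfig"            # AuthUserFile, AuthName, AuthType
            else if (d ~ /^rewrite/ || d == "errordocument" ||
                     d == "addtype" || d == "addhandler")
                cls = "FileInfo"
            else if (d == "options" || d == "xbithack")
                cls = "Options"
            else if (d == "order" || d == "allow" || d == "deny")
                cls = "Limit"
            else { unknown = unknown " " $1; next }
            seen[cls] = 1
        }
        END {
            n = split("AuthConfig FileInfo Limit Options", names, " ")
            for (i = 1; i <= n; i++)
                if (names[i] in seen)
                    out = out " " names[i]
            print "AllowOverride" (out == "" ? " None" : out)
            if (unknown != "")
                print "# not classified:" unknown
        }
    ' "$1"
}
```

For a .htaccess file containing the authentication, ErrorDocument, AddType, AddHandler and XBitHack lines from this article, it prints `AllowOverride AuthConfig FileInfo Options`, which can take the place of `AllowOverride All` in the `<Directory>` block.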

Conclusion:

The .htaccess file has a lot of functions that can give flexibility to your website.

Look:

The functions of .htaccess files can't be explained in a single article.

Just subscribe to the blog so that you get the upcoming article about the .htaccess file.

This article explained the basics of .htaccess.

If you have any questions, please feel free to ask them in the comments.
