If you are a new person to the WordPress hosting, you might not be heard about the .htaccess file.
If you are mid-level user of WordPress, you might not much familiar with WordPress.
People who have their site hosted on Wordpress CMS don't like to mess with .htaccess.
This is due to the following things
- They don't know how to work with .htaccess
- They did something on .htaccess and the site went down.
- Don't know what it is(newbies)
Today, I am going to show you what is .htaccess and how to use that to secure and speed up your website.
What is .htaccess file?
.htaccess is the short form of Hypertext Access. It is a configuration file used in apache web server to enable or disable additional functionality or feature in the web server.
The .htaccess file helps you to configure the details of the website without changing the server configuration.
The .htaccess files will be hidden under the folder to which you have uploaded it.
The .htaccess file controls the directory where it is placed and also affects the subdirectories inside that directory.
So, you have to be aware of where you are placing the .htaccess file.
What is the use of .htaccess file?
The .htaccess file can improve the website performance if you use that in a recommended way. The .htaccess file can affect two things of a website.
.htaccess slow downs the server. But it is unidentifiable most of the time.
This is because, when the server loads a page each time, it also read all of its directories until it reaches the top directory or until reaching the .htaccess file.
Even if the .htaccess file does not exist in the folder, the process will continue due to the allow override permission to access the .htaccess file.
The primary concern about a website is its security.
The .htaccess file is powerful and it can be easily accessible to the user.
If you add any directive in the .htaccess file, it will be considered as they are added to Apache configuration file.
The changes can take effect even without restarting the web server. So, you have to be more careful about giving the access to the user as it gives control over the Server.
Apache does not encourage giving the access to the .htaccess since the user can directly reach apache's configuration file.
How to activate a .htaccess file?
You should have access to the server settings to make changes in the configuration file to allow the .htaccess override.
Now, your next step is to open the Apache default configuration file. To do this, you need sudo user privileges.
$ sudo nano /etc/apache2/sites-available/default
Once you opened the file, find the following section in that.
<Directory /var/www/> Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all </Directory>
Here replace None to All. Now the file should look like
<Directory /var/www/> Options Indexes FollowSymLinks MultiViews AllowOverride All Order allow,deny allow from all </Directory>
Save the file and Restart the Apache.
$ sudo service apache2 restart
Creating the .htaccess file
Creating the .htaccess file is easy. You can create the .htaccess file in a text editor on your local system and upload it to the web server directory through a FTP client.
Or else, you can create .htaccess file using the terminal command line.
Here is the command to create your .htaccess file on the terminal. Here:
Replace yourdomain.com with your website name.
$ sudo nano /var/www/yourdomain.com/.htaccess
Use of the .htaccess page
Mod_Rewrite: This is one of the best features in the .htaccess file.
You can use Mod-Rewrite to designate and alter How your web page and URL in your website has to be displayed to the user.
Here the .htaccess file does not require more permissions same as accessing the Apache web configuration requires.
You can still make a lot of effective changes to the website. One of the important changes you can make is setup a password to the certain portion of a web page.
So, the user has to enter the password to access the section.
The .htaccess password will be stored in the .htpasswd file.
Create the file and save it outside of the web directory for some security reasons.
When you create the .htpasswd file, add space between the name and password. Also, add all the username and password for the users to whom you want give access to the specific part of the webpage.
Encrypt the password using the site
Add the username and password. The tool will give you the encrypted password.
If you enter username: selva and password:therealworld, you will get the following encrypted password.
You can add more user as much as you want. Don't add all users in a single line, use a new line for each user.
If you created the .htpasswd file, the next step is to make .htaccess file to use this password.
To do that, add the following line in the .htaccess file.
AuthUserFile /usr/local/username/safedirectory/.htpasswd AuthGroupFile /dev/null AuthName "Please Enter Password" AuthType Basic Require valid-user
Here, let me explain what each of the lines instructs.
AuthUserFile: This line set the server path to the .htpasswd file.
AuthGroupFile This line is used to locate the author group file. Since we have not created any such file, we have to /dev/null.
AuthName: The text you entered here will be displayed at the prompt. you can choose the name with your choice.
AuthType: This field indicates what type of authentication has to be used to check the password.
You should not change the AuthType. It should remain Basic.
Require valid-user: This line indicates that there are a lot of people who are permitted to enter into password protected area( If you have added many username and password in .htpasswd file, then add this line)
If there is only one user permitted to enter into password protected area, add "require user username" to indicate the specified person who is allowed to enter.
Custom Error Pages:
The .htaccess let you create the custom error pages for your website. The custom errors are
Client Request Errors
400 - Bad Request
401 - Authorization Required
403 - Forbidden
404 - Not Found
405 - Method Not Allowed
406 - Not Acceptable (encoding)
407 - Proxy Authentication Required
408 - Request Timed Out
409 - Conflicting Request
410 - Gone
411 - Content Length Required
412 - Precondition Failed
413 - Request Entity Too Long
414 - Request URI Too Long
415 - Unsupported Media Type
500 - Internal Server Error
501 - Not Implemented
502 - Bad Gateway
503 - Service Unavailable
504 - Gateway Timeout
505 - HTTP Version Not Supported
These custom error pages allow you design your own page and add it to the error page list.
By default, the server shows an error page.
We could use our own error page with this custom design.
Once you designed a page for custom error, upload it to the web directory and add the location of the page in .htaccess file.
I am going to use 401 error page.
ErrorDocument 404 /new404.html
The Apache looks for error page at the root directory.
If you have added the error page in any of the subfolders, you have to specify the exact path for .htaccess to access the page.
ErrorDocument 404 /error_pages/new404.html
MIME Types: If you are using some application files which are not handled by your web server, you can add them to your apache configuration file using the following code.
AddType audio/mp4a-latm .m4a
You can replace the application and extensions in the above code with your choice of applications.
The extensions that has to be added to the Apache Web Server.
SSI: SSI(Server Side Includes) is used to make bulk updates to the web page.
It saves a lot of time for you. ( If you want to make any changes and that has to reflect in all pages, you can use SSI).
You can enable the SSI by adding the following code in the .htaccess file.
AddType text/html .shtml AddHandler server-parsed .shtml
These commands instruct the .htaccess that the .shtml is valid and the second instructs the server to parse all files ending with .shtml for all SSI commands.
If you have a large number of html pages and you don't want to rename them with .shtml, then there is an option which will make the server to parse all .html files for SSI commands.
The option is using the XBitHack.
If you add this line to the .htaccess file, then the Apache will check all the .html files with permissions for SSI.
You have to make the SSI eligible for XbitHack, use this command.
chmod +x pagename.html
The .Htaccess files have a lot of functions which can give the flexibility to your website.
The functions of .htaccess files can't be explained in a single article.
Just subscribe to the blog so that you can get the upcoming article about .htacess file.
This article explained you the basic necessity thing about the .htaccess.
If you have any questions, please feel free to ask them in the comments.