What is htaccess and what does it do?
Posted on 05. Mar, 2009 by Kimberly in Web Dev
What are .htaccess files? They are “invisible” plain text files that can be found or placed in the root folder of your server or in its subfolders, and that can be altered to control how your visitors/robots interact with your site, or whether they can at all.
For instance you could enable a web robot to index (log and quantify) your entire site or keep them from “seeing” the contents of certain folders. You might have a more private area that you want password protected so no one, not even the robots, can get there. As well, you might want to enter code that allows the images in a certain folder to only be viewable on that domain and nowhere else. You have to be wary of what you do in the little-big file as one change can alter your entire site.
Although you could add “gobs” of code in this file, you might not really want to as it may cause a delay in loading sections or your entire site. Think of it this way: “Do I really need to do that or is it just a bell and whistle?” or “Will this benefit me more than the cost of the delay in loading time?” Sometimes the delay is negligible, sometimes not, depending on what you’ve added there.
Wikipedia answers the question, “When .htaccess files should be used?” by stating “.htaccess files are read on every request, therefore changes made in these files take immediate effect as opposed to the main configuration file which requires the server to be restarted for the new settings to take effect.
For servers with multiple users, as is common in shared web hosting plans, it is often desirable to allow individual users the ability to alter their site configuration. In general, .htaccess files should be used by users who do not have access to the main server configuration files.” see more here http://en.wikipedia.org/wiki/Htaccess
Okay, actually before we continue, I need to state: please backup all of your files and your existing .htaccess file BEFORE following, adjusting or testing anything I have included in this post. Okay, there, I said it. The world of web access now rests on your shoulders.
To find out if .htaccess is enabled on your server, put a test php file in the root and then attempt to view it in the browser of your choice. If you get a 500 error (the “I have a boo-boo page”), then it is not enabled for your server and you should contact your host company. This error will also occur if you put some funky thing in your .htaccess file that the server does not understand.
Put the following in the test php file:
<ifModule mod_php4.c>
php_value default_charset utf-8
</ifModule>
* used so it is not functional code, but please remember to remove them.
(Note: this directive will only have an effect if PHP is loaded; switch the 4 for a 5 if using PHP 5.)
Now, I am on a Mac and I use Transmit as my FTP client. I love the app because I can set in my preferences for it to view hidden files and then I can edit the .htaccess files via TextEdit, BBEdit, TextMate, Coda or whatever I like. The simpler, the better. Please note that .htaccess files must be uploaded in ASCII mode, not BINARY.
You may need to CHMOD the .htaccess file to 644 (rw-r--r--). This makes the file usable by the server, but prevents it from being read by a browser; a browser-readable .htaccess file can seriously compromise your security. (For example, if you have password-protected directories and a browser can read the .htaccess file, then a visitor can get the location of the authentication file and then reverse engineer the list to get full access to any portion that you previously had protected.) There are different ways to prevent this, one being to place all your authentication files above the root directory so that they are not www accessible, and the other is through an htaccess series of commands that prevents itself from being accessed by a browser.
Ever wanted a specific directory in your site to be available only to people who you want it to be available to? Ever got frustrated with the seeming holes in client-side options for this that allowed virtually anyone with enough skill to mess around in your source to get in? .htaccess is the answer!
The first thing you will need to do is create a file called .htpasswd. It is the same idea behind naming the htaccess file itself. In the htpasswd file, you place the username and password (which is encrypted) for those whom you want to have access:
somebody:something
(user is somebody, something is password) – DO NOT use the same name for user and password, please!
Then in your .htaccess file put:
* AuthUserFile /usr/local/you/safedir/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
require user somebody *
* used so it is not functional code, but please remember to remove them.
This will require the username and password to enter anything in the same folder as that .htaccess file.
Now there is so much more I will be adding over the next few blog posts about .htaccess files, but in closing this one, I need to put a specific instruction for WordPress users. When you develop a WordPress site, WordPress generally creates a .htaccess file with the information specific to WP sites. As well, many are using WP-Cache or WP-Super Cache as plugins to speed up the loading and caching (and the ability of your site to take the hits, so to speak).
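The two protections described above, the Basic auth block and the "htaccess series of commands that prevents itself from being accessed by a browser", combined in one .htaccess as an added example that is not from the original post. It assumes the host allows these overrides (AllowOverride AuthConfig and Limit, or All); the path and user name reuse the post's placeholders and the realm text is made up.

```apache
# .htaccess for a password-protected folder
# (added example; path, user and realm are placeholders)

# 1. Refuse to serve .htaccess / .htpasswd themselves.
#    File mode 644 still lets the web server process read these files,
#    so the block has to come from a directive like this one. Many Apache
#    default configurations already ship an equivalent rule server-wide.
<FilesMatch "^\.ht">
    # Apache 2.4 and later
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 and earlier
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# 2. HTTP Basic authentication for everything in this folder.
#    The password file lives outside the document root, as the post advises.
AuthType Basic
AuthName "Staff area"
AuthUserFile /usr/local/you/safedir/.htpasswd

# Only the named account from .htpasswd may enter;
# use "Require valid-user" to admit every account in the file.
Require user somebody
```

Basic authentication sends the credentials with every request in base64 encoding only, so serve the protected folder over HTTPS. Generate the .htpasswd entries with Apache's htpasswd utility so the stored passwords are hashed rather than typed in by hand.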
The WP .htaccess file generally looks like this to start:
*# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress *
* used so it is not functional code, but please remember to remove them.
Now let’s up the ante with the domain name URL:
*# If subdomain www exists, remove it first
RewriteCond %{HTTP_HOST} ^www\.([^.]+\.[^.]+)$ [NC]
RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
*
This way you do not have to add URLs manually if you reuse this.
Then let’s add some other refinements for wordpress:
*# If requested resource does not exist as a file
RewriteCond %{REQUEST_FILENAME} !-f
# and does not end with a period followed by a filetype
RewriteCond %{REQUEST_URI} !\..+$
# and does not end with a slash
RewriteCond %{REQUEST_URI} !/$
# then add a trailing slash and redirect
RewriteRule (.*) $1/ [R=301,L]
*
Then the final .htaccess for WP would be:
RewriteEngine On
# If subdomain www exists, remove it first
RewriteCond %{HTTP_HOST} ^www\.([^.]+\.[^.]+)$ [NC]
RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
# If requested resource does not exist as a file
RewriteCond %{REQUEST_FILENAME} !-f
# and does not end with a period followed by a filetype
RewriteCond %{REQUEST_URI} !\..+$
# and does not end with a slash
RewriteCond %{REQUEST_URI} !/$
# then add a trailing slash and redirect
RewriteRule (.*) $1/ [R=301,L]

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
Then from there, if you use WP-Cache or WP-Super Cache, it will add its own commands at the top of your .htaccess file itself (do not mess with what they add, as they are required for the cache rules to work properly).
So, there you have it. Part 1 of the .htaccess informational post. Stay tuned for Part 2.
Kimberly Beaven is a Web Designer and Creative Director of BlueWave Media. She is truly a gadget girl who loves architecture, photography, design and coding.
21 Responses to “What is htaccess and what does it do?”
Hi guys,
I searched so many websites in these 2 days but still I couldn’t find a solution. I know it’s not a forum, but maybe you can help me with this.
Actually I want to use mode rewrite for masking my URLs, thing is that I have URLs like http://www.mysite.com/index.php?page=news&newsID=23, I already created this in .htaccess:
RewriteRule (.*)-(.*) index.php?page=$1&newsID=$2
result: http://www.mysite.com/news-23
but the thing is that I want to pass title of that news to my URL instead of 23 (like http://www.mysite.com/first-news), I don’t know how can I do that.
I really appreciate any help in advance.
Cheers. (my email is amirrezaa.farhadi@gmail.com)
You’ve got it – just remember to put the real domain in there and you are set to go.
Back again. So if I’m using www-canonicalization, the .htaccess file should look like this, correct? With my url in both domain.com spots, correct?
<code>RewriteEngine On
# Send any host other than www.domain.com to the www host
RewriteCond %{HTTP_HOST} !^www\.domain\.com$ [NC]
RewriteRule ^(.*)$ http://www.domain.com/$1 [R=301,L]
# Add a trailing slash to URLs that have no file extension
RewriteCond %{REQUEST_URI} ^/[^\.]+[^/]$
RewriteRule ^(.*)$ http://www.domain.com/$1/ [R=301,L]
RewriteCond %{REQUEST_URI} !\..+$
# and does not end with a slash
RewriteCond %{REQUEST_URI} !/$
# then add a trailing slash and redirect
RewriteRule (.*) $1/ [R=301,L]
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress</code>
Thanks for answering all my questions, Kimberly. You’re one classy lady.
Wow, blew me away with that one! You are so very welcome – I have enjoyed this learning experience for myself too as it is good to get this stuff out of my mind and on “paper.” Makes me push myself farther too. You have been awesome.
And for where you put in domain.com should I put in the url for my site?
You’ve got it! I put that there for the explanation but yes that is where you would put your domain/url that you are working on.
This is a great exchange – thanks Yael!
The starting WP .htaccess I have is:
<code># BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress</code>
Is that different from what you stated, which is:
<code># BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress</code>
Not really different – you have the <IfModule mod_rewrite.c> which just signifies to look for any re-write rules, so you are good to go.
To clarify, the above code is if I’ve been using www and want to now get rid of it, correct?
What if I want the canonicalization to be http://www.mysite.com?
Correct. If you want it to be with the www, use
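RewriteEngine On
# Send any host other than www.domain.com to the www host
RewriteCond %{HTTP_HOST} !^www\.domain\.com$ [NC]
RewriteRule ^(.*)$ http://www.domain.com/$1 [R=301,L]
# Add a trailing slash to URLs that have no file extension
RewriteCond %{REQUEST_URI} ^/[^\.]+[^/]$
RewriteRule ^(.*)$ http://www.domain.com/$1/ [R=301,L]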
This will make sure the www is included if someone leaves it off
So if I wanted it with www what lines of code get changed and what are the changes?
To have the rewrite to get rid of the www you need the code:
This broken apart:
tells the server to get rid of the www and break it down to the basic domain – so from http://www.domain.com to domain.com.
It is done through a 301 redirect, i.e. the R=301 as above, that tells it to take out the www if anyone puts it in so all analytics, pages, etc. will be found at the root of the domain for all.
Does that make sense?
I forgot to mention that WordPress seems to prefer to end all urls with a / — so much so that I couldn’t get a link to work without the /. So I use this to stop those shenanigans?
Yes, that is a bit aggravating as well and this will work to fix that – it is a nice quick fix that tells the server how to interpret the url when someone asks for it in their browser. Because it is at the root of the site, it fixes a lot of those nagging things.
And is that canonicalization without www? Because I prefer with www.
Yes you can do it with or without, but I have it listed as without as many prefer that way.
So is .htpasswd necessary for the security of a WP site? What would the code look like for it?
Are you saying that you made the .htaccess do the canonicalization of urls that Google is now talking about?
Actually the .htpasswd is not necessary – but you had asked me originally about in a sense hiding a site or a directory, so this is a great way to do that. Unless you want a site or a sub site hidden and password protected, you do not need this at all.
Yes, this is a quickie way of letting the .htaccess do the canonicalization of the urls for you.
Good questions!
Hi Yael, thank you for your comments and questions.
Yes, set the permissions to 644, correct.
The .htpasswd file is to be used if you want to add a password and username entrance into a main root of a domain or just a subfolder. You put it in the folder that you want to make sure no one can get into unless they have the username and password. Controlled entry. I have used this for clients that have a staff only area of their site in a subfolder of their domain.
The code I shared for WP is the main one that is naturally created and then a bit added for those who have permalink problems or want to make sure all of the urls on their domain are handled correctly – basically telling the server how to interpret the domain urls. This is great for people getting 301 errors and need to redirect to a www or without www in their domain. Some people prefer not using the www at all, and so tell the server if someone puts a www in front of the domain to get to their site, reinterpret it to remove it so they do not get any “page not found errors.” So this is not needed but an added if you have any problems with your site getting a lot of page not found errors.
Does that help a bit?
Kimberly, thanks for doing this and I look forward to part II.
On to the questions:
You’re saying the file permission for the .htaccess file should be 644, correct?
I’m confused about the .htpasswd file. What’s its purpose? What does the code look like to tell it what is the user and the password? What file permission should it be?
I’m also confused about the code you shared for a WordPress .htaccess file. What is it supposed to do? Why do you feel it’s needed?