20+ .htaccess Hacks Every Web Developer Should Know About
Posted by JP on January 22nd, 2010 in Coding | 61 Comments
Apache's .htaccess (hypertext access) configuration file can be a very powerful tool in a web developer's toolkit if used properly. It can be found in the webroot of your server and can be easily edited using any text editor. In this article I'm going to show you 20 .htaccess hacks and how to use them.
Before I start, I'd like to point out that abusing the .htaccess file will hurt the performance of your website. The .htaccess file should only be used if you have no other way to achieve certain things.
Make sure to back up your current .htaccess file before applying any of the following hacks.
1. Prevent Hotlinking
Tired of people using your bandwidth by putting the images hosted on your server on their website? Add the following code at the bottom of your .htaccess file to prevent hotlinking.
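Options +FollowSymlinks
#Protect against hotlinking
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domainname\.com/ [NC]
#Do not rewrite the replacement image itself, otherwise the redirect loops
RewriteCond %{REQUEST_URI} !/img/stop_stealing_bandwidth\.gif$
RewriteRule \.(gif|jpg|png)$ http://domainname.com/img/stop_stealing_bandwidth.gif [NC,R,L]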
NOTE: The following article explains better methods to "prevent" hotlinking:
Link building secrets by Maurizio Petrone
2. Block All Requests From User Agents
It's possible to block all unwanted user agents that might be potentially harmful or perhaps just to keep the server load as low as possible.
#Block bad bots
#Each matching User-Agent sets the bad_bot variable that is denied below
SetEnvIfNoCase User-Agent ^FrontPage bad_bot
SetEnvIfNoCase User-Agent ^Java.* bad_bot
SetEnvIfNoCase User-Agent ^Microsoft.URL bad_bot
SetEnvIfNoCase User-Agent ^MSFrontPage bad_bot
SetEnvIfNoCase User-Agent ^Offline.Explorer bad_bot
SetEnvIfNoCase User-Agent ^[Ww]eb[Bb]andit bad_bot
SetEnvIfNoCase User-Agent ^Zeus bad_bot
Order Allow,Deny
Allow from all
Deny from env=bad_bot
3. Redirect Everyone Except Specified IPs
If for some reason you would want to deny everyone or allow only a specific group of IP addresses to access your website, add the following code to your .htaccess file:
ErrorDocument 403 http://www.domainname.com
Order deny,allow
Deny from all
Allow from 124.34.48.165
Allow from 102.54.68.123
4. SEO Friendly 301 Redirects
If you've transferred domain names or wish to redirect a specific page or pages without being penalized by search engines such as Google, use the following code:
Redirect 301 /d/file.html http://www.domainname.com/r/file.html
5. Creating a Custom Error Page
Are you as tired as me of the default layout of 404 error pages? Well now you can easily create your own and refer to it like this:
ErrorDocument 401 /error/401.php
ErrorDocument 403 /error/403.php
ErrorDocument 404 /error/404.php
ErrorDocument 500 /error/500.php
6. Create an IP Banlist
Tired of getting the same bs comments from a specific user over and over again? Just ban the bastard like this by adding the following code to your .htaccess file:
#Evaluate Allow first, then Deny, so the deny lines win
Order allow,deny
allow from all
deny from 145.186.14.122
deny from 124.15
7. Set Default Email Address For Server Admin
Using the following code you can specify the default email address for the server's admin.
ServerSignature EMail
SetEnv SERVER_ADMIN default@domain.com
8. Disable Display of Download Request
Usually when downloading something from a web site, you'll be asked whether you wish to open the file or save it on your hard disk. To prevent the server from prompting users whether they wish to open or save the file and to just save the file, use the following code:
AddType application/octet-stream .pdf
AddType application/octet-stream .zip
AddType application/octet-stream .mov
9. Protect a Specific File
The following code allows you to deny access to any file you wish by throwing a 403 error when someone tries to access it. In the following example I've chosen to protect the .htaccess file, adding an extra layer of security.
#Protect the .htaccess File
<Files .htaccess>
order allow,deny
deny from all
</Files>
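The Order/Allow/Deny directives used in items 2, 3, 6 and 9 are Apache 2.2 syntax, which Apache 2.4 keeps only through the deprecated mod_access_compat module. The following is an added example, not part of the original post, showing the same rules written with the 2.4 Require directive; it assumes the bad_bot variable is set by the SetEnvIfNoCase lines from item 2.

```apache
# Added example (Apache 2.4 syntax), not from the original post.

# Items 2 and 6 combined: allow everyone except flagged user agents and
# banned addresses. Every line inside <RequireAll> must pass.
# bad_bot is assumed to be set by the SetEnvIfNoCase lines from item 2.
<RequireAll>
    Require all granted
    Require not env bad_bot
    Require not ip 145.186.14.122
    Require not ip 124.15
</RequireAll>

# Item 9: refuse every request for the .htaccess file itself.
<Files ".htaccess">
    Require all denied
</Files>

# Item 3: serve only the listed addresses. Use this INSTEAD of the
# <RequireAll> block above. Sibling Require directives are ORed together,
# so keeping both would let "Require all granted" admit everyone.
#Require ip 124.34.48.165 102.54.68.123
```

The User-Agent header is supplied by the client, so the bad_bot rule only stops clients that identify themselves honestly; the address rules are the ones that actually restrict access.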
10. Compress Components With mod_deflate
As an alternative to compressing files with Gzip, you can use mod_deflate (which is supposedly faster). Place the following code at the top of your .htaccess file (tip: you can also add .jpg|.gif|.png|.tiff|.ico to mod_deflate those):
SetOutputFilter DEFLATE
11. Add Expires Headers
The following code shows you how to add an expiration date on the headers.
Header set Expires "Wed, 21 May 2010 20:00:00 GMT"
12. Setting the Default Page
You can set the default page of a directory to the page of your choice. For example, in this code the default page is set as about.html instead of index.html.
#Serve Alternate Default Index Page
DirectoryIndex about.html
13. Password Protect Your Directories and Files
You can enable password authentication for any directory or file on your server by using the following code:
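#password-protect a file
#(protected-file.php is a placeholder; use the name of the file to protect)
<Files protected-file.php>
AuthType Basic
AuthName "Prompt"
AuthUserFile /home/path/.htpasswd
Require valid-user
</Files>
# password-protect the directory in which this .htaccess file resides
AuthType basic
AuthName "This directory is protected"
AuthUserFile /home/path/.htpasswd
AuthGroupFile /dev/null
Require valid-user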
14. Redirect an Old Domain to a New Domain
By using the .htaccess file you can redirect an old domain name to a new domain by adding the following code to the .htaccess file. Basically, it remaps the old domain to the new one.
#Redirect from an old domain to a new domain
RewriteEngine On
RewriteRule ^(.*)$ http://www.domainname.com/$1 [R=301,L]
15. Force Caching
The following code will not directly increase the loading speed of your website. What it will do is load the content of your site faster when the same user revisits your website, by sending a 304 status when the requested components have not been modified. You can change the cache expiry by changing the number of seconds (it's currently set at 1 day).
FileETag MTime Size
ExpiresActive on
ExpiresDefault "access plus 86400 seconds"
16. Compress Components By Enabling Gzip
By making use of Gzip you can compress files in order to make your website load faster.
AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/javascript text/css application/x-javascript
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
17. Remove "category" from a URL
To transform the URL http://yourdomain.com/category/blue into http://yourdomain.com/blue, just add the following code at the bottom of your .htaccess file.
RewriteRule ^category/(.+)$ http://www.yourdomain.com/$1 [R=301,L]
18. Disable Directory Browsing
To prevent people from accessing any directories that might contain valuable information or reveal security weaknesses (e.g. plugin directories of WordPress), add the following code to your .htaccess file:
Options -Indexes
19. Redirect WordPress Feeds to FeedBurner
The following snippet redirects WordPress' default RSS feed to FeedBurner's feed.
#Redirect wordpress content feeds to feedburner
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} !FeedBurner [NC]
RewriteCond %{HTTP_USER_AGENT} !FeedValidator [NC]
RewriteRule ^feed/?([_0-9a-z-]+)?/?$ http://feeds.feedburner.com/yourfeed [R=302,NC,L]
20. Deny Comments from No Referrer Requests
The problem is that bots just post comments about how to increase your private parts all naturally to your blogs without coming from any other site. It's like they fall from the sky. This neat hack prevents people from posting if they did not come from somewhere else (they can comment just fine if they came from e.g. google).
RewriteEngine On
#Only POSTs to the comment handler are checked
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
#Referrer is not your blog, or the user agent is empty
RewriteCond %{HTTP_REFERER} !.*yourblog.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
#Send the request back to the client's own address
RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]
Source: How to: Deny comment posting to no referrer requests
21. Remove File Extension From URL
Thanks to Kartlos Tchavelachvili for this one. The following code removes the .php extension (you can change it to whatever you like, e.g. html) from a URL. It makes the URL prettier & SEO friendlier.
RewriteRule ^(([^/]+/)*[^.]+)$ /$1.php [L]
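As written, the rule also rewrites requests for directories such as /example/ to /example/.php, and the .php URL stays reachable next to the extensionless one. The following variant is an added example, not part of the original post or Kartlos' rule: it skips directories, rewrites only when the matching .php file exists, and redirects direct requests for the .php URL. It assumes the .htaccess file sits in the document root, as the rule above does.

```apache
# Added example, not from the original post.
RewriteEngine On

# 1) A client asked for /foo.php directly: redirect it to /foo.
#    THE_REQUEST holds the raw request line ("GET /foo.php HTTP/1.1"), so
#    this never fires on the internal rewrite done in step 2 and cannot loop.
#    Limited to GET and HEAD so form POSTs to a .php URL are not turned
#    into GET requests by the redirect.
RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$
RewriteCond %{THE_REQUEST} ^[A-Z]+\s/([^?\s]+)\.php[?\s]
RewriteRule ^ /%1 [R=301,L]

# 2) Internally map /foo to /foo.php, but only when /foo is not a
#    directory and /foo.php really exists on disk. Anything else falls
#    through to normal handling (directory index, 403 or 404).
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteRule ^(([^/]+/)*[^.]+)$ /$1.php [L]
```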
22. Remove www from URL
Thanks to Mahalie for the following 2 .htaccess codes.
If you wish to take out the www from your website's URL and transform it from http://www.example.com into http://example.com, add the following to your .htaccess.
#remove www from URI
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.domain\.com$ [NC]
RewriteRule ^(.*)$ http://domain.com/$1 [L,R=301]
23. Add Trailing Slash to URL
Some search engines remove the trailing slash from URLs that look like directories (Yahoo, for example, does it). This can result in duplicate content problems when the same page content is accessible under different URLs. The following code makes sure there's a slash at the end of your URL:
#trailing slash enforcement
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !#
RewriteCond %{REQUEST_URI} !(.*)/$
RewriteRule ^(.*)$ http://domain.com/$1/ [L,R=301]
24. Remove the www. from your website's URL
Below I've provided a simple htaccess snippet to forcefully remove the "www" from your website's URL.
# Redirect if www.yourdomain.com to yourdomain.com
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule (.*) http://example.com/$1 [R=301,L]
More articles about .htaccess:
- Avoiding the use of .htaccess for performance
- Comprehensive guide to .htaccess
- Stupid htaccess Tricks
Jan 22, 2010 at 12:48 pm
I tried Remove “category” from a URL, but it doesn’t do anything
Jan 22, 2010 at 1:48 pm
Useful rewrite rules. This one is also cool:
RewriteRule ^(([^/]+/)*[^.]+)$ /$1.php [L]
It removes file extension(.php)
Jan 22, 2010 at 2:06 pm
@Eveevans: If you’re using WordPress, I don’t recommend doing this via .htaccess, just change your permalink structure.
Otherwise, make sure that the access to the .htaccess file is 644 so the server can access the file.
@Kartlos: That’s a nice one! I’ll add it to the post as well :D
Jan 22, 2010 at 3:24 pm
Would the rewrite that loses the file extension not lead to a duplicate content penalty with google? The page is still accessible with the .php extension, so there are now duplicate ways to address the same content.
Jan 22, 2010 at 3:32 pm
@aljuk: you can use robots.txt and the sitemap.xml files to restrict which links are crawled by the search engine spiders.
More Info: SEO Issues with Duplicate Content: Htaccess, Robots and URLs – Part 2
Jan 22, 2010 at 4:38 pm
@JP thanks for the link, and yes that makes perfect sense stopping those urls being crawled.
My ideal (if it’s possible) would be that any page addressed with .php (eg. I type in ‘example.php’) would always resolve to a url without .php (‘example’) in the address bar. In fact, even more awesome would be if it were possible to readdress a request with any extension (eg. ‘example.php’ or ‘example.html’ or ‘example.asp’) to ‘example’ in such a way that nobody could actually tell what server language was serving the html. Wishful thinking?
What got me thinking about this was the issue of stats. If a user can get to the same content with ‘example’ and ‘example.php’ those URLs will surely record separately in analytics, and it would feel cleaner all round to me if it was possible to simply disappear the .php from use/view altogether.
Jan 22, 2010 at 5:01 pm
This list is amazing. I especially am in need of the compression commands. I usually manually set a file with gzip compression using php. I’ll still need to do this when installing on a client’s server but I’ll certainly use it for my server.
Thank you so much!
Jan 22, 2010 at 5:02 pm
valueble…
Jan 22, 2010 at 5:34 pm
@Aljuk: yep I agree.. it can be done though by only allowing 1 type of link to display the content etc. You’ll have to do some research..
@Matthew: You’re welcome man!
Jan 23, 2010 at 12:11 am
This is a really great post! I’ve bookmarked it and will definitely be referring back to it :) Thanks
Jan 23, 2010 at 12:13 am
Thanks Mike
Jan 24, 2010 at 1:38 am
It looks like there is a formatting issue with several of the code snippets above, making them invalid if copied and pasted for use.
Several have some extra =”"> bits (2,9,10,11,13,19). Some are also using typographic “curly quotes” instead of straight quotes (13 and 5).
Jan 24, 2010 at 1:39 am
Ugh.
That should be (13 and *15*).
Jan 24, 2010 at 1:55 am
Thanks a lot for noticing this Mary! I’ve fixed the typographic curly quotes.
I don’t get what you mean by “Several have some extra =””> bits (2,9,10,11,13,19)” though. Mind explaining?
Jan 24, 2010 at 3:20 am
Thanks 4 the share
Jan 24, 2010 at 6:10 am
I tested RewriteRule ^(([^/]+/)*[^.]+)$ /$1.php [L] but it didn’t work through my htaccess page on server.
Not working even on localhost.
Could you please help me?
Jan 24, 2010 at 7:22 am
@mitendra: You need to have Apache’s mod_rewrite rule enabled in order to use this one. WAMP/XAMPP/MAMP etc all have mod_rewrite turned off by default.
Also, I’m not sure if it works for localhost (I’ll have to look into this one).
Jan 24, 2010 at 9:39 am
@aljuk
…I think this article is about htaccess Hacks and not about SEO optimization :)
@mitendra
That rule comes direct from my sites .htaccess file.
http://www.eclipsedesign.eu/contact
http://www.eclipsedesign.eu/contact.php
As you can see it works perfectly for me.
Jan 24, 2010 at 10:37 am
It’s a very interesting article. Thank you for information.
Jan 24, 2010 at 10:44 am
@Kartlos: welcome back man!
@Elina: You’re welcome! Don’t forget to subscribe to the RSS feed :D
Jan 24, 2010 at 2:27 pm
great article :)
Very helpful for us…
Thanks
SV
Jan 24, 2010 at 3:45 pm
These are great, really love removal of category – excellent for those of us using Expression Engine. Here’s an additional one I use a lot – removing www from urls and enforcing trailing slashes (for URI consistency which helps with SEO).
#remove www from URI
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.domain\.com$ [NC]
RewriteRule ^(.*)$ http://domain.com/$1 [L,R=301]
#trailing slash enforcement
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !#
RewriteCond %{REQUEST_URI} !(.*)/$
RewriteRule ^(.*)$ http://domain.com/$1/ [L,R=301]
Jan 24, 2010 at 4:20 pm
@mahalie: thanks a lot for those! I’ve added them to the article as well :)
Jan 24, 2010 at 5:06 pm
Thanks for this list JP. I have bookmarked it as well and will have to read it over more carefully later. I have always been a little leery about mussing with the htaccess.. I will give it a try.
Jan 24, 2010 at 5:48 pm
@Kevin: You’re welcome, don’t forget to subscribe to the RSS feed, lots of more good articles are coming up.
Jan 24, 2010 at 7:52 pm
thank you for share
Jan 24, 2010 at 9:20 pm
Thanks JP. It’s working. I think that was a cache problem. Don’t know but nice script. :)
Jan 24, 2010 at 10:45 pm
You’re welcome :)
Jan 25, 2010 at 12:35 pm
@JP These are really good. I use several of them already. Mod_Rewrite is so powerful! Since the rules are fairly cryptic and can get so complex that it is nice to have these handy. Thanks!
Jan 26, 2010 at 11:13 am
The “Remove File Extension From URL” rule (#21 in your list) is pretty, but wrecks 403 error addressing. If a user tries to browse a directory (eg. /example/), the server assumes the user is trying to call a file (in this case example/.php) and incorrectly throws a 404.
I wonder if there’s a workaround, or a better way of writing the rule?
@Kartlos – since htaccess rules can massively affect seo, the subjects are not mutually exclusive, hence “It makes the … SEO friendlier” in the article. Perhaps you should read more carefully :)
Jan 26, 2010 at 1:10 pm
@Pete J: Can you show me an example of this Pete? I find what you’re saying a bit hard to believe.
If it’s true I’ll look into it to see if there’s a work around for it.
Jan 26, 2010 at 1:53 pm
awesome tips! thanks for sharing :)
Jan 27, 2010 at 12:09 am
This post is definitely going into my ‘resources’ link folder! Thanks!
Jan 27, 2010 at 1:58 am
@soratofx & jami: You’re welcome guys! Don’t forget to grab the rss feed to get more useful resources in the future.
Jan 27, 2010 at 11:03 pm
thanks for share,,,
Jan 28, 2010 at 12:28 pm
Hi, this post was today referred in BHW. Title is “23 htaccess Hacks Everyone Should Know!”.
My question is, how we can force www to non www?
Thanks in advance…
Jan 28, 2010 at 1:47 pm
@John: Hey I’ve provided the code to forcefully remove the www from your website’s url.
Jan 29, 2010 at 3:22 am
Very useful posts on your site. I’ve had to learn more than half of these processes in the last few months. I spent about two hours today setting up redirects for a client that were way more complex and used way more reg exp than I had anticipated. I’m sure this will be a great reference to others.
Jan 30, 2010 at 6:47 am
thanks for sharing :)
Jan 30, 2010 at 10:01 am
thanks a lot….
Jan 30, 2010 at 5:39 pm
I’m going home to …’s place,
Feb 01, 2010 at 1:13 pm
Nice brief and this enter helped me alot in my college assignement. Gratefulness you seeking your information.
Feb 02, 2010 at 1:26 am
Keep posting stuff like this i really like it
Feb 03, 2010 at 6:00 am
Nice idea, thanks!
Just don’t abuse htaccess rules because it can really slow down your web site: all the rules are checked each time a file is uploaded: css, js, jpg, html…
Mixing php rules, when you can, with these will be better for perf.
Feb 03, 2010 at 10:28 pm
@JP.. sorry, I asked wrong question actually..
I want to force non www to http://www...
Example: http://google.com to http://www.google.com
I got answer from this page.. those who want the same thing, you can check here: http://www.htaccessbasics.com/force-www-nonwww-domain/
Thanks again JP
Feb 04, 2010 at 1:53 am
@John: You’re welcome :)
Feb 06, 2010 at 3:25 pm
Just wanted to mention that it’s spelled “supposedly”, not “supposively”. Great article, though.
Feb 08, 2010 at 12:52 pm
some of the examples have some extra ‘=”"‘. for example the #11 mod_deflate
the code is:
but it should be:
I get the same error when pasting the right code to my blog post about it. Somehow the syntax highlighting plugin adds this extra ‘=”"‘ stuff
quite annoying and I do not know any fix by now
Feb 08, 2010 at 12:53 pm
great the code doesn’t show up in my comment!
again:
see code #11
that should be ‘mod_deflate.c’ without the =”"
Feb 22, 2010 at 1:08 pm
Thanks for sharing ;)
Feb 22, 2010 at 5:08 pm
The first hack won’t work. You are blocking .gif images so stop_stealing_bandwidth.gif will be blocked as well
Mar 08, 2010 at 10:26 am
If I add this line to my .htaccess:
RewriteCond %{HTTP_USER_AGENT} ^Zeus
some pages of my joomla get down, so I suppose I’m infected with zeus!! How can I detect it? Where can I find info or soft to remove it?
Please help!!
Thanks
Mar 30, 2010 at 10:15 am
Hi,
I did not think we were to put in like this (123 etc)
1 #Protect the .htaccess File
2
3 order allow,deny
4 deny from all
5
So I omitted the numbers at the left side. Its broke my site. Now I can login but nothing else.
Parse error: syntax error, unexpected ‘<' in /home/newdream/public_html/spotlightonsarawak/wp-admin/admin-header.php on line 129
I removed it but now I will have to put in a request to my host because its still broke.
No worries, we'll get this fixed DevMoose.
Wordpress by the way.
Mar 31, 2010 at 9:31 am
@Kate: which of the hacks were you trying to implement?
Can’t help you if you’re not being specific.
Mar 31, 2010 at 11:48 am
Hi Dev,
It was this but after removing it nothing worked.
1 #Protect the .htaccess File
2
3 order allow,deny
4 deny from all
5
The 1-5 numbers I didn’t use but the rest I did use.
K
It may be it wasn’t the script because according to my host my sites had been compromised, he sent that this afternoon.
It should have been ok taking out and saving the script but I couldn’t get logged in to cpanel either.
I have always been worried about adding to the files, now it’s even more worrying for me lol
I’m sure ages ago I got a stop robots from you and all was fine then.
Don’t worry Dev.
Delete my last two posts please under normal circumstances your stuff probably works fine, I believe it was at this end where the problem lay.
May 03, 2010 at 9:21 am
Niksshiz say: I agree with told all above. Let’s discuss this question. Here or in PM.
May 13, 2010 at 12:08 pm
This is a really great post! I’ve bookmarked it and will definitely be referring back to it :) Thanks
Jun 18, 2010 at 11:27 pm
I found your site via google thanks for the post. I will save it for future reference. Thanks
Jun 20, 2010 at 1:57 am
@Kulfoldi: I’m glad you like it. :) I’ll be posting new articles again soon.
Jul 12, 2010 at 9:25 pm
At least one of your “responses” seems to have been done by a robot. I got the same wording on my WordPress blog (“I found your site via google thanks for the post. I will save it for future reference.”). Several others look suspicious, too, just generic praise and thanks. Do you intentionally leave these in? Is there a way to stop them, other than by telling WordPress that it is a spam, and thus keeping it off the blog? Try Googling this response to your blog: “Nice brief and this enter helped me alot in my college assignement. Gratefulness you seeking your information.” See how often it appears!
Jul 23, 2010 at 7:30 am
it was very interesting to read.
I want to quote your post in my blog. It can?
And you et an account on Twitter?