101Geek

What is .htaccess File? How do you find it and use it – Beginner’s Guide

A .htaccess file is basically nothing more than a plain text file. You can use it to control the configuration of the Apache web server without having direct access to the main configuration file (httpd.conf) of the web server.

The configurations in the .htaccess file always refer to the entire contents of the current directory. That is, all files and subfolders that are located in it.

The .htaccess file is often used when a directory needs access protection.

In this article I will explain how you can use this configuration option and for what purpose it is still used.

This article is about a very technical topic, but of course I will give my best to make it easy for you: we will talk about the great possibilities of the .htaccess file. All the major configuration instructions for your webserver and rules for web directories can be set and stored in this file.

This means that the rules defined in the .htaccess always apply to the directory in which this file is located. Normally, most configurations are stored in the .htaccess file of the main directory, as this applies to this entire folder including subfolders, whereby WordPress enforces .htaccess rules for the entire blog.

In this article I will show you some cool code snippets to make your blog faster and safer. These code snippets must be inserted in the .htaccess of your main directory, on your web server.

Using .htaccess files correctly in WordPress

Before we get started, I have a few little things to explain to you about this particular file.

The .htaccess is a very powerful file you can use to do a lot of good but also bad things. Because of its power it is often targeted by hackers.

Protection of .htaccess

WordPress .htaccess Set file permissions

Set the file permissions of the .htacces to 644

So before we get started, you should first define the file permissions for the .htaccess. WordPress suggests (and I can only endorse this) that you set permission 644.

To do this, log on to your web server with your FTP program, right-click on the .htaccess file in your root directory, and then click on “File permissions” or similar. Now you enter 644 as the permission and protect the file from external changes.

Standard contents

WordPress needs only one rule in the .htaccess to work. This rule is there to allow you to change the URLs in WordPress. You need this, for example, to create talking URLs. So this should already be in your .htaccess, if not, make sure you insert it:

 BEGIN WordPress
 RewriteEngine On
 RewriteBase /
 RewriteRule ^index.php$ - [L]
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule . /index.php [L]
 END WordPress 

Before you make any changes: Attention!

Be sure to backup your .htaccess first. You can do this simply by downloading the current file via FTP and saving it on your computer. If something goes wrong, you can simply upload the saved file again and overwrite the changed one. Everything will be running smooth again.

One last little thing before we finally go to work:
Insert the code snippets either before “#BEGIN WordPress” or after “#END WordPress”. I have commented on each code snippet with a line at the beginning, so that you can keep track and know which code has which effects. Comments always start with a # and are not interpreted by browsers, but serve only for clarity.

Also the .htaccess has to be loaded by the browser first, so make sure to keep it as light as possible and only insert the codes you really need.

So, here we go: πŸ™‚

Allow Wp-admin only for selected IPs

With this snippet you can block the login page for all users except those that are coming from IPs you entered. Logically, you can use this very effectively to prevent someone from tampering with the login page.

The whole thing only works if you and the other users have a static IP address. With a dynamic IP, a new IP is assigned each time you connect to the internet. If this is the case with you or your users, you cannot use this trick.

You can easily find out your IP address by going to Google and search for “what is my ip address”.

The IP addresses of the allowed users are entered in the .htaccess. So you have to ask each new user for his IP address and add it to the .htaccess.

Access to wp-admin only for given IPs

order deny,allow
deny from all
allow from IP address1
allow from IP address2

Lock Wp-config.php for all

The wp-config.php file contains your database data, access data to WordPress and other very sensitive data. To prevent anyone from simply looking into the file and tampering with the data, you can lock it using .htaccess.

 Prohibits all access to wp-config
 
<files wp-config.php>  
order allow,deny  deny from all  
</files>   

Prevent your images from being hotlinked

So-called image hotlinking is abused time and again. This means that someone inserts one of your images on their website, but retrieves it from your server. This will generate additional bot traffic to your site, which can affect the speed of your blog. In addition, many hosting packages are limited to a certain amount of traffic per month, which can cause you problems with image hotlinking.

This code snippet in the .htaccess allows you to set up an image that will be displayed instead of an image that somebody tries to hotlink from your server.

Note: In some cases this code will prevent images from being displayed in RSS readers. If you don’t offer RSS or can do it without the images, that’s no problem. In other cases, just add the code and check if the images are still displayed.

 Prevents image hotlinking. Replace the last URL with an image link.
 RewriteEngine on
 RewriteCond %{HTTP_REFERER} !^$
 RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?deinblog.de [NC]
 RewriteRule .(jpg|jpeg|png|gif)$ http://deinbild.jpg [NC,R,L] 

Enable Browser Caching

Here is a little tip for speed optimization with the help of the WordPress .htaccess file.

This somewhat longer code activates the so-called browser caching. When a page is opened, a browser first saves all files offline and then displays them. This is what is behind the loading time of a website. Browser caching allows the browser to simply retrieve these already downloaded files the next time the page is opened, without having to download them again.

To make this work, browsers are given the maximum permitted storage time for different file types. This means that the files are refreshed after the specified time if changes have been made.

Enable Browser Caching

ExpiresActive On
  ExpiresByType image/jpg "access 1 year"
  ExpiresByType image/jpeg "access 1 year"
  ExpiresByType image/gif "access 1 year"
  ExpiresByType image/png "access 1 year"
  ExpiresByType text/css "access 1 month"
  ExpiresByType application/pdf "access 1 month"
  ExpiresByType text/x-javascript "access 1 month"
  ExpiresByType application/x-shockwave-flash "access 1 month"
  ExpiresByType image/x-icon "access 1 year"
  ExpiresDefault "access 2 days"

Enable GZIP compression

Activate WordPress .htaccess GZIP

GZIP compression reduces loading time

Another tip for optimizing the speed of your blog. You can activate the so-called GZIP compression with a short code snippet.

GZIP is a web standard to compress files. You can imagine this as a .zip or .rar archive on your computer.
The files are shrunk as much as possible and then unpacked again by the browser. This makes your blog much more efficient and faster to load.

After activation, go to checkgzipcompression.com and enter the URL of your blog. You will now see if GZIP is activated and what is saved.

 <IfModule mod_deflate.c>  
SetOutputFilter DEFLATE  
</IfModule> 

Prevent access to .htaccess

In addition to setting the file permissions, you should block .htaccess from being accessed from outside using .htaccess. Sounds strange, but it works πŸ™‚

As I mentioned before, .htaccess has a big impact on the way your blog works and can do a lot of damage. For this reason, you should do everything you can to protect it as much as possible.

#Prevent .htaccess accesses
 <files ~Β "^.*\.([Hh][Tt][Aa])"> 
  order allow,deny  
deny from all  
satisfy all   
 </files> 

Exclude certain users

Getting rid of spammers and eliminating hackers sounds great, doesn’t it?
Is does and and can be done with the .htaccess quite simply.

In the case of spam comments, the IP address of the commenter is displayed directly in WordPress. For hacking attempts it is a bit more complicated, but still possible to get the IP address. For this you either have to look into the logfiles of your server or work with a plugin like iThemes Security.

The IP addresses you find out can then all be entered into this code snippet in .htaccess, so they no longer have access to your blog. Just replace the X with the IP address.

 exclude users by IP addresses
 <Limit GET POST>  
order allow,deny  
deny from XXX.XXX.XX.X  
deny from XXX.XXX.XX.X  
allow from all  
</Limit> 

301 Redirects

If you’re moving your blog to another domain, moving entire articles or pages to a new URL, or need to create a redirect for some other reason, WordPress makes it easy with .htaccess.

A 301 redirect ensures that when users click on a link that points to an old page, they are redirected to the new page. This is extremely important not only for your users, but also for Google, because you won’t lose link power, as the old link would lead to empty or 404 page if you didn’t setup a redirect.

After the “Redirect 301” you first enter the old URL, make a space behind it and put the new URL behind it.

 #301 Redirects
 Redirect 301 /oldsite.html http://newsite.com/newurl
 Redirect 301 / http://newsite.com/ 

Prevent reading of user names

Did you know that you can easily find out your username by appending /?author=1 to your domain? Try it out, WordPress will immediately redirect you to the author page of user one. This makes it easy for hackers to find out your username for login.
Sure, they won’t get far with that, but you should make it as hard as possible for hackers to crack your website.

If you have this code in your .htaccess, entering /?author=X will display the home page of your blog.

 #Prevents easy reading of usernames
 RewriteEngine On
  RewriteBase /
  RewriteCond %{QUERY_STRING} .author=(.+.?) 
[NC]  RewriteRule (.) /blog/?author= [NC,L,R=301] 

Do you have any other .htaccess codes that you can use to improve your blog? Just comment and share it with us πŸ™‚

Your Header Sidebar area is currently empty. Hurry up and add some widgets.