.htaccess files allow you to control access to parts of your website. There are many ways in which to use .htaccess, including password protection of directories, URL rewriting with mod_rewrite, custom error 404 pages, redirection, and banning undesirable spiders. .htaccess files can only be used on our Linux hosting accounts.
.htaccess files can do more harm than good if used incorrectly and should only be used by experienced users. There are many other ways in which to control access to your site with Perl (CGI) or PHP scripting (users of Windows hosting accounts can also use ASP). If you need to use .htaccess files on your site and do not have experience of creating and using them, you should employ someone that does have that experience.
Any use you make of .htaccess is entirely at your own risk. We will not correct errors in your code and we provide no further support for your use of .htaccess than the content on this page.
Uploading, Modifying and Deleting .htaccess Files
.htaccess and other files beginning with a '.' will not normally be visible in your FTP client. Create and save your files on your computer as plain text files such as htaccess.txt. You can then transfer these in ASCII mode to the correct directory and use your FTP client to rename them. Renaming htaccess.txt to .htaccess will replace your existing .htaccess file.
You can modify your .htaccess files by uploading the modified htaccess.txt file with FTP and then renaming it to .htaccess. This should replace the existing file. Because you cannot see .htaccess files with your FTP client, you will be unable to delete them via FTP. Rather than removing them, you could try uploading an empty text file and renaming it to .htaccess. You could also use the Perl unlink() function within a perl / CGI script to completely delete the file.
Password Protected Directories
You can use .htaccess to password protect directories on your account. Your .htaccess file should look something like this:
AuthName "Secure Directory"
<limit GET PUT POST>
AuthName can be any name you like for the secure area. This will be shown on the dialogue box that requests the username and password. AuthUserFile is the full path to and filename for your .htpasswd file containing your list of usernames and passwords. SITENAME will either be your domain name (ie www.yourdomain.com)or the site number (ie site24). You can find the site number by connecting to your site with WS_FTP and clicking DirInfo.
You also need to create a .htpassword file. This contains the list of usernames and encrypted passwords which look like this:
You can create encrytped passwords using the Encrypt UNIX Password tool available from http://www.magsys.co.uk/. You can copy and paste the usernames and passwords into htpasswd.txt, FTP the file to your account and rename it to .htpasswd.
If you need password protection on more than one directory, you can create separate .htpasswd files with different names. Ensure you reference these correctly from your .htaccess files.
As an alternative to using .htaccess for password protection, you can use PHP or Perl / CGI scripting. You will need a database or table with usernames and passwords and a log in page with username and login boxes. You can use sessions or cookies to control how long the user is logged in for by adding a small piece of code to the top of each page to test whether the user is logged in (session is active or cookie is set). If you do not know how to do this in Perl or PHP, you will either need to learn these or employ a web developer with these skills.
Custom Error Pages
.htaccess allows you to use your own custom error pages very quickly and easily. Any time some tried to access a page that does not exist or a page they are not permitted to view, present them with a custom error page that matches the style of your site. Custom error pages can be used for many errors, but we'll demonstrate the use of the custom 404 error page.
Create a custom 404 error page in HTML and upload it to the root directory of your site as error404.html. Create a text file called error.txt with the following content:
ErrorDocument 404 error404.html
Upload error.txt to your root directory in ASCII mode and rename it to .htaccess. Now whenever someone attempts to access a page on your site that does not exist, they will be presented with your own custom 404 error page.
You can use similar terminology for other errors. You can use any name that suits you for the error page. You don't even need to use an HTML page - you can use HTML and text instead of an error page. You can also redirect users to other pages on your site, even other domains. The following are just some examples of how to use custom error pages:
|Error||Meaning||Example Code To Use|
|400||Bad Syntax||ErrorDocument 400 error400.html|
|401||Unauthorised||ErrorDocument 401 unauthorised.html|
|402||Not Used||ErrorDocument 402 error402.html|
|403||Forbidden||ErrorDocument 403 forbidden.html|
|404||Not Found||ErrorDocument 404 "<h1>Sorry, that page does not exist</h1>"|
|500||Internal Error||ErrorDocument 500 http://www.anothersite.com/anotherpage.html|
|501||Not Implemented||ErrorDocument 501 error501.html|
|502||Overloaded||ErrorDocument 502 error502.html|
|503||Gateway Timeout||ErrorDocument 503 error503.html|
One final point is that your .htaccess file will affect all directories below it. If you only want to use custom error pages only in one subdirectory, place the .htaccess file and the error page in that subdirectory and ensure the path in your .htaccess file points to the correct error page.
Redirecting users to other pages or directories is very easy and useful if you remove pages or reorganise your site. To redirect a user from pagename.html to newfile.html in another directory, simply use code similar to this in your .htaccess file:
Redirect /olddirectory/pagename.html /newdirectory/newfile.html
To redirect all users attempting to access any part of a directory, use the directory name without a trailing slash or pagename. To redirect users to another domain, you can use the full URL of http://www.anothersite.com
Rewriting URLs is a technique used by webmasters to create search engine friendly URLs for forums, shopping carts and other dynamic sites. Search engines can often be unable to spider dynamic URLs with ?, &, = and other symbols necessary for your dynamic site to function correctly. URLs are rewritten using the Apache mod_rewrite module.
Rewriting URLs is a very advanced technique that should not be extensively tested on a private (test) site prior to use with a live site. We will not provide full information here, just a very brief guide to what mod_rewrite can do and why it is used.
A shopping cart or forum page might normally have a URL of say
which is not very search engine friendly. mod_rewrite allows you to use a displayed URL of say
which is search engine friendly. When the second (friendly) URL is entered, mod_rewrite converts it invisibly to the first so that the script (in this case search.cgi) can process it.
The scripts will also need to be modified to output search engine safe URLs that can be processed by mod_rewrite. Sometimes you will need to use multiple lines in .htaccess to force rewriting of URLs with different numbers of parameters.
For more information on rewriting URLs and sample code, see the following sites:
Apache mod_rewrite guide
Ralf Engelschall's URL rewriting guide
Access Control and Banning Spiders
You may wish to exercise control over which browsers or spiders can access your site. For example, you may wish to ban "undesirable" spiders such as those that ignore your robots.txt file or only exist to gather email addresses in order to send spam.
You can do this using mod_rewrite. Ralf Engelschall's page as listed above has a section about banning robots.
If you are banning robots and spiders, you also need to know which user agents to block. Check your Webalizer statistics for user agent strings that you don't recognise and search for that string on a search engine. This should return some information about that user agent. If it appears to be undesirable, add it to your .htaccess file.
Remember to test your .htaccess script on a private (hidden) area of your site to ensure everything works as it should prior to using your script on your main site.
.htaccess files have many more uses than we have listed here. If you need more information about .htaccess files and their uses, use a search engine. Please remember that we do not provide any further information or support for your use of .htaccess. Any use you choose to make of .htaccess is entirely at your own risk.