Htaccess Redirect

The .htaccess file is not just another file for our website; it is a "special file" that plays a fundamental role for the most widely used content management systems (CMS) today: WordPress, PrestaShop, Joomla, Drupal, Magento, etc., and in most projects that require hosting. In this post, we teach you what it is and how to configure it step by step.

What is the .htaccess file and how can we configure it? 

The .htaccess file is a file mainly used in hosting services that operate under Apache servers with Linux, and its degree of importance is so high because there is no other file like it in the hosting. With it, you can make various modifications to the website's server configuration.

What is the .htaccess file and why is it so important?

 It is a file that, among other things, allows you to perform all kinds of redirects, create friendly URLs, avoid HotLinking, block certain IP addresses, as well as directories, and even manage PHP values. In fact, there are WordPress plugins that need to insert certain values into the .htaccess file to function. This is the case in WordPress for cache plugins.

How to view the .htaccess file? 

It is a special file, not only because of all the possibilities it offers by concentrating thousands of lines of code with blocks or redirects, but also because it is a hidden file. Yes, you read that right, the dot at the beginning of the file, which doesn't seem to mean much, actually indicates that it is a hidden file, so it is most likely that if we have a Hosting with cPanel control panel, we will never be able to find it, as it is hidden within the Hosting. And not only .htaccess, but all the files that have a dot in front of them mean they are hidden files.

Fortunately, if this were the case, cPanel has an option to make this kind of files visible. At the top right, we can find a gear with the option 'Settings.' In the popup window, we must select the option 'Show hidden files (dotfiles).' In fact, "dot" means dot in English, while "files" means archivos in Spanish, so that checkbox already indicates that it serves to show hidden files that have a dot.

How to create the .htaccess file? 

In principle, we should have the .htaccess file as standard with the rest of the files on our website in the hosting, but it may be the case that we accidentally delete it or that we have migrated from one server to another and have forgotten to import it. Creating the .htaccess file from cPanel or Plesk is very simple. We just have to locate the installation folder where WordPress or the CMS we are using is located (in case it was in the root; with the Plesk control panel it would be within the httpdocs folder, and in case the control panel was cPanel it would be within public_html), and there create a new .htaccess file. Obviously, after creating this new file, we would have to name it .htaccess (without forgetting to put the dot in front).

Modifying the .htaccess file: precautions to consider 

If we have a quite extensive .htaccess file with many configurations, we must be very careful when modifying it, since if we delete something we shouldn't, it can affect the operation of our website, even making it stop working. Therefore, the .htaccess file is much more delicate than it may seem, as long as you have many configurations inside as we indicate. As far as possible, it is advisable not to overload this file with many lines of code, but only with what is strictly necessary to avoid many headaches in the future.

If we keep the original installation .htaccess file without additional lines of code, there is no problem because we can always regenerate it through the main settings of the CMS we are using.

How to configure the .htaccess file in WordPress

The .htaccess file, as we have already mentioned, is a very special file for content management systems (CMS). In the case of WordPress, it is even more important if possible, due to the special features it allows us to configure on the server so that our website can take advantage of them. Without a doubt, .htaccess is one of the most important files for WordPress, alongside wp-config.php (the file that includes all the configuration for WordPress to work).

The .htaccess file allows us to disable or enable certain server features that impact our website. We can include all kinds of redirects, security settings, IP and directory blocks, increase some PHP values to improve the performance of our website, etc., although we insist that as far as possible, we should not overload this file.

For example, if we have a PHP selector where we enter the PHP values we need (more memory, for example), it doesn't make much sense to put a line of code in the .htaccess file for it when we can directly apply this improvement from the hosting itself.

Default .htaccess file in WordPress 

By default, the original .htaccess file of WordPress comes with the following lines of code:

perl

# BEGIN WordPress # The directives (lines) between `BEGIN WordPress` and `END WordPress` are dynamically generated, # and should only be modified via WordPress filters. # Any changes to the directives between these markers will be overwritten. <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^index\.php$ – [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] </IfModule> # END WordPress

If we delete it, lose it, or anything happens to the original WordPress .htaccess file, it's okay. We can regenerate that original file with the same information from 'Settings → Permalinks', saving the structure changes of the friendly URLs that correspond to our WordPress. Now, if we had more configurations within the WordPress .htaccess file, it would be a real problem, as the system would regenerate it with the most basic information, without any of the additional configurations we had added, which could be a big problem.

Backup of WordPress .htaccess 

In case we have an overloaded .htaccess file with configurations related to WordPress or other platforms, from Axarnet, we recommend making a backup of it, mainly so that we don't lose it, as then reconfiguring all the settings we had done will be very complicated. Although we could restore a basic WordPress .htaccess file, we would lose all the configurations we had previously made, and some of them, we may not even know if they were added by some plugin.

.htaccess related tricks From Axarnet, we provide you with some tricks or rather basic codes that are usually used in the .htaccess file. 

Visible Domain with www 

This trick is used to access the website with www. Nowadays, simply typing the domain name and its extension is enough to access the corresponding website. The use of www has become somewhat outdated, but there are still some who like it. So, to keep the www part in the web address, you just have to add this code to the .htaccess file:

perl

RewriteEngine On RewriteCond %{HTTP_HOST} ^yoursite.com RewriteRule (.*) http://www.yoursite.com/$1 [R=301,L]

Block IPs 

If we are receiving attacks from the same IP address with the goal of spamming our domain, bringing down the server, or carrying out a brute force attack to obtain our credentials, we can block IPs within the .htaccess file with the following code. We should replace the 000.000.000.000 with the IPs to block. We can add as many as we want, but the more there are, the more overloaded the .htaccess file will be:

sql

<Limit GET HEAD POST> order allow,deny deny from 000.000.000.000 deny from 000.000.000.000 deny from 000.000.000.000 allow from all </Limit>

Block Website 

If instead of an IP, we want to block a website, we can do it with the following code:

css

RewriteEngine on RewriteCond %{HTTP_REFERER} blocked-website.com [NC] RewriteRule .* - [F]

Prevent Hot Linking or Image Theft 

For those who don't know, Hot Linking is a "technique" that involves copying images from one site to another using the same URL to avoid consuming one's own bandwidth, but rather that of the source. If we don't want others to use the images from our website on a different website, we can add this code to .htaccess:

ruby

RewriteEngine on RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite.com/.*$ [NC] RewriteRule .(jpg|jpeg|gif|png|bmp)$ - [F]

Restrict Access to Files 

This option is very useful if we don't want third parties to be able to access some files on our website, for example, the wp-config.php of WordPress, which includes all the data for the CMS configuration. The code we need to add to the WordPress .htaccess file is as follows (in the case of WP, it would be replacing "file-to-protect.php" with wp-config.php):

css

<files file-to-protect.php> order allow,deny deny from all </files>

Protecting the .htaccess file itself 

The .htaccess file itself can include valuable information, so we can protect it from itself with this code so that no one can access it:

css

<Files .htaccess> Order allow,deny Deny from all </Files>

Common Codes for the .htaccess File 

With the .htaccess file, you can do much more; you can practically change all the hosting configuration, as long as the server administrator allows it, as there are restrictions for security reasons, especially in shared hosting.

Some of the most common codes that you can add to the .htaccess file are as follows:

Redirect URL: If you have changed the URL, you can redirect it without any problem from the .htaccess file.

The code is very simple, but remember that you must change the example URLs to the correct ones:

bash

Redirect 301 /old-url.html https://domain.tld/new-url.html

Force access via HTTPS 

When you install an SSL security certificate on your hosting, you have to redirect all traffic to HTTPS. For that, you just need to add this code to the .htaccess file, but remember that you have to install the certificate first for it to work.

perl

RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Compress files 

With mod_deflate, you can compress files into gzip format to save space and make the website load faster. The code would be something like this:

bash

<IfModule mod_deflate.c>  # Enable file compression  AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/x-javascript  # Certain browsers can be excluded  BrowserMatch ^Mozilla/4 gzip-only-text/html  BrowserMatch ^Mozilla/4\.0[678] no-gzip  BrowserMatch \bMSIE !no-gzip !gzip-only-text/html  Header append Vary User-Agent </IfModule>

Restrict access to file types 

Your website may have different types of files, .jpg, .zip, .log, etc. Some of them are not necessary for the proper functioning of the website, and sometimes it is preferable to block access to certain file extensions. To do this, you just need to add the following code:

sql

<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh|zip|tar)$">  Order Deny,Allow  Deny from all </FilesMatch>

You can add or remove the extensions you need from the code.

Improvements in Security with .htaccess 

Online security should never be taken lightly, and the .htaccess file is your silent ally in this constant battle. With a few adjustments, you can turn your site into a fortress.

HTTP Security Headers

An effective way to fortify your site is by implementing HTTP security headers. These headers instruct browsers on how to behave when interacting with your content, helping to prevent common attacks.

X-Frame-Options: This header prevents your site from being used in an <iframe>, crucial for preventing clickjacking attacks. Use Header set X-Frame-Options "SAMEORIGIN" to allow only your own site to use your pages in an <iframe>. 

X-XSS-Protection: Activate browser protection against Cross-site Scripting (XSS) attacks. Add Header set X-XSS-Protection "1; mode=block" to block pages detected with XSS. 

Strict-Transport-Security: The HSTS header tells the browser to communicate with your site only through HTTPS, protecting it against man-in-the-middle attacks. Implement this with Header set Strict-Transport-Security "max-age=31536000; includeSubDomains". 

Content-Security-Policy (CSP): CSP is an additional layer of security that helps detect and mitigate certain types of attacks, including XSS and data injection. Configure it carefully according to the specific needs of your site.

SEO and Advanced Redirections Redirections are essential for maintaining the SEO health of your site, especially during content renovations or after restructuring a website.

Advanced 301 

Redirects 301 redirects are the standard way to tell search engines that a page has permanently moved. They are crucial for preserving the SEO value of the original page. Here's how to implement complex redirects:

ruby
# Redirect an entire domain to a new domain RewriteEngine on RewriteCond %{HTTP_HOST} ^old-domain.com [NC,OR] RewriteCond %{HTTP_HOST} ^www.old-domain.com [NC] RewriteRule ^(.*)$ http://new-domain.com/$1 [L,R=301,NC]

Custom Error Pages 

Creating custom error pages not only improves the user experience but can also be an opportunity for reengagement. For example, for a custom 404 page, use:

vbnet

ErrorDocument 404 /custom-404-error-page.html

With these strategies in your arsenal, you'll be well-equipped to improve the security, performance, and SEO of your website using the powerful .htaccess file. Remember, each change you make can have a significant impact, so proceed with caution and always back up before making significant modifications.

Conclusion 

The .htaccess file is an important file within any website, but even more so in websites built with CMS like WordPress or PrestaShop. It contains crucial information about redirects, blocks, and other relevant matters, so be careful when modifying it or deleting it if you're not knowledgeable, as the consequences for your digital project can be dire.

Other very useful tools for SEO:

• Website Screenshot Generator
• Online HTML Viewer
• WordPress Theme Detector
• Get HTTP Header
• Mobile Friendly Test
• Adsense Calculator
• Screen Resolution Simulator
• Twitter Card Generator
• Open Graph Generator
• Xml Formatter
• HTML Minifier
• Javascript Minifier
• CSS Minifier
• Online Ping Website Tool
• URL Opener
• URL Encoder Decoder
• Base64 Encode Decode
• QR Code Generator
• XML Sitemap Generator
• HTML Editor
• Bulk Email Validator