htaccess file - site security (to help beginners)


We increase the security of the site with the help of .htaccess.

This article on the .htaccess file and site security is aimed first of all at beginners. If you are a new WordPress user, you may not even have heard of the .htaccess file. If you are an intermediate-level WordPress user, you are probably not completely familiar with WordPress, sitemaps, HTML and CSS. People who host their site on WordPress don't really like to bother with .htaccess. This happens for the following reasons:

  1. They don't know how to work with .htaccess;
  2. They tried to do something in the file and the site broke.

Today I'm going to tell you what an .htaccess file is and how to use it to secure and speed up your site.

What is an htaccess file?

htaccess - set in the httpd.conf file.

.htaccess is short for Hypertext Access. It is a configuration file used by the Apache web server to enable or disable additional features or functionality on the web server. It helps you fine-tune your website without changing the basic server configuration.

The .htaccess file may be hidden in the folder you uploaded it to. The file controls the directory where it is placed and also affects the subdirectories within that directory, so you should know exactly where to place it.

An .htaccess file can greatly improve the performance of a website if you use it in the recommended manner. The file primarily affects two aspects of a website.

Download speed:

The file slows down the server, although most of the time the slowdown goes unnoticed. When the server loads a page, it also needs to read all of the page's directories until it reaches the final directory or reaches the .htaccess file. If this file does not exist in the folder, the process will continue. The reason is lack of permissions to override file access.

Next, the server needs to go through all the rules specified in the file. As a rule, there are quite a few of them in the file, and all of them are fairly resource-intensive. This applies to compression, caching or redirects. All of them put a significant load on the server and slow it down. But the file also speeds up the site.

Site security:

The main problem in the life of a website is its security. The .htaccess file is a powerful security tool that is easily accessible to the user. Any directive you add to the .htaccess file is treated as if it had been added to the Apache configuration file. All these changes take effect even without restarting the web server.

Knowing this, you should be more careful about granting third-party users access to the file, since it gives full control over the server. Apache does not encourage giving users access to .htaccess, since the user can then directly access the Apache configuration file.

How to activate the .htaccess file?

You must have access to the server settings so that you can change the configuration file to allow .htaccess overrides. Your next step is to open the default Apache configuration file. To do this, you need sudo user privileges.

$ sudo nano /etc/apache2/sites-available/default

After you have opened the file, you need to find the following section in it.

<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Here you need to replace None with All. The file should now look like this:

<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

Save the file and restart Apache.

$ sudo service apache2 restart
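
AllowOverride All lets an .htaccess file use every class of directive. As an added example (not from the original article), the Python sketch below maps the directives used later in this article to the AllowOverride class each one needs according to the Apache documentation, and returns the narrowest AllowOverride line that still permits them. The function name, the selection of directives in the table and the sample file are constructed for illustration.

```python
# Override class each directive needs ("Override" field in the Apache docs).
OVERRIDE_CLASS = {
    "authtype": "AuthConfig", "authname": "AuthConfig",
    "authuserfile": "AuthConfig", "authgroupfile": "AuthConfig",
    "require": "AuthConfig",
    "errordocument": "FileInfo", "addtype": "FileInfo",
    "addhandler": "FileInfo", "rewriteengine": "FileInfo",
    "rewriterule": "FileInfo", "rewritecond": "FileInfo",
    "xbithack": "Options", "options": "Options",
    "order": "Limit", "allow": "Limit", "deny": "Limit",
}

def minimal_allowoverride(htaccess_text):
    """Return (AllowOverride line, directives not in the table)."""
    needed, unknown = set(), []
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and container tags such as <IfModule>.
        if not line or line.startswith(("#", "<")):
            continue
        name = line.split(None, 1)[0]
        cls = OVERRIDE_CLASS.get(name.lower())
        if cls:
            needed.add(cls)
        else:
            unknown.append(name)  # look these up by hand
    value = " ".join(sorted(needed)) if needed else "None"
    return "AllowOverride " + value, unknown

# Constructed sample built from the directives covered in this article;
# the AuthUserFile path is a placeholder.
SAMPLE = """\
AuthType Basic
AuthName "Please Enter Password"
AuthUserFile /placeholder/outside/webroot/.htpasswd
Require valid-user
ErrorDocument 404 /new404.html
AddType text/html .shtml
AddHandler server-parsed .shtml
XBitHack on
"""

if __name__ == "__main__":
    line, unknown = minimal_allowoverride(SAMPLE)
    print(line)
    print("not in table:", unknown)
```

Any directive reported as not in the table has to be checked against its own documentation page before AllowOverride is narrowed.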

Creating an .htaccess file

Creating an .htaccess file is very simple. You can create it with a text editor on your local system and then upload it to the web server directory via an FTP client. Or you can create the .htaccess file from the terminal command line.

Here is the command to create this file on the terminal. Here:
Replace with the name of your site.

$ sudo nano /var/www/

Redirecting pages in .htaccess

mod_rewrite: This is one of the best features. You can use mod_rewrite to mark and change a web page or URL on your website, especially when it needs to be rendered correctly to the user.

Site security with .htaccess

User Authentication: This file does not require more permissions than are needed to access the Apache web config. You can still make effective changes to the website. One important change you can make is setting a password for a specific part of the website, so that the user must enter a password to access that section. The password will be stored in the .htpasswd file.

How to create an .htpasswd file

Create a file and save it outside of the web directory for security reasons. When you create the .htpasswd file, add a space between the username and password. Also add the usernames and passwords of all users to whom you want to grant access to the protected part of the site.

You can encrypt the password using: Htpasswd Generator - create htpasswd. You need to add a username and password to it. The tool will provide you with an encrypted password. If you enter username: seva and password: thereworld, you will get the following encrypted password.


You can add as many users as you like. Don't put all users on one line; use a new line for each user. Once you have created an .htpasswd file, the next step is to create a rule to use this password.

How to add rules to .htaccess for .htpasswd file

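To do this, add the following lines to the file.

# Placeholder path: use the absolute path to your own .htpasswd file
AuthUserFile /path/to/.htpasswd
AuthGroupFile /dev/null
AuthName "Please Enter Password"
AuthType Basic
Require valid-user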

Let me explain what each line defines:

  1. AuthUserFile: This line sets the path to the .htpasswd file.
  2. AuthGroupFile: This line sets the path to the group file. Since we didn't create such a file, we set /dev/null.
  3. AuthName: The text you enter will be displayed in the password prompt. You can choose any name you like.
  4. AuthType: This field specifies which type of authentication should be used to verify the password. You must not change the AuthType. It should remain Basic.
  5. Require valid-user: This line indicates that multiple people are allowed to enter the password-protected area (add this line if you have added many usernames and passwords to the .htpasswd file). If only one user is allowed to enter the password-protected area, add "require user username" instead to name the person who is allowed to enter.
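
The following check is an added example, not part of the original article: a small Python linter that verifies a Basic-auth block has the directives listed above, uses straight quotes, and points AuthUserFile outside the web root. The function names, the sample blocks and all paths are constructed placeholders.

```python
import posixpath

REQUIRED = ("AuthType", "AuthName", "AuthUserFile", "Require")

def parse_directives(text):
    """Map lower-cased directive name -> argument string, skipping comments."""
    found = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            found[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return found

def audit_auth_block(text, docroot):
    """Return a list of findings for a Basic-auth block in an .htaccess file."""
    d = parse_directives(text)
    findings = ["missing " + n for n in REQUIRED if n.lower() not in d]
    if "\u201c" in text or "\u201d" in text:
        findings.append("typographic quotes used; Apache needs straight quotes")
    if "authtype" in d and d["authtype"].lower() != "basic":
        findings.append("AuthType is not Basic")
    path = d.get("authuserfile", "").strip('"')
    if path and not path.startswith("/"):
        findings.append("AuthUserFile is relative (resolved against ServerRoot)")
    elif path:
        root = posixpath.normpath(docroot)
        if posixpath.normpath(path).startswith(root + "/"):
            findings.append("AuthUserFile is inside the web root")
    return findings

# Constructed samples; \u201c and \u201d are the curly quote characters.
BROKEN = """AuthGroupFile /dev/null
AuthName \u201cPlease Enter Password\u201d
AuthType Basic
Require valid-user
"""
EXPOSED = """AuthUserFile /var/www/site/.htpasswd
AuthName "Please Enter Password"
AuthType Basic
Require valid-user
"""
GOOD = EXPOSED.replace("/var/www/site/", "/placeholder/private/")

if __name__ == "__main__":
    for name, text in (("BROKEN", BROKEN), ("EXPOSED", EXPOSED), ("GOOD", GOOD)):
        print(name, audit_auth_block(text, "/var/www/site"))
```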

Custom error pages in .htaccess

You can create custom error pages for your site. Such pages are very useful, especially for the SEO of the site. Here are some examples:

Client request errors:

  • 400 - Bad request
  • 401 - Authorization required
  • 403 - Forbidden
  • 404 - Document not found
  • 405 - Method not allowed
  • 406 - Not allowed (encoding)
  • 407 - Proxy and other authentication required.

Server side errors:

  • 500 - Internal Server Error
  • 501 - Not implemented
  • 502 - Bad Gateway
  • 503 - Service unavailable
  • 504 - Gateway Timeout
  • 505 - HTTP version not supported

For any of these errors you can create your own custom error page and then add it to the list of error pages.

Creating a 404 Error Page

By default, the server displays its own error pages. However, you can use your own error page and give it your own design. Once you've created a custom error page, upload it to your web directory and add the page's location to .htaccess. As an example, I will use the 404 error page.

ErrorDocument 404 /new404.html

The Apache server will look for the error page in the site's root directory. If you have placed the error page in a subfolder, you need to specify the exact path to the file.

For example:

ErrorDocument 404 /error_pages/new404.html

MIME types using .htaccess

If you are using application files of a type that your web server does not process, you need to add them to your Apache config file using the following code.

AddType audio/mp4a-latm .m4a

You can replace the application type and extension in the code above with the ones that match your application type.

SSI: SSI (Server Side Includes) is an extension that can be added to the Apache web server and is used to bulk update a web page. It will save you a lot of time, especially when you need to make a change to the site that should be reflected on all pages. You can enable SSI by adding the following code to your .htaccess file.

AddType text/html .shtml
AddHandler server-parsed .shtml

The first line tells the server that .shtml is valid, and the second instructs the server to parse all files ending in .shtml for SSI commands. If you have a large number of .html pages and you don't want to rename them to .shtml, there is an option that will force the server to parse all .html files for SSI commands. The option is XBitHack.

If you add this line then Apache will check all .html files with SSI permissions.

XBitHack on

Next, you need to make the page suitable for XBitHack using the command below.

chmod +x pagename.html


The file has many functions that can give flexibility for your site. All features cannot be described in one article. There are a huge number of them, as well as methods of application for the site. In this article, I tried to give you the basic information. I wish you success)

Thank you for reading Nicola Top
