.htaccess, or Hypertext Access, is a powerful configuration file used on Apache servers to control the server’s behaviour without altering its core configuration files. It is the backbone of many functionalities, including security, URL rewriting, directory browsing, and, most notably, redirects.
Understanding .htaccess Redirects
Redirects in .htaccess allow you to send users and search engines to different URLs than the ones they initially requested. They come in handy when you have moved a page or an entire website, and you want to direct traffic from the old location to the new one.
301 Redirect
This is the most common type of redirect used. It is a permanent redirect that sends users and search engines to a new URL.
Here’s an example of a 301 redirect:
Redirect 301 /old-page.html http://www.yourwebsite.com/new-page.html
In the example above, we’re redirecting the user from the “old-page.html” to “new-page.html”. It is vital that the path to the old file or folder is relative to the root of your site, whereas the new file or folder is a full URL.
302 Redirect
A 302 redirect is a temporary redirect and should only be used if the content is temporarily moved and will eventually be returned to the original URL.
Here’s an example of a 302 redirect:
Redirect 302 /old-page.html http://www.yourwebsite.com/new-page.html
Just like the 301 redirect, the old file path is relative, and the new file or folder path is a full URL.
Delving into URL Rewrites
URL rewriting in .htaccess, often facilitated by the mod_rewrite module, allows you to change the appearance of a URL dynamically. It provides a more readable and SEO-friendly URL structure.
Basic URL Rewriting
The simplest example is transforming dynamic URLs into static URLs. Here’s an example:
RewriteEngine On RewriteRule ^product/([0-9]+)/$ /product.php?id=$1
In this example, we are using the RewriteRule directive, which takes two arguments: the pattern to match and the substitution. The URL “/product/123/” will be internally mapped to “/product.php?id=123”. The use of parentheses “()” in the pattern creates a capture group, which can then be referenced in the substitution using “$1”.
Complex URL Rewriting
Complex URL rewriting can involve multiple variables and conditions. Here’s an illustrative example:
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}\.html -f
RewriteRule ^(.*)$ $1.html
This example checks whether the requested URL does not correspond to a directory (-d) and whether a .html file exists (-f). If these conditions are met, it appends .html to the request. So, if you type “http://www.yourwebsite.com/about”, the server will serve “about.html” without changing the URL in the browser’s address bar.
Combining Redirects and Rewrites
Rewrites and redirects can also be used together to accomplish more complex tasks. A common example is redirecting non-www to www or HTTP to HTTPS:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^yourwebsite\.com [NC]
RewriteRule ^(.*)$ http://www.yourwebsite.com
$1 [L,R=301]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
This example first checks if the domain is accessed without ‘www’ – if so, it rewrites the URL to include ‘www’. The second part checks if the website is accessed via HTTP – if so, it redirects the user to HTTPS.
Wildcard Redirects
A wildcard redirect directs all of the pages within one directory to another directory. For example, if you want to redirect all of the pages within the /old/ directory to the /new/ directory, you could use a wildcard redirect.
RedirectMatch 301 /old/(.*) /new/$1
In the above example, the RedirectMatch statement will match any URL that includes “/old/” and the regular expression “(.)” will match any characters that follow “/old/”. The “$1” in “/new/$1” indicates that whatever was matched by “(.)” should be included here.
Handling 404 Errors
A 404 error signifies that a requested page does not exist. The .htaccess file can also handle these errors and redirect users to a custom 404 page, enhancing the user experience. Here is a basic implementation of this:
ErrorDocument 404 /404.html
This line tells the server to display the document located at “/404.html” whenever a 404 (Not Found) error occurs.
Useful Tips and Tools
Understanding and implementing redirects and rewrites can be challenging, but several resources can aid in the process. Apache’s official documentation is always a good place to start for detailed explanations of directives and modules.
Moreover, several online tools generate redirects and rewrites automatically. Tools like htaccessredirect.net and Generate It! are useful, especially for beginners.
To test .htaccess rules, an online checker such as htaccess.madewithlove.be can be used to debug and validate the rules.
Securing .htaccess
Security is paramount when dealing with server configurations. To secure the .htaccess file itself from unauthorised access, you can add the following lines to your .htaccess file:
order allow,deny deny from all
This configuration will deny access to anyone trying to access the .htaccess file from their browser.
WordPress-Specific .htaccess Tweaks
As a platform, WordPress enjoys a huge user base, and as such, comes with its own unique .htaccess tweaks, focused mainly on URL rewriting. WordPress has a default set of rewrite rules stored in the .htaccess file that make permalinks work. Here is a standard WordPress .htaccess file:
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
The rules within this block allow WordPress to process permalinks correctly by routing all requests through the index.php file unless a physical file or directory for the request exists.
WordPress Security Tweaks
Securing your WordPress site is crucial. Here are some common .htaccess tweaks that can significantly improve the security of a WordPress site:
Protect .htaccess File
As discussed earlier, the .htaccess file itself can be a target. To secure it, add the following code:
Order allow,deny Deny from all
Prevent Directory Browsing
To prevent potential attackers from viewing the contents of your directories, use this code:
Options -Indexes
Protect wp-config.php
The wp-config.php file contains sensitive information, and it’s crucial to protect it:
order allow,deny deny from all
Prevent Image Hotlinking
Image hotlinking is when someone uses your images on their site by linking them directly from your website, which uses your server resources. You can prevent it with the following code:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourwebsite.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
WordPress Performance Tweaks
An important aspect of a WordPress site is its performance. Several tweaks can be made via the .htaccess file to improve your website’s loading time.
Enable Gzip Compression
Gzip compression reduces the size of files sent from your server to increase the speed to which they are transferred to the browser.
mod_gzip_on Yes mod_gzip_dechunk Yes mod_gzip_item_include file .(html?|txt|css|js|php|pl)$ mod_gzip_item_include handler ^cgi-script$ mod_gzip_item_include mime ^text/.* mod_gzip_item_include mime ^application/x-javascript.* mod_gzip_item_exclude mime ^image/.* mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
Browser Caching
Leveraging browser caching can improve load times for returning visitors. Here’s how to enable it:
ExpiresActive On ExpiresByType image/jpg "access 1 year" ExpiresByType image/jpeg "access 1 year" ExpiresByType image/gif "access 1 year" ExpiresByType image/png "access 1 year" ExpiresByType text /css "access 1 month" ExpiresByType text/html "access 1 month" ExpiresByType application/pdf "access 1 month" ExpiresByType text/x-javascript "access 1 month" ExpiresByType application/x-shockwave-flash "access 1 month" ExpiresByType image/x-icon "access 1 year" ExpiresDefault "access 1 month"
In this example, we’re setting different caching times for different file types, such as one year for images and one month for CSS, HTML, JavaScript, and more.
WordPress Hardening
Hardening WordPress means adding layers of protection to reduce the risk of attacks. Here are some hardening tips via .htaccess:
Restrict Access to wp-includes
The wp-includes folder holds core WordPress files that generally should not be accessed by users. Restrict access to it with the following:
RewriteEngine On RewriteBase / RewriteRule ^wp-admin/includes/ - [F,L] RewriteRule !^wp-includes/ - [S=3] RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L] RewriteRule ^wp-includes/theme-compat/ - [F,L]
Disable XML-RPC
XML-RPC can be used for brute force attacks. If you’re not using it, consider disabling it:
# Block WordPress xmlrpc.php requests order deny,allow deny from all
Block Suspicious Requests
This will block some suspicious-looking requests that may be malicious:
RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* index.php [F,L]
Concluding Remarks
As you can see, the .htaccess file is a powerful tool in the right hands, capable of configuring security, SEO, and performance optimisations. Whether you’re managing an Apache server or a WordPress site, a thorough understanding of .htaccess, its directives and the capabilities of mod_rewrite are indispensable. Ensure to make regular backups and test new rules in a controlled environment before implementing them on your live site. If you are unsure about any .htaccess modification, consider seeking assistance from an expert or the supportive WordPress community.
