Useful htaccess tips and tricks
Published November 26, 2014 by Simon Laroche, category Security

Tags: site's security, htaccess file, server configuration

Useful htaccess tips and tricks to tighten your site's security and manage web server configuration

Introduction

The .htaccess file is a directory-level configuration file you can use to override the settings of your web server for one directory tree. With the right directives you can achieve simple tasks such as redirection, password-protecting folders, friendlier URLs and web server optimization, and protect your site from hackers, spammers, hotlinking and other threats. Keep in mind that every directive below only works if the server's AllowOverride setting permits it; a directive the host refuses turns into a 500 error for the whole directory, so test each change right after uploading it.

What is .htaccess?

To quote Wikipedia:

"A .htaccess (hypertext access) file is a directory-level configuration file supported by several web servers, that allows for decentralized management of web server configuration."

Tighten your site's security

If you want to protect your .htaccess file, please check my previous tutorial.

Deny access to a page

Every request for a file called my-file.php, in this directory or any subdirectory below the .htaccess, is answered with 403. Order/Deny need AllowOverride Limit to be honoured; the Apache 2.4 form needs AllowOverride AuthConfig.

# Protect my-file.php: every request for it gets a 403
<Files my-file.php>
    # Apache 2.2 syntax (on 2.4 it only works while mod_access_compat is loaded)
    Order allow,deny
    Deny from all
    # Apache 2.4 equivalent: replace the two lines above with
    # Require all denied
</Files>

Disallow script execution

Useful for a directory that receives user uploads. The trick is to hand every script extension to the CGI handler and then switch CGI execution off, so Apache answers such requests with 403 instead of running the file. Check it after deploying: request a harmless test file with a .php extension in that directory and confirm you get 403, because the result depends on how PHP is wired into Apache, and the hosting must allow the Options and FileInfo overrides in .htaccess. Note that .htm files in the list stop being served as well.

# Forbid CGI execution in this directory (and below)
Options -ExecCGI
# Route these extensions to the CGI handler, which now refuses to run them
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi

.htaccess hotlinking protection

RewriteEngine on
# Let requests without a Referer through (direct hits, proxies, browsers that strip it)
RewriteCond %{HTTP_REFERER} !^$
# The Referer must not start with one of our own hosts: dots escaped and "/"
# or end-of-string required after the host name, otherwise a prefix match
# lets www.domain-name-1.com.evil.example through
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain-name-1\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain-name-2\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain-name-3\.com(/|$) [NC]
# Exempt the placeholder itself, or the redirect loops when it lives on this host
RewriteCond %{REQUEST_URI} !^/hotlink\.gif$
RewriteRule \.(jpg|jpeg|png|gif)$ http://www.domain-name.com/hotlink.gif [NC,R,L]

Some explanation: RewriteEngine on enables mod_rewrite for this directory. The RewriteRule only fires when every RewriteCond above it holds. The first condition requires a non-empty Referer, so visitors who arrive without one (typed URLs, bookmarks, privacy proxies, browsers that strip the header) still get the real images; blocking them would break legitimate traffic. The next conditions, all negated with ! and case-insensitive because of [NC], require that the Referer does not start with one of your own host names, i.e. the image is being embedded somewhere else. When all of that is true, a request for a .jpg, .jpeg, .png or .gif is answered with a redirect ([R], a 302 unless you write [R=301]) to the placeholder image and processing stops ([L]). Two caveats: a Referer is trivially forged, so this stops casual hotlinking, not a determined scraper; and if hotlink.gif is served by the same host and .htaccess, the redirected request for it matches \.(gif)$ and is redirected again forever, so exclude it with a RewriteCond on %{REQUEST_URI} or serve the placeholder from a path the rule does not cover.
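To see what the Referer conditions actually let through, here is an added Python simulation, not code from the original article: it replays the RewriteCond chain with Python's re module, which behaves like PCRE for these patterns, and compares the loose pattern ^http(s)?://(www\.)?domain-name-1.com (unescaped dot, no terminator) with the tightened ^https?://(www\.)?domain-name-1\.com(:\d+)?(/|$) over a handful of constructed Referer values. The host names are the article's placeholders and every sample Referer is made up.

```python
import re

# Hosts allowed to embed the images: the article's placeholder names
ALLOWED_HOSTS = ["domain-name-1.com", "domain-name-2.com", "domain-name-3.com"]

# Loose pattern, as the recipe is often written: the "." is unescaped and
# nothing anchors the end of the host name, so it is a pure prefix match.
LOOSE = [re.compile(r"^http(s)?://(www\.)?" + h, re.IGNORECASE)
         for h in ALLOWED_HOSTS]

# Tightened pattern: dots escaped, optional port, then "/" or end of string.
TIGHT = [re.compile(r"^https?://(www\.)?" + re.escape(h) + r"(:\d+)?(/|$)",
                    re.IGNORECASE)
         for h in ALLOWED_HOSTS]

# The RewriteRule pattern, case-insensitive because of [NC]
IMAGE_RULE = re.compile(r"\.(jpg|jpeg|png|gif)$", re.IGNORECASE)


def is_hotlink(request_uri, referer, patterns, exempt_uri=None):
    """Replay the RewriteCond chain in .htaccess order.

    Returns True when every condition holds and the RewriteRule would
    redirect this request to the placeholder image.
    """
    if not IMAGE_RULE.search(request_uri):
        return False                     # rule pattern does not match
    if referer == "":
        return False                     # RewriteCond %{HTTP_REFERER} !^$
    for own_site in patterns:
        if own_site.match(referer):      # negated condition fails
            return False
    if exempt_uri is not None and request_uri == exempt_uri:
        return False                     # extra RewriteCond on %{REQUEST_URI}
    return True


# Constructed sample Referer headers (assumed values, not real traffic)
SAMPLES = {
    "own site":         "https://www.domain-name-1.com/gallery/",
    "own site, port":   "https://www.domain-name-1.com:8443/gallery/",
    "empty referer":    "",
    "third party":      "http://evil.example/stolen-images.html",
    "lookalike suffix": "http://www.domain-name-1.com.evil.example/page",
    "unescaped dot":    "http://domain-name-1Xcom/page",
}


def classify(patterns):
    """Which sample referers get redirected for a request to /images/logo.png."""
    return {name: is_hotlink("/images/logo.png", ref, patterns)
            for name, ref in SAMPLES.items()}


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:18} loose={classify(LOOSE)[name]!s:5} tight={classify(TIGHT)[name]}")
    # The placeholder itself: without the exemption the rule fires again on
    # the redirected request and the browser loops.
    print("loop without exemption:", is_hotlink("/hotlink.gif", SAMPLES["third party"], TIGHT))
    print("loop with exemption:   ", is_hotlink("/hotlink.gif", SAMPLES["third party"], TIGHT, "/hotlink.gif"))
```

The two rows that differ, "lookalike suffix" and "unescaped dot", are the bypasses: with the loose pattern an attacker only has to host the copied page under a name that begins with yours. The port alternative is there because a site served on a non-standard port would otherwise block its own pages.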

Web server configuration

Custom error pages for better SEO

Redirect users to a custom error page. The most common errors are 400 (Bad Request), 404 (Not Found) and 500 (Internal Server Error). Give ErrorDocument a local path as below: with a full URL, Apache sends the browser a redirect instead, so the client (and the search engine) receives a redirect status and then a 200 for the error page rather than the real error code, which is exactly the "soft 404" you want to avoid. For the 500 handler prefer a static HTML file: if the error comes from PHP itself, a PHP error page fails as well.

Code example:

# Bad request (400) is handled by bad-request.php
ErrorDocument 400 /bad-request.php

# File not found (404) is handled by file-not-found.php
ErrorDocument 404 /file-not-found.php

# Internal server error (500) is handled by internal-server-error.php
ErrorDocument 500 /internal-server-error.php

Protect a directory

First, inside the directory you want to protect, you must create a .htaccess file containing:

AuthName "Protected area"
AuthType Basic
AuthUserFile "/home/site/www/admin/.htpasswd"
Require valid-user

Among these 4 lines: AuthName is the realm text the browser shows in its login prompt (and the name under which it caches the credentials); AuthType Basic selects HTTP Basic authentication, which sends the user name and password base64-encoded, not encrypted, with every request, so only use it over HTTPS; AuthUserFile is the absolute path of the .htpasswd file that lists the authorized users, best kept outside the web root; Require valid-user admits anyone listed in that file (Require user Albert John would restrict access to named accounts). These directives need AllowOverride AuthConfig to be honoured in a .htaccess file.

But how do I find the absolute path?

Indeed, most of the time it is tricky to find because it depends on the server. Fortunately, a PHP function helps a lot: realpath. It returns the absolute path of the file you pass it. So do the following to find the absolute path:

  1. Create a file called path.php,
  2. Write this code inside:
    <?php echo realpath('path.php'); ?>
  3. Upload this file to your server with your FTP program and place it in the folder you want to protect,
  4. Open the PHP file in your browser. It prints the absolute path, for example in my case: /home/site/www/admin/path.php,
  5. Copy this path into your .htaccess file and replace path.php by .htpasswd, which gives the final value: /home/site/www/admin/.htpasswd,
  6. Delete path.php from the server: it is no longer useful now that it has given us the absolute path, and leaving it online discloses your server layout to anyone who requests it.

Second, create the .htpasswd

The .htpasswd will contain the list of persons authorized to access the folder. We register one person per line, in this form:

Albert:$1$MEqT$Lcb$hAVid.qmmSGFW/wDlIfQ81
John:$1$/lgP8dYa$sQNXcCP47KhP1sneRIZoO0
Mike:$1$h4oVHp3O$X7Ejpn.uuOhJRkT3qnw3i0

In this example, there are three persons authorized to access the folder: Albert, John and Mike.

How are the passwords hashed?

Apache stores a salted hash of each password, not an encrypted copy, so nothing in .htpasswd can be decrypted. Do not paste real passwords into online generators: use the htpasswd utility that ships with Apache on your own machine (htpasswd -c creates the file, htpasswd -m writes the portable $apr1$ MD5 format, and htpasswd -B, available since Apache 2.4.4, writes bcrypt, the strongest format it supports). The $1$ entries above are system crypt() MD5 hashes, which Apache accepts on Unix because formats it does not recognise fall through to crypt(), but they are not portable to other platforms. Whatever the format, the file must not be readable over the web: the stock httpd.conf denies access to every file whose name starts with .ht, and keeping it outside the document root removes the risk entirely.
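Rather than sending a real password to a third-party web page, generate the line locally. The following is an added Python example, not code from the article: it implements the APR1 MD5-crypt scheme ($apr1$) that htpasswd -m produces and verifies a password against it, so you can see what the salt and the 22-character digest are made of. The user names and passwords are constructed. For new deployments prefer htpasswd -B (bcrypt, Apache 2.4.4 and later); if you rely on this code in practice, compare one output with htpasswd -nbm user password on the target server first.

```python
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value, count):
    """Apache's to64(): emit `count` characters, six bits at a time, low bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password, salt=None):
    """Return "$apr1$<salt>$<22 chars>" for `password` (APR1 MD5-crypt, 1000 rounds)."""
    pw = password.encode("utf-8")
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    salt = salt[:8]                       # Apache uses at most 8 salt characters
    sb = salt.encode("ascii")

    ctx = hashlib.md5(pw + MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[:min(remaining, 16)])
    n = len(pw)
    while n:                              # bit-by-bit mixing of the password length
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()

    for i in range(1000):                 # fixed 1000-round stretching
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    # Byte shuffle and base64-like encoding, exactly as crypt(3) does it
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in order)
    encoded += _to64(final[11], 2)
    return f"$apr1${salt}${encoded}"


def apr1_verify(password, stored):
    """Constant-time comparison of `password` against a stored $apr1$ hash."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return secrets.compare_digest(apr1_hash(password, parts[2]), stored)


def htpasswd_line(user, password):
    """One "user:hash" line; the user name must not contain the separator or a newline."""
    if not user or ":" in user or "\n" in user or "\r" in user:
        raise ValueError("invalid user name")
    return f"{user}:{apr1_hash(password)}"


def check_htpasswd(contents, user, password):
    """Look `user` up in .htpasswd text and verify `password` against its hash."""
    for line in contents.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, stored = line.partition(":")
        if name == user:
            return apr1_verify(password, stored.strip())
    return False


if __name__ == "__main__":
    # Constructed sample file with made-up accounts, not the article's data
    sample = "\n".join([htpasswd_line("albert", "correct horse"),
                        htpasswd_line("john", "battery staple")]) + "\n"
    print(sample, end="")
    print(check_htpasswd(sample, "john", "battery staple"))   # True
    print(check_htpasswd(sample, "john", "wrong"))            # False
```

Each run produces a different line for the same password because the salt is random; verification re-hashes with the stored salt and compares in constant time. MD5 with 1000 rounds is fast enough to brute-force at scale, which is the reason to move to bcrypt where the server supports it.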

Disable directory listing

To stop Apache from listing a directory's contents when it has no index file, add the following line to your .htaccess file:

Options -Indexes

Ignore files with specific extension

If you want Apache's directory listing to skip certain types of files, use the IndexIgnore directive in the .htaccess file. The following snippet hides .jpg and .txt files from the listing. Note that it only hides them: a visitor who knows or guesses a file name can still request it directly, so use Options -Indexes or an access rule when the files must actually be protected.

IndexIgnore *.jpg *.txt

HTTP redirection

To redirect your site to another, add following line in your .htaccess file:

# Redirect toward another-site.com
RedirectPermanent / http://www.another-site.com/

Redirect non www to www or vice versa

To avoid duplicate content between www.domain-name.com and domain-name.com (by default your site is reachable under both names), redirect one to the other. Use only one of the two variants below: together, the two rules bounce the browser back and forth forever. The captured path is appended so that deep links keep working instead of all landing on the home page.

RewriteEngine On

# Variant 1: non-www to www
RewriteCond %{HTTP_HOST} ^domain-name\.com$ [NC]
RewriteRule ^(.*)$ http://www.domain-name.com/$1 [R=301,L]

# Variant 2: www to non-www (never together with variant 1)
RewriteCond %{HTTP_HOST} ^www\.domain-name\.com$ [NC]
RewriteRule ^(.*)$ http://domain-name.com/$1 [R=301,L]

Specify upload file limit for PHP in htaccess

Warning: php_value only works when PHP runs as an Apache module (mod_php). Under CGI, FastCGI or PHP-FPM the directive is unknown to Apache and every request in that directory tree answers 500; there you set the same values in a .user.ini file (or php.ini) instead. Some hosters also forbid overriding these values at all.

php_value upload_max_filesize 10M
# post_max_size caps the whole request body and must be at least as large,
# otherwise the 10M upload limit can never be reached
php_value post_max_size 12M

Cache files

Cache files using module mod_headers

<IfModule mod_headers.c>
# ExpiresActive belongs to mod_expires, not mod_headers, and is not needed
# for Cache-Control headers; inside this block it only causes a 500 error
# on servers without mod_expires, so it is left out.

# Expires after 1 month (css is handled below). Think twice about .htm,
# .html and .txt in this list: a month-long window means visitors keep
# stale pages that long.
<FilesMatch "\.(gif|jpe?g|png|ico|pdf|js|swf|htm|html|txt)$">
Header set Cache-Control "max-age=2592000"
</FilesMatch>

# Expires after 1 day (the dot must be escaped: ".(css)$" also matches "xcss")
<FilesMatch "\.(css)$">
Header set Cache-Control "max-age=86400"
</FilesMatch>
</IfModule>

.htaccess time cheatsheet (values in seconds; a month is counted as 4 weeks, i.e. 28 days)

# TIME CHEAT SHEET
#      300   5 MIN
#      600  10 MIN
#      900  15 MIN
#     1800  30 MIN
#     2700  45 MIN
#
#     3600   1 HR
#     7200   2 HR
#    10800   3 HR
#    14400   4 HR
#    18000   5 HR
#    36000  10 HR
#    39600  11 HR
#    43200  12 HR
#    46800  13 HR
#    50400  14 HR
#    54000  15 HR
#    86400  24 HR
#
#    86400   1 DAY
#   172800   2 DAY
#   259200   3 DAY
#   345600   4 DAY
#   432000   5 DAY
#   518400   6 DAY
#   604800   7 DAY
#
#   604800   1 WEEK
#  1209600   2 WEEK
#  1814400   3 WEEK
#  2419200   4 WEEK
#
#  2419200   1 MONTH
#  4838400   2 MONTH
#  7257600   3 MONTH
#  9676800   4 MONTH
# 12096000   5 MONTH
# 14515200   6 MONTH
# 16934400   7 MONTH
# 19353600   8 MONTH
# 21772800   9 MONTH
# 24192000  10 MONTH
# 26611200  11 MONTH
# 29030400  12 MONTH

Conclusion

This tutorial is regularly updated. More .htaccess tips and tricks will be added later.

About Simon Laroche
I am a Coder, Designer, Webmaster and Expert SEO Consultant; I'm also a wise traveller and an avid amateur photographer. I created the website TipoCode and many others such as Landolia: a World of Photos...

If you need help with this script, please leave a comment below. I reply as much as I can, depending on my time; you may also get help from others.
I also offer paid support if you need to adapt or create a script...
