.htaccess tutorial for beginner

.htaccess is text/ASCII file that can be used to control web server (Apache) behavior for your web site. You may be wondering what .htaccess can do, or you may have read about some of its uses but don’t realise how many things you can actually do with it. Some of the familiar job that are configured using .htaccess are as follows:

  • Redirecting a requests url using .htaccess
  • Prohibit visitor access to a directory using .htaccess
  • Protect directory using password
  • Changing the index file name
  • Define a custom error page
  • Modify PHP configuration
  • Banned IP addresses
  • Changing file extensions etc.

Redirecting a requests url

Over time, files on a website may get moved or renamed. Rather than letting the user to see a 404 error message when requesting the old file, you can redirect them to the new file using the following directive:

Redirect permanent /old.php http://www.example.com/new.php


The permanent keyword indicates that an HTTP 301 (“resource has moved permanently”) status code should be returned to the web browser. Replace “old.php” with the path to the old file, and “http://www.example.com/new.php” with the URL to the new file.

Prohibit visitor access to a directory

Sometimes, there may be directories on your website that the user shouldn’t be able to directly request files from. For example, you may have a directory that stores data files for your scripts, or a set of PHP includes. Placing the lines below in the .htaccess file for that directory will block direct requests for those files:

Order Deny,Allow
Deny from all


The first line ensures that the deny directive is evaluated before any allow directives that may have been defined elsewhere in the directory hierarchy.


Protect directory using password

Adding password protection to a directory using .htaccess takes two stages:

** The first part is to add the appropriate lines to your .htaccess file in the directory you would like to protect. Everything below this directory will be password protected:

AuthName “Section Name”
AuthType Basic
AuthUserFile /full/path/to/.htpasswd
Require valid-user


There are a few parts of this which you will need to change for your site. You should replace “Section Name” with the name of the part of the site you are protecting e.g. “Members Area”.


** The second part is to add an .htpasswd File

Password protecting a directory takes a little more work than any of the other .htaccess functions because you must also create a file to contain the usernames and passwords which are allowed to access the site. These should be placed in a file which (by default) should be called .htpasswd. Like the .htaccess file, this is a file with no name and an 8 letter extension. This can be placed anywhere within you website but it is advisable to store it outside the web root so that it is impossible to access it from the web. In the .htpasswd File username & password should be entered as follows:



Here the password is the encrypted format of the password. To encrypt the password you can either need to use one of the premade scripts available on the web or write your own. There is a good username/password service at the KxS site which will allow you to enter the user name and password and will output it in the correct format. For multiple users, just add extra lines to your .htpasswd file in the same format as the first. There are even scripts available for free which will manage the .htpasswd file and will allow automatic adding/removing of users etc.


Changing the index file name

The index file is the file that gets displayed automatically when a user browses to an web directory. There sometimes you may not want to use index.htm or index.html as default directory file for a web directory, for example if you are using JAVA files in your site, you may want index.jsp to be the index file for a directory. This can be accomplished by putting the following line in your .htaccess file:

DirectoryIndex index.php index.html


In the syntax of .htaccess file the server will work from left to right, checking to see if each file exists, if none of them exist, it will display a directory listing. The directive above instructs Apache to use index.php as the index file if it exists, otherwise it should look for a file named index.html. If neither file exists in the requested directory, the user will usually get a directory listing.


Define a custom error page

Basically we need to define some error page for the visitor if unfortunately the visitor get error without the expected result. We can locate error page using .htaccess very easily. The default error page is usually quite ugly. However, it is possible to use a custom error page for this or any other HTTP error. This can be done by placing just a single line below in your .htaccess file:

ErrorDocument 404 http://www.example.com/404.html


Replace “http://www.example.com/404.html” with the URL for the page you want the user to see when they request a missing file. You can also replace the error number to define other type of error page, such as –

ErrorDocument 500 http://www.example.com/500_error.html


You should aware about your custom “file not found” page returns the HTTP 404 status code, otherwise your site might be penalized by the search engines. You can do this by adding the following PHP code at the top of your 404 page.

header(“HTTP/1.0 404 Not Found”);


Modify PHP configuration

.htaccess files can be used to change PHP settings when running as an Apache module. Such configuration is performed using the php_value and php_flag directives. For example – The following directive can be used to turn off magic quotes for all PHP scripts in a directory:

php_flag magic_quotes_gpc off


Banned IP addresses

In some situations, you may want to ban certian IP addresses, or you may also want to only allow people with specific IP addresses to access your site. This can be done only in that situation when you know about the IP addresses.  You can block an IP address by using:

deny from


You can allow an IP address by using:

allow from


You should replace the with the IP address. If you only specify 1 or 2 of the groups of numbers, you will allow a whole range. If you want to deny everyone from accessing a directory except allow scripts to use the files in that directory. you can use:

deny from all


If you like to use .htaccess file for your entire site, You should upload it to your root web directory. You can also use it for any single directory. Before use an .htaccess you should ensure about the correctness of the syntax of .htaccess, sometimes only for a simple wrong to the syntax to that .htaccess your site may fall down.


How to create an .htaccess file?

While creating a .htaccess file, you may face a problem that is saving the file. Because .htaccess is a strange file name (the file actually has no name but a 8 letter file extension) it may not be accepted on some systems (e.g. Windows 3.1). With most operating systems, though, all you need to do is to save the file by entering the name as: “.htaccess” (including the quotes).  If this doesn’t work, you will need to name it something else (e.g. htaccess.txt) and then upload it to the server. Once you have uploaded the file you can then rename it using an FTP program.


Is .htaccess support by all hosting server?

Now a days most of the hosting server support .htaccess but don’t actually publicise it or do not allow their users to have a .htaccess file. As a general rule, if your server runs Unix or Linux, or any version of the Apache web server it will support .htaccess, although your host may restrict you to use it.


Author Info

Shah Alom

Hi, This is Mohammad Shah Alom, My passion is Programming & Web Development. I am Founder of Micro Solutions Bangladesh. My Facebook profile shahalom1983 & Twitter Profile shahalom_83