What is the .htaccess file?

Generally speaking, an .htaccess file is a server document used to define directory or file permissions, URL rewrite rules, or error messages. It is most commonly associated with the display of a 404 Error message when an end user attempts to go to a URL that simply does not exist.

Beyond that, the .htaccess file is commonly used to improve search engine optimization. The use of 301 redirects to guide search engines toward a page’s new location or URL is the chief responsibility of the .htaccess file and the brief lines of code that it contains.

You might also like to bookmark these useful htaccess code snippets or these MySQL query snippets.

The .htaccess file is also closely associated with the modern permalink structure that dominates content management systems like WordPress. Before URL rewriting become popular, pages and posts would be found at links like the following:


When the .htaccess file is used to “rewrite” the URL, it uses things like the post’s date, time, category, tags, and other information, to generate a series of readable links with words — rather than numbers — forming the URL. That leads to permalinks like the following example:


Search engines actually respond much better to the second form of URL, and that’s why they’ve become so popular in recent years. It’s also why URL rewriting has become one of the most common uses of the .htaccess file, even among users that have limited knowledge of the file itself. Most content management platforms are actually able to create and modify the .htaccess document on their own, reducing or eliminating the need for administrator intervention.

The first thing that most people notice about an .htaccess document is that its filename actually starts with a period rather than with a typical word followed by a file extension. This is obviously intentional as files or folders that begin with a period are considered “hidden” by open source operating systems. That means that the .htaccess file cannot be seen by traditional visitors to a website, and thus cannot be modified or manipulated for malicious purposes.

This unique way of naming the file does have a side effect that sometimes causes a bit of confusion among users, however. Because it is designed to be hidden, it mostly cannot be seen by using a traditional FTP client on a Mac or Windows operating systems. This makes a lot of newer developers simply assume that the do not have an .htaccess file at all, and they’ll begin creating a new file to establish their rewrites, error codes, and directory permissions.

In many cases, though, web hosts actually create a standard .htaccess file by default and upload it to the server to be modified by the administrator.

This must be done, typically, by logging into the Plesk Panel or cPanel backend environment and browsing to the .htaccess file via the web-based file browser.

This file browser is designed to show hidden directories and files, and it will display the .htaccess file in the public_html directory. From there, it can be edited using the web-based file browser’s built-in text editor; it can then be saved and automatically uploaded to the server at the same time.

In some cases, web hosts actually might not permit their customers to create or modify an .htaccess file at all. This is often the case on free web hosts or lower-priced operations that are more restrictive on permissions and capabilities. Often, they’ll enable the .htaccess file at a higher price point in order to encourage the adoption of more expensive web hosting plans.

When Should You Use the .htaccess File?

An .htaccess file is best used to code website errors (like 404 or 301 page errors), URL rewrites, or directory permissions. This is appropriate when pointing to new locations of old content, creating an error page for content that no longer exists, requiring a password to access certain files or directories on the server, or pointing complex numerical URLs to more simplistic permalinks using software like WordPress.

Here are some typical uses for the .htaccess file demonstrated an explained:

1. Redirecting an Old Link to a New One

One of the biggest problems that most websites encounter when moving content is that their search engine ranking drops dramatically right after the move. This is because old content is not properly relocated to the new location, and the search engine itself has not been informed that a move took place.

Instead, the search engine encounters a 404 Error, which is essentially like telling the search engine that it has arrived at a dead end. That dead end will force the search engine to remove the link from its search results entirely, and the website in question will have to rebuild its reputation as if it is starting from nothing.

To prevent this, the best course of action is to use a 301 redirect. This will point the search engine toward the new location. In addition, it will inform the search engine that the content has moved on a permanent basis, and will not be moving back. This will prompt the search engine robot in question to update the link in its present search results, rather than remove it entirely and force the website to start over and rebuild its high ranking.

Here is what a typical 301 redirect looks like:

Redirect 301 http://domain.com/old-permalink-here/ http://domain.com/archive/new-permalink-here/

The above code should be pretty straightforward but, for those who are confused, it breaks down pretty easily. The first part of the code – Redirect 301 – establishes the type of error and redirection that will occur when an end user or a search engine visits the old location of the content. The first URL represents the old link to that content, while the second URL represents the updated location.

While this example uses the same domain name in both URLS (domain.com), the 301 redirect can actually be used to redirect users and search engines to an entirely new domain name.

2. Protecting Files or Directories

Any user that has ever stumbled upon a directory or file and has been greeted with a password prompt has seen the .htaccess and .htpasswd files in action. These two files work hand-in-hand to require a valid username and password when accessing a file; if no such password is provided, they simply display a “Restricted Access” error message and the invalid user is turned away.

This is the perfect way to protect sensitive files, administration areas, or sensitive login screens, from malicious hackers and other users who might have less-reputable ideas about what they want to do at a given website.

The first step in this process is to create an .htpasswd file and place it into the directory where the protected file is located. If it’s protecting a given directory, the .htpasswd file should be placed inside that protected directory. The content of the file is really easy to create, as it contains a username and password separated by a colon. Here’s the basic setup:


That single line of text goes into the .htpasswd file and that file is immediately uploaded to the server. If there should be more than one user and password combination that can grant access to the file or directory, they can be listed on separate lines.

To create the authentication screen that requires one of the valid username and password combinations to be entered, you need to add the following series of lines to your .htaccess file, requiring the password document and assigning it to a given directory or file:

AuthUserFile /server/path/of/.htpasswd
AuthType Basic
AuthName "The Title of the Protected Page Goes Here"

<Files "login.php">
Require ValidUser

The code above is also pretty easy, as are all implementations of .htaccess permissions and error messages. All that needs to be done is to point to the relevant .htpasswd file, specify the file or director being protected, and then give the page a title. That title will appear within the login form that is automatically generated by the browser when it encounters this restriction.

3. 404 Error for Missing Pages or Directories

Websites, like the technology that hosts them, are constantly evolving. Sometimes, that means entire sites or directories eventually go missing as they are no longer required or their content is simply deemed outdated and not worthy of remaining in the public eye.

No matter the reasoning for this change in the site’s structure, it should be accommodated by the .htaccess file with a custom error page and message. This will let users know that they’ve reached an outdated file, and it will prompt them to stop going there in the future. For search engine robots, this page will tell them to stop indexing the missing page or directory and spend their efforts on parts of the site that still remain available.

To specify a customized 404 Error document to be seen by end users and search engine robots when they stumble across an outdated link, simply place the following line into the .htaccess document:

ErrorDocument 404 /path/to/the/404-error-page.htm

Simply customize the local server path to the 404 Error page’s location and then save the .htaccess file to the server. That’s all that will be required; next time an invalid link is pursued by an end user, an intuitive and informative error page will result.

An Important Part of Web Design and Management

The .htaccess file is an essential part of creating friendly URLs, optimizing a website’s search engine performance and position, and notifying users or search engines of outdated links. It should be leveraged to best position a website for better rankings, and this is what makes learning about the file so essential for novice website operators.

With a little knowledge and a bit of trial and error, the file can be the difference between a website that performs well and one that tends to underperform consistently.


  • Winkme

    I always found .htaccess to be one of those “must do, no exceptions” kind of thing, so its awesome you are covering it for the non-informed :)


  • Kanghendy

    nice info..thanks..

  • John Miller

    Very interesting!