What is .htaccess?

What is an .htaccess file?

.htaccess is a configuration file you can use to control some behaviour and security settings on Apache-powered websites. The file includes directives, or configuration rules, that are read by the web server and must be named .htaccess, including the period at the beginning. Files that begin with a period are sometimes called dotfiles. You can have more than one .htaccess file for your site, but only one in each directory. The directives in the file apply to the current directory and all of its subdirectories. For example, an .htaccess file in the root directory will apply to your whole site and an .htaccess file in the /images directory will apply to /images and its subdirectories.

Creating and editing .htaccess files

Even minor errors, such as typos or missing special characters, in .htaccess files can cause problems with viewing your site, so always make back up copies before you edit them. It’s also a good idea to only make one change before testing your site, so if there is an error, you’ll know it was likely caused by the most recent change. There are two methods you can use to create and edit files: on your local computer or on the web server with cPanel.

On your local computer

Create the file on your local computer using a text editor, such as Notepad on Windows or TextEdit on a Mac. If you’re editing an existing file, you’ll need to download the file using an FTP client and then open it in the text editor. Note that by default, some FTP clients don’t show files that begin with a period. Check your FTP client documentation for information about how to show hidden files. Make your changes and save the file, then use the FTP client to upload the file to the correct directory on the web server. For more information, see Downloading and using FTP software programs.

On the web server with cPanel

Log in to your HostPapa cPanel and click File Manager. Click Settings in the upper right corner and make sure Show Hidden Files is selected and click Save.

Select the directory where you want to create or edit the .htaccess file. To create a new file, click New File and name the file .htaccess. To edit an existing .htaccess file, select the file and click Edit. For more information, see How to navigate in cPanel’s File Manager.

How can I use .htaccess files?

Now that you know what .htaccess files are and how to create them, let’s look at some of the common ways you can use them.

Specify alternate index files

An index file is the default page, or home page, displayed in the web browser. By default, most web servers are configured to use index.htm or index.html as the index file, but depending on how your site is designed you may want to use another file. For example, if your site is developed in PHP, you may want index.php or home.php to be the index file.

Alternate index files are entered in a list. The server reads the list from left to right, checking to see if each file exists, and if none of the files exist it displays a directory listing. Here is an example of the DirectyIndex directive in an .htaccess file:

DirectoryIndex index.php home.php home.htm home.html index.html index.htm

Display custom error pages

You can create custom error pages for your site instead of using HostPapa’s default error pages. As long as you know the error number, such as 404 for a page not found, you can use .htaccess to display a custom error page. The syntax of the ErrorDocument directive is:

ErrorDocument errornumber /file.html

For example, if you had a custom error 404 file called my404.html in the root directory of your site, you would add this line to your .htaccess file:

ErrorDocument 404 /my404.html

If the error file is not in the root directory of your site, you can enter the path to the file:

ErrorDocument 404 /errorpages/my404.html

Some common errors are:

  • 401 – Authorization required
  • 400 – Bad request
  • 403 – Forbidden
  • 500 – Internal server error
  • 404 – Page not found

Disable directory listings

If there is no index file in a directory, a directory listing is displayed in the web browser. This is a potential security risk and you may not want people to see a full list of files in the directory. To display a ‘Forbidden’ message instead of a directory listing, add the following line:

Options -Indexes

Redirect visitors

You can use the Redirect directive to redirect visitors to another page. For example, to redirect visitors from a file in your root directory called old_page.html to the URL www.example.com/new_page.html, you would add the following line to your .htaccess file:

Redirect /old_page.html https://www.example.com/new_page.html

You can also redirect from any file in a directory to another URL. For example, to redirect visitors from any file in a directory called old_site to a directory called new_site, add the following line:

Redirect /old_site https://www.example.com/new_site

Enable password protection

You can use .htaccess files to add password protection to your whole site or specific directories. To do this, you need to create a password file (.htpasswds) in addition to the .htaccess file.

The .htaccess file

Add the following lines to the .htaccess file in the directory you want to password protect. The protection will apply to the directory and all of its subdirectories, unless a subdirectory has its own .htaccess file. Change Site Area to the name of area of your site that you’re protecting and change the path to the .htpasswd file to the correct path on your site.

AuthName "Site Area"
 AuthType Basic
 AuthUserFile /home/username/.htpasswd
 Require valid-user

The .htpasswd file

The .htpasswd file contains all of the usernames and passwords that are required to access the password protected part of the site. The usernames are stored in plain text (unencrypted) and the passwords are encrypted. Create the file using the same method you use to create the .htaccess file. You can save this file anywhere in your home directory, but we recommend that you keep it outside the root of your website so it can’t be accessed from the web.

You’ll need to use an .htpasswd password generator to create encrypted passwords. There are many password generators available on the Internet. In this example, we used the generator at .htaccess Tools. Enter the usernames and encrypted passwords in the following format with one username and password pair on each line:


For example, for a user named Ruby, the line would look something like:


Deny or allow access by IP address

You can allow or deny access to your site based on the visitor’s IP address. However, keep in mind that most ISPs use dynamic or frequently changing IP addresses, meaning that this may not be the most effective way to control access to your site.

Block by IP address

A deny list, or blacklist, is read and processed by the server from top to bottom. All IP addresses are granted access except those listed.

 order allow,deny
 deny from #block a specific address
 deny from #block a subnet range
 deny from 123.123.* #block IP addresses using a wildcard
 allow from all #grant access to all other IP addresses

Allow by IP address

An allow list, or whitelist, is also read and processed by the server from top to bottom. All IP addresses are denied access except those listed.

 order deny,allow
 allow from #grant access to a specific address
 allow from #grant access to a subnet range
 allow from 123.123.* #grant access to IP addresses using a wildcard
 deny from all #block all other IP addresses

More information

This article covered just a few of the many ways you can use .htaccess files. For more information, see the Apache .htaccess tutorial.

And if you have any questions or need help, you can always contact HostPapa Support by opening a support ticket. Details about how to open a support ticket are here.

Related Articles

This post is also available in: Français
Get online with our affordable web hosting

Get online with our affordable web hosting

Learn more now
HostPapa Mustache