5 Fun and Practical Htaccess Solutions


Today we will go over some practical uses of htaccess files that you can use in your web applications.


Htaccess files are plain-text configuration files used by the Apache HTTP web server. They allow users to set directory-level options without requiring access to the httpd.conf file. As such, your server must run Apache and your web host must allow htaccess files (the most popular hosts do).

I assume a basic working knowledge of htaccess, but if you need to freshen up, check out this article by Joseph Pecoraro.

1. Prevent Hotlinking

Hotlinking, or inline linking, is when one web site links directly to an object on another site. This costs the hosting site bandwidth to provide the image on the page of the second site. On popular photo sites this can be a major problem, albeit humorous at times.

There are ways to fix this growing problem using htaccess. First here is the image we are trying to protect.

  RewriteEngine on
  RewriteCond %{HTTP_REFERER} !^$

  #domains that can link to images
  #add as many as you want
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]
    # RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]

  #show no image when hotlinked
    RewriteRule \.(jpg|png|gif)$ - [NC,F,L]

We will step through this line-by-line.

  1. First we need to turn on the rewrite engine in Apache; this allows us to redirect the user's request.
  2. Next we start setting our conditions using RewriteCond. This is a directive that takes two arguments: TestString and CondPattern. TestString is the string we want to check our CondPattern against (using regular expressions). %{HTTP_REFERER} is a variable provided by Apache that holds the domain the request came from. In this instance we want to allow requests with blank HTTP referrers, to protect users who are on a proxy server that sends blank referrers.
  3. Next we set the domains from which we will allow our images to be linked, using the same syntax except now we provide a URL. The [NC] flag at the end of the command simply instructs the engine to ignore casing. You can add as many domains as you'd like here, using the same syntax. For the sake of example I added my personal domain, but commented it out.
  4. Finally, the last line is the RewriteRule we wish to use if any of the conditions above are not met. It takes two arguments as well, Pattern and Substitution, where Pattern is a regular expression match and Substitution is what we want to replace any matches with. In this case we are looking for requests that end in jpg, png, or gif; if found, we want to use a blank substitution. The flags say what else we want done: NC means no case, F sends a 403 forbidden error to the user, and L tells the engine to stop rewriting so no other rules are applied.

This is fairly straightforward, but perhaps we are interested in telling the user we don't want them to hotlink our images, so let's redirect all hotlinked requests to an image instead of sending a 403 forbidden error. This is done by replacing the last line with this code.

  #show an alternate image
    RewriteRule \.(jpg|png|gif)$ [NC,R,L]

You can change url to any image path you'd like on your domain, but remember it needs to not end in jpg, png, or gif as it will reapply the rule and send the server into a never-ending loop. I chose to use the older .jpeg extension to fix this. The R flag that replaced F simply sends a redirect.
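
The hotlink rules from this section, modelled in Python so the decision can be checked against sample requests. This is an added example, not code from the original article; `example.com` stands in for the allowed domain (the article's own domain is not shown), and the function names and sample requests are constructed for illustration.

```python
import re

# Placeholder domain: the article's own allowed domain is not shown on the page.
LOOSE = r"^http(s)?://(www\.)?example\.com"            # pattern shape used in the article
ANCHORED = r"^http(s)?://(www\.)?example\.com(/|:|$)"  # host name must end here

IMAGE = re.compile(r"\.(jpg|png|gif)$", re.IGNORECASE)  # RewriteRule pattern with [NC]


def hotlink_forbidden(path, referer, allowed_patterns):
    """Return True when the rule set would answer 403 (the [F] flag).

    The RewriteRule pattern must match the requested path, and every
    RewriteCond must hold (consecutive conditions are ANDed).
    """
    if not IMAGE.search(path):
        return False                      # not an image: rule does not apply
    if referer == "":
        return False                      # RewriteCond %{HTTP_REFERER} !^$ fails
    for pattern in allowed_patterns:      # one "!pattern [NC]" condition per domain
        if re.search(pattern, referer, re.IGNORECASE):
            return False                  # referer is on the allow list
    return True


# Constructed sample requests: (requested path, Referer header value)
SAMPLES = [
    ("/img/cat.JPG", "https://www.example.com/gallery"),     # our own page
    ("/img/cat.jpg", ""),                                    # blank referer
    ("/img/cat.jpg", "http://other.test/page"),              # foreign site
    ("/img/cat.jpg", "http://example.com.other.test/page"),  # lookalike host
    ("/index.html", "http://other.test/page"),               # not an image
]


def evaluate(allowed_patterns):
    """Apply the rule set to every constructed sample."""
    return [hotlink_forbidden(p, r, allowed_patterns) for p, r in SAMPLES]


if __name__ == "__main__":
    rows = zip(SAMPLES, evaluate([LOOSE]), evaluate([ANCHORED]))
    for (path, ref), loose, strict in rows:
        print(f"{path:14} {ref!r:40} loose={loose} anchored={strict}")
```

The lookalike host is allowed by the loose pattern and refused by the anchored one, so an allow-list condition should end the host name with `(/|:|$)`. The Referer header is supplied by the client, so these rules limit casual bandwidth use rather than control access.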

2. Block User By IP Address

This is a great little tip if you have a spammer on your website. If you can find their IP in your logs, simply add it to an htaccess file.

  Order Deny,Allow
  Deny from
  # Deny from

Using the Order directive in the mod_access module we can specify IPs to deny and allow. Simply using the syntax Deny from IP ADDRESS we can forbid those users from accessing our directory.

3. Error Documents

All production ready sites should use custom error pages for a professional touch. This is easy using the ErrorDocument directive in Apache's core. A custom page is far better than the default Apache error pages.

  ErrorDocument 404
  ErrorDocument 403
  ErrorDocument 500

ErrorDocument takes two arguments: error-code and document. In the code above I created error documents for the 3 most common HTTP errors: 404 not found, 403 forbidden, and 500 server error. You can provide the full URL or relative path to your error documents. You could also redirect them to a PHP script that logs the errors in a database or emails them to you (might get annoying though). This is a great way to take control of errors in your web application; be sure to check out Smashing Magazine's 404 error page showcase for inspiration.

4. Redirect While Performing Upgrades

If you are performing a major site upgrade you most likely should redirect users to a page informing them. This prevents users from seeing broken pages or potential security holes while the application is uploading. One caveat to consider is that we want to allow certain IP addresses into the site for testing before it goes live. All of this can be achieved in an htaccess file.

  RewriteEngine on
  RewriteCond %{REQUEST_URI} !/upgrade.html$
  # compare the client IP address; REMOTE_HOST can hold a reverse-DNS name instead
  RewriteCond %{REMOTE_ADDR} !^24\.121\.202\.30$
  RewriteRule $ [R=302,L]

We are using the rewrite engine again to do this, but in a kind of reverse way. First we need to set a condition that excludes the document describing the upgrade; otherwise our server starts a never-ending loop. Next we exclude a single IP address from being redirected, for testing purposes. Finally we use the rewrite rule to send users to an upgrade page. We have looked at the flags before, except this time we are setting the redirect to a 302 status code, telling the browser that the page has temporarily moved and to handle caching accordingly. Smashing Magazine, again, has a great showcase of Effective Maintenance Pages.

5. Hiding Directory Listing

For numerous security reasons it is a good idea to restrict directory listing, the default behavior in Apache. With a single line in our htaccess file we can prevent visitors from seeing our directory listings.

  Options -Indexes

Now users who request a directory that doesn't have an index file will be shown a 403 forbidden error page.


These are several of my favorite uses of htaccess. Leave yours in the comments! I am available for help in the comments or on twitter. If there is a great deal of interest, I will do more htaccess tutorials with solutions to your requests in the comments. Thanks for reading!
