The Apache web server is one of the most popular and widely used web servers in the world. With its flexibility and power, Apache allows for a wide range of configuration options to optimize the security and performance of your website. One of the key tools available for this purpose is the .htaccess file.
The .htaccess file is a per-directory configuration file that lets you change a website's server settings without editing the main Apache configuration. It can control many aspects of a website, including security, performance, and redirects. Two things to keep in mind: its directives only take effect if the main configuration permits them with AllowOverride, and Apache re-reads .htaccess files on every request, so a directive that can live in the main server configuration instead is both faster and harder to tamper with. In this article, we will explore 36 useful Apache ‘.htaccess’ tricks for enhancing the security and performance of your website.
- Deny access to specific files or directories
You can prevent access to specific files on your website by using the following code in your .htaccess file. FilesMatch takes a regular expression, so anchor it: an unanchored "filename" would also match "filename.bak" (use the Files container for a literal name). This and the other access-control tricks below use the Apache 2.2 Order/Allow/Deny syntax, which Apache 2.4 accepts only when mod_access_compat is loaded; the native 2.4 equivalent is "Require all denied". To deny a whole directory, place an .htaccess containing just the Deny line inside it.
<FilesMatch "^filename$">
Order Allow,Deny
Deny from all
</FilesMatch>
- Prevent directory listing
To prevent directory listing on your website, add the following code to your .htaccess file:
Options -Indexes
- Set a custom error page
You can set a custom error page for different error codes using the following code:
ErrorDocument 404 /error404.html
ErrorDocument 403 /error403.html
- Redirect users to a secure HTTPS connection
To redirect users to a secure HTTPS connection, add the following code to your .htaccess file:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
- Protect against hotlinking
To prevent hotlinking (i.e., when someone embeds your images on their website), you can add the following code to your .htaccess file. Requests with an empty Referer are let through, because browsers and proxies often strip it; the domain pattern escapes the dot and is terminated so that it matches only your own host names. Since the Referer is supplied by the client, this discourages casual hotlinking rather than preventing it outright:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourwebsite\.com(/|$) [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
- Limit file upload size
To limit the maximum file upload size, add the following code to your .htaccess file. php_value only works when PHP runs as an Apache module (mod_php); with PHP-FPM or CGI the directive is unknown to Apache and produces a 500 error, and the limits belong in php.ini or the FPM pool configuration instead. Keep post_max_size at least as large as upload_max_filesize, otherwise the request body is discarded before PHP sees the file:
php_value upload_max_filesize 10M
php_value post_max_size 10M
- Block specific IP addresses
To block specific IP addresses from accessing your website, add the following code to your .htaccess file. The Order line matters: with Order Allow,Deny the Deny directive takes precedence over "Allow from all", so only the listed address is refused. With Order Deny,Allow the "Allow from all" would be evaluated last and the blocked address would be let through again:
Order Allow,Deny
Allow from all
Deny from 192.168.1.1
- Enable caching
To improve website performance, you can enable caching using the following code:
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType text/css "access plus 1 month"
ExpiresByType text/javascript "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
</IfModule>
- Protect against SQL injection
To filter obvious SQL injection and script-injection attempts in query strings, add the following code to your .htaccess file. This is a coarse keyword match, not a substitute for parameterised queries and output encoding in the application; the keywords are matched on word boundaries so that legitimate parameters such as "dropdown" are not blocked, but check your own URLs for false positives before enabling it:
RewriteEngine On
# Block any request whose query string includes <script>, DELETE, DROP, EXECUTE or INSERT
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} \b(DELETE|DROP|EXECUTE|INSERT)\b [NC]
RewriteRule ^(.*)$ - [F,L]
- Enable Gzip compression
To enable Gzip compression for faster page loading, add the following code to your .htaccess file:
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
</IfModule>
- Block bad bots
To block bad bots from crawling your website, add the following code to your .htaccess file:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^.*(BadBot1|BadBot2|BadBot3).*$ [NC]
RewriteRule ^.* - [F,L]
- Protect against clickjacking
To protect against clickjacking attacks, add the following code to your .htaccess file. Use "set" rather than "append" so that any value added elsewhere is replaced instead of producing a second, conflicting header; in current browsers the Content-Security-Policy frame-ancestors directive is the more flexible control and takes precedence when both are present:
Header always set X-Frame-Options SAMEORIGIN
- Limit access to wp-admin directory
If you use WordPress, you can restrict the login page (wp-login.php, which the wp-admin area sends you to) to your own address by adding the following code to your .htaccess file. Order Deny,Allow is required here: the Allow directive is evaluated last and admits only the listed address, whereas Order Allow,Deny would let "Deny from all" win and lock everyone out, including you:
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from 192.168.1.1
</Files>
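Both the IP-blocking trick and the wp-login trick depend on which way round the Order directive reads. The following Python model of Apache 2.2 mod_access evaluation (mod_access_compat on 2.4) is an added example, not Apache code or the article's own: it parses Allow/Deny snippets as text and reports which client each variant admits, including the inverted forms that silently admit or exclude everyone.

```python
"""Model of how Apache 2.2 mod_access (mod_access_compat on 2.4) evaluates
Order / Allow from / Deny from. Added example, not Apache source: it handles
'all', single IPs and CIDR ranges, not hostnames, env= tests or prefixes."""
import ipaddress

def _matches(spec: str, client: str) -> bool:
    if spec.lower() == "all":
        return True
    return ipaddress.ip_address(client) in ipaddress.ip_network(spec, strict=False)

def parse_access(snippet: str):
    # Returns (order, allow_specs, deny_specs); Apache's default Order is Deny,Allow
    order, allow, deny = "deny,allow", [], []
    for raw in snippet.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":          # skip comments and <Files> tags
            continue
        directive, _, rest = line.partition(" ")
        key = directive.lower()
        if key == "order":
            order = rest.replace(" ", "").lower()
        elif key in ("allow", "deny"):
            specs = rest.split()
            if specs and specs[0].lower() == "from":
                specs = specs[1:]
            (allow if key == "allow" else deny).extend(specs)
    return order, allow, deny

def is_allowed(snippet: str, client: str) -> bool:
    order, allow, deny = parse_access(snippet)
    hit_allow = any(_matches(s, client) for s in allow)
    hit_deny = any(_matches(s, client) for s in deny)
    if order == "allow,deny":   # Allow first, then Deny; default deny; a Deny match wins
        return hit_allow and not hit_deny
    if order == "deny,allow":   # Deny first, then Allow; default allow; an Allow match wins
        return hit_allow or not hit_deny
    raise ValueError(f"unsupported Order {order!r}")

# Constructed snippets: "block one address" and "admit only one address", each
# beside the inverted Order that silently does the opposite.
SNIPPETS = {
    "block one, inverted": "Order Deny,Allow\nDeny from 192.168.1.1\nAllow from all\n",
    "block one":           "Order Allow,Deny\nAllow from all\nDeny from 192.168.1.1\n",
    "admit one, inverted": "Order Allow,Deny\nDeny from all\nAllow from 192.168.1.1\n",
    "admit one":           "Order Deny,Allow\nDeny from all\nAllow from 192.168.1.1\n",
}

if __name__ == "__main__":
    for name, snippet in SNIPPETS.items():
        print(f"{name:20}", {ip: is_allowed(snippet, ip) for ip in ("192.168.1.1", "203.0.113.9")})
```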
- Minify CSS and JavaScript files
To shrink CSS and JavaScript transfers for faster page loading, add the following code to your .htaccess file. Note that mod_deflate compresses the files on the fly as they are sent; it does not rewrite or minify their contents, which is a build-step task. If mod_deflate is already configured as in the Gzip trick above, these types are covered and this block is redundant:
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/css text/javascript application/javascript
</IfModule>
- Block access to specific referrers
To block access to specific referrers, add the following code to your .htaccess file:
RewriteEngine on
RewriteCond %{HTTP_REFERER} example\.com [NC,OR]
RewriteCond %{HTTP_REFERER} example\.org [NC]
RewriteRule .* - [F,L]
- Block access to specific user agents
To block access to specific user agents, add the following code to your .htaccess file:
SetEnvIfNoCase User-Agent "^BadBot" bad_bot
Deny from env=bad_bot
- Set security headers
To set security headers for your website, add the following code to your .htaccess file. Two caveats: X-XSS-Protection controlled a browser XSS filter that current browsers have removed, so it adds nothing today and a Content-Security-Policy header is the replacement; and X-Frame-Options is also set (to SAMEORIGIN) by the clickjacking trick above, so keep only one of the two lines, because Apache can emit both values and browsers handle conflicting values inconsistently:
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header set X-Frame-Options DENY
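To see what a response actually carries once the clickjacking and security-header tricks are both in place, the following Python checker (an added example, not from the article) audits a captured header block for the pitfalls those Header directives can produce. Capturing the block with "curl -sI" is an assumption about your tooling, and the sample responses are constructed.

```python
"""Audit the security headers in a captured Apache response. Added example, not
from the article: paste in the output of `curl -sI https://your-site/` (assumed
capture method) and it flags the pitfalls the Header directives can produce."""

def parse_headers(raw: str) -> dict:
    # Map lowercased header name to the list of its values, keeping duplicates
    headers: dict = {}
    for line in raw.strip().splitlines()[1:]:       # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw: str) -> list:
    # Return findings for one response; an empty list means nothing to report
    h = parse_headers(raw)
    findings = []
    xfo = {v.upper() for v in h.get("x-frame-options", [])}
    csp = " ".join(h.get("content-security-policy", []))
    if not xfo and "frame-ancestors" not in csp:
        findings.append("no framing protection (X-Frame-Options or CSP frame-ancestors)")
    elif len(xfo) > 1:
        # two X-Frame-Options directives can both be emitted; browsers disagree on the result
        findings.append(f"conflicting X-Frame-Options values {sorted(xfo)}")
    if [v.lower() for v in h.get("x-content-type-options", [])] != ["nosniff"]:
        findings.append("X-Content-Type-Options missing or not exactly 'nosniff'")
    xxp = h.get("x-xss-protection", [])
    if xxp and any(v.strip() != "0" for v in xxp):
        # the browser XSS auditor it controlled no longer exists; CSP replaces it
        findings.append("X-XSS-Protection enabled: obsolete, set it to 0 or remove it")
    if "strict-transport-security" not in h:
        findings.append("no Strict-Transport-Security (pair with the HTTPS redirect)")
    return findings

# Constructed responses: the first shows conflicting X-Frame-Options lines and the
# legacy X-XSS-Protection header as they appear on the wire.
SAMPLE_WEAK = """HTTP/1.1 200 OK
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
"""
SAMPLE_GOOD = """HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=63072000; includeSubDomains
"""

if __name__ == "__main__":
    for name, raw in (("weak", SAMPLE_WEAK), ("good", SAMPLE_GOOD)):
        print(name, audit(raw) or ["ok"])
```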
- Prevent image hotlinking
To prevent hotlinking of images on your website, add the following code to your .htaccess file. As in the earlier hotlinking trick, an empty Referer is allowed, the dot in the domain is escaped and the pattern is terminated so that it matches only your own host names:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourwebsite\.com(/|$) [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
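The two hotlinking tricks rely on one Referer pattern. The following Python model (an added example, not the article's or Apache's code; Python's re module stands in for Apache's PCRE) runs the three rewrite lines against constructed Referer values and compares a loose form of the domain pattern (unescaped dot, no terminator) with a tightened one.

```python
"""Run the article's hotlink rules against constructed Referer values. Added
example, not Apache code; Python's re stands in for Apache's PCRE here."""
import re

IMAGE_RULE = r"\.(jpg|jpeg|png|gif)$"                     # RewriteRule pattern, [NC]
LOOSE_HOST = r"^http(s)?://(www\.)?yourwebsite.com"       # unescaped dot, no terminator
STRICT_HOST = r"^https?://(www\.)?yourwebsite\.com(/|$)"  # literal dot, host must end

def hotlink_blocked(path: str, referer: str, host_pattern: str) -> bool:
    r"""True when the rule set would answer 403 ([F]) for this request.

    Models, with both conditions ANDed as mod_rewrite does:
        RewriteCond %{HTTP_REFERER} !^$
        RewriteCond %{HTTP_REFERER} !<host_pattern> [NC]
        RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
    """
    if not re.search(IMAGE_RULE, path, re.IGNORECASE):
        return False          # not an image: the rule never fires
    if referer == "":
        return False          # empty Referer (privacy settings, direct visit) is let through
    if re.match(host_pattern, referer, re.IGNORECASE):
        return False          # request came from one of our own pages
    return True

def compare(referer: str, path: str = "/img/logo.png") -> dict:
    """Verdict of the loose pattern beside the tightened one for a single Referer."""
    return {"loose": hotlink_blocked(path, referer, LOOSE_HOST),
            "strict": hotlink_blocked(path, referer, STRICT_HOST)}

# Constructed Referer values a server might see.
REFERERS = [
    "",                                        # no Referer header at all
    "https://www.yourwebsite.com/gallery",     # own site
    "HTTPS://YOURWEBSITE.COM/",                # own site, unusual casing ([NC])
    "https://other.example/blog/",             # third-party page embedding the image
    "https://yourwebsite.com.other.example/",  # host that merely starts with our name
    "https://yourwebsiteXcom/",                # what an unescaped dot also matches
]

if __name__ == "__main__":
    for ref in REFERERS:
        print(f"{ref or '<empty>':42} {compare(ref)}")
```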
- Prevent access to the wp-config.php file
To prevent access to the wp-config.php file in WordPress, add the following code to your .htaccess file:
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>
- Specify a default character set
To specify a default character set for your website, add the following code to your .htaccess file:
AddDefaultCharset UTF-8
- Protect against XML-RPC attacks
To protect against XML-RPC attacks in WordPress (password guessing and pingback amplification through xmlrpc.php), add the following code to your .htaccess file. Be aware that the WordPress mobile apps and some plugins, Jetpack among them, rely on XML-RPC and will stop working:
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
- Redirect non-www to www
To redirect non-www to www for your website, add the following code to your .htaccess file. Preserve the scheme of the original request so that HTTPS visitors are not downgraded to plain HTTP (%{REQUEST_SCHEME} needs Apache 2.4; on older versions write https:// explicitly if the site is HTTPS only):
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ %{REQUEST_SCHEME}://www.%{HTTP_HOST}/$1 [R=301,L]
- Block access to specific file types
To block access to specific file types on your website, add the following code to your .htaccess file:
<FilesMatch "\.(log|sh|sql)$">
Order Allow,Deny
Deny from all
</FilesMatch>
- Prevent access to the .htaccess file
To prevent access to the .htaccess file itself, add the following code to your .htaccess file. Apache's stock configuration already denies requests for any file whose name begins with .ht, so this is a safeguard for servers whose configuration has dropped that rule:
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>
- Limit access to the wp-includes directory
To limit access to the wp-includes directory in WordPress, add the following code to your .htaccess file. Place it outside the "# BEGIN WordPress" and "# END WordPress" markers, which WordPress rewrites, and on a multisite installation omit the line that blocks wp-includes/[^/]+\.php, because ms-files.php must remain reachable:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
- Limit access to the wp-content directory
To limit access to the wp-content directory in WordPress, add the following code to your .htaccess file. Blocking these directories outright would also block the stylesheets, scripts and images your site serves from them, so the rules refuse only PHP files, which is what stops an uploaded or planted script from being executed. A few plugins call their own PHP files directly and will need an exception, so test after applying:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-content/uploads/.*\.php$ - [NC,F,L]
RewriteRule ^wp-content/plugins/.*\.php$ - [NC,F,L]
RewriteRule ^wp-content/themes/.*\.php$ - [NC,F,L]
</IfModule>
- Prevent brute force attacks
To prevent brute force attacks on your website, add the following code to your .htaccess file. Denying everyone access to wp-login.php stops remote password guessing, but as written it also locks you out: pair it with an Allow for your own address as in the wp-login trick above, or put HTTP Basic authentication in front of the file instead so that a second password is required before WordPress sees the login attempt:
<FilesMatch "wp-login.php">
Order Allow,Deny
Deny from all
</FilesMatch>
- Limit access to the .git directory
To limit access to the .git directory on your website, add the following code to your .htaccess file:
RedirectMatch 404 /\.git
- Limit access to the .svn directory
To limit access to the .svn directory on your website, add the following code to your .htaccess file:
RedirectMatch 404 /\.svn
- Disable directory browsing
To disable directory browsing on your website, add the following code to your .htaccess file:
Options -Indexes
- Block access to the wp-content/plugins directory
To block access to the wp-content/plugins directory in WordPress, add the following code to your .htaccess file. Only PHP files are refused, so that plugin stylesheets, scripts and images keep loading:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-content/plugins/.*\.php$ - [NC,F,L]
</IfModule>
- Block access to the wp-content/themes directory
To block access to the wp-content/themes directory in WordPress, add the following code to your .htaccess file. Only PHP files are refused, so that theme stylesheets, scripts and images keep loading:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-content/themes/.*\.php$ - [NC,F,L]
</IfModule>
- Block access to the wp-content/uploads directory
To block access to the wp-content/uploads directory in WordPress, add the following code to your .htaccess file. Uploaded media must stay reachable, so the rule refuses only PHP files, which prevents a script smuggled in through the media uploader from being run:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-content/uploads/.*\.php$ - [NC,F,L]
</IfModule>
- Block access to the wp-includes directory
To block access to the wp-includes directory in WordPress, add the following code to your .htaccess file. WordPress serves scripts and stylesheets from wp-includes, so only PHP files are refused; test your site afterwards, as a few older components fetch PHP files from this directory directly:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-includes/.*\.php$ - [NC,F,L]
</IfModule>
- Block access to the wp-admin directory
To block access to the wp-admin directory in WordPress, add the following code to your .htaccess file. admin-ajax.php is exempted because front-end plugins and themes call it for logged-out visitors; everything else under wp-admin is refused for everyone, so combine this with an allow-list for your own address (see the wp-login trick) or you will lock yourself out:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/(?!admin-ajax\.php$) - [F,L]
</IfModule>
- Enable browser caching
To enable browser caching for your website, add the following code to your .htaccess file (image/jpg is not a registered media type; image/jpeg is what Apache sends for .jpg files):
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
</IfModule>
In conclusion, the .htaccess file is a powerful tool for enhancing the security and performance of your website. By utilizing the tricks mentioned in this article, you can protect your website from various security threats and improve its loading speed. Remember to always back up your .htaccess file before making any changes and test each trick to ensure compatibility with your website.