Must-have .htaccess file for every website

I have come across client websites that do not have the proper rules in place, which leaves them exposed to attack. Below is a basic .htaccess file that every website should have from a security and SEO point of view. It will not suit every site, since each has its own requirements, but it gets the basic job done. Bear in mind that .htaccess directives only take effect if the server's AllowOverride setting permits them for that directory, so if a rule appears to do nothing, check that first.

You are welcome to provide further additions to the one below.

# Disallow directory listings when a directory has no index file
Options -Indexes

# mod_rewrite needs this (or +SymLinksIfOwnerMatch) in a per-directory context;
# if your host does not allow Options in .htaccess, this line causes a 500 error
Options +FollowSymLinks

# Tell Apache which file to serve when a directory is requested
DirectoryIndex index.php

# Tell Apache which page to serve for a 404
ErrorDocument 404 /404.php

RewriteEngine On
RewriteBase /

# Deny visitors access to .htaccess in this directory and any below it
# (a subdirectory with its own RewriteEngine On does not inherit this rule).
# The stock httpd.conf already denies all ".ht*" files; this is a
# belt-and-braces measure for hosts that have removed that protection.
RewriteRule (^|/)\.htaccess$ - [F]

# Redirect non-www URLs to the www URL. Do not copy %{HTTP_HOST} into the
# redirect target: that reflects whatever Host header the client sent, so
# the client picks the redirect destination, and a request by IP address
# is sent to nonsense such as www.203.0.113.5. Match the bare domain and
# redirect to a hard-coded canonical name instead (example.com is a
# placeholder for your own domain; use https:// if the site is served over TLS).
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^ http://www.example.com%{REQUEST_URI} [R=301,L]

How to 301 redirect static URLs using .htaccess

If your website has static URLs, i.e. URLs without query string parameters, and you need to redirect your old URLs to your new ones, there is nothing to fear: simple Redirect statements in your .htaccess file do the job, and you do not need to be a regular expression guru.

Add the following line in your .htaccess file

Redirect 301 /oldname /newname

The statement above tells Apache to answer any request for /oldname with a 301 redirect to the new URL (/newname is a placeholder here; the target may be a site-relative path or a full URL). Redirect matches whole path components, so /oldname also catches /oldname/anything and sends it to /newname/anything, but it does not match /oldname2. You can add as many statements as you like; if there are more than twenty or so, consider RedirectMatch, where a little regular expression practice gets the job done in a few statements.
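Beyond a handful of lines, writing the Redirect statements by hand is where mistakes creep in. The following script, an added example that is not part of the original post, generates them from a simple old-path,new-target list (the sample list and the www.example.com host are constructed here and are assumptions). It rejects entries that would produce a broken or abusable rule: old paths must be absolute and free of query strings (Redirect matches URL-paths only, so a query string in the old path never matches), targets must be site-relative or point at an allowed host (so a stray line cannot send visitors off-site), duplicates are dropped, and longer old paths are emitted first so that Redirect's prefix matching does not let /blog swallow /blog/archive.

```python
"""Generate Redirect 301 directives for .htaccess from an old,new mapping.

Added example: assumes one "old-path,new-target" pair per line and that
www.example.com (a placeholder) is the only off-site host we redirect to.
"""
from urllib.parse import urlsplit

# Hosts an absolute-URL target may point at (placeholder domain).
ALLOWED_HOSTS = {"www.example.com"}

# Constructed sample mapping; the last three lines are deliberately bad.
SAMPLE_MAPPING = """\
# old path, new target
/oldname,/newname
/products/widgets,https://www.example.com/widgets
/blog,/news
/blog/archive,/news/archive
/about?lang=en,/about
/contact,https://evil.example/phish
/oldname,/duplicate
"""


def parse_mapping(text):
    """Yield (old_path, target) pairs; blank lines and # comments are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "," not in line:
            raise ValueError(f"line {lineno}: expected 'old,new', got {line!r}")
        old, target = (part.strip() for part in line.split(",", 1))
        yield old, target


def validate_pair(old, target):
    """Return None if the pair yields a safe directive, else the reason to reject it."""
    if not old.startswith("/"):
        return "old path must start with /"
    if "?" in old or "#" in old:
        # Redirect matches the URL-path only; a query string here never matches.
        return "old path must not contain a query string or fragment"
    if any(ch.isspace() for ch in old + target):
        return "whitespace would split the directive into extra arguments"
    if target.startswith("/"):
        return None  # site-relative target: Apache fills in scheme and host
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        return f"target host {parts.hostname!r} is not in the allowed list"
    return None


def generate_redirects(text):
    """Return (directives, rejected).

    directives: 'Redirect 301 old target' lines, most specific old path first.
    rejected:   (old_path, reason) tuples for lines that were dropped.
    """
    accepted = {}
    rejected = []
    for old, target in parse_mapping(text):
        reason = validate_pair(old, target)
        if reason is None and old in accepted:
            reason = f"duplicate old path (already maps to {accepted[old]})"
        if reason is not None:
            rejected.append((old, reason))
            continue
        accepted[old] = target
    # Redirect matches whole path-component prefixes and the first match wins,
    # so emit longer old paths before their prefixes.
    ordered = sorted(accepted, key=lambda path: (-len(path), path))
    directives = [f"Redirect 301 {old} {accepted[old]}" for old in ordered]
    return directives, rejected


if __name__ == "__main__":
    lines, dropped = generate_redirects(SAMPLE_MAPPING)
    print("\n".join(lines))
    for old, why in dropped:
        print(f"# skipped {old}: {why}")
```

Paste the printed directives into .htaccess and keep the mapping file under version control; regenerating from the mapping is far less error-prone than editing dozens of Redirect lines in place.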


How to 301 redirect non-www URLs to www URLs using .htaccess

If your website can be reached under two different hostnames, one with www and one without, search engines may treat the two as duplicate content and penalise the site, which is costly in terms of your rankings. For example, if the same page is served both with and without the www prefix, Google may deem it duplicate content.

Google provides a method for this known as setting your "Preferred Domain" in Google Webmaster Tools. Once that is done, Google crawls, indexes and ranks your website using the preferred domain; however, Google still recommends that you 301 redirect all other URLs to the preferred domain so that any link juice on those links is consolidated and improves your ranking.

Add the following to your .htaccess file to 301 redirect all non-www URLs to the www URL. Match the bare domain explicitly and hard-code the target hostname rather than reflecting %{HTTP_HOST}: the original form redirected to whatever host the client named in its Host header, and turned a request by IP address into a redirect to www.203.0.113.5. (example.com is a placeholder for your own domain; use https:// if the site is served over TLS.)

RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^ http://www.example.com%{REQUEST_URI} [R=301,L]


How to 301 redirect SSL URLs to non-SSL URLs using .htaccess

If you need to send visitors from https:// URLs to the http:// versions, add the following to your .htaccess file. Testing %{HTTPS} is more reliable than testing %{SERVER_PORT} for 443, which misses TLS on any other port; note that behind a TLS-terminating proxy or load balancer Apache sees a plain connection either way and you would have to test the X-Forwarded-Proto header instead. (example.com is a placeholder for your own domain.)

RewriteCond %{HTTPS} on
RewriteRule ^ http://www.example.com%{REQUEST_URI} [R=301,L]

Use the above code only in the following situations:

1. Your website used to run on https:// and no longer uses SSL.
2. Your website is not using SSL anymore but still has https:// pages indexed in Google and other search engines.

Bear in mind that this is a protocol downgrade: it moves visitors onto an unencrypted connection, and it only works while a valid certificate is still installed, because the browser must complete the TLS handshake before it can receive the redirect. For a site that keeps its certificate, the redirect most people want today is the opposite one, from http:// to https://.


301 redirect a folder URL to the root URL using .htaccess

Our SEO department recently tweaked the URLs of a client website to improve its search engine rankings. The change was minor: they removed a category path from the URL, which shortened it. There was one problem. The website was already indexed in Google, and even though the change was small it affected hundreds of URLs. Anyone clicking an old URL in Google's results got the 404 page, which is a big no-no on a website with more than 50,000 GBP of sales.

The solution was an addition of one line in the .htaccess file which would automatically redirect the visitor from the old URL to the new URL.

I added the following line which resolved the problem.

RedirectMatch 301 ^/webman/(.*)$ http://www.example.com/$1

RedirectMatch belongs to mod_alias, not mod_rewrite: it takes an optional status code, a regular expression and a target, and does not accept [R=301,L] flags (Apache rejects the directive, and a bad directive in .htaccess makes the whole directory answer with a 500 error). The pattern is anchored with ^/ so that only paths starting with /webman/ match, not any URL that happens to contain webman/ somewhere in it. The above is an example: replace webman with your path name and example.com (a placeholder) with your domain name.
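The non-www redirect, the SSL-to-non-SSL redirect and the RedirectMatch above each have a common pitfall, and all of them can be checked for mechanically. The following script, an added example and not code from the original post, scans an .htaccess text for: a RewriteRule whose target contains %{HTTP_HOST} (the redirect destination is then taken from the client's Host header); a RewriteRule that sends https:// traffic to an http:// target (a protocol downgrade); a Redirect or RedirectMatch carrying mod_rewrite-style [flags], which mod_alias does not accept; and a missing Options -Indexes. The sample .htaccess is constructed from the kinds of rules shown on this page, with example.com as a placeholder domain.

```python
"""Flag common .htaccess mistakes discussed on this page.

Added example. It is a line-oriented check, not a full Apache config parser:
directives are split on whitespace and <IfModule>/<Files> blocks are ignored.
"""
import re

# Constructed sample: the original rules from this page, example.com as placeholder.
SAMPLE_HTACCESS = r"""
Options +FollowSymLinks
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
RewriteCond %{SERVER_PORT} ^443$
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
RedirectMatch webman/(.*)$ http://www.example.com/$1 [R=301,L]
""".lstrip("\n")

# A RewriteCond that is true only on TLS connections.
TLS_COND = re.compile(r"%\{SERVER_PORT\}\s+\^?443\$?|%\{HTTPS\}\s+=?on\b", re.I)
# Trailing mod_rewrite flag group such as [R=301,L].
TRAILING_FLAGS = re.compile(r"\[[A-Za-z0-9=,]+\]$")
REDIRECT_DIRECTIVES = {"redirect", "redirectmatch", "redirectpermanent", "redirecttemp"}


def check_htaccess(text):
    """Return findings as (line_number, message); line 0 means file-wide."""
    findings = []
    saw_no_indexes = False
    pending_conds = []  # RewriteConds that apply to the next RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()

        if directive == "options" and any(p.lower() == "-indexes" for p in parts[1:]):
            saw_no_indexes = True

        elif directive == "rewritecond":
            pending_conds.append(line)

        elif directive == "rewriterule":
            target = parts[2] if len(parts) > 2 else ""
            if "%{HTTP_HOST}" in target:
                findings.append((lineno, "RewriteRule target reflects %{HTTP_HOST}: "
                                         "the client's Host header picks the redirect host"))
            if target.lower().startswith("http://") and any(TLS_COND.search(c) for c in pending_conds):
                findings.append((lineno, "redirects https:// requests to an http:// target "
                                         "(protocol downgrade)"))
            pending_conds = []  # conditions only apply to the rule that follows them

        elif directive in REDIRECT_DIRECTIVES and TRAILING_FLAGS.search(line):
            findings.append((lineno, f"{parts[0]} is a mod_alias directive and takes no [flags]; "
                                     f"write '{parts[0]} 301 <pattern> <url>' instead"))

    if not saw_no_indexes:
        findings.append((0, "no 'Options -Indexes': directory listings depend on the server default"))
    return findings


if __name__ == "__main__":
    for lineno, message in check_htaccess(SAMPLE_HTACCESS):
        print(f"line {lineno}: {message}")
```

Run it against the real file before uploading; on the sample above it reports the host reflection on line 5, the downgrade on line 7, the misused flags on line 8, and the missing -Indexes option.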


How to stop executable scripts from running using .htaccess

I came across an issue recently in which a client complained that his hosting provider had suspended his account because a large number of spam emails were being sent from his website. The site was a small five-page website, and CAPTCHA had been implemented on the Contact Us form.

After talking with the client's hosting support I found that the emails were being sent by .php and .pl scripts in the images folder. The images folder had 777 permissions, meaning that any user or process on the host could read, write and modify files in it. I first changed the permissions to 755 and then removed all executable scripts from that folder.

Next I uploaded an .htaccess file to the images folder to stop any executable script from running there. Its contents are as follows (the FilesMatch pattern here covers the .php and .pl scripts found in the folder; add any other extensions your server is configured to execute):

<FilesMatch "\.(php|pl)$">
Order Allow,Deny
Deny from all
</FilesMatch>

With this in place Apache refuses direct requests for script files in the images folder while still serving the images themselves. On Apache 2.4 the Order/Deny pair needs mod_access_compat; the native 2.4 form is Require all denied. Two caveats: the rule only blocks HTTP requests for the scripts, so delete the files as well, and it does nothing about the root cause, which was a world-writable directory, so fix the permissions too.
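The root cause in this story was a world-writable folder combined with scripts the web server was willing to execute, and both are easy to find before a hosting provider finds them for you. The following script, an added example and not code from the original post, walks a document root and reports world-writable directories, script files sitting in directories that should hold only static content, and such directories lacking an .htaccess that denies script requests; it then applies the fix described above (permissions back to 755 plus a deny .htaccess) to one directory. The sample document root is built in a temporary directory, and the script-extension and static-directory lists are assumptions.

```python
"""Audit a document root for world-writable directories and stray scripts.

Added example. Assumptions: script files are identified by extension
(SCRIPT_EXTENSIONS) and the directories that should never contain scripts are
named in STATIC_ONLY_DIRS; adjust both for your site.
"""
import os
import stat
import tempfile

SCRIPT_EXTENSIONS = {".php", ".phtml", ".pl", ".py", ".cgi", ".sh"}
STATIC_ONLY_DIRS = {"images", "img", "uploads", "media"}

# The .htaccess written into static-only directories. On Apache 2.4 the
# Order/Deny form needs mod_access_compat, so both forms are included.
DENY_SCRIPTS_HTACCESS = r"""# Refuse direct requests for script files in this directory.
<FilesMatch "\.(php|phtml|pl|py|cgi|sh)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</FilesMatch>
"""
DENY_MARKERS = ("Require all denied", "Deny from all")


def htaccess_blocks_scripts(dirpath):
    """True if dirpath has an .htaccess containing a deny rule."""
    path = os.path.join(dirpath, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        content = fh.read()
    return any(marker in content for marker in DENY_MARKERS)


def audit_docroot(root):
    """Return (path, problem) findings for the tree under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            findings.append((dirpath, "world-writable directory (chmod 777): "
                                      "anyone on the host can drop files here"))
        rel_parts = os.path.relpath(dirpath, root).split(os.sep)
        if not any(part in STATIC_ONLY_DIRS for part in rel_parts):
            continue
        if not htaccess_blocks_scripts(dirpath):
            findings.append((dirpath, "static-only directory has no .htaccess denying script requests"))
        for name in filenames:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTENSIONS:
                findings.append((os.path.join(dirpath, name), "script file in a static-only directory"))
    return findings


def harden_static_dir(dirpath):
    """Apply the fix from the text: 755 permissions plus a deny .htaccess.

    Stray scripts are reported, not deleted; review them before removing.
    """
    os.chmod(dirpath, 0o755)
    with open(os.path.join(dirpath, ".htaccess"), "w", encoding="utf-8") as fh:
        fh.write(DENY_SCRIPTS_HTACCESS)


def build_sample_tree():
    """Construct a small document root with the problem described above.

    Returns (root, images_dir); root is a fresh temporary directory.
    """
    root = tempfile.mkdtemp(prefix="docroot-")
    images = os.path.join(root, "images")
    os.makedirs(images, mode=0o755)
    os.makedirs(os.path.join(root, "css"), mode=0o755)
    for rel in ("index.php", "contact.php", "css/site.css",
                "images/logo.png", "images/mailer.php", "images/send.pl"):
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write("")
    os.chmod(images, 0o777)  # the 777 permission from the story
    return root, images


if __name__ == "__main__":
    root, images = build_sample_tree()
    for path, problem in audit_docroot(root):
        print(f"{os.path.relpath(path, root)}: {problem}")
    harden_static_dir(images)
    print("after hardening:", len(audit_docroot(root)), "finding(s) remain")
```

Point audit_docroot at the real document root to get the same report for a live site; the two findings that remain after hardening are the scripts themselves, which the script deliberately leaves for a human to inspect and delete.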

Hope the above helped and let me know if you encounter any problems.