This quick tutorial will provide you with an htaccess file that does the following:
1. Protects itself (security)
2. Turns the digital signature off (security)
3. Limits upload size (security)
4. Protects wp-config.php (security)
5. Gives access permission to all visitors with exceptions (security, usability)
6. Specifies custom error documents (usability)
7. Disables directory browsing (security)
8. Redirect old pages to new (optional)
9. Disables image hotlinking (bandwidth)
10. Enables PHP compression (bandwidth)
11. Sets the canonical or “standard” url for your site (seo, usability)
htaccess file creation screenshot in Notepad on Windows XP
1. Step 1, create a blank .htaccess file. This can be done in Notepad or a comparable simple text editor of your choice (no MS Word does not count although it’s possible). Open Notepad and Click Save, name this file htaccess.txt. If you’re using Windows XP the OS won’t allow you to name a file e .htaccess but don’t worry, you can rename it once it’s been uploaded to your server (no idea how Linux, Vista or OSX handle this).
2. Add content to htaccess.txt. Now that you have htaccess.txt saved, you can start to edit the file and use it to better manage your site without relying on complex PHP or bloated JavaScript code.
The example htaccess file below is one that can be used for a website like this one (running WordPress and nothing else), simply un-comment the sections you’d like to use by removing the # at the beginning of the line and copy+paste the contents into your own .htaccess file.
# protect the htaccess file
<files .htaccess>
order allow,deny
deny from all
</files>
# disable the server signature
ServerSignature Off
# limit file uploads to 10mb
LimitRequestBody 10240000
# protect wpconfig.php
<files wp-config.php>
order allow,deny
deny from all
</files>
#who has access who doesnt
order allow,deny
#deny from 000.000.000.000
allow from all
#custom error docs
ErrorDocument 404 /notfound.php
ErrorDocument 403 /forbidden.php
ErrorDocument 500 /error.php
# disable directory browsing
Options All -Indexes
#redirect old to new
Redirect 301 /old.php
http://www.yourdomain.com/new.php#block referring domains
RewriteEngine on
RewriteCond %{HTTP_REFERER} digg\.com [NC]
RewriteRule .* – [F]
#disable hotlinking of images with forbidden or custom image option
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain.com/.*$ [NC]
#RewriteRule \.(gif|jpg)$ – [F]
#RewriteRule \.(gif|jpg)$
http://www.yourdomain.com/stealingisbad.gif [R,L]
# php compression – use with caution
<ifmodule mod_php4.c>
php_value zlib.output_compression 16386
</ifmodule>
# set the canonical url
RewriteEngine On
RewriteCond %{HTTP_HOST} ^yourdomain\.com$ [NC]
RewriteRule ^(.*)$
http://www.yourdomain.com/$1 [R=301,L]
# protect from spam comments
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*yourdomain.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
3. Upload htaccess.txt. Once you’ve created your master piece of an .htaccess file upload the htaccess.txt file to your web server via ftp (in ASCII mode) and rename the file to .htaccess. Once it’s been renamed change the file permissions of the .htaccess file to 644 to further protect it from malicious hacker types.
