5 Different Ways of Hacking / Safeguarding your Wordpress blog using .htaccess
This is a bit technical, let me tell you this upfront. It’s not easy for people to go ahead and edit the code of their blog directly. That’s why you have an Admin page, right? But just because you cannot do it (yet), does not mean that you should not know.
What is .htaccess by the way?
Wikipedia explains this pretty nicely - “.htaccess (hypertext access) is the default name of directory-level configuration files that allow for decentralized management of configuration when placed inside the web tree”.
Ok, if that was confusing: browse your blog's folder structure through cPanel or your favourite FTP program and you will find a file called .htaccess (you may have to switch on "show hidden files" to see it). It holds per-directory configuration for the Apache web server that runs your blog. You can use it to refuse requests for files that should never be handed out directly, such as wp-config.php, where your database credentials live; to rewrite the URLs a visitor sees (this is how WordPress's pretty permalinks work); to switch server features such as directory listings on and off; and so on.
One thing to remember is that a .htaccess file applies to the folder it sits in and to every folder beneath it. A .htaccess in a sub folder adds to, or overrides, the settings inherited from the folders above it, so you only need extra files where a folder genuinely needs different rules (which is rare). The hosting configuration decides which directives .htaccess may set at all (Apache's AllowOverride setting); on shared hosting this is normally AllowOverride All, which permits everything in this post.
For the sake of this post, I’m writing here about 5 different ways in which you can work with your .htaccess file.
Before you attempt any of these - take a backup of the .htaccess file and keep it in a safe place, so that if a point comes where you have to feel sad about what you did, you can always put this file back there and get another chance at life :).
Also, WordPress itself manages the lines between the markers "# BEGIN WordPress" and "# END WordPress" and regenerates them whenever you save your permalink settings, so anything you add in there will silently disappear. Put the snippets from this post outside those markers (the end of the file is fine) and do not nest them inside an existing <Files> or <IfModule> block unless the snippet shows it. A typo in .htaccess usually takes the whole site down with a "500 Internal Server Error", so test the site immediately after saving, and if you are not sure, keep some expert help handy.
1) Protecting your wp-config.php file
The wp-config.php file is where WordPress keeps its database credentials and secret keys. Normally the server hands the file to PHP and only PHP's output reaches the visitor, so the contents stay hidden. But if PHP handling breaks (a bad upgrade, a misconfigured handler) or an editor leaves a copy behind such as wp-config.php.bak, the raw file, credentials included, can be served as plain text, and whoever reads it can log in to your database. So you want the web server to refuse to serve it at all, regardless of how PHP is set up.
Ok, add this to your .htaccess file and every HTTP request for wp-config.php will be answered with "403 Forbidden". PHP still reads the file from disk, so WordPress keeps working. This is Apache 2.2 syntax; on Apache 2.4 the equivalent is "Require all denied", and the old Order/Deny directives only work there if mod_access_compat is loaded.
# protect wpconfig.php
<files wp-config.php>
order allow,deny
deny from all
</files>
2) Disabling Directory Browsing
Directory browsing (directory listing) means that a request for a folder with no index file returns a list of everything in it. WordPress ships empty index.php files in some folders for exactly this reason, but not in all of them: wp-content/uploads, for example, has none, so with listings enabled anyone can walk through every image and document you have ever uploaded, and a listing of any other folder that lacks an index file tells an attacker exactly what is installed there. Listings are controlled by the server's Indexes option, not by file permissions, so the fix belongs in .htaccess.
You can disable directory listings for the whole site by adding the following line to your .htaccess file. Use only the "-Indexes" form: Apache 2.4 rejects a line that mixes "All" with a +/- option ("Either all Options must start with + or -, or no Option may"), and in .htaccess that rejection shows up as a 500 error for the whole site.
# disable directory listings
Options -Indexes
3) Limiting File Upload size
If visitors can upload files to your blog (a contact form, registered authors, comment attachments) and you want to cap what a single request can carry, say at 10 MB, add the following line to your .htaccess file. Note what it does: LimitRequestBody limits the size of the whole HTTP request body, not an individual file. Any POST larger than this, including ordinary form submissions and XML-RPC calls, is rejected by Apache with "413 Request Entity Too Large" before PHP even runs. PHP's own upload_max_filesize and post_max_size still apply on top of it, and the WordPress media uploader in the admin area is governed by those PHP limits.
# cap any request body at 10 MiB (10 * 1024 * 1024 bytes)
LimitRequestBody 10485760
(The value is in bytes. In the world of computers 1K is 1024, and a megabyte is 1024 × 1024 bytes, so 10 MB is 10 × 1024 × 1024 = 10485760, not 10240000.)
4) Redirecting error pages
It's natural for a site to throw errors: a visitor follows a Google result to a post you have since deleted (404), requests something the server refuses (403), or hits a server-side fault (500). Apache answers each with a plain default error page. Well designed sites replace these with their own pages, which keeps the visitor on the site and, as a side benefit, keeps the default footer, which on many distributions names the Apache version, off the page.
Here are two ways of doing this -
Using one single page for all errors
The mod_rewrite approach below sends every request for a path that is neither a file nor a directory to errorpage.html. Two caveats. First, the page is served with status 200, not 404, so search engines see a "soft 404" and may keep the dead URL indexed; ErrorDocument (next section) keeps the real status and can point every code at the same file. Second, WordPress's own "# BEGIN WordPress" block uses exactly these two RewriteCond lines to route pretty permalinks to index.php, so on a WordPress install with permalinks enabled this rule either never fires (placed after that block) or breaks every permalink (placed before it). It is really only useful on a static site or an install without the WordPress rewrite block.
RewriteEngine On
# anything that is not an existing file or directory goes to the error page
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^.*$ /errorpage.html [L]
Using separate pages for each error code (403, 404, 500, etc.)
Paths are relative to the document root, and the files must exist; otherwise Apache falls back to its built-in page and logs a second error. Only 4xx and 5xx responses are errors: 301 and 302 are redirects and the browser simply follows them, so they do not need a page.
ErrorDocument 403 /403errorpage.html
ErrorDocument 404 /404errorpage.html
ErrorDocument 500 /500errorpage.html
So what should an error page look like? Smashing Magazine talks about some cool 404 error pages here. Check them out.
5) Hiding your .htaccess file
After all these settings to secure your site and improve your visitors' experience, what if someone fetches your .htaccess file itself? It would show them exactly which files you protect and how.
Disable viewing of your .htaccess file
This is the same pattern as the first tip. Apache's stock httpd.conf already contains a <Files ".ht*"> block that denies access to .htaccess and .htpasswd, so on most hosts this is already in place; repeating it in .htaccess costs nothing and covers a host that has changed the default. On Apache 2.4 use "Require all denied" in place of the Order/Deny pair.
<Files .htaccess>
order allow,deny
deny from all
</Files>
Or you could rename the per-directory configuration file:
AccessFileName acl.file
This tells the server to look for acl.file instead of .htaccess in every directory, server-wide. Two caveats: the stock <Files ".ht*"> deny rule no longer matches the new name, so add a matching <Files "acl.file"> deny block in the same configuration file; and a hard-to-guess name is obscurity, not protection. The deny rule is what actually keeps the file private.
Now, where do you put this? Not in the .htaccess file itself: AccessFileName is only valid in the server's main configuration (httpd.conf or the virtual host definition for Apache), and on shared hosting you usually cannot change it at all.
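Pulling the five tips together, here is a complete .htaccess fragment in Apache 2.4 syntax with a fallback for 2.2, placed relative to the block WordPress manages. It is an added example, not code from the original post. It assumes WordPress is installed at the document root (RewriteBase /), that the host's AllowOverride permits FileInfo, Options, Limit and Indexes (AllowOverride All, the usual shared-hosting setting), and that the error page paths under /errors/ are files you have created; those paths and the 10 MiB figure are illustrative. The httpd.conf part at the end is the server-side counterpart for the AccessFileName rename and is commented out so the fragment stays safe to paste into .htaccess as a whole.

```apache
# ---- site .htaccess (document root) ---------------------------------
# Everything between BEGIN/END WordPress is rewritten by WordPress
# whenever permalinks are saved; custom rules live outside it.

# 1) wp-config.php: refuse the file itself and the stray copies editors
#    leave behind (wp-config.php~, wp-config.php.bak, wp-config.php.save).
#    Apache 2.4 uses Require; the IfModule fallback keeps 2.2 working.
<FilesMatch "^wp-config\.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# 5) .htaccess, .htpasswd and anything else starting with ".ht".
#    The stock httpd.conf has this block already; repeating it here
#    covers a host that changed the default.
<FilesMatch "^\.ht">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# 2) No directory listings (wp-content/uploads ships without index.php).
#    Only "-Indexes": mixing "All" with +/- is rejected by Apache 2.4.
Options -Indexes

# 3) Cap any request body at 10 MiB (10 * 1024 * 1024 bytes). Larger
#    requests are answered with HTTP 413 before PHP runs. PHP's own
#    upload_max_filesize / post_max_size still apply underneath this.
LimitRequestBody 10485760

# 4) Custom error pages, served with the real status code. Paths are
#    relative to the document root and the files must exist (hypothetical
#    paths here). 403 is what tips 1 and 5 produce, so give it a page too.
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# ---- httpd.conf / virtual host only (NOT valid in .htaccess) ---------
# Needed only if you rename the per-directory file as in tip 5. The
# stock <Files ".ht*"> deny no longer matches the new name, so the
# rename must travel with an explicit deny for it.
# AccessFileName acl.file
# <Files "acl.file">
#     Require all denied
# </Files>
```

After saving, request /wp-config.php and /.htaccess from a browser or with curl and confirm both return 403 (not 200 and not the site's front page), request a folder without an index file such as /wp-content/uploads/ and confirm it returns 403 rather than a listing, and load an ordinary post to confirm the permalinks still resolve. If the site instead answers 500 everywhere, the host's AllowOverride does not permit one of the directives (Options is the usual culprit); remove that line and ask the host.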
Other References to topics discussed here:
1) If you want to know other ways of hiding your wp-config.php file, look at this wonderful post from Ronald Huereca at Devlounge.
2) Some other good resources related to what we were talking about above are listed below:
a. Almost Perfect htaccess File for WordPress Blogs
b. HTAccess Tutorials from JWRMedia
c. A-Z of Wordpress .htaccess hacks
d. Creating your own custom 404 error page
e. Using htaccess to restrict access to your webdirectories
Hi, Thanks for useful post. I’m complete noob to wordpress. This will help me a lot!!!