What are .htaccess Files and their Uses

In this article, we will explain what are .htaccess files; what are their uses; and provide some examples of useful commands.

Updated: 14 Dec, 21 by Elizabet J 14 Min

List of content you will read in this article:

The .htaccess file is a robust website file that controls the high-level configuration of a website. It is supported by many web servers, such as the famous Apache webserver. The .htaccess file performs at the level of a directory which allows these files to revoke the global configuration setting of .htaccess. Similarly, .htaccess enables people to make changes to their website's configuration without any need for editing server configuration files. 

.htaccess files can modify the Apache server software setup to enable additional functionality and features that the apache web server draws to the table. We can utilize the .htaccess file for the exchange of several configurations in apache web server software. Also, anyone can use the .htaccess file to have greater control over several aspects of the Apache webserver. Below, you will learn some of the crucial information you must know about the .htaccess file. 

.htaccess means "hypertext access." The name comes from the tool's directory, which controls users' access to specific files based on per-directory. The .htaccess allows a system administrator to regulate access to individual directories to users with a password and name particularized in a .htpasswd file. It happens with a portion use of Apache's httpd.conf settings directives. While .htaccess files are used for restriction purposes, there are also many other uses that we will convert in this article. 

  • Some of the common utilization of .htaccess is the following:
  • Redirecting URLs
  • Enabling password protection for any websites and pages
  • Showing custom error pages like 404 ages 
  • Boosts SEO with a consistent trailing slash policy 
  • It also allows creating error pages for your site, such as 400 Bad Request, 500 Internal Error, and 403 Forbidden Page. 
  • Moreover, the .htaccess page gives you immense flexibility for building up your website. 

In theory, every directory folder on your server should have one. Generally, there is one main webroot folder that holds all the content of your website. It is usually labeled such as www. Or public_html. 

Suppose you have one directory that combines several website subdirectories; there will generally be a .htaccess file in the primary root (public_html) file.

In every file system, file names that started with a dot (.) are invisible files. It means they are not usually visible by default. Which doesn't mean it is hard to get. The File Manager or FTP client-server should have a setting to see these hidden files. Perhaps, this will be in several programs but is generally in "Folder Options.", "Settings" or "Preferences." You can also find it in the "View." 

First, you should make sure that you have intentionally turned on the "show hidden file" option from your setting. It will verify whether you have a .htaccess file or not. Many times, .htaccess files are formed automatically, so chances are you may have one. Sometimes this case isn't always happening. You can create a new one if you don't have a .htaccess file. Follow the steps mentioned below. 

  • You have to begin with a new file in a plain text editor. 
  • You can save it in ASCII format as .htaccess (Don't use UTF-8 or any other form)
  • Now make sure that it isn't htaccess.txt or related like that. 
  • Finally, you have to upload it to the relevant directory via FTP or through your browser's filer manager.

Till now, we understood the essential dynamics of the .htaccess file. Now we will learn error handling specifications by .htaccess files. With the use of .htaccess files, it is very simple to specify error documents. Let's understand this concept. 

Once a request is claimed to a web server, it strives to respond to that particular request. It is generally delivering a document in the event of HTML pages. Or it can be by accessing an application and returning the output in the event of web applications and content management systems. 

If something goes abnormal with it, an error is formed. There are different types of errors that occur through other codes, as you show above in the example of 404 error. It happens if the document cannot be searched on the webserver. 

Let's have a view of some of the most popular errors and their causes. 

Client Request Errors

400 — it means a bad request 

401 — permission required

402 — payment required

403 — Forbidden

404 — not found an error

405 — Method Not Allowed

406 — Not Acceptable (encoding)

407 — Proxy Authentication Required

408 — Request Timed Out

409 — Conflicting Request

410 — Gone

411 — Content-Length Required

412 — Precondition Failed

413 — Request Entity Too Long

414 — Request URI Too Long

415 — Unsupported Media Type

Server Errors

500 — Internal Server Error

501 — Not Implemented

502 — Bad Gateway

503 — Service Unavailable

504 — Gateway Timeout

505 — HTTP Version Not Supported.

If you don't define any error handling, the service will automatically return the text to the browser. Afterwards, the browser will display a standard error message in the text form to the use. 

You have to create an HTML document for the error code you want to display. You can also name these errors whatever resonates with you. It is more beneficial to name something that will showcase and help you remember—for example, not-found.html or 404.html. Afterwards, in the .htaccess file, define which document to display with each type of error. 

  • ErrorDocument 404 /errors/not-found.html
  • ErrorDocument 500 /errors/server-err.html
  • ErrorDocument 401 /errors/auth-reqd.html
  • ErrorDocument 403 /errors/forbid.html
  • ErrorDocument 400 /errors/bad-request.html

As you can see, each directive is placed in its position.

One of the most useful content management systems like Drupal and WordPress, including other web applications, has its native way of handling more of these error codes.

As we discussed, the primary purpose of .htaccess files was to regulate the access to specific directories on a per-user basis, including the name and hypertext access altogether. Now we will further illustrate more about the password protection appliance with .htaccess. 


Usernames and passwords for the .htaccess system are stored in a file name .htpasswd.

In the file name called ".htpasswd," usernames and passwords are stored.

These are layered each on a single line. For example:

Username: the encrypted password

For example:


It's crucial to acknowledge that the password stored in the file isn't the original password used to log in. Instead, it is another graphic crypto hash of the password. 

It means the password has been running with an encryption algorithm, and the result is layered. When a client logs in through the plain text password, it runs through the same encryption algorithm. If the input is the same, the passwords match, then the client can access the content. 

Storing passwords on these algorithms makes them more robust. If someone tries to access your .htpasswd file, they would only see the cryptographically hashed passwords that are not original. Also, there is no way to reconstruct the original password from these fake texts due to encryption algorithms. 

For secure algorithms:-

  • bcrypt: It has a robust security function, but it is also the slowest measure. Nginx and Apache 
  • md5: It is the default hashing algorithm performed by the current version of Apache servers. However, it is not authorized by Nginx. 
  • Insecure Algorithm: you should not use.
  • Crypt ():  It is used to the default hashing algorithm, but it is vulnerable and not very secure. 

Besides, you should not give importance to both SHA and Salted SHA functions. 

Directly from the command line and SSH terminal, you can create a .htpasswd file and add username-password. The command for applying for the .htpasswd file is htpasswd.  If you want to create a new .htpasswd file, use the command together with the -c option for building. Afterward, type the path to the directory (don't add the URL). Besides, you can easily add any user as per your requirement.

> htpasswd -c /usr/local/etc/.htpasswd Leesnmith

It creates a new .htpasswd file in the /etc/directory and indexes a record for a user named Lessnmith. You can also store the password using md5 encryption.

Suppose there is already a .htpasswd file at some particular address, then new users will be appended to the existing file.  On the other hand, if you prefer to see the bcrypt hashing algorithm, you should use the -b option.

Suppose you are not comfortable using the SSH terminal or command line. Or, if you are not able to access it, you can quickly create a .htpasswd file. Afterward, proceed with using a plain text editor and upload it on the FTP or file manager.  After all that procedure, you will have to encrypt your passwords. 

There are many ways .htpasswd encryption services available online. Perhaps the best one is the htpasswd generator at Asprine.org. It provides various options for hashing algorithms and password strength. You can quickly copy-and-paste the output in your .htpasswd file.

It is not required to have a separate .htpasswd file for every .htaccess file. It can be one for your entire web hosting account or leading server directory under most ordinary situations. Another critical thing is, the .htpasswd file should not be in a publicly accessible directory, including not any subdirectory or public_html or www. It should be in an entirely different location, which is only attainable only from the server.

Remember, each directory can have its native .htaccess file, with its native range of users authorized to access it. Suppose you need any directories that range from non-logged-in users to access the directory and its files. You don't have to add any other algorithm because there is a default setting. In order to restrict access you have to add the following to the .htaccess file:

AuthUserFile /usr/local/etc/.htpasswd

AuthName "Name of Secure Area"

AuthType Basic

<Limit GET POST>

require valid-user


The first line showcases the path and file name to your list of usernames and passwords. The second line showcases a name for the protection area. It can be whatever you like. The third line showcases "common or basic" authentication, which is what everyone usually searches for.

The <Limit> tag showcases what is being limited in posting or getting to any directory file. Under the pair of <Limit> tags is the list of authorized users who can access files.  If you want to regulate access to a particular user or some users, you can function their name. 

AuthUserFile /usr/local/etc/.htpasswd

AuthName "Name of Secure Area"

AuthType Basic

<Limit GET POST>

require user Leesnsmith

require user janedoe


You can also put users into the ground and allow access based on this group. It can be articulated by adding another file that showcases the groups.   The group file which can be named, for example, .htgroup like this: 

Admin: Leesnsmith janedoe

Staff: Lee acrostic

Afterward, you can showcase it in your .htaccess file: 

AuthUserFile /usr/local/etc/.htpasswd

AuthGroupFile /usr/local/etc/.htgroup

AuthName "Admin Area"

AuthType Basic

<Limit GET POST>

require group admin


If you have many static files, it only makes sense to use .htaccess and .htpasswd to restrict some particular files' access. 

This feature was created when websites used to be a collection of HTML documents and correlated resources.

If you are working on a content management system (CMS) like WordPress or Drupal, you must acquire the built-in user management system to restrict or grant permission to access the content. 

In the above post, we have discussed some of the critical factors of the .htaccess file and its uses. At the same time, we discussed the correct definition of the .htaccess file and its robust security features. The .htaccess file is a configuration file read and performed by the server. It can override many server configuration elements. We also learned the .htaccess could be used for authorization, website optimization, URL rewriting, and, most importantly, cache control. In content management applications such as WordPress, it is commonly used for rewrite URLs and search engine optimization. 

Thus, the .htaccess file greatly influences the ranking factors of a website. The .htaccess file improves your website's search engine optimization. As we discussed, it is a distributed server configuration file for the Apache web server, so you can easily use it for modification and create redirection, HTTP headers, manage to crawl, and many more. However, it helps developers write and deeply a .htaccess file that can specifically solve complex SEO problems. 

Elizabet J

Elizabet J

One OF my major goals is getting new experiences about ICT and what’s more making progress through this field.