Guide to the .htaccess File

What is the .htaccess file?
.htaccess (Hypertext Access) is a configuration file for Apache and LiteSpeed web servers. At BeoHosting you edit it through the cPanel control panel. It is located in the root directory of your site and lets you control server behavior at the directory level - without access to the main server configuration. This makes it extremely useful on shared hosting where you do not have access to httpd.conf.
The leading dot in the name means the file is hidden on Linux/Unix systems. Some FTP clients and file managers do not show it by default, so check their options for showing hidden files. In cPanel, File Manager has a "Show Hidden Files" option in its settings.
Where is .htaccess located?
The main .htaccess file is in your site's root directory (public_html or htdocs). Rules in it apply to all files and subdirectories. You can have additional .htaccess files in subdirectories with rules specific to that directory - they override rules from the parent .htaccess for files in that directory.
Redirects
301 permanent redirect
A 301 redirect tells search engines that the page has permanently moved to a new address. SEO value (link juice) transfers to the new URL. Use it when changing URL structure, moving the site to a new domain, or consolidating multiple URLs into one.
- Redirecting one page: Redirect 301 /old-page /new-page - redirects a specific path to a new one.
- Redirecting an entire domain: Use RewriteRule with an HTTP_HOST condition to redirect all traffic from one domain to another.
- Redirecting www to non-www: A RewriteCond for HTTP_HOST that checks for a www prefix and redirects to the non-www version (or vice versa).
302 temporary redirect
A 302 redirect is temporary - it tells search engines to keep the old URL in the index, because the page may return to the old address. Use it for temporary promotions, A/B testing, or maintenance.
Forcing HTTPS
One of the most common uses of .htaccess is redirecting HTTP traffic to HTTPS. For this you need an installed SSL certificate that enables HTTPS. This is essential for site security and SEO rankings. The rule uses RewriteCond to check whether the connection is already HTTPS (via the HTTPS variable or the X-Forwarded-Proto header) and, if not, performs a 301 redirect to the HTTPS version of the same URL.
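The HTTPS and host redirects described above, written out as an added example (not BeoHosting's own configuration). example.com and old-example.com are placeholder domains. The X-Forwarded-Proto condition is an assumption that only makes sense when a TLS-terminating proxy or CDN in front of the server sets that header.

```apache
# Added example; example.com and old-example.com are placeholders.
RewriteEngine On

# 1) Force HTTPS.
#    %{HTTPS} is "on" for a direct TLS connection. X-Forwarded-Proto is a
#    request header: keep the second condition only if a trusted proxy sets
#    it, because a client talking to the server directly can send any value.
#    Both conditions must hold (implicit AND) before the redirect fires,
#    which is what prevents a redirect loop once the request is HTTPS.
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]

# 2) www -> non-www.
#    The target host is hard-coded instead of echoing %{HTTP_HOST}, so the
#    Location header never reflects a client-supplied Host value.
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]

# 3) Old domain -> new domain, keeping the requested path.
#    The query string is carried over automatically.
RewriteCond %{HTTP_HOST} ^(www\.)?old-example\.com$ [NC]
RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]
```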
Security rules
Protect access to sensitive files
Block access to files that should not be publicly accessible. A FilesMatch directive with regular expressions can block access to configuration files like .htaccess, .env, wp-config.php, php.ini, and similar. The server returns 403 Forbidden when someone tries to access these files.
Disable directory listing
The "Options -Indexes" option prevents Apache from showing a file list in a directory without an index file. Without this option, anyone can see all files in a directory by simply visiting the directory URL.
Blocking malicious bots
Use RewriteCond with the HTTP_USER_AGENT variable to block known malicious bots, scrapers, and spam crawlers. You can use regular expressions to match multiple user-agent strings and redirect them to a 403 page or simply block access.
Hotlinking protection
Hotlinking is when other sites use your images directly from your server, consuming your bandwidth. A RewriteCond rule checks the HTTP_REFERER header and blocks image requests (jpg, jpeg, png, gif, svg) not coming from your domain. You can even redirect hotlinked images to a placeholder image that says hotlinking is blocked.
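The four security rules above in one place, as an added example that is not part of the original guide. It assumes Apache 2.4 syntax; example.com and the two bot names are constructed placeholders.

```apache
# Added example; example.com and the bot names are placeholders.

# Return 403 for direct requests to configuration and secret files.
# FilesMatch tests the file name only, so this applies in every subdirectory.
<FilesMatch "^(\.htaccess|\.env|wp-config\.php|php\.ini)$">
    Require all denied
</FilesMatch>

# No auto-generated listing for directories that lack an index file.
Options -Indexes

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Refuse requests whose User-Agent matches a block list.
    # The header is chosen by the client, so this only filters bots that
    # identify themselves honestly; it is not an access control.
    RewriteCond %{HTTP_USER_AGENT} (ExampleBadBot|ExampleScraper) [NC]
    RewriteRule ^ - [F]

    # Hotlink protection for images.
    # An empty Referer is allowed so that direct visits and privacy tools
    # that strip the header still get the image.
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/|$) [NC]
    RewriteRule \.(jpe?g|png|gif|svg)$ - [F,NC]
</IfModule>
```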
Caching
Properly configured caching dramatically speeds up your site for returning visitors. The browser caches files locally so they do not need to be downloaded again on every visit.
Cache settings by file type
Use mod_expires to control how long browsers cache different file types:
- Images (jpg, png, gif, svg, webp): 1 year - images rarely change.
- CSS and JavaScript files: 1 month - they change more often than images but not daily.
- Fonts (woff, woff2, ttf): 1 year - fonts practically never change.
- HTML pages: Short or no cache - content updates often.
- PDF and documents: 1 month - updated occasionally.
GZIP compression
GZIP compression reduces the size of files sent to the browser, typically by 60-80%. Use mod_deflate to compress text/html, text/css, application/javascript, application/json, text/xml, and similar text formats. Do not compress images because they are already compressed.
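The cache lifetimes and compression settings above as directives, in an added example that does not come from the original guide. The MIME types are assumptions about how the server maps file extensions; check them against the Content-Type headers your server actually sends.

```apache
# Added example; MIME types assume a current Apache mime.types mapping.
<IfModule mod_expires.c>
    ExpiresActive On

    # Images: 1 year
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"

    # CSS and JavaScript: 1 month
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType text/javascript "access plus 1 month"

    # Fonts: 1 year
    ExpiresByType font/woff "access plus 1 year"
    ExpiresByType font/woff2 "access plus 1 year"
    ExpiresByType font/ttf "access plus 1 year"

    # HTML: no browser cache, so content updates show immediately
    ExpiresByType text/html "access plus 0 seconds"

    # PDF and documents: 1 month
    ExpiresByType application/pdf "access plus 1 month"
</IfModule>

# Compress text formats only; images are already compressed.
# On Apache 2.4 AddOutputFilterByType is provided by mod_filter.
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/css text/xml text/plain
    AddOutputFilterByType DEFLATE application/javascript application/json
</IfModule>
```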
Custom error pages
Instead of generic server errors, you can show custom pages styled to match your site that help visitors find what they are looking for.
- ErrorDocument 404: The page shown when the requested page does not exist. Include site search, popular links, and contact info.
- ErrorDocument 403: Shown when access is forbidden. Explain why and offer an alternative.
- ErrorDocument 500: Internal server error. Explain that the problem is temporary and offer support contact.
- ErrorDocument 503: Service unavailable. Useful for showing a maintenance page with expected return time.
Useful snippets for everyday use
Blocking an IP address
Use Require directives (Apache 2.4+) or Order/Deny (Apache 2.2) to block specific IP addresses or ranges. This is useful for blocking known attackers or unwanted visitors.
Protecting WordPress admin
Restrict access to the wp-admin directory and wp-login.php to specific IP addresses. This dramatically reduces brute-force attacks on your WordPress site. You can also add HTTP authentication as an extra protection layer.
Setting PHP values
On shared hosting you can change PHP configuration via .htaccess using php_value and php_flag directives: upload_max_filesize for upload size, max_execution_time for script timeout, memory_limit for RAM, and post_max_size for POST request size.
Maintenance redirect
When you are working on the site and want to show visitors a maintenance page, use RewriteCond to check whether the visitor is from your IP (let yourself through) and redirect everyone else to a maintenance.html page. Use a 302 (temporary) redirect, never 301.
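The IP blocking, WordPress login restriction and maintenance redirect described above, as an added example that is not taken from the original guide. It assumes Apache 2.4; all addresses are reserved documentation ranges standing in for real ones, with 192.0.2.10 playing the administrator's IP.

```apache
# Added example; every IP address here is a placeholder.
# Behind a proxy or CDN the server sees the proxy's address, not the
# visitor's, unless the real client IP is restored (e.g. by mod_remoteip).

# Block specific addresses or ranges while allowing everyone else.
# "Require not" is only valid inside a container with a positive Require.
<RequireAll>
    Require all granted
    Require not ip 203.0.113.0/24
    Require not ip 198.51.100.7
</RequireAll>

# Root .htaccess: only the administrator's address may reach the login page.
<Files "wp-login.php">
    Require ip 192.0.2.10
</Files>

# For the wp-admin directory, place the following in wp-admin/.htaccess
# instead (a <Directory> block is not allowed inside .htaccess):
#
#   Require ip 192.0.2.10
#   <Files "admin-ajax.php">
#       Require all granted
#   </Files>
#
# admin-ajax.php stays open because front-end features of themes and
# plugins call it for ordinary visitors.

# Maintenance mode: everyone except the administrator is sent to
# /maintenance.html with a temporary (302) redirect. The second condition
# excludes the maintenance page itself, which prevents a redirect loop.
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !=192.0.2.10
RewriteCond %{REQUEST_URI} !^/maintenance\.html$
RewriteRule ^ /maintenance.html [R=302,L]
```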
Common errors and troubleshooting
- 500 Internal Server Error: The most common error. Usually means a syntax error in .htaccess. Check server logs (Error Log in cPanel) for details. Remove rules one by one until you find the problematic one.
- Redirect loop: Happens when two rules redirect to each other. Use RewriteCond conditions to avoid the loop (e.g. check if already HTTPS before redirecting).
- Rules not working: Check whether mod_rewrite is enabled. On LiteSpeed, Apache rules usually work, but there can be differences. Also check that .htaccess has proper permissions (644).
- UTF-8 issue: Save the .htaccess file in UTF-8 encoding without BOM (Byte Order Mark). BOM can cause unexpected behavior.
Conclusion
.htaccess is a powerful tool that gives you server-level control over your site. From redirects and security through caching to custom error pages - proper configuration can dramatically improve performance, security, and SEO. Always make a backup before changes, test rule by rule, and use server logs to diagnose problems.
BeoHosting Team
10+ years of experience — Web hosting and infrastructure specialists