PHP SECURITY: Useful .htaccess Snippets Collection Take Better Control of Your Site 2021

PHP SECURITY 2021 Web performance and loading speed are among the hottest topics in the web. If your site or blog is slow, chances are people won’t ever come back. The good news is that some of the most important site optimizations can be achieved by means of .htaccess tricks. In this blog post we provide a useful .htaccess snippets collection with the help of which you’ll be able to redirect URLs, prevent hotlinking, enhance site speed, among many other things.

.htaccess is a special configuration file that provides multiple commands for controlling and configuring the Apache Web Server. However, by no means all web developers know and understand it fully. The true power of .htaccess snippets often goes unnoticed. These can be utilized not only for speeding up your site, but also for SEO optimization and a number of other purposes.

1. SEO-friendly URLs

Websites with clear URL structure rank higher than those with addresses like ‘index.php?product_id=’. Ideally, a SEO-friendly URL should feature a keyword and duplicate some content from your blog post title or the name of the page, which guarantees it will be properly indexed by Google or other search engines.

<Files magic> ForceType application/x-httpd-php5 </Files>

2.Redirect form your old domain to the new one

The technique is better known as 301 redirect. With its help you can redirect both separate pages and the entire sites. To redirect a single page, use code:

Redirect 301 /oldpage.html http://www.yoursite.com/newpage.html

3.For the entire site:

Redirect 301 / http://newsite.com/

In both cases, the old URL comes first, with the address of the new domain following it in the second part of code.

Remove www from URL

For the users’ convenience or for better SEO ranking, you might want to remove www from the URL of your site. With the help of the following code you’ll be able to remove www and forward the users to your site address starting with http:/ ….

RewriteEngine On
RewriteCond %{HTTP_HOST} !^mysite.com$ [NC]
RewriteRule ^(.*)$ http://mysite.com/$1 [L,R=301]

4.Error Pages: None of your visitors should see a blank page when they end up on a broken URL. Instead, create a beautifully-designed and informative error page that would provide the visitors with working links to keep on browsing your site.

ErrorDocument 400 /errors/badrequest.html
ErrorDocument 401 /errors/authrequest.html
ErrorDocument 403 /errors/forbidden.html
ErrorDocument 404 /errors/notfound.html
ErrorDocument 500 /errors/servererror.html

5.Better site speed with better caching: The faster your page loads, the higher your site will rank in search results. Web developers make a struggle to create websites that would smoothly run on both desktop and mobile devices, and not make them wait for long till the site loads. That’s when caching comes in handy. However, at this point there is one important thing to consider – you should make sure there are no other caching systems in place. Additionally, you need to decide on caching length. In the example below you can see how to set files to cache for 24 hours.

<FilesMatch ".(flv|gif|jpg|jpeg|png|ico|swf|js|css|pdf)$">
Header set Cache-Control "max-age=28800"


6.Block access to backup and source files: Some file may go under risk and pose a great security danger when someone has access to them. For it not to happen, apply the following code.

<FilesMatch "(\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|swp)|~)$">
## Apache 2.2
Order allow,deny
Deny from all
Satisfy All

## Apache 2.4
# Require all denied

7.Password protect a directory: Protecting documents, images and other data from unauthorized users is of high value. Of course, you can accomplish this by means of PHP to ask users for login authorization information, however the same can be done much easier and effectively with .htaccess. You will need to prepare two files – the first one is the .htaccess file with code and another one is .htpasswd file with usernames and passwords off all the allowed users. Here is how the .htaccess file looks like.

AuthType Basic
AuthName "restricted area"
AuthUserFile /home/davidwalsh/html/protect-me-dir/.htpasswd
require valid-user

8.Gzip compression:Compression of HTML and CSS files is quite popular now as it provides for faster page loading. If for some reason you still don’t compress files on your site, it’s high time to start practicing it. Add this code to the .htaccess file on your server.


mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*


9.Ban someone from your site: If you don’t want particular users or some malicious parties to have access to your site content, then you can easily ban them from your website with the help of the following code:


order allow,deny
deny from 123.456.78.9
deny from 987.654.32.1
allow from all


10. Add HTTP To HTTPS Secure Website: At this point if you go to https://yoursite.com you should see it load! Congrats, you’ve successfully installed SSL and enabled the HTTPS protocol! But your visitors aren’t protected just yet, you need to make sure they’re accessing your site through HTTPS!Keep in mind that you typically only need to protect a few pages, such as your login or cart checkout. If you enable HTTPS on pages where the user isn’t submitting sensitive data on there, it’s just wasting encryption processing and slowing down the experience. Identify the target pages and perform one of the two methods below. You can update all links to the target pages to use the HTTPS links. In other words, if there’s a link to your cart on your home page, update that link to use the secure link. Do this for all links on all pages pointing to the sensitive URLs.However, if you want to ensure that people can only use specific pages securely no matter what links they come from, it’s best to use a server-side approach to redirect the user if it’s not HTTPS. You can do that with a code snippet inserted on top of your secure page. Here’s one in PHP:

• Redirect All Web Traffic: If you have existing code in your .htaccess, add the following:

• Redirect Only a Specific Domain: For redirecting a specific domain to use HTTPS, add the following:

• Redirect Only a Specific Folder: Redirecting to HTTPS on a specific folder, add the following: