.htaccess Guide: Hidden Settings, Redirects, and Security

The .htaccess file is a local configuration file that allows you to control specific settings of your website directly within the respective directory. It is commonly used in web hosting environments with cPanel to set up redirects, enforce HTTPS, disable directory listings, restrict access, or implement specific security rules.

For many website owners, .htaccess is one of the most important files in web hosting, even if it seems inconspicuous at first glance. The filename begins with a dot, which is why it is treated as a hidden file by default in many file managers. It plays a crucial role especially in content management systems like WordPress, Joomla, or other PHP applications, for example, for search-engine-friendly URLs, redirects, and access protection.

Important Security Note:
An incorrect .htaccess file can cause your website to become unavailable and display an error such as a 500 Internal Server Error instead. Therefore, always create a backup copy of the existing file before making any changes. Only modify a few lines at a time and test your website immediately afterwards.

What exactly is the .htaccess file?

The .htaccess is a configuration file that contains instructions for the web server. These instructions usually apply to the directory in which the file is located, as well as its subdirectories. For instance, if the file is located in the public_html folder, it can affect the behavior of the entire website.

Typical tasks of an .htaccess file include:

  • Redirecting old URLs to new ones
  • Enforcing HTTPS connections
  • Redirecting from www to the domain without www or vice versa
  • Protecting against directory listings
  • Blocking individual IP addresses
  • Protecting specific files from direct access
  • Defining custom error pages
  • Technical rules for content management systems like WordPress

The .htaccess file is powerful but should be edited with caution. Not every possible Apache directive is allowed in every hosting environment. If a rule is not supported or contains errors, it can lead to an error message.

Where is the .htaccess file located in cPanel?

In most cases, the most important .htaccess file for your website is located in the main directory of the website. For a primary domain, this is often the public_html folder. For addon domains, subdomains, or separately installed applications, the file may also reside in a different directory.

How to find the file in the cPanel File Manager:

  1. Log in to your cPanel account.
  2. Open the File Manager section.
  3. Navigate to your website's folder, often public_html.
  4. Click on Settings in the top right corner.
  5. Enable the option Show Hidden Files (dotfiles).
  6. Click on Save.
  7. The .htaccess file should now be visible, provided it already exists.

If no .htaccess file is present, it can be newly created if needed. Make sure to use the exact filename: .htaccess. No file extension like .txt must be appended.

Always create a backup before making changes

Before editing the file, you should create a backup copy. This is particularly important because even a minor typo can block the website.

  1. Select the .htaccess file in the cPanel File Manager.
  2. Click on Copy or download the file to your computer.
  3. Save the copy as .htaccess-backup or htaccess-backup.txt, for example.
  4. Only then proceed to edit the active .htaccess file.

If an error occurs after a change, you can undo the last modification or restore the backup.

Practical .htaccess examples

The following examples show commonly used rules. Do not copy code blindly into your website; always check whether similar rules already exist. Especially with WordPress and other CMS systems, the order of the rules is important.

1. Enforce HTTPS

This rule automatically redirects visitors from http:// to https://. This requires a valid SSL certificate to be active for the domain.

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

A permanent redirect with R=301 signals to browsers and search engines that the HTTPS version should be used permanently. After setting it up, you should test several subpages of your website.

2. Redirect from www to non-www

If you want your website to be consistently accessible without www, you can use the following rule. Replace example.ch with your own domain.

RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.example\.ch$ [NC]
RewriteRule ^(.*)$ https://example.ch/$1 [L,R=301]

A consistent domain variant makes sense from an SEO perspective, as it reduces duplicate content across different domain variants.

3. Redirect from non-www to www

If instead you want your website to always be called with www, use this variant. Here too, replace example.ch with your own domain.

RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.ch$ [NC]
RewriteRule ^(.*)$ https://www.example.ch/$1 [L,R=301]

It is important to decide on one variant. Do not use contradictory redirects for www and non-www at the same time.

4. Permanently redirect a single page

If the URL of a page has changed, you can permanently redirect old addresses to new addresses. This is particularly important so that visitors and search engines do not end up on a 404 error page.

Redirect 301 /alte-seite.html https://example.ch/neue-seite.html

This rule is suitable for simple redirects of individual pages. For more complex URL structures, RewriteRule directives are often more flexible.

5. Disable directory listing

If a directory does not contain an index file such as index.php or index.html, the server might display a list of the contained files. This is usually undesirable for security and privacy reasons.

Options -Indexes

With this rule, you prevent visitors from seeing the contents of a directory as a file list.

6. Block a single IP address

With Apache 2.4, access protection is managed via the Require directive. The following example blocks a specific IP address. Replace 203.0.113.10 with the respective IP address.

<RequireAll>
    Require all granted
    Require not ip 203.0.113.10
</RequireAll>

Blocking individual IP addresses can be helpful in case of suspicious access. However, it does not replace a comprehensive security solution, as attackers can change IP addresses or access via networks with dynamic addresses.

7. Block access to sensitive files

Certain files should never be directly accessible via the browser. This can include backup files, configuration files, or development files, for example.

<FilesMatch "^(\.env|composer\.json|composer\.lock|package\.json)$">
    Require all denied
</FilesMatch>

This rule blocks direct access to some typical technical files. Whether these files should be present in your web directory depends on your application. When in doubt, sensitive configuration files should not be stored in the publicly accessible web directory in the first place.

8. Define a custom error page for 404 errors

A custom error page can help visitors if a page is not found. Instead of a standard technical message, you can display a helpful page with navigation, a search function, or contact options.

ErrorDocument 404 /404.html

The 404.html file must exist in the specified path. Alternatively, a PHP file can also be used if your website is configured for it.

Important notes for WordPress websites

WordPress frequently uses the .htaccess file for so-called permalinks, which are search-engine-friendly URLs. The WordPress block typically looks similar to this example:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Only edit the WordPress block if you know exactly what you are doing. Many rules should be inserted either above or below this block. If the WordPress block is corrupted, subpages of your website may no longer be properly accessible.

If you notice errors after changing WordPress permalinks, you can resave the permalink structure in the WordPress admin area under Settings > Permalinks. This often causes WordPress to recreate the required rules.

Common errors during .htaccess adjustments

Many problems with .htaccess do not arise from complex technical causes, but rather from minor syntax errors or conflicting rules. Pay close attention to the following points:

  • Duplicate RewriteEngine rules: Multiple RewriteEngine On lines are usually not critical, but they can make the file harder to read.
  • Endless redirect loops: These occur when a redirect points back to itself or encounters a conflicting rule.
  • Incorrect domain names: Placeholders like example.ch must always be replaced with your actual domain.
  • Outdated Apache syntax: Older examples using Order Allow,Deny, Deny from, and Allow from come from Apache 2.2 and are no longer the recommended syntax in modern Apache 2.4 environments.
  • Rules in the wrong place: In CMS systems, the order of the rules can be decisive.
  • Missing SSL requirement: HTTPS redirects only work correctly if a valid SSL certificate is active for the domain.

What to do in case of a 500 Internal Server Error?

If your website is no longer accessible after a change to the .htaccess file, proceed calmly and systematically:

  1. Open the cPanel File Manager.
  2. Navigate to the affected website directory.
  3. Rename the .htaccess file as a test, for example to .htaccess-broken.
  4. Call your website again in the browser.
  5. If the website is accessible again, the error is very likely located in the .htaccess file.
  6. Compare the file with your backup copy or remove the rule you last inserted.

For WordPress, it may subsequently be necessary to resave the permalinks in the admin area so that WordPress generates a correct .htaccess file again.

Best practices for a clean .htaccess file

  • Create a backup copy before making any changes.
  • Insert new rules step by step and test your website afterwards.
  • Comment your own rules using # so that it remains clear later what they are intended for.
  • Avoid duplicate or contradictory redirects.
  • Use permanent 301 redirects only if the change is meant to be permanent.
  • Keep sensitive files outside of the publicly accessible web directory whenever possible.
  • After making changes, test not only the homepage, but also subpages, forms, login areas, and media files.

FAQ regarding the .htaccess file

Why can't I see the .htaccess file in cPanel?

Files that begin with a dot are treated as hidden files. In the cPanel File Manager, under Settings, enable the option Show Hidden Files (dotfiles).

Can I delete the .htaccess file?

You should only do this if you know what function the file performs on your website. For WordPress and many other applications, deleting it can cause subpages, redirects, or security rules to stop working. Always create a backup beforehand.

Why does a small change cause an error immediately?

The .htaccess file is evaluated directly by the web server. Even an invalid directive, a wrong character, or an unsupported option can cause the server to abort the request with an error.

Is .htaccess a replacement for a security plugin or a firewall?

No. The .htaccess file can complement certain protective measures, but it does not replace a complete security strategy. Updates, secure passwords, up-to-date applications, backups, and appropriate protection mechanisms remain essential.

Should I set up redirects via .htaccess or via my CMS?

This depends on the use case. Individual, simple redirects can be set up directly via .htaccess. For a large number of redirects or editorial management, a CMS plugin is often clearer. Technical redirects, such as HTTPS or www redirects, are frequently best placed in the .htaccess file.

Summary:
The .htaccess file is a powerful tool for controlling your website. It is suitable for redirects, HTTPS rules, access protection, and other technical settings. At the same time, it should be edited with caution, as faulty rules can immediately impair your website. Therefore, always work with backup copies and test changes thoroughly.

Is your website showing an error after a change, or are you unsure which rule is correct?
First, remove the last change or restore your backup copy. If you have any questions, the CURIAWEB Support team will be happy to assist you.

Was this answer helpful? 1 Users Found This Useful (1 Votes)

Most Popular Articles

Images

Edit Images Directly in cPanel: Thumbnails, Scaling, and Conversion Images are among the most...
File Manager Guide: Manage website files directly in your browser

File Manager Guide: Managing Website Files Directly in Your Browser The cPanel File Manager is...
File and Directory Restoration

Restore Files and Folders: How to Use the cPanel Backup Restore It can happen quickly: an...
FTP & SFTP Guide: Transfer files securely and manage accounts

FTP & SFTP Guide: Transfer Files Securely and Manage Accounts If you regularly upload...
Git Version Control: Hosting and managing repositories in cPanel

Git Version Control: Hosting and Managing Repositories in cPanel With Git Version Control in...