Complete .htaccess File Tutorial: What It Is & How to Use It

What Is an .htaccess File?

An .htaccess file is a website file used to configure certain aspects of your site. Like redirects, customized error pages, and more. All without having to edit the main server configuration files.

It’s used on servers that run Apache, an open-source web server software. If your website runs on Nginx instead, you won’t have an .htaccess file.

Here’s an example of what an .htaccess file might look like for a WordPress website:

.htaccess file of a WordPress website showing various lines of code including rewrite rules and conditions.

Where Is the .htaccess File?

Your .htaccess file is usually located in the root directory of your website whether you’re using a content management system like WordPress or you created the site from scratch.

One way to access your site’s root directory is through your web host, typically through a file manager interface. Which is a directory within your web host where you can access and edit your site’s files—like your .htaccess file.

Your web host’s server files might look similar to the file folders you have on your computer:

But the exact location of an .htaccess file depends on its purpose.

For example, say you have an .htaccess file in the “image” directory of your website. The directives within that .htaccess file would only affect files in that directory.

But if your .htaccess file is in the root directory of your website—the folder that contains your main website files—the file’s directives would apply to all the files (and pages) on your site.

Website host file manager showing the .htaccess file is inside the public_html folder, or root directory.

How to Edit Your .htaccess File

If you’re using WordPress, an .htaccess file should already have been generated when you installed WordPress (we’ll go over what to do if this isn’t the case in the next section.)

And there are three main ways to edit it:

1. File Manager

Many web hosts offer the ability to access key website files through a file manager.

To do this, log in to your host, head to your file manager, and locate your .htaccess file.

Your .htaccess file is likely located in your root folder. The root folder is titled “public_html” in our example below:

Website hosting file manager showing .htaccess file under the public_html root directory.

Double click “.htaccess” to open the plain text editor.

Then, make any changes—like adding or removing directives—and hit the save button.

.htaccess file editor within a web host's file manager.

2. FTP Client

A file transfer protocol (FTP) client is an application that lets you transfer files between your computer and your website. Cyberduck is an example of an FTP client.

You need to set up an FTP client if you don’t have one. Which may entail reaching out to your host for the details you need to connect to it.

Once you’re set up with an FTP client, you can log in to your site via FTP. We’ll use Cyberduck for our example.

Click “Open Connection” and enter your login details. Your web host usually provides these.

Cyberduck FTP client interface showing ability to open a connection to a website's files and an area to input login credentials.

Next, enable hidden files. Any files that begin with a dot (like the .htaccess file) are hidden by default. Meaning you can’t view—or edit—them.

To show hidden files in Cyberduck, go to “Edit” > “Preferences” > “Browser” and check the box next to “Show hidden files.”

Cyberduck FTP client browser with the option to show hidden files.

Exit out of the preferences. Then, locate your .htaccess file. Again, it’s likely in your root folder.

Select the file and click “Edit.”

Cyberduck FTP client interface with access to a website's public_html files.

This opens your .htaccess file on your computer as a plain text file.

Make any edits directly in the file and hit save. Your saved changes are automatically added to your .htaccess file.

3. WordPress Plugin

Plugins like Yoast make it easy to edit your .htaccess file from your site’s backend.

Then click “Yoast SEO” and select “Tools.”

Yoast SEO WordPress plugin sidebar menu.

Click “File editor.”

Yoast SEO WordPress plugin option to edit files.

Scroll to the .htaccess file area and make your edits directly in the text box. And save them by clicking “Save changes to .htaccess.”

Yoast SEO WordPress plugin .htaccess file editor screen.

How to Create an .htaccess File

If you don’t already have an .htaccess file, follow the instructions below to create one yourself.

File Manager

To create an .htaccess file in your host’s file manager, select the folder you’d like your .htaccess file to be in. And keep in mind that the .htaccess file can affect the directory you put it in and its subdirectories.

Then click the new file button.

Web host's file manager showing the option to create a new file within the root directory.

Next name your file “.htaccess” (with the dot). Click “Confirm.”

Web host interface for creating a new file with the name ".htaccess."

You now have an .htaccess file ready to edit.

Web host file manager showing a blank .htaccess file created from scratch.

FTP Client

To create an .htaccess file using your FTP client, save a plain text file on your computer as “.htaccess” (with the dot). You can create a plain text file using apps like the Notepad.

Then, within your chosen FTP client (we’re using Cyberduck), select the directory you want to place the .htaccess file in (like “public_html”). And click “Upload” and select the .htaccess file saved to your computer.

Cyberduck FTP client interface showing option to upload a new file.

Your .htaccess file is now ready to use.

4 Common .htaccess Directives

These four .htaccess directives can help you improve and customize your site.

1. Add Redirects Using .htaccess

You can redirect URLs using .htaccess in several ways depending on what you want to redirect.

Before adding some types of redirects, you may need to load the RewriteEngine module by adding this directive to your .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine On
</IfModule>

Then, add your redirect directives under this module.

We’ll include the “RewriteEngine On” code where required in each example below for clarity. But depending on how your .htaccess file is set up, you may not need to include it each time.

Redirect Individual URLs

Redirect individual URLs with this directive:

Redirect 301 /old-page/ https://www.yourdomain.com/new-page/

The “old-page” should mention the URL path—the portion that comes after your domain. This should begin with a slash.

And the second part should be the new page’s full URL.

Users will be automatically redirected to the new page whenever they try to access the URL from the old page.

Redirect WWW URLs to Non-WWW URLs

If your domain uses the www subdomain, you can use your .htaccess file to redirect it to the non-www version with this directive:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^www.yourdomain.com [NC]
RewriteRule (.*) https://yourdomain.com/$1 [L,R=301]

Redirect Subfolders to New Locations

A subfolder is a folder that exists within another folder on your site. For example, in “www.yourdomain.com/blog,” the “blog” part is a subfolder.

And you can redirect subfolders to different locations on your domain using the .htaccess file with this directive (using your URL paths):

RewriteEngine On
RewriteRule ^/?blog/(.\*)$ /news/$1 [R,L]

In the above example, any URL in the “blog” subfolder will be redirected to the “news” subfolder.

Redirect an Old Domain to a New Domain

You can also use the .htaccess file to redirect users from an old domain to a new one with this directive:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^(?:www\.)?oldsite\.com$ [NC]
RewriteRule ^(.*)$ https://newsite.com%{REQUEST_URI} [L,R=301]

This redirects both the www and the non-www versions of your domain to the new one.

Other Ways to Redirect URLs

There are other ways to redirect URLs if you don’t want to edit your .htaccess file.

First, run an audit of your site to see which pages may need redirects.

The Semrush Site Audit tool can identify those pages for you.

Within the Site Audit tool, enter your URL and click “Start Audit.”

Site Audit interface to add a domain name, with yourdomain.com entered.

Configure your audit settings on the following page. Like how many pages you’d like to check during the audit. And how frequently you want to run the audit.

Click “Start Site Audit” after configuring your audit settings.

Site Audit settings configuration screen.

When the audit is done, click “Issues” and look for “# pages returned 4XX status code.” Which means the server couldn’t reach those pages due to a client-side error.

Click the “# pages” to view each affected page.

Site Audit results showing 2 pages with a 4xx status code error.

Review which pages you need to redirect. And which ones (if any) you’d prefer to keep as 404 errors.

You might indeed want a page to display a 404 error if you’ve deleted the page and there isn’t any relevant page to redirect users to.

To implement redirects for these pages on WordPress without editing your .htaccess file, you can use a plugin like Yoast.

Click “Yoast SEO” and “Redirects” in the left-hand toolbar after installing and activating the plugin.

Yoast SEO WordPress plugin side menu showing redirects option.

Select the type of redirect you want. We'll use 301 because we want to permanently redirect the old page to a new one.

Yoast SEO WordPress plugin redirect type selection screen showing option for 301 Moved Permanently.

Enter the old URL slug—the last part of the URL—and the destination URL slug. And click “Add Redirect.”

Yoast SEO WordPress plugin showing old URL redirecting to new URL.

Lastly, test the URL by entering the old URL into your address bar to make sure it redirects to the new page. You may want to clear your cache first.

2. Load Custom 404 Error Pages with .htaccess

Your .htaccess file also lets you load custom 404 error pages—the page that shows when the server cannot find a webpage at that URL. This can happen when the page no longer exists or if someone enters an incorrect URL.

You might want a 404 page that reflects your brand, and perhaps gives users directions to relevant content or pages.

For example, our 404 page looks like this:

First, create the page you’d like to load when someone encounters a 404 error.

Then, add this code to your .htaccess file:

ErrorDocument 404 /404-page.html

And update the path to reflect your custom 404 page’s path.

Your custom 404 page should then load any time someone visits a page on your site that doesn’t exist.

Other Ways to Create a Custom 404 Page

If you’re using WordPress, a plugin like the Smart Custom 404 error page can help you create a 404 page fairly easily.

Here’s how:

Install and activate the plugin when logged into your WordPress site. Then head to “Pages” and “AddNew Page.”

WordPress side menu showing option to Add New Page.

Create and publish your custom 404 error page within the editor.

WordPress page editor showing example of a custom 404 page.

After publishing your page, click “Appearance” and “404 Error Page” in the menu bar.

WordPress side menu showing option to change 404 Error Page.

Select your error page from the drop-down menu and click “Save Changes.”

Yoast SEO WordPress plugin interface for adding a custom 404 page.

Test your 404 page by visiting a URL that doesn’t exist on your site. It should redirect to your new 404 page.

3. Force Your Site to Load with HTTPS Through .htaccess

Hypertext transfer protocol secure (HTTPS) encrypts communications between the browser and your website. Which secures data sent from the browser to the server.

Plus, HTTPS is a ranking signal. So, using it could have a positive impact on your rankings.

If your site has a secure sockets layer (SSL) certificate, you can force HTTPS instead of HTTP using your .htaccess file.

To do so, add these lines of code to your .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Other Ways to Use HTTPS Instead of HTTP

Your host can often help you switch to HTTPS.

Some even provide one-click options to force HTTPS:

HTTPS Enforce screen within a web hosting dashboard.

So, reach out to your host for help setting up HTTPS if you don’t want to edit your .htaccess file.

4. Enable Password Protection with Your .htaccess File

You can enable password protection on your site—or specific areas of your site—using your .htaccess file.

This may be useful if you’re making site updates and only want certain people to access your site. Like your web designer.

You’ll need two files to password-protect your site: .htpasswd and .htaccess.

First, head to your website host’s file manager.

Add a new file outside your root directory. Name it “.htpasswd” and click “Confirm.”

Important: It’s best to place your .htpasswd file outside of your root directory as this may be more secure.

Web host interface showing ability to add a new file with the name ".htpasswd."

Double click your .htpasswd file to open and edit it. This is where you’ll add a username and password needed to access your site.

Web host file manager screen showing .htpasswd file outside the root directory.

You then need to encrypt your passwords (for security purposes). A free tool like HTPasswd Generator will encrypt your password for you.

Just enter your username, password, and click “Generate .htpasswd file.” And copy the output.

HTPasswd Generator tool showing the encryption of a password.

Paste the output in your .htpasswd file and save your file.

Encrypted password along with a username inside the .htpasswd file.

Lastly, open your .htaccess file and add this directive:

# Password protection
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /path/to/.htpasswd
Require valid-user

Make sure to change the path of the “AuthUserFile” line to the path of your .htpasswd file. And save the file.

Head to your website. Your site should display a prompt upon loading if the directive works.

Enter your username and password and click “Sign in” to access your site.

Sign-in box on a webpage as a result of .htaccess password protection.

Other Ways to Password-Protect Your Site

If you’re using WordPress, an easier way to set up password-protected pages is by using the platform’s native password protection functionality.

Next to “Visibility,” click on “Public.”

WordPress page with the visibility set to Public.

Select the circle next to “Password protected” and enter the password you want to use. Then, exit out of the prompt and click “Update.”

WordPress page visibility options showing space to enter a password for password protection.

Now when someone tries to access the page, they’ll see something that looks like this:

And they’ll need the password to access the content.

But this means you can only have one password for each page—you can’t have different passwords for different users.

For extra functionality, you may want to consider using WordPress plugins instead.

Common Performance Issues Associated with .htaccess

Keep these issues in mind if you decide to rely on your .htaccess file to make specific changes to your site.

Speed

Using many or very complex .htaccess files can impact your site’s performance. And cause it to run slowly.

Why?

Because Apache needs to read and interpret each directive every time a request is made to your server.

So, carefully consider what’s necessary to include in your .htaccess and what isn’t.

And keep it as concise as possible to avoid site performance issues. Since page speed is a ranking factor, you want your site to load fast.

While there’s no ideal length for an .htaccess file, one way to determine if your .htaccess file is impacting side speed is to run speed tests before and after making any .htaccess file changes.

Free tools like Google’s Page Speed Insights let you test page speed by entering a URL:

PageSpeed Insights for Semrush.com showing the site is passing Core Web Vitals.

You may need to speak with a developer to review your .htaccess file if your page loads slowly after making updates.

Security

Because .htaccess files let you redirect entire sites, someone who hacks your site can use the .htaccess file to redirect your site somewhere else.

So, check your .htaccess periodically for any directives you didn’t add.

Also maintain regular backups of your site. Ideally, your host will also do this for you, but you may want to keep your own backups as well.

That way, you can quickly revert your site to an older version (which includes the older version of your .htaccess file, too) if something happens.

Accessibility

Improperly configured .htaccess directives can lead to accessibility issues. Like incorrect redirects that don’t take people to the right page.

Users are more likely to leave your site (and potentially head to a competitor) if they can’t find the content they want.

So, it’s important to keep an eye on any technical issues that might arise from improperly configured .htaccess directives.

Spot Technical Issues on Your Site

Your .htaccess file allows you to make powerful changes to your site with relative ease.

But those edits can also cause unwanted errors.

Use Semrush’s Site Audit tool to help keep your site error-free when editing your .htaccess file.

Site Audit monitors errors and sends you regular updates, so you don’t need to worry about keeping track of them yourself.

Try it today.