The “.htaccess” file is one of the most powerful, and therefore one of the most dangerous, files at a webmaster’s disposal. Unfortunately, one simple typo can bring down your entire site.

Even if you don’t have any typos, a .htaccess entry can alter the behavior of your site, break certain features, or result in actions you may not have intended for your visitors.

What is a .htaccess file?

A “.htaccess” (yes, that is a dot in front of the word “htaccess”) file is nothing more than a text file. It is used as a configuration file for any webserver running Apache. Apache is the most common webserver in use today, so there’s a good chance your website uses Apache. Here’s Wikipedia’s .htaccess explanation.

The file is typically placed in the main directory where you homepage and other files reside. Since the file starts with a dot, it may be hidden when you view your files via FTP. You may need to configure your FTP program to display hidden files to see if it exists.

Here are the six most common issues we see with .htaccess files…

1. The simple typo

.htaccess files are quite fickle. One simple mis-spelling of a command, and *poof*, your entire website is broken.

What’s worse is if you are adding a number of entries to the file, your web error log does not tell you which line number is the culprit. It’s  like trying to find a needle in a haystack to find your one bad line.

That’s why we developed an application that can help you validate your .htaccess lines, *and* tell you every line number where there is an issue and an explanation as to why that line is not correct. It’s a free service, and can save you time and aggravation when updating your .htaccess file.

www.htaccesscheck.com

I highly recommend pasting your intended .htaccess changes to our www.htaccesscheck.com site before making those changes live in your site.

2. Rewrite URLs with spaces in them

This one’s a special kind of typo, worthy of its own listing… The dreaded space ” ” in a URL. If either the old location or new location has a space in the URL, this will break your site.

If a space is part of the URL, the URL must be enclosed by double quotes (“) for the rewrite to work.

3. mod_rewrite priority

Apache does care which rewrites come first. In fact, if Apache can match a rule above another, the latter rule will never work.

So, for example, if you need to rewrite “products.php?Category=5″ and “products.php?Category=54″, it matters which is listed first in your .htaccess file. You *must* list the longer redirect first (Category=54) before the shorter redirect (Category=5):

RewriteCond %{QUERY_STRING} Category=54
RewriteRule products.php http://www.Your_Domain.com/books.html? [R=301,L]

RewriteCond %{QUERY_STRING} Category=5
RewriteRule products.php http://www.Your_Domain.com/pencils.html? [R=301,L]

4. 404 Not Found ErrorDocument

Sometimes webmasters want to define a custom page that is displayed as the 404 not found page on a site. The mistake that is often committed is to list a full URL for the missing page:

ErrorDocument 404 http://www.Your_Domain.com/404.html

Why is the example above bad? What this does is actually return a 200 “OK” status instead of the 404 status. To a human, not a big deal. But to search engines like Google, the 200 code tells them the page is not actually missing, just at a different URL. That distinction matters, as 404 not found pages tell search engines to ultimately drop the non-existent page from their index of URLs.

Instead, the proper syntax should be:

ErrorDocument 404 /404.html

5. 301 redirect of everything that is not www.Your_Domain.com

We often see this code used by webmasters that want any URL that is not www.Your_Domain.com to be redirected to the www URL:

RewriteEngine on
Options +FollowSymlinks
RewriteBase /
RewriteCond %{HTTP_HOST} !^www\.Your_Domain\.com
RewriteRule ^(.*) http://www.Your_Domain.com/$1 [L,R=301]

Sounds like a great idea, and is easy to put in place. However, if you use a different domain for secure SSL calls (like a shared SSL certificate, or sub-domain), using the code above will break that functionality. Or if you use pointed domains to sub-folders, this code can break those domains as well.

Instead of a global rule, we prefer to list specific redirects for other domain names. Something along the lines of:

RewriteEngine on
Options +FollowSymlinks
RewriteBase /
RewriteCond %{HTTP_HOST} ^Your_Domain\.com
RewriteRule ^(.*) http://www.Your_Domain.com/$1 [L,R=301]
RewriteCond %{HTTP_HOST} ^1\.2\.3\.4
RewriteRule ^(.*) http://www.Your_Domain.com/$1 [L,R=301]

Using this method, you avoid accidentally changing a domain for something that needs to be different from your main www URL.

6. Permalinks with WordPress

Permalinks, the code that makes WordPress blog URLs pretty (like this blog), are a great feature that use .htaccess code to achieve their goal. Out of the box, WordPress automatically sets these up correctly.

However, if you move your blog to a new directory, or move it be the main webpage for your site, or you manually add the code to a .htaccess file, there is a gotcha:

Not putting the directory name in two lines

For example, if your blog is in the /blog directory, the code would look like:

RewriteEngine On
RewriteBase /blog/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /blog/index.php [L]

If you move the blog to another directory, you have to change the “blog” word in two lines. If you don’t your blog links will no longer work.