Magento 2 .htaccess file

Every website relies on web server software that provides access to the server via the HTTP and HTTPS protocols. Apache HTTP Server is one of the most widely used tools for this purpose. In July 2017 Apache was estimated to serve 46% of all active websites and 43% of the top million websites.

Apache is configured by means of a special configuration file (depending on the server operating system, it may be either httpd.conf or apache.conf). This file specifies the configuration of the whole web server and is sometimes not reachable via FTP. For that reason system administrators use the special .htaccess file, which applies configuration changes on a per-directory basis and makes it possible to customize the main configuration defined in httpd.conf/apache.conf. The directives in an .htaccess file apply to the folder where the file is located and to all of its subfolders.

Bear in mind that using .htaccess files slightly slows your Apache HTTP server down, so we do not recommend adding too much information to them. If you do not see the file in the root folder, check whether hidden files are shown.

Let’s look through some main .htaccess usage scenarios.

1. Protecting the website.

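  • To restrict access to a directory, use this directive (on Apache 2.4, order, allow and deny are legacy directives provided by mod_access_compat; Require is their replacement):
deny from all
  • Note that this one restricts access for everyone, including you. To allow access for some particular IP, use these directives:
order deny,allow
deny from all
allow from
  • To blacklist some IPs, use these directives. The order must be allow,deny here: with order deny,allow a matching "allow from all" overrides every deny line and nothing is blocked.
order allow,deny
allow from all
deny from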

  • To restrict access by password, add these directives to the .htaccess file:
Require valid-user
AuthName "Password Required"
AuthType Basic
AuthUserFile "/www/pwd/.htpasswd"

  • The .htpasswd file should be created as well. This text file is the password list with the following structure:

where the password is encoded. One can find plenty of online password generators like this. The line


allows the user test to access the password protected area with the password mageworx.
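
The IP rules in section 1 hinge on how order resolves a client that matches both an allow and a deny line. The following Python model of that evaluation is an added example, not code from the original article; it handles only "all", single IPs and CIDR ranges, and the addresses are constructed samples from the RFC 5737 documentation ranges.

```python
import ipaddress

def matches(client, specs):
    """True if the client IP matches any spec: 'all', a single IP, or a CIDR range."""
    ip = ipaddress.ip_address(client)
    return any(s == "all" or ip in ipaddress.ip_network(s, strict=False) for s in specs)

def is_allowed(order, allow, deny, client):
    """Simplified model of the legacy Order/Allow/Deny evaluation."""
    allowed, denied = matches(client, allow), matches(client, deny)
    if order == "deny,allow":
        # Default is allow; a matching Allow overrides a matching Deny.
        return allowed or not denied
    if order == "allow,deny":
        # Default is deny; a matching Deny overrides a matching Allow.
        return allowed and not denied
    raise ValueError(f"unknown order: {order}")

# Constructed sample addresses (documentation ranges, not real hosts).
ADMIN, BAD, OTHER = "192.0.2.10", "203.0.113.66", "198.51.100.7"

def demo():
    return {
        # Whitelist: order deny,allow / deny from all / allow from ADMIN
        "whitelist_admin": is_allowed("deny,allow", [ADMIN], ["all"], ADMIN),
        "whitelist_other": is_allowed("deny,allow", [ADMIN], ["all"], OTHER),
        # Blacklist written with deny,allow: "allow from all" wins, nothing is blocked.
        "deny_allow_blacklist_bad": is_allowed("deny,allow", ["all"], [BAD], BAD),
        # Blacklist written with allow,deny: the deny line wins for the listed IP.
        "allow_deny_blacklist_bad": is_allowed("allow,deny", ["all"], [BAD], BAD),
        "allow_deny_blacklist_other": is_allowed("allow,deny", ["all"], [BAD], OTHER),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'allowed' if result else 'denied'}")
```
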

2. Redirects and rewrites.

The 301 redirect is one of the most widely used .htaccess features. It guides search engines toward a page's new location or URL. This may be useful if you've moved your site to a new domain or the structure of your website has changed. To move the whole website to the new domain, use this code:

Redirect 301 /

If you need to redirect one particular file, use this code:

Redirect 301 /old/file.html

While setting up redirects is quite straightforward, rewrite rules are more complex, and we recommend checking the primary source for more information.

3. Forbid Hotlinking.

Hotlinking means direct links from website A to non-HTML objects (such as images, movie files, etc.) on website B. This can greatly impact bandwidth usage and CPU load on website B. You can prevent these requests on your server by adding these directives to your .htaccess file:

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]
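RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

The domain in the second RewriteCond should be changed to the corresponding name of your domain. Because the Referer header is set by the client and the first condition lets requests with an empty Referer through, these rules limit casual hotlinking rather than enforce access control.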

4. Website Optimisation.

  • The Apache server can load many external extensions that extend its default functionality. One of them is mod_gzip, which lets you compress your HTML, JS and CSS files. To enable it, add these directives to the .htaccess file:
<ifModule mod_gzip.c>
	mod_gzip_on Yes
	mod_gzip_dechunk Yes
	mod_gzip_item_include  \.(html?|txt|css|js|php|pl)$
	mod_gzip_item_include handler ^cgi-script$
	mod_gzip_item_include mime ^text/.*
	mod_gzip_item_include mime ^application/x-javascript.*
	mod_gzip_item_exclude mime ^image/.*
	mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</ifModule>

  • Cache usage can be specified by means of the mod_expires extension. Use this sample code:
<ifModule mod_expires.c>
        ExpiresActive On
        ExpiresDefault "access plus 1 seconds"
        ExpiresByType text/html "access plus 1 seconds"
        ExpiresByType image/gif "access plus 2592000 seconds"
        ExpiresByType image/jpeg "access plus 2592000 seconds"
        ExpiresByType image/png "access plus 2592000 seconds"
        ExpiresByType text/css "access plus 604800 seconds"
        ExpiresByType text/javascript "access plus 216000 seconds"
        ExpiresByType application/x-javascript "access plus 216000 seconds"
</ifModule>

Modifying the .htaccess file can lead to a lot of problems. There are several tools on the web (like this or this one) that are designed to validate that the .htaccess file is free of any syntax errors.