BlackHat Scripts & Code Thread, .htaccess - How can it be used? in BlackHat SEO Forum
-
.htaccess - How can it be used?
We have all heard of the .htaccess file right? We know that it is one way in which to cookie stuff your site, but what other uses and capabilities does it have? Come to think of it, exactly what is it?
Well, .htaccess is an Apache file, in that it has nothing to do with your operating system. It works best on a Unix server but can be implemented on just about any server. If your webhost does not incorporate Apache as standard then I suggest you find one who does, or maybe start paying them to host you if you currently have ad-supported hosting.
.htaccess is an ASCII file (you really don't need to know this, but if you do not use an FTP client you may need to alter the way in which you upload and download it) and can easily enough be created with a simple text editor. Just open one, add a few lines and save it as .htaccess (depending on the editor you use you may be required to place a .txt extension on it; do so and then rename the file without the .txt).
If you don't have an FTP client then get one; there are enough free ones out there and it will save you loads of time and potentially cut down your error margin. I would suggest changing the attributes of .htaccess using CHMOD (see your FTP client for details) to 644, which makes it usable to the server but not by a browser so people can't access it and see what's inside (affiliate managers specifically).
Bear in mind that .htaccess, being an Apache file, doesn't like multiple commands to be placed on one line so disable wordwrap and have each command on different lines.
.htaccess files affect all files within that directory and any subdirectories within, so if you place a command on /public_html bear in mind that it will also affect public_html/stuffing/random/muppet. There is a way to get around this by just creating another .htaccess file in the directory muppet. This ensures that anything in /public_html, /public_html/stuffing and /public_html/stuffing/random will be affected by the first .htaccess file, and anything in public_html/stuffing/random/muppet will be affected by the .htaccess file placed in that directory.
OK, so that's a quick explanation of the file; let's move on to its uses.
Error pages
When someone encounters an error message on your site they would get an error message which doesn't really help them. With .htaccess we can provide them with a custom page so for example, instead of them seeing a 404 message saying the page does not exist, we can provide them with a sitemap instead. Here are the server codes:
Successful Client Requests
200 OK
201 Created
202 Accepted
203 Non-Authoritative Information
204 No Content
205 Reset Content
206 Partial Content
Client Request Redirected
300 Multiple Choices
301 Moved Permanently
302 Moved Temporarily
303 See Other
304 Not Modified
305 Use Proxy
Client Request Errors
400 Bad Request
401 Authorization Required
402 Payment Required (not used yet)
403 Forbidden
404 Not Found
405 Method Not Allowed
406 Not Acceptable (encoding)
407 Proxy Authentication Required
408 Request Timed Out
409 Conflicting Request
410 Gone
411 Content Length Required
412 Precondition Failed
413 Request Entity Too Long
414 Request URI Too Long
415 Unsupported Media Type
Server Errors
500 Internal Server Error
501 Not Implemented
502 Bad Gateway
503 Service Unavailable
504 Gateway Timeout
505 HTTP Version Not Supported
I wonder if we could direct someone who gets a 404 message to a specific page on our server that looks exactly like the standard 404 message but which has a hidden cookie. I doubt this would be picked up by any affiliate manager as I would think they would just automatically hit the back button. Anyway, you can play around with them. Just be careful, on pages that are fine, no error message would be returned and it can be quite easy to create an infinite loop if you play around with those codes. Anyway, here would be the usage in the .htaccess
ErrorDocument 404 /errors/404.html
This would cause any error code resulting in 404 to be forwarded to yoursite.com/errors/404.html
Alternatively, you can use HTML in the .htaccess; this could go along the lines of:
Code:
ErrorDocument 401 "<body bgcolor=#ffffff><h1>Unless you pay for membership you ain't gettin' in!</h1></body>"
This can be fun to play around with. Just remember to keep it all on one line, no wordwrap!
Password protection
For this we are going to be password protecting a directory so that only allowed users can access it. Just like before when I told you how to create the file, do the same with one named .htpasswd and go here:
www.tools.dynamicdrive.com/password/
In the left box, enter all the usernames you want to have access to the directory we are going to protect, and in the right box, the passwords. Step two requires you to enter the path FROM your root directory to the directory where we are going to place the .htpasswd file (it should not be in the root directory as it can be viewed). Hit submit and it will encrypt your passwords for you. Just follow the instructions and copy the produced code into the .htaccess file, and then the new encrypted passwords into the .htpasswd file. Upload these two files into the correct location and you are done! That's your directory password protected.
I need a smoke, back in 10 ........
OK, Enabling SSI
For an explanation of SSI go here:
www.hypergurl.com/ssi.html
Many who want to use SSI are unable to do so due to hosting restrictions; .htaccess will allow us to do so. You should of course get permission from your host first, or they may ban you as it could be against the TOS. I'm not going to go into what SSI is; just read the link above and decide if you want it. If you do and your host allows it, just adding the following to your .htaccess file will enable it:
Code:
AddType text/html .shtml
AddHandler server-parsed .shtml
Options Indexes FollowSymLinks Includes
If you don't fancy renaming all of your pages to .shtml then enter the following between the first & second lines
Code:
AddHandler server-parsed .html
And you should also add the following to make your default homepage index.shtml rather than index.html. If it can't find .shtml it will load .html instead
Code:
DirectoryIndex index.shtml index.html
Denying access based on IP
You can deny people access based on their IP address like so:
Code:
order allow,deny
deny from 123.45.6.7
deny from 12.34.5.
allow from all
This would block users from the IP address 123.45.6.7 as well as anyone under the subdomain block of 12.34.5. So, do you know your affiliate manager's IP address?
Blocking user from a referrer
The main use of this is, as an example: you are getting tons of bad-quality traffic from one particular site; they are not buying anything, they don't even stay for any longer than 5 seconds. The referring site may be linking into one of your images and eating up all your bandwidth, so you can block them from doing so. Think a little outside the box on this one; you can definitely use this one.
Code:
RewriteEngine on
# Options +FollowSymlinks
# Escape the dots: an unescaped "." matches any character
RewriteCond %{HTTP_REFERER} badsite\.com [NC,OR]
RewriteCond %{HTTP_REFERER} anotherbadsite\.com
RewriteRule .* - [F]
If you just want to block a single user, drop that 4th line and the ,OR from the line above it.
Ok we are not even halfway through as of yet so hang onto ya pants
Bad bots
Bots or spiders are a blackhatter's best friend and worst enemy. Controlling the Google spider is an easy enough task, but malicious bots won't follow the rules; they will blatantly ignore the robots.txt file and index your site in full unless you prevent it. This code will present the bad ones with a 403 error and will save you a fortune on your bandwidth costs.
Code:
RewriteEngine On
# Spaces inside a pattern must be escaped as "\ ": Apache splits arguments on
# whitespace, so "^Download Demon [OR]" would be read as a pattern plus bad flags
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]
Change your default page
Sometimes we might not want to be showing our index.html for whatever reason when someone types in our domain name. The following code would first attempt to load up donkey.html then index.cgi then index.pl until it finds one, if it doesn't then it will load up your default page.
Code:
DirectoryIndex donkey.html index.cgi index.pl default.htm
Redirection using .htaccess
Javascript is good for redirection but .htaccess is more effective given the tiny amount of work needed to do so.
Code:
Redirect /olddirectory/oldfile.html http://whatever.com/newdirectory/newfile.html
I did cover the Redirect method of cookie stuffing in my tutorial on that so go take a look.
Prevent viewing of .htaccess
Really simple - This stops browsers viewing the file, only the server is allowed.
Code:
<Files .htaccess>
order allow,deny
deny from all
</Files>
Of course it can be applied to other filenames should it be necessary.
Adding MIME types
Say your server is not set up to deliver file types correctly, which is fairly common with MP3 and SWF files. You would add something like this and everything will work fine
Code:
AddType application/x-shockwave-flash swf
Preventing hotlinking
Hotlinking is the act of someone linking to a file on your site and displaying it on theirs. You may not think it's so bad, but if someone is linking into a SWF file on your site and they play it on their homepage to 1000 people a day, that's a huge amount of bandwidth they are stealing from you. Commonly it is used for image files, but movies and music files are becoming more and more problematic now technology is good enough for them to look good. It can be fun too, if someone is linking to a popular image on your site, you can code it so that instead of that nice picture of a sunset scene they want, they actually get a picture of a child giving them the finger, or even your company logo (free advertising). This requires "Mod Rewrite" to be enabled which you may need to request from your host.
Code:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com/.*$ [NC]
RewriteRule \.(gif|jpg|js|css)$ - [F]
This would give anyone trying to hotlink to a gif, jpg, javascript or style sheet an error. With a little fiddling we could put our logo/url in its place:
Code:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com/.*$ [NC]
# Exclude the replacement image itself, otherwise the redirect loops forever
RewriteCond %{REQUEST_URI} !/logo\.jpg$
RewriteRule \.(gif|jpg)$ http://www.domain.com/logo.jpg [R,L]
Denying indexing of filetypes
I would guess we all know about the robots.txt file and how we can tell spiders not to index certain files and folders. We also know that malicious spiders will ignore robots.txt and you have read above about banning them completely. You still want the malicious spiders to index your site but not get access to certain files like your pdf or rar files. You can put the following in .htaccess
Code:
# IndexIgnore only hides these names from mod_autoindex directory listings
IndexIgnore *.pdf *.rar
And I think that about covers the "need-to-knows" of the .htaccess file. There is so much more you can do with it but I haven't had time to learn more. This should be more than enough information for you to get creative with your blackhatting, just remember to get creative and test test test.
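As an added example (not from the original post), a small Python checker for the mod_rewrite pitfalls in the blocks above: an unescaped space in a user-agent pattern, an unescaped dot in the referer whitelist, and a hotlink redirect whose target matches its own rule and so loops. It assumes the rule patterns are close enough to Python's re syntax; the BAD and GOOD samples are constructed from the post's rules.

```python
import re
from urllib.parse import urlparse
# Constructed samples: the post's rules as written (BAD) and corrected (GOOD).
BAD = """\
RewriteCond %{HTTP_USER_AGENT} ^Download Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\\ Pro
RewriteRule .* - [F]
RewriteCond %{HTTP_REFERER} !^http://(www.)?mydomain.com/.*$ [NC]
RewriteRule .(gif|jpg)$ http://www.mydomain.com/logo.jpg [R,L]
"""
GOOD = """\
RewriteCond %{HTTP_USER_AGENT} ^Download\\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\\ Pro
RewriteRule .* - [F]
RewriteCond %{HTTP_REFERER} !^http://(www\\.)?mydomain\\.com/ [NC]
RewriteCond %{REQUEST_URI} !/logo\\.jpg$
RewriteRule \\.(gif|jpg)$ http://www.mydomain.com/logo.jpg [R,L]
"""

def tokenize(line):
    # Apache splits arguments on unescaped whitespace only ("\ " stays inside one argument).
    return re.split(r"(?<!\\)\s+", line.strip())

def audit(text):
    findings, conds = [], []  # conds: TestStrings seen since the last RewriteRule
    for n, raw in enumerate(text.splitlines(), 1):
        tok = tokenize(raw)
        if tok[0] not in ("RewriteCond", "RewriteRule"):
            continue
        if len(tok) > 4 or (len(tok) == 4 and not tok[3].startswith("[")):
            findings.append((n, "unescaped space in pattern: Apache treats the "
                                "rest as flags and rejects the file (HTTP 500)"))
            continue
        flags = tok[3].strip("[]").split(",") if len(tok) == 4 else []
        if tok[0] == "RewriteCond":
            if tok[1] == "%{HTTP_REFERER}" and re.search(r"(?<!\\)\.(?!\*)", tok[2]):
                findings.append((n, "unescaped '.' in referer host pattern "
                                    "matches any character; write '\\.'"))
            conds.append(tok[1])
            continue
        # Loop: the browser re-sends the same Referer, so a target this rule matches is redirected again.
        pattern, path = tok[1], urlparse(tok[2]).path
        if any(f.startswith("R") for f in flags) and "%{REQUEST_URI}" not in conds:
            if re.search(pattern, path):
                findings.append((n, f"redirect target {path} matches this rule's "
                                    "own pattern (loop); exclude it via REQUEST_URI"))
        conds = []
    return findings
```

Running audit(BAD) reports lines 1, 4 and 5; audit(GOOD) reports nothing.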
-
I'm currently doing image stuffing using the basic www.affiliatelink.com/img.jpg using .htaccess redirection. Question: how can I prevent others from loading my "image" in the browser?
-
Wow what a great article. Thanks. Will help me in the future.