If you host your website on a cPanel server running Apache - which is the case for the vast majority of shared hosting accounts - you have access to a remarkably powerful configuration file called .htaccess. It sits in your website root directory and lets you control how the server handles requests, without needing access to the main Apache configuration.
What Is .htaccess and Where Do You Find It?
The .htaccess file (the name starts with a dot, which is why it is sometimes called a "dot htaccess" file) is a plain text file that Apache reads on every request. Because it starts with a dot, it is hidden by default on most operating systems.
To find it in cPanel:
- Log in to cPanel and open File Manager
- Navigate to your public_html directory
- Click Settings in the top right corner
- Check Show Hidden Files (dotfiles)
- Click Save
Your .htaccess file will now appear in the file listing. If it does not exist yet, you can create one - but always download a backup of the existing file before making changes.
The Most Useful .htaccess Directives
301 Redirects
A 301 redirect permanently sends visitors (and search engines) from one URL to another. This is essential when you rename a page, restructure your site, or move content.
Redirect 301 /old-page/ https://yoursite.ca/new-page/
To redirect your entire site from HTTP to HTTPS (which you should always do if SSL is active):
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Forcing HTTPS and www
To ensure all traffic uses HTTPS and includes the www prefix:
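RewriteEngine On
# Redirect when the request is plain HTTP or the host lacks www; %1 is the host without a leading www.
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://www.%1%{REQUEST_URI} [R=301,L]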
Blocking Bad Bots
Certain bots hammer websites and waste server resources without providing any value. You can block known bad actors by user agent. The User-Agent header is supplied by the client, so this only stops bots that identify themselves:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (scrapy|semrushbot|ahrefsbot|mj12bot) [NC]
RewriteRule .* - [F,L]
Protecting wp-admin
For WordPress sites, you can restrict access to the login page (wp-login.php) to specific IP addresses. This is one of the most effective ways to block brute-force login attempts:
<Files wp-login.php>
Order Deny,Allow
Deny from All
Allow from 123.456.789.000
</Files>
Replace the placeholder 123.456.789.000 (not a valid address) with your own IP address. If your IP changes frequently, consider a security plugin like Wordfence instead.
Disabling Directory Listing
By default, if a visitor navigates to a directory that contains no index file, Apache may display a list of all files in that folder. This is a security risk. Disable it globally:
Options -Indexes
Custom Error Pages
Instead of showing visitors a generic server error page, you can define custom pages for common errors:
ErrorDocument 404 /404.html
ErrorDocument 500 /500.html
ErrorDocument 403 /403.html
Create those HTML files in your public_html directory and your branded error pages will appear automatically.
How to Edit .htaccess Safely in cPanel
- Open File Manager and locate .htaccess in public_html
- Download a copy first - right-click and choose Download. Keep this backup somewhere safe
- Right-click the file and choose Edit
- Make your changes carefully
- Click Save Changes
Test your site immediately after saving. If something breaks, re-upload your backup copy.
Common Mistakes to Avoid
Syntax errors break the entire site. A single typo in .htaccess can cause a 500 Internal Server Error. If your site goes down after an edit, restore your backup immediately.
Order matters. Rules in .htaccess are processed top to bottom. If you have conflicting redirect rules, the first matching one wins. Put more specific rules above more general ones.
Do not edit without a backup. This cannot be overstated. Download the current file before every editing session.
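A rough pre-upload check for the typos described under "Syntax errors break the entire site", as an added example that is not part of the original article. The function name lint_htaccess, the KNOWN set and the sample text are assumptions made here; the check only knows the directives shown on this page, ignores line continuations, and does not replace testing the site after saving.

```python
import ipaddress
import re

# Directives used on this page; anything else is reported so typos are caught.
KNOWN = {"redirect", "rewriteengine", "rewritecond", "rewriterule", "order",
         "deny", "allow", "options", "errordocument"}

def lint_htaccess(text):
    """Return (line_number, message) pairs for likely mistakes in text."""
    problems, open_blocks, engine_on = [], [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = re.match(r"<(/?)(\w+)", line)
        if tag:  # section such as <Files wp-login.php> ... </Files>
            name = tag.group(2).lower()
            if not line.endswith(">"):
                problems.append((n, "section tag is missing '>'"))
            if not tag.group(1):
                open_blocks.append((name, n))
            elif not open_blocks or open_blocks.pop()[0] != name:
                problems.append((n, f"</{name}> has no matching opening tag"))
            continue
        parts = line.split()
        word = parts[0].lower()
        if word not in KNOWN:
            problems.append((n, f"unknown directive '{parts[0]}'"))
        elif word == "rewriteengine":
            engine_on = len(parts) > 1 and parts[1].lower() == "on"
        elif word in ("rewritecond", "rewriterule") and not engine_on:
            problems.append((n, f"{parts[0]} used before 'RewriteEngine On'"))
        elif word == "allow":
            for addr in parts[2:]:  # values after "Allow from"
                if re.fullmatch(r"\d+(\.\d+){3}(/\d+)?", addr):
                    try:
                        ipaddress.ip_network(addr, strict=False)
                    except ValueError:
                        problems.append((n, f"'{addr}' is not a valid IP address"))
    problems += [(n, f"<{name}> is never closed") for name, n in open_blocks]
    return problems

# Constructed sample: misspelt directive, placeholder IP left in, unclosed section.
SAMPLE = ("RewriteCond %{HTTPS} off\nRewriteEngin On\n<Files wp-login.php>\n"
          "Order Deny,Allow\nDeny from All\nAllow from 123.456.789.000\n")

if __name__ == "__main__":
    for number, message in lint_htaccess(SAMPLE):
        print(f"line {number}: {message}")
```

Run it against the edited file's contents before uploading; an empty result means none of these specific mistakes were found, not that Apache will accept the file.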
The .htaccess file is one of the most powerful tools available to any shared hosting user. Used carefully, it gives you control over your server behaviour without requiring root access or server administration skills.

