Set up .htaccess: redirects, security and more
Published on July 10, 2026 8 min read
Learn what a .htaccess file is and how to set up htaccess redirects and security in Plesk, with ready-to-use code examples for Apache hosting.
An .htaccess file is a small configuration file that lets you fine-tune the Apache web server per folder, without touching the main server settings. You use it for common tasks, from htaccess redirects and security to custom error pages and caching. This guide explains what .htaccess is, where to find it in Plesk and how to edit it safely, with ready-to-use examples for redirects, security and more.
What is an .htaccess file?
The name stands for hypertext access. It is a plain text file that you place in a folder of your website, and that the Apache web server reads before it serves a page. The settings apply to that folder and every folder below it. This lets you change how your site behaves without any programming and without access to the central server configuration.
.htaccess is an Apache feature. LJPc hosting runs on Apache, managed through the Plesk control panel, so you can use .htaccess straight away. On a server that only runs nginx, .htaccess does not work, but that is not the case with a standard hosting package. If a rule does not behave as expected, it can be down to the server configuration. In that case, get in touch with support.
What you can do: htaccess redirects, security and more
An .htaccess file is surprisingly versatile. The most common uses fall into three groups:
- Redirects: send visitors and search engines on automatically, for example from HTTP to HTTPS or from an old URL to a new one.
- Security: shield folders, block IP addresses or protect a folder with a password.
- Server settings: show custom error pages, set up caching and fine-tune how your site works.
Below you will find a working example for each, which you can copy and adapt.
Where do you find .htaccess in Plesk?
The .htaccess file belongs in httpdocs, the main folder (document root) of your website. If it does not exist yet, you create it yourself. Note that a file name starting with a dot is hidden by default, so you first have to make hidden files visible.
In the control panel it works like this. You open Plesk through the customer portal.
- In Plesk, go to Files (the File Manager) and open the
httpdocsfolder. - Click Settings in the top right and turn on Show hidden files. You now see an existing .htaccess file.
- Does it not exist yet? Click Create File, name it exactly
.htaccess(with the leading dot and no extension) and create it. - Click the file name to open the built-in editor, paste your rules and click Apply or OK to save.
Prefer an FTP program? You reach the same file over FTP or SFTP in the httpdocs folder. See uploading files with FTP and SFTP. Turn on the display of hidden files in your FTP program as well.
Edit .htaccess safely: make a backup first
A small mistake in .htaccess can take your whole site down with a 500 error (Internal Server Error). So work carefully. First make a copy of the existing file, for example .htaccess-backup, or make a full backup of your website.
Add rules one at a time where possible and test after each change that your site still works. If you get a 500 error, remove the last rule or restore your backup. Your site works again straight away, because .htaccess is read again on every request.
Setting up redirects with .htaccess
Redirects send visitors and search engines on to a different address automatically. For SEO you almost always use a 301 (moved permanently), so the value of the old URL carries over.
1. Force HTTP to HTTPS
This sends every visitor on to the secure https version of your site:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
LJPc sets up the SSL certificate automatically with Let's Encrypt once your domain points to the hosting, but you switch on the redirect to https yourself. You can read more about certificates in what an SSL certificate is and how to install it. Want to solve it without code? Plesk has the option Permanent SEO-safe 301 redirect from HTTP to HTTPS under Hosting Settings. That is the simplest way and it does the same thing.
2. www to non-www (or the other way around)
Pick one fixed spelling of your domain, so you do not end up with two versions side by side. From www to without www:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,R=301]
Would you rather always use www? Then turn it around:
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Use one of the two, not both at once. If you combine this with the https rule above, keep a single RewriteEngine block with the rules neatly underneath each other.
3. Redirect an old URL to a new one with a 301
Have you moved or renamed a page? Send the old address on to the new one:
Redirect 301 /old-page.html https://www.yourdomain.com/new-page
The first part is the path on your own site (start with a slash), the second part is the full new URL. To redirect a whole folder with a pattern, use RedirectMatch or a RewriteRule. It is best not to mix Redirect and RewriteRule in the same file, as they can clash.
Handling security with .htaccess
A few rules make your site much harder to abuse. The examples below are a good starting point.
4. Turn off directory listing
If a folder has no index file, Apache sometimes shows a list of every file in it. Usually you do not want that. Turn the list off with:
Options -Indexes
Visitors then get an error message instead of an overview of your files.
5. Block IP addresses
Want to keep out a nuisance IP address? In current Apache 2.4 you use the Require syntax:
<RequireAll>
Require all granted
Require not ip 203.0.113.5
Require not ip 198.51.100.0/24
</RequireAll>
The first line grants everyone access, the following lines exclude specific addresses or a whole range. The old style with Order and Deny from is outdated. Do not use it any more on modern hosting.
6. Protect a folder with a password
You can shield a folder with a username and password. You do this with two files: an .htaccess with the settings and a .htpasswd with the encrypted login details.
AuthType Basic
AuthName "Protected area"
AuthUserFile /var/www/vhosts/yourdomain.com/.htpasswd
Require valid-user
The path to .htpasswd is an absolute path on the server and differs per account. The password in .htpasswd has to be encrypted, so simply typing one in does not work. Easier is the built-in feature in Plesk: Password-Protected Directories (usually under Websites & Domains among the extra options). There you point to a folder and add a user with a password. Plesk then handles the .htaccess and .htpasswd for you.
More server settings with .htaccess
Besides redirects and security, .htaccess also lets you steer error pages, caching and more.
7. Custom error pages (404 and 403)
Default error pages look bare. You may prefer to show visitors your own page that matches your site:
ErrorDocument 404 /404.html
ErrorDocument 403 /403.html
A 404 means a page does not exist, a 403 that access is denied. Create the files 404.html and 403.html yourself in your main folder. The path starts with a slash, counted from the document root.
8. Set caching headers
With caching you let a visitor's browser store images, CSS and JavaScript for a while, so that later visits load faster. With the mod_expires module you set a retention time per file type:
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType image/svg+xml "access plus 1 year"
ExpiresByType text/css "access plus 1 month"
ExpiresByType application/javascript "access plus 1 month"
</IfModule>
On some servers nginx sits in front of Apache and serves static files directly. If your caching rule then does not take effect, check the settings in Plesk or get in touch with support. Caching is one of the ways to make your site faster; you will find more tips in speeding up your website.
9. Change PHP settings
Online you often see PHP lines like php_value upload_max_filesize 64M in a .htaccess. Be careful: that only works when PHP runs as an Apache module (mod_php). On Plesk hosting, PHP almost always runs as FPM (FastCGI), and then such a line actually causes a 500 error.
So do not change PHP settings through .htaccess, but through the PHP Settings in Plesk. See changing the PHP version in Plesk for where to find them. If you want to set an option that is not in the panel, use a .user.ini file in your folder, which FPM does read:
upload_max_filesize = 64M
post_max_size = 64M
memory_limit = 256M
Security headers: do it in the right place
With mod_headers you can also set security headers, such as X-Content-Type-Options or a Content-Security-Policy. Feel free to do that in .htaccess. Just do not add your own HSTS header: LJPc already sends that automatically once your SSL certificate is active, and a duplicate header can cause problems. You will find a complete overview in setting up HTTP security headers.
Still stuck?
Unsure about a rule, or does your site keep showing an error? First restore your backup, so your site works again, and then get in touch with support. We are happy to help you out.
Frequently asked questions
Does .htaccess work on my LJPc hosting?
Yes. LJPc hosting runs on Apache, managed through Plesk, and Apache reads .htaccess. You place the file in the httpdocs folder and the settings work right away. Only on a server that runs nginx exclusively does .htaccess not work, but that is not the case with a standard hosting package.
Why do I get a 500 error after editing .htaccess?
A 500 error (Internal Server Error) is almost always caused by a typo or a rule the server does not support. Remove the last rule you added or restore your backup, and your site works again straight away. A common cause is a php_value line on FPM hosting.
Where exactly is the .htaccess file?
In httpdocs, the main folder of your website. Because the name starts with a dot, the file is hidden by default. In Plesk File Manager, turn on Show hidden files under Settings, or switch on the display of hidden files in your FTP program.
Can I change PHP settings through .htaccess?
Only if PHP runs as an Apache module. On Plesk, PHP usually runs as FPM, and then a php_value line in .htaccess causes a 500 error. Instead, use the PHP Settings in Plesk or a .user.ini file in your folder.
What is the easiest way to set up an HTTP to HTTPS redirect?
The option Permanent SEO-safe 301 redirect from HTTP to HTTPS under Hosting Settings in Plesk. You switch it on with a tick box and it does the same as the RewriteRule in .htaccess, without you having to type any code. Your certificate does need to be active.
Do I have to add an HSTS header myself?
No. LJPc already sends the HSTS header automatically once your SSL certificate is active. If you add the same header in .htaccess as well, you end up with a duplicate header, which can cause problems. You are free to set other security headers yourself.