.htaccess help and tips



Use these tips to recover traffic to dead and missing pages, and to stop hotlinking and hackers:
1) Stopping hackers
2) Stopping site snagging (offline viewing)
3) Stopping Hotlinking
4) Multiple Domain Names: Shared Members Areas

1) Stopping hackers

The most common way of protecting your members only area is, as I'm
sure you know, with a file named .htaccess. This is the file that pops up the password box and then checks the login/password against the password file.

But what most webmasters don't know is that this file can be used for lots of other things, which are discussed below.

The code below is the basic contents of an .htaccess file. Copy the text below, make a new file with Notepad, paste the text into it and save it as .htaccess. DO NOT use MS Word! The file will not save
correctly! You should also realize that an .htaccess file is just a plain
text file with a funny name. The complete file name really is .htaccess,
period in front and all.

Here is the basic .htaccess file:

# Where the usernames and (hashed) passwords live. Give a server path, not a
# URL, and keep the file outside the web root so it cannot be fetched over HTTP.
AuthUserFile /server/path/to/your/password/file/.htpasswd
AuthGroupFile /dev/null
AuthName "Members Area"
AuthType Basic

# Only the methods listed in <Limit> are protected. Apache's own documentation
# recommends placing "require" outside any <Limit> so that every method is covered.
<Limit GET PUT POST>
require valid-user
</Limit>

This file, when placed in your members only folder, will protect all of
the subfolders under it. However, once inside the members area, people can still poke around for things you may not want
them to see by typing in URLs.

Another problem is that some password security programs have to be
accessed directly or in a very specific way to work. An older version of
the security program I used required a file called index.cgi to be placed
in the member's only folder. When you linked to
http://members.landofvenus.com/members/ it would do two things. First, the
.htaccess file would check the username and password to see if they were
valid. Second, if approved, it would run my security program to see how
many people have used that username and password. If that checked out,
they would be sent to the opening page of my member's area which was
actually http://members.landofvenus.com/members/members.html

That worked fine as long as no one tried to go directly to the
members.html page. Guess what, hackers are smart. By posting a simple link
on a password trading site, they could bypass the security program and
gain access in one easy step. The link would look like this:

http://username:password@members.landofvenus.com/members/members.html

Look familiar? If you've ever been password traded (and you will) it
should look familiar. After that I learned of some code that will stop
this and force everyone to use one page to gain access to the member's
area.

AuthUserFile /server/path/to/your/password/file/.htpasswd
AuthGroupFile /dev/null
AuthName "Members Area"
AuthType Basic

<Limit GET PUT POST>
require valid-user
</Limit>

RewriteEngine On
# Fire the rule unless the referrer starts with http://yourdomain.com/ or a
# subdomain of it ([NC] = case-insensitive). An empty referrer fails the test too.
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*yourdomain\.com/ [NC]
# Every other request in this folder is redirected (R) to the login page and
# rewriting stops there (L).
RewriteRule /* http://www.yourdomain.com/login.htm [L,R]

The new section activates the RewriteEngine feature of your .htaccess
file. It now only allows access to the member's area of your site
through a link on your page. If they don't use an actual link on your
site they cannot get in. Any URL that you manually type into the address
bar of your browser will show up in your log file as having no referrer
and will not pass. The only way to satisfy the RewriteCond of this
updated .htaccess file is to use a link on your site.

Using this example, you will need a new little web page named login.htm
in your free area. On that page you will need a link to your member's
area: whatever link lets your security program work correctly.

The main thing I like about using this is that it keeps people from
messing around inside the members area. Since I update with new pics
every week, I can upload several sets at a time to the server and have
them waiting. I don't have to worry about anyone finding them before I
link to them.

Now remember, if you don't have any software in place to monitor how many
times your usernames and passwords are being used, this won't help you at
all. This method won't stop shared usernames and passwords from being
used. It is only here to channel people into your password-sharing
detection software. I personally recommend using Password Sentry. It's a one-time
charge and they give you lifetime upgrades and support. It's also not
very expensive. I haven't found any program out there that I liked any
better, at any price. You can find them at
http://www.monster-submit.com/sentry/

-----------------------------------------------------------

2) Stopping Site Snagging

There are many programs out there designed for
"offline viewing" of web sites. These programs allow a person to download
everything on your site to their computer. That works wonderfully in the
free area; however, if they have a username and password to your site,
they can also download your entire member's area.

If you don't have any software protecting you from password traders, this
one could be devastating. Not only could everyone in the world get into
your members area for free, they could download everything in there in a
hurry. If you have 200 MB of stuff in your site and 1000 people get in
for free and decide to use one of these programs, you're looking at 200
GB of transfer in as short as one day. Can you afford that? Those
numbers are kind, too. Many of you have much more than 200 MB of stuff.
I've also been traded in the past and was receiving 4500 people per hour
into the members area for free. That could put you out of business in a
hurry.

If you don't think that these programs are a problem check your stats.
Many stats programs will tell you the different web browsers that are
visiting your site. I have programs like Teleport Pro and Offline
Explorer in my top 10 web browsers every single day.

Since we have to pay for bandwidth, which can get expensive as your site
grows, this can turn into a major problem. I was surprised at how much
bandwidth I saved after adding these lines to an .htaccess file.

Here's the best part. You can place this .htaccess file in your root
public directory. Put it in the same folder as your site's opening index
file and it will protect your entire site.

You'll notice one major difference about this file. It doesn't require
usernames and passwords to get in. Those lines have simply been removed
from the file. It will also not have any effect on the .htaccess file in
your member's folder. That one will check passwords, this one will stop
people from snagging your site.

There are actually 3 sections to the file below.

The first section allows you to block specific users' IP addresses. I
have two blocked here. These were users that tried hammering my site with
around 20,000 username and password combos. This part is optional, since
most people get a new IP each time they log on. However, if they are
using a cable modem they will keep the same IP all of the time, like the
two in my example. If I were you I would definitely leave that guy in
there.

The second section relates to 404 errors. This works well with the way
many search engines work. I don't know how many of them are still linking
to pages on my site that no longer exist. If someone clicks on a link
from that search engine that is no longer any good, they just get that
blank error page. The ErrorDocument line below forwards those people to
another page. I forward them to my opening page. That way, if they come
to my site using a link that is no longer valid, they end up at my
opening page never realizing that the link was bad.

The third section stops the programs that will try and download your
site. Since I'm finding more all the time, the list keeps growing. If you
discover more, just add them to it. If the program's name is actually two words,
Teleport Pro for example, you only need to include one word to block
it. Notice below that I have a line including Teleport, but not
Teleport Pro. I've downloaded the program and tested it. This method
works perfectly.

The very last line, the RewriteRule, is where violators will be sent to.
I have personally chosen a site at geocities that features sewing
patterns for gay men's swimwear. :)

# Section 1: block specific IP addresses (optional).
<Limit GET>
Order allow,deny
deny from 24.128.16.113
allow from all
</Limit>

# Section 2: send requests for pages that no longer exist to the opening page.
ErrorDocument 404 http://www.landofvenus.com/index.html

# Section 3: redirect site-snagging programs by user agent. These patterns
# are case-sensitive (no [NC]), which is why "likse" and "Likse" are both
# listed. Broad words such as Crawler or Mirror can also match agents you
# want to keep, so check your logs before adding more.
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^.*WebZIP.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Stripper.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Offline.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Copier.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Crawler.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Snagger.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Teleport.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Reaper.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Wget.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Grabber.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Sucker.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Downloader.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Siphon.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Collector.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Mag-Net.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Widow.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Snake.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*BackWeb.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*gotit.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Vacuum.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Pump.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*HMView.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*HTTrack.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*JOC.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*likse.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Memo.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*pcBrowser.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*SuperBot.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*leech.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Mirror.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Recorder.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*GrabNet.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Likse.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Navroad.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*attach.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Magnet.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Surfbot.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Bandit.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Ants.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Buddy.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*Whacker.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*FileHound.*$
# The last condition has no [OR]; if any one of them matched, redirect (R) and stop (L).
RewriteRule /* http://www.geocities.com/WestHollywood/Heights/3204/1home.html [L,R]

If you decide to redirect them somewhere else be sure to leave the
"[L,R]" at the end of the line. It's rather important.

Remember to always check your site immediately after uploading a new
.htaccess file to your server. If there are any errors in your file, your
site will most likely not load at all. In that case, quickly delete the
file off of the server until you figure out what went wrong!
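Section 2 says to check your stats for programs like Teleport Pro. This added Python example (mine, not the page's) does that check directly on Apache combined-format log lines, using a subset of the user-agent words from the list above with the same case-sensitive substring test, and also counts 401 responses per client IP to spot the kind of password hammering that the "deny from" section is meant for. The log lines are constructed for the example, not taken from a real server.

```python
import re
from collections import defaultdict

# Apache "combined" log line: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Words from the list above; Apache's ^.*WORD.*$ without [NC] is case-sensitive (hence likse AND Likse).
SNAGGER_WORDS = ["WebZIP", "Offline", "Teleport", "Wget", "HTTrack", "likse", "Likse"]

def parse_log(text):
    """Return one dict per well-formed combined-log line, skipping malformed ones."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
            entries.append(d)
    return entries

def snagger_report(entries):
    """Hits and bytes per blocked word, i.e. what the .htaccess list would catch."""
    report = defaultdict(lambda: {"hits": 0, "bytes": 0})
    for e in entries:
        for word in SNAGGER_WORDS:
            if word in e["agent"]:          # same test as ^.*WORD.*$
                report[word]["hits"] += 1
                report[word]["bytes"] += e["bytes"]
                break                        # like the [OR] chain: one match is enough
    return dict(report)

def password_hammerers(entries, threshold):
    """Client IPs with at least `threshold` 401 responses: candidates for a "deny from" line."""
    failures = defaultdict(int)
    for e in entries:
        if e["status"] == 401:
            failures[e["ip"]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}

# Constructed sample lines (not from any real log); the last one is malformed on purpose.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2000:13:55:36 -0700] "GET /members/members.html HTTP/1.0" 200 2326 "http://www.landofvenus.com/login.htm" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
198.51.100.9 - - [10/Oct/2000:13:56:01 -0700] "GET /members/set1/01.jpg HTTP/1.0" 200 48211 "-" "Teleport Pro/1.29"
198.51.100.9 - - [10/Oct/2000:13:56:02 -0700] "GET /members/set1/02.jpg HTTP/1.0" 200 51020 "-" "Teleport Pro/1.29"
198.51.100.9 - - [10/Oct/2000:13:56:03 -0700] "GET /members/set1/03.jpg HTTP/1.0" 302 - "-" "Teleport Pro/1.29"
192.0.2.44 - - [10/Oct/2000:14:01:10 -0700] "GET /members/ HTTP/1.0" 401 401 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
192.0.2.44 - - [10/Oct/2000:14:01:11 -0700] "GET /members/ HTTP/1.0" 401 401 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
203.0.113.7 - - [10/Oct/2000:14:05:00 -0700] "GET /pics/b.jpg HTTP/1.0" 200 9001 "-" "Offline Explorer/1.2"
this line is garbage and is skipped
"""
ENTRIES = parse_log(SAMPLE_LOG)
```

Run `snagger_report(ENTRIES)` and `password_hammerers(ENTRIES, 2)` against your own access log text to see which agents the list would have caught and how much transfer they cost.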

-----------------------------------------------------------

3) Stopping Hotlinking

I think I see some of you smiling already. Yes, you can use an .htaccess
file to stop people from hotlinking images off of your site. I recently
discovered several of my pictures being posted on a messageboard. They
had a little message and then my picture would pop up in the message. It
was loading directly off of my server with absolutely nothing pointing
back to me. I was pissed.

The .htaccess file to prevent this is very similar to some of the ones
above. It's just much shorter since it only performs one function, to
stop hotlinking. It does this by checking the referrer. In other words,
where the hit is coming from.

I have actually moved all of my images, graphics, games, you name it into
a subfolder in the free area. I then just place this .htaccess file into
that folder.

I DON'T recommend adding these lines into the .htaccess file above that
protects your entire site. Why? Well, when you sign up on someone else's
friends page you have to enter a URL for your ID picture. If you block
everything, then all of your ID pictures on all of those friends pages you
signed up for will not load. Your ID picture will be a very sexy little
red x.

You can stop people from hotlinking your ID pictures if you want, just
think it through first. I have my banner farm protected to stop new sign
ups from hotlinking. However, I still have a few ID pictures in
unprotected areas too. That way I can sign up for new friends and links
pages. You also don't want to block everything if you purposely post
pictures at picpost pages. If you block your entire site, none of those
picposts will load.

Similar to some of the files above, this one will allow the picture to
load only if the referring site is landofvenus.com. Do not
include the www. in here; the pattern in front of landofvenus.com
matches any subdomain, www. included. The rest of the referrer can be anything,
as long as the host is landofvenus.com or one of its subdomains.

RewriteEngine On
# Let the image load only when the referrer's host is landofvenus.com or a
# subdomain of it; anything else, including an empty referrer, is redirected.
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*landofvenus\.com/ [NC]
RewriteRule /* http://www.landofvenus.com/ [L,R]

-----------------------------------------------------------

4) Multiple Domain Names: Shared Members Areas

Here's a fun one. Many of you may have several web sites but only one
credit card account and one password file. How do you get everyone to
have access to all of your site's members areas but only use one account?
Easy. Use .htaccess files. This can get a little bit tricky so pay
attention.

Let's say you have three sites: one.com, two.com, and three.com.

Let's also say that you want anyone joining one site to have access to
all three.

Pick one site to house the main entry page. Just like in the above
examples, create a page called http://www.one.com/login.htm in the
free area of that site. You can call it whatever you want. Use that page
as the entry page for all of your web sites. Just put a link on there
saying "click here to enter the member's area" or something.

Now everywhere on two.com and three.com that says "member's
entrance" should point to http://www.one.com/login.htm. Understand?
Only one entrance page and only one password file. Everyone must enter
from the same place.

Now, you'll need to add the following lines to your .htaccess file in the
member's only folder of one.com.

RewriteEngine On
# All three conditions must hold (the referrer matches none of them) for the
# redirect to fire.
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*one\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*two\.com/members/ [NC]
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*three\.com/members/ [NC]
RewriteRule /* http://www.one.com/login.htm [L,R]

This will allow entry only from either your main site's entry page, or
from the member's area of your other sites. This part is tricky to think
about but very important.

Your new one.com member's only folder .htaccess file will most
likely look like this:

AuthUserFile /server/path/to/your/password/file/.htpasswd
AuthGroupFile /dev/null
AuthName "Members Area"
AuthType Basic

<Limit GET PUT POST>
require valid-user
</Limit>

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*one\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*two\.com/members/ [NC]
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*three\.com/members/ [NC]
RewriteRule /* http://www.one.com/login.htm [L,R]

Now here's the fun part. The members areas of two.com and
three.com will no longer check for a valid username and password.
They will only check out where the person is coming from. If they aren't
coming from one of three places they will be routed to the login.htm page
on one.com.

This .htaccess file is very small and should be placed in the members
only folder at two.com and three.com.

You must include lines for all of your sites in every .htaccess file.

The .htaccess files at two.com/members and three.com/members
should look like this:

# No password check here: the referrer conditions alone decide who gets in.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*one\.com/members/ [NC]
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*two\.com/members/ [NC]
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*three\.com/members/ [NC]
RewriteRule /* http://www.one.com/login.htm [L,R]

That's it. They're very short files but they will do the job. These new
.htaccess files at two and three will only allow people
access if they're coming from the members only area of one of the other
sites. They don't need to check usernames and passwords too.
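Sections 1, 3 and 4 all rest on the same referrer test, so here is one added Python model of it (mine, not code from the page): the page's regular expression, with the domain's dots escaped and [NC] mapped to a case-insensitive match, generalized to any list of allowed (host, path) prefixes so the single-site and the shared-members-area cases are both instances of it. Keep in mind that the gate only reads the Referer header the client chose to send, so it funnels ordinary browsers through login.htm and turns away empty-referrer requests, but the password file is still what authenticates anyone.

```python
import re

# Each RewriteCond on the page has the form
#   RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)*HOST/PATH [NC]
# and the RewriteRule fires only when EVERY condition holds, i.e. when the
# Referer matches none of the allowed (host, path) prefixes.

def build_referer_gate(allowed):
    """allowed: list of (host, path) pairs such as ("two.com", "/members/").
    Returns a function mapping a Referer header value to True (serve the
    request) or False (redirect it to the login page)."""
    patterns = [
        re.compile(r"^http://([a-z0-9-]+\.)*" + re.escape(host) + re.escape(path),
                   re.IGNORECASE)  # [NC]
        for host, path in allowed
    ]
    def passes(referer):
        # Apache substitutes "" for a missing header, so a URL typed into the
        # address bar (no Referer at all) matches nothing and is redirected.
        return any(p.match(referer or "") for p in patterns)
    return passes

def route(gate, referer, login_url):
    """Outcome of the RewriteRule for one request."""
    return "serve" if gate(referer) else "redirect:" + login_url

# Sections 1 and 3: one site; any page on it or on a subdomain may refer.
SINGLE = build_referer_gate([("landofvenus.com", "/")])

# Section 4: one.com's members folder, reachable from anywhere on one.com or
# from the members areas of the sister sites.
SHARED = build_referer_gate([
    ("one.com", "/"),
    ("two.com", "/members/"),
    ("three.com", "/members/"),
])

if __name__ == "__main__":
    login = "http://www.landofvenus.com/login.htm"
    for ref in ["http://www.landofvenus.com/login.htm", "", "http://www.landofvenus.com.example/x"]:
        print(repr(ref), "->", route(SINGLE, ref, login))
```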

-------------------------------------------

In a nutshell, for those webmasters who want to make sure that surfers who type in random URLs, or who click on a link from another site to a page or directory that was deleted, end up at the index page, and that anyone who types in the wrong login and password goes to a join page, this is what your .htaccess file would look like.

Line 1 (404): sends people who type in a bad URL to my index page.
Line 2 (401): sends people who type in the wrong password to my join page, as does line 3 (403).

<Limit GET>
Order allow,deny
allow from all
</Limit>

# Line 1: bad URL -> index page (a full URL here makes Apache redirect).
ErrorDocument 404 http://www.landofvenus.com/guestframes.html
# Line 2: a 401 document must be local or inline text (a remote URL would break
# the password prompt), so an inline META refresh does the forwarding instead.
ErrorDocument 401 "<META HTTP-EQUIV=Refresh Content=0;URL=http://www.landofvenus.com/401.html>
# Line 3: forbidden -> the same join page.
ErrorDocument 403 http://www.landofvenus.com/401.html

# This rule has no RewriteCond and no "RewriteEngine On" above it. With the
# engine switched on it would redirect every request in this folder, the
# guestframes.html target included, so only use it behind referrer checks.
RewriteRule /* http://www.landofvenus.com/guestframes.html [R,L]


If you have any questions or would like me to write your .htaccess for you, please email me at support@landofvenus.com