How to download .htaccess files via FTP
One of the most common problems that any newby webmaster has to face is the issue of the disappearing .htaccess file.
The .htaccess file is a strangely named file found in the web document folders of Apache servers. It allows a webmaster to manipulate the Apache configuration directives at the directory-level. Any changes made to its contents will have immediate effect.
See a PHP script that can help you find .htaccess files on your server
The Problem
The main problem occurs when a webmaster tries to find this .htaccess file. In many server set-ups it does not show up when viewing the directory structure through an FTP client application. This leads the unknowing webmaster to think that it is not there. Thus, causing two classic problems:
-
Even though a webmaster may not see a .htaccess file, they may still be able to overwrite it.
This could happen if, for example, they read an online tutorial on “How to Redirect a Web Page“, create an .htaccess file in their local copy of the website and then upload it onto the remote server. The tutorial may give a qualifying warning to explain that great care must be taken when making such changes. But, if the webmaster cannot actually see an existing .access file in their FTP’s remote directory, they are likely to have the mistaken belief that it isn’t there. The effect of overwriting an .htaccess file can lead to major security holes in a website’s authorisation schema if it is being used to password protect a directory.
Before uploading an .htaccess file it is essential to check to see if there is one already sitting where you intend to put it. If so, then it must be downloaded and any additional directives must be appended to the file.
-
An .htaccess file is difficult to download, hence it is difficult to backup a folder that contains it.
Lets say a web designer designs a website for a fellow called Bob. He created a folder in Bob’s site’s web root called “webmasters_admin”. It contains some administrative controls that allow him to create and delete user accounts etc. The designer placed an .htaccess file into the root of that directory in order to password-protect it and keep out the bad guys. Six months have passed and Bob is a little bit more knowledgeable about how to create web pages and has filled his web root with many folders and even created some extra password protected directorys using .htaccess files.
Then, one day, Bob’s cat walks across his keyboard and deletes the files and folders on his remote server - his website is an almighty 404 error! This doesn’t phase him. He had downloaded snapshots of his remote site at regular intervals - its always good to have a local backup, eh!
Shortly after he has finished explaining to the cat that the computer keyboard is a no-go area, he calmly uploads the local copy of his website back to its rightful place. Every file is uploaded. Every file that is, apart from those pesky .htaccess files. They don’t appear in his FTP client’s directory structure and so were never downloaded during the backup process. Now, the “webmasters_admin” folder is a fully functional website admin application that is open to the world. It will stay that way until he httpassword protects it again. Lets hope he notices soon.
So, whenever you download a local backup of your remote webspace - remember to download the .htaccess files too! Its also advisable to avoid using .htaccess to password protect directories if it is possible to do it another way.
Getting Close to a Solution
To avoid these problems, you need to instruct your ftp client software to show you ALL the files on your remote server. I know of only one ftp client that enables you to do this - IPSwitch’s WS_FTP Pro. (Please add a comment if you know of any others).
If you don’t already have it, you can download WS_FTP Pro here.
Then , see instructions on how to force the FTP software to display hidden files.
I have version 8.02 of WS_FTP Pro and, if I want to see hidden files in a particular remote directory, I insert some text into the form field that sits below the mkdir button and then click refresh. This then reveals any hidden files that may be lurking in the directory. The text to type is:
-la
That’s “-” as in negative. Then, “l” as in Lima and “a” as in Alpha.
Once you can see the “hidden files” you can then select it (in the remote view) and then click on the green arrow to download it to your local directory.
The only problem that I have is that, even when I have enabled the hidden files setting, I still cannot simply select the site’s top folder and be sure that I have downloaded all the files in the site, including those that are hidden. I have to go through each folder and manually download each .htaccess file. This can be a pain if I have 20, or so, .htaccess files buried in various folders and sub-folders throughout the site. To make things easier, I wrote a simple script that can help you find the folders on a website that contain hidden files.