How to close your website for maintenance with Apache .htaccess

You should, and almost always can, perform routine maintenance on your site without closing it down, but people sometimes ask how to take a site offline, so here are several methods.

Only an emergency justifies taking a site offline, but if your site was hacked and contains extremely offensive material or viruses, closing it while you repair it will help protect your visitors, prevent offensive content from getting indexed under your site's name, and can prevent your pages from getting flagged with "This site may harm your computer" in Google search results. If you were hacked, see also Step By Step Repair After A Website Hack.

All the methods below close the site to normal HTTP browser and crawler traffic, but you will be able to use your control panel and FTP, and your FTP users will have access, too. Four of the methods are easily customized so that you as the owner are allowed to access the site normally, while everybody else is redirected to the maintenance page or blocked.

The time your site is closed should be kept to the absolute minimum required to make it safe.

The methods that send HTTP response codes of 503 (the best) or 307 (an acceptable alternative) are recommended by Google.

Your current IP address

There are several places below where example IP addresses are shown. Before using any of the code that refers to an IP address, be sure to change the example digits to the digits of your own IP address. The expressions containing the example IP addresses have backslashes in them. Change only the digits. Leave the backslashes in.

Your IP address right now appears to be: 38.107.191.102

If you have a high-speed broadband internet connection, your IP address is always the same. With a dial-up telephone connection, your IP address is different every time you connect to the internet, so while you're working on this project it will be necessary to keep your .htaccess code updated so it always matches whatever your current IP is.

Cautions

All the methods involve manually editing your Apache .htaccess file, so you need to know how to do that (Method #4, below, has the details).

Before making any changes to .htaccess, save a copy of the original so you can put it back if necessary.

Modifying .htaccess manually is least likely to cause side-effect problems under the following conditions:

• You do not use the Microsoft FrontPage Extensions.
• You do not use cPanel's graphical user interface "Hotlink Protection" feature.

If you do use the FrontPage Extensions or cPanel Hotlink Protection, the relatively simple procedures below are more complicated and must be done with great care. Both programs make automated modifications to .htaccess, and each of them "thinks" it owns .htaccess. The two programs can interfere with each other, and your manual edits to .htaccess can make either or both of them think the file is corrupted, for reasons described in a previous article. Putting back the original .htaccess should be sufficient to restore Hotlink Protection to the way it was, but that might or might not completely restore the Extensions. It might be necessary to uninstall and reinstall them, which can have complications of its own.

• The otherwise more desirable methods that use RewriteCond/RewriteRule are unfortunately the ones that are most likely to cause problems with the FrontPage Extensions and/or Hotlink Protection.
• The less desirable methods that use deny from lines have the advantage that they should not interfere with HotLink Protection at all, and they are most likely to work well with the FrontPage Extensions.

Try to avoid FrontPage Extensions conflicts

Before editing .htaccess manually, you can use FrontPage the usual way to upload any new files you'll need (maintenance.php, for example, as described later). After the needed files are in place, close FrontPage and do not use it to connect to your site in any way whatever while you modify and use your new .htaccess. Don't connect with FrontPage again until you've put back the original .htaccess.

Try to avoid cPanel Hotlink Protection conflicts

To reduce the chances of corrupting .htaccess:

1. Comment out all of cPanel's Hotlink Protection code (it uses RewriteCond/RewriteRule) before you add any new code. You comment out a line by putting a pound sign (#) at the beginning of the line. There are examples in the code below. 
2. Do not modify Hotlink Protection through the cPanel graphical interface while the new code is in your .htaccess.
3. When you are finished, remove or comment out all the new code and un-comment the original Hotlink Protection code to re-enable it.

1) Simplest, almost-best method: send plain text status code 503 - Service Unavailable

This method, because of its simplicity, is easy to install and therefore preferable for most webmasters, especially if you are in a hurry. It sends an HTTP response code of "503 - Service Unavailable" which tells search engines that this is a temporary problem.

This method only has two drawbacks, both minor:

1. The output page is limited to one single line of plain text, which will be displayed in a visitor's browser.
2. Although you can use the text message to inform human visitors what the problem is and when you expect it to be resolved, there is no way to tell search engine crawlers how long you want them to wait before they come back.

Put the following code lines in your .htaccess file and customize the highlighted text as appropriate:

ErrorDocument 503 "Our website is temporarily closed for maintenance. It should reopen by..."
RewriteEngine On
# TO ALLOW YOURSELF TO VISIT THE SITE, CHANGE 111 222 333 444 TO YOUR IP ADDRESS.
RewriteCond %{REMOTE_ADDR} !^111\.222\.333\.444$
RewriteRule .* - [R=503,L]

The ErrorDocument line specifies that the error document for a 503 response will be the one line of plain text inside the quotation marks. Keep the text line short. 80 characters should be safe. 128 might be ok. There is a maximum length, but I don't remember what it was when I exceeded it once, or whether the maximum is the same in all Apache versions. 

The RewriteCond line says that if the request did not come from your IP address (the ! means "not"), the RewriteRule will apply and the site will be reported as closed. But if the request did come from your IP address, the RewriteRule will not apply, so the site will function normally for you.

The RewriteRule line says that no matter what page was requested, send a 503 response along with the default "error document" specified a few lines earlier.

2) Best method: Rewrite to return status code 503 - Service Unavailable

This method rewrites the incoming request to a PHP file that returns the 503 response code and tells search engine crawlers how long to wait before trying again, which is the main advantage of using this method. The text on the informational page can be formatted however you want, to inform human visitors what the problem is.

Procedure

1. Create a page called maintenance.php whose text says something like "Site temporarily closed for maintenance." You can use the example code below. This page should be completely self-sufficient, with no links to stylesheets, images, JavaScripts, or any other page or object. This is because maintenance.php itself is the only file of any kind that your server will be allowed to send out.
    
2. In .htaccess, add lines like this. You'll have to use your judgment. You might have to adjust the lines depending on what rewrite code is already in the file. The code lines are yellow to distinguish them from the comments: 

RewriteEngine On
RewriteBase /
# The next code line is currently commented out on purpose so it will be ignored.
# It is only for testing the code when you don't really want to close the site.
# It closes the site ONLY to you, but leaves it OPEN to everybody else.
# When commented out, the site is closed to everyone, including yourself.
# To enable the line, remove the # (pound sign) at the start of it.
# You MUST first change the digits 111 222 333 444 to match YOUR IP address.
#RewriteCond %{REMOTE_ADDR} ^111\.222\.333\.444$
# It is easy to modify the above line so it does the opposite:
# close the site to everybody else, but leave it OPEN to only you.
# Put an exclamation point ! in front of the ^ character, to make it: !^

# The remaining two code lines close the site. They say:
# If the request is NOT for /maintenance.php, send /maintenance.php instead.
# Allowing maintenance.php to be served as-is prevents an endless redirect loop.
RewriteCond %{REQUEST_URI} !^/maintenance\.php$
# To allow another file, copy the line above to here and change the filename.

# This line says: no matter what file was requested, serve maintenance.php.
# This is a rewrite (not a redirect), so we use the local file path, no http://
RewriteRule ^(.*)$ /maintenance.php [L]

Save your changes, and test.

Example code for maintenance.php or maintenance.html

Here is a maintenance.php you can use for method #2 above. The first line that says <?php must be at the very top of the file, with nothing, not even a blank line, above it.

Retry-After tells robots how long to wait (in seconds) before trying again. It is set here to 48 hours to allow for cleaning up a badly damaged website.

You can also use this text as maintenance.html for method #3 below. Just leave out the top 5 lines in yellow (the PHP code).

<?php
header('HTTP/1.1 503 Service Temporarily Unavailable',true,503);
header('Status: 503 Service Temporarily Unavailable');
header('Retry-After: 172800');
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="robots" content="noindex,nofollow">
<title>503 - Temporarily Closed For Maintenance</title>
<style type="text/css">
<!--
p
{
    font-family: "Verdana", sans-serif;
}
-->
</style>
</head>
<body>

<p><b>Name of website</b></p>
<p>is temporarily closed for maintenance.</p>
<p>Normal operation will resume as soon as possible.</p>

</body>
</html>

3) Third-best way to take your site offline: 307 redirect

This method uses a code 307 redirect to serve a "Site Closed for Maintenance" page instead of whatever page was requested. The 307 tells search engine crawlers that this is a temporary condition, and the text on the page informs visitors what the problem is.

If you are not able to use PHP required by method #2, this is an alternative. Its disadvantage is that you cannot specify a Retry-After time interval.

Procedure

It is basically the same procedure as for Method #2:

1. Use the code from the example above to create a page called maintenance.html.
2. In .htaccess, add lines like this. You might have to adjust them depending on what rewrite code is already in the file. The third yellow code line is commented out on purpose. Please see the long comments in method 2) above for an explanation of that line. In the example below, the third line shows how to close the site to everybody else, but leave it open for you, which is the opposite of what was shown in the example code for method 2).

RewriteEngine On
RewriteBase /
# Before using this line, you MUST change the digits to match your own IP address.
#RewriteCond %{REMOTE_ADDR} !^111\.222\.333\.444$

# The remaining two code lines close the site. They say:
# If the request is for any page other than /maintenance.html, ask the browser
# to issue a new request, for /maintenance.html, just this one time.
# Allowing maintenance.html to be served as-is prevents an endless redirect loop.
RewriteCond %{REQUEST_URI} !^/maintenance\.html$
#To allow another file, copy the line above to here and change the filename.

#This line says: redirect to maintenance.html.
#This is a redirect (sent back to the browser), so the full URL is required.
RewriteRule ^(.*)$ http://yourdomain.com/maintenance.html [R=307,L]

4) The fastest way to take your site offline: deny access

This method uses two simple lines of .htaccess code to deny web access. Anyone requesting a file gets a "403 - Forbidden" error page instead. It is very fast. It can be installed in 1-2 minutes, but it is bad because it will confuse visitors and you might lose search engine ranking or indexing for pages that are crawled during the downtime. However, you could use this method briefly during the time it takes to set up and install one of the others.

The drawbacks are:

• Human visitors wonder why they are "Forbidden".
• Search engine crawlers will also get the "Forbidden" response. 

1. Go to cPanel > File Manager.
2. Navigate to the file public_html/.htaccess. If an .htaccess file is not already there, create it as a text file. Make sure it has the leading period.
3. Click on its filename (not the icon next to it).
4. In the upper right corner of the screen, click Edit File.
5. At the bottom of the file, in a location that is not between HTML-style tags like <tag></tag>, type the lines:
   (do not add a space after the comma)
   
   order allow,deny
   deny from all
   
   Further explanation: some lines of your .htaccess file might be contained between tags that look like HTML tags where the opening tag looks like <tag> and the closing tag looks like </tag>. Insert these new lines in a part of the file that is not between any of these pairs of tags.
   
   The reason these lines go at the bottom of the file is so that if you have another "order" directive higher in the file, this new one will override it. Apache uses only one "order", the last one it encounters.
    
6. Click Save.

To reopen your site, remove the two .htaccess lines you added.

In addition to the purpose described here (closing the whole site), this method is useful wherever you need to make an individual folder inaccessible by web. Just put an .htaccess file with the above 2 lines in the folder you want to close.

.htaccess configurations apply to the folder where .htaccess is located and all its subdirectories. That is why, when you put this code in your top level public_html/.htaccess, it closes the entire site.

5) Fast and flexible method - deny everybody except yourself

This variation of #4 above allows you to access your site normally, but turns away everybody else.

# AN ALTERNATIVE THAT ALLOWS ONLY YOUR IP ADDRESS
SetEnvIfNoCase Remote_Addr .* SiteOwner=false
# You MUST change the highlighted digits below to YOUR IP address.
SetEnvIfNoCase Remote_Addr ^111\.222\.333\.444$ SiteOwner=true
SetEnvIfNoCase SiteOwner false deny_the_request
deny from env=deny_the_request

You can ask questions and get assistance in the forum.