25 Years of Programming
An open source source for C, C++, OWL, BASIC, MDB, XLS, DOT, and more...

How to close your website for maintenance with Apache .htaccess

You should, and almost always can, perform routine maintenance on your site without closing it down, but people sometimes ask how to take a site offline, so here are several methods.

Only a dire emergency justifies taking a site offline, but if your site was hacked and contains extremely offensive material or viruses, closing it while you repair it will help protect your visitors, prevent offensive content from getting indexed under your site's name, and can prevent your pages from getting flagged with "This site may harm your computer" in Google search results. If you were hacked, see also Step By Step Repair After A Website Hack.

All the methods below close the site to normal HTTP browser and crawler traffic, but you will be able to use your control panel and FTP, and your FTP users will have access, too. Four of the methods are easily customized so that you as the owner are allowed to access the site normally, while everybody else is redirected to the maintenance page or blocked.

The time your site is closed should be kept to the absolute minimum required to make it safe.

The methods that send HTTP response codes of 503 (the best) or 307 (an acceptable alternative) are recommended by Google.

Cautions

All the methods involve manually editing your Apache .htaccess file, so you need to know how to do that (Method #4, below, has the details).

Before making any changes to .htaccess, save a copy of the original so you can revert to it if necessary.

In addition, modifying .htaccess manually is least likely to cause side-effect problems under the following conditions:

  • You do not use the Microsoft FrontPage Extensions.
  • You do not use cPanel's graphical user interface "Hotlink Protection" feature.

If you do use the FrontPage Extensions or cPanel Hotlink Protection, the relatively simple procedures below get more complicated and must be done with great care. Both programs make automated modifications to .htaccess, and each of them "thinks" it owns that file. The two programs can interfere with each other, and your manual edits to .htaccess can make either or both of them think the file is corrupted, for reasons described in a previous article. Reverting to the original .htaccess should be sufficient to restore Hotlink Protection to the way it was, but that might or might not completely restore the Extensions. It might be necessary to uninstall and reinstall them, which can have complications of its own.

  • The otherwise more desirable methods that use RewriteCond/RewriteRule are unfortunately the ones that are most likely to cause problems with the FrontPage Extensions and/or Hotlink Protection.
  • The less desirable methods that use "deny from" lines have the advantage that they should not interfere with Hotlink Protection at all, and they are most likely to work well with the FrontPage Extensions.

Try to avoid FrontPage Extensions conflicts

Before editing .htaccess manually, you can use FrontPage the usual way to upload any new files you'll need (maintenance.php, for example, as described later). After the needed files are in place, close FrontPage and do not use it to connect to your site in any way whatever while you modify and use your new .htaccess. Don't connect with FrontPage again until you've put back the original .htaccess.

Try to avoid cPanel Hotlink Protection conflicts

To reduce the chances of corrupting .htaccess:

  1. Comment out (with #) all of cPanel's Hotlink Protection code (it uses RewriteCond/RewriteRule) before you add any new code.  
  2. Do not modify Hotlink Protection through the cPanel graphical interface while the new code is in your .htaccess.
  3. When you are finished, remove or comment out all the new code and un-comment the original Hotlink Protection code to re-enable it.

1) Simplest, almost-best method: send plain text status code 503 - Service Unavailable

This method, because of its simplicity, is easy to install and therefore preferable for most webmasters, especially ones in a hurry. It sends an HTTP response code of "503 - Service Unavailable" which tells search engines that this is a temporary problem.

This method only has two drawbacks, both minor:

  1. The output page is limited to one single line of plain text, which will be displayed in a visitor's browser.
  2. Although you can use the text message to inform human visitors what the problem is and when you expect it to be resolved, there is no way to tell search engine crawlers how long you want them to wait before they come back.

Put the following code lines in your .htaccess file and customize the message text and the IP address as appropriate:

ErrorDocument 503 "Our website is temporarily closed for maintenance. It should reopen by..."
RewriteEngine On
# TO ALLOW YOURSELF TO ACCESS THE SITE NORMALLY, SET THE NEXT LINE TO YOUR IP ADDRESS.
RewriteCond %{REMOTE_ADDR} !^111\.222\.333\.444$
RewriteRule .* - [R=503,L]

The ErrorDocument line specifies that the error document for a 503 response will be the one line of plain text inside the quotation marks.

The RewriteCond line says that if the request did not come from the given IP address (yours), the rule in the following line will be applied. That is, if you are making the request, the rule won't be applied, and the site will function normally for you.

The RewriteRule line says that no matter what page was requested, send a 503 response along with the default "error document" specified a few lines earlier.

2) Best method: Rewrite to return status code 503 - Service Unavailable

This method rewrites the incoming request to a PHP file that returns the 503 response code and tells search engine crawlers how long to wait before trying again, which is the main advantage of using this method. The text on the page can be formatted any way you want, to inform human visitors what the problem is.

Procedure

  1. Create a page called maintenance.php whose text says something like "Site temporarily closed for maintenance." You can use the example code below. This page should be completely self-sufficient, with no links to stylesheets, images, JavaScripts, or any other page or object. This is because maintenance.php is the only file your server will be allowed to serve.
     
  2. In .htaccess, add lines like this. You'll have to use your judgment. You might have to adjust the lines depending on what rewrite code is already in the file. Lines beginning with # are comments; the others are the code lines:

RewriteEngine On
RewriteBase /

# When enabled, the next code line allows testing.
# It says only do the rewrite if the request is from YOUR IP address.
# Thus, you can close the site only to YOURSELF to make sure it works,
# then comment out the line again to close the site to everyone.
# Set it to your actual IP address at the time of the test.
#RewriteCond %{REMOTE_ADDR} ^111\.222\.333\.444$

# The remaining two code lines close the site. They say:
# if the request is NOT for /maintenance.php, send /maintenance.php instead.
# You MUST allow at least one file to be served without rewriting it,
# (maintenance.php in this example), to prevent endless looping.
RewriteCond %{REQUEST_URI} !^/maintenance\.php$
# To allow another file, copy the line above to here and change the filename.

# This line says: no matter what file was requested, serve maintenance.php.
# This is a rewrite (not a redirect), so we use the local file path, no http://
RewriteRule ^(.*)$ /maintenance.php [L]

Save your changes, and test.


Example code for maintenance.php or maintenance.html

Here is a maintenance.php you can use for method #2 above. The first line that says <?php must be at the very top of the file, with nothing, not even a blank line, above it.

Retry-After tells robots how long to wait (in seconds) before trying again. It is set here to 48 hours to allow for cleaning up a badly damaged website.

You can also use this text as maintenance.html for method #3 below. Just leave out the top 5 lines (the PHP code, from <?php through ?>).

<?php
header('HTTP/1.1 503 Service Temporarily Unavailable',true,503);
header('Status: 503 Service Temporarily Unavailable');
header('Retry-After: 172800');
?>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="robots" content="noindex,nofollow">
<title>503 - Temporarily Closed For Maintenance</title>
<style type="text/css">
<!--
p
{
    font-family: "Verdana", sans-serif;
}
-->
</style>
</head>
<body>

<p><b>Name of website</b></p>
<p>is temporarily closed for maintenance.</p>
<p>Normal operation will resume as soon as possible.</p>

</body>
</html>
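
A check to run once the site is closed, as an added example that is not part of the original article: it classifies the response headers so you can confirm that visitors and crawlers get a 503 with Retry-After (method #2), a bare 503 (method #1) or a 307, rather than a 200, which is what results when the header() calls in maintenance.php do not take effect. The function name, verdict strings and sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the response a "closed" site sends.
# Input: the raw header block as printed by `curl -sI URL`.

# check_closed HEADERS -> prints one verdict string
check_closed() {
    cc_headers=$(printf '%s' "$1" | tr -d '\r')   # drop CR of CRLF line ends
    # The status code is the second field of the first line: "HTTP/1.1 503 ..."
    cc_status=$(printf '%s\n' "$cc_headers" | awk 'NR==1 {print $2}')
    # Header names are case-insensitive; take the first Retry-After value.
    cc_retry=$(printf '%s\n' "$cc_headers" |
        awk -F': *' 'tolower($1)=="retry-after" {print $2; exit}')
    case "$cc_status" in
        503)
            case "$cc_retry" in
                ''|*[!0-9]*) echo "503-no-retry-after" ;;  # missing or not in seconds
                *)           echo "503-retry-after-$cc_retry" ;;
            esac ;;
        307) echo "307-temporary-redirect" ;;
        200) echo "200-not-closed" ;;             # served as an ordinary page
        *)   echo "other-${cc_status:-none}" ;;
    esac
}

# Constructed sample responses (not captured from a real server).
SAMPLE_METHOD2=$(printf 'HTTP/1.1 503 Service Temporarily Unavailable\r\nRetry-After: 172800\r\nContent-Type: text/html\r\n')
SAMPLE_METHOD1=$(printf 'HTTP/1.1 503 Service Unavailable\r\nContent-Type: text/html\r\n')
SAMPLE_METHOD3=$(printf 'HTTP/1.1 307 Temporary Redirect\r\nLocation: http://yourdomain.com/maintenance.html\r\n')
SAMPLE_BROKEN=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n')

for sample in "$SAMPLE_METHOD2" "$SAMPLE_METHOD1" "$SAMPLE_METHOD3" "$SAMPLE_BROKEN"; do
    check_closed "$sample"
done

# Against a live site, from an address that is not exempted in .htaccess:
#   check_closed "$(curl -sI http://yourdomain.com/any-page.html)"
```

Run it from a connection other than the one whose IP address you exempted, otherwise you will see the open site and a 200.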


3) Third-best way to take your site offline: 307 redirect

This method uses a code 307 redirect to serve a "Site Closed for Maintenance" page instead of whatever page was requested. The 307 tells search engine crawlers that this is a temporary condition, and the text on the page informs visitors what the problem is.

If you are not able to use PHP required by method #2, this is an alternative. Its disadvantage is that you cannot specify a Retry-After time interval.

Procedure

It is basically the same procedure as for Method #2:

  1. Use the code from the example above to create a page called maintenance.html.
  2. In .htaccess, add lines like this. You might have to adjust them depending on what rewrite code is already in the file. Lines beginning with # are comments; the others are the actual code lines:

RewriteEngine On
RewriteBase /

# When enabled, the next code line allows testing.
# It says only do the rewrite if the request is from YOUR IP address.
# Thus, you can close the site only to YOURSELF to make sure it works,
# then comment out the line again to close the site to everyone.
# Set it to your actual IP address at the time of the test.
#RewriteCond %{REMOTE_ADDR} ^111\.222\.333\.444$

# The remaining two code lines close the site. They say:
# if the request is NOT for /maintenance.html,
# tell the browser to request /maintenance.html instead, this time only.
# You MUST allow at least one file to be served and NOT redirected,
# (maintenance.html in this example), to prevent endless looping.
RewriteCond %{REQUEST_URI} !^/maintenance\.html$
#To allow another file, copy the line above to here and change the filename.

#This line says: redirect to maintenance.html.
#This is a redirect (sent back to the browser), so the full URL is required.
RewriteRule ^(.*)$ http://yourdomain.com/maintenance.html [R=307,L]


4) The fastest way to take your site offline: deny access

This method uses 2 simple lines of .htaccess code to deny web access. Anyone requesting a file gets a "403 - Forbidden" error page instead. It is very fast. It can be installed in 1-2 minutes, but it is bad because it will confuse visitors and you might lose search engine ranking or indexing for pages that are crawled during the downtime. However, you could use this method briefly during the time it takes to set up and install one of the others.

The drawbacks are:

  • Human visitors wonder why they are "Forbidden".
  • Search engine crawlers will also get the "Forbidden" response.

Procedure

  1. Go to cPanel > File Manager.
  2. Navigate to the file public_html/.htaccess. If an .htaccess file is not already there, create it as a text file. Make sure it has the leading period.
  3. Click on its filename (not the icon next to it).
  4. In the upper right corner of the screen, click Edit File.
  5. At the bottom of the file, in a location that is not between HTML-style tags like <tag></tag>, type the lines:
    (do not add a space after the comma)

    order allow,deny
    deny from all

    Further explanation: some lines of your .htaccess file might be contained between tags that look like HTML tags where the opening tag looks like <tag> and the closing tag looks like </tag>. Insert these new lines in a part of the file that is not between any of these pairs of tags.

    The reason these lines go at the bottom of the file is so that if you have another "order" directive higher in the file, this new one will override it. Apache uses only one "order", the last one it encounters.
     
  6. Click Save.

To reopen your site, remove the two .htaccess lines you added.

In addition to the purpose described here (closing the whole site), this method is useful wherever you need to make an individual folder inaccessible by web. Just put an .htaccess file with the above 2 lines in the folder you want to close.

.htaccess configurations apply to the folder where .htaccess is located and all its subdirectories. That is why, when you put this code in your top level public_html/.htaccess, it closes the entire site.

5) Fast and flexible method - deny everybody except yourself

This variation of #4 above allows you to access your site normally, but turns away everybody else. Customize the digits 111.222.333.444 below to your IP address.

# AN ALTERNATIVE THAT ALLOWS ONLY YOUR IP ADDRESS
SetEnvIfNoCase Remote_Addr .* SiteOwner=false
SetEnvIfNoCase Remote_Addr ^111\.222\.333\.444$ SiteOwner=true
SetEnvIfNoCase SiteOwner false deny_the_request
deny from env=deny_the_request


You can ask questions and get assistance in the forum.

 

Copyright ©2009 Steven Whitney. Last modified 10/22/2009.