In short, my website has a single payments page. An SSL certificate is installed but is not required except for that one payments page.
With regards to my .htaccess file - I currently separate my payments page with the following code. I also block visitors from semalt.com. Can't remember exactly why, but I think I was receiving unwanted attention (spam) from them at the time.
What I would like to know is:
Options +FollowSymlinks
RewriteEngine On
RewriteBase /
# RewriteCond %{HTTP_HOST} !^example\.com$ [NC]
# RewriteRule .* http://example.com%{REQUEST_URI} [L,R=301]

RewriteCond %{HTTPS} off
RewriteRule ^payment\.html$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# block visitors referred from semalt.com
RewriteEngine on
RewriteCond %{HTTP_REFERER} semalt\.com [NC]
RewriteRule .* - [F]
# End semalt block
# block referer spam buttons for website
RewriteEngine On
RewriteCond %{HTTP_REFERER} buttons\-for\-website\.com
RewriteRule ^.* - [F,L]
# End buttons for website block

ErrorDocument 404 /404.html
The main thing I would address is that you are only redirecting to HTTPS for your payments page. You should be forcing HTTPS for your entire site - everywhere. These days browsers alert users to the fact that they are browsing an insecure connection if on HTTP (Google Chrome states "Not Secure" next to the URL), which doesn't do anything for user trust. This is the main thing that would have changed in the last 5 years - HTTPS is mandatory everywhere.
There is no good reason not to use HTTPS everywhere these days.
Assuming the rest of your site is already HTTPS "ready" (I assume it must be and you aren't sending users back to HTTP from your payment page?!) then change the HTTP to HTTPS redirect to include your entire site:
# HTTP to HTTPS
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
2) do I need to address canonicalization by directing to either a www or non-www version of mywebsite (importantly without affecting that one important https payments page); is it necessary?
Yes, you should. You already have the directives at the top of your .htaccess file - but they are commented out? You may have already set the rel="canonical" element in the head of your pages, but otherwise, if www and non-www are both available then this is potentially duplicate content (same content available from 2 or more different URLs). You need to decide which: www or non-www? Which do you currently favour? Which (predominantly) is already indexed? Which does your payments page use? (Hopefully, the answer is the same to all the above.)
Also redirect directly to HTTPS as part of this redirect. And this should go before the current HTTP to HTTPS redirect (the same order as currently in your .htaccess file):
# Redirect to non-www
RewriteCond %{HTTP_HOST} !=example.com
RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]
Note that the above www to non-www redirect assumes you are not using any other subdomains. To redirect to www.example.com, just change both instances of example.com.
RewriteCond %{HTTP_REFERER} semalt\.com [NC]
RewriteRule .* - [F]
Ok, if it helps - check your server logs if this is doing anything for you. But change the .* regex to ^ (marginally more efficient). And any blocking directives should be at the very top of the file (you don't want to bother canonicalising these requests).
RewriteCond %{HTTP_REFERER} buttons\-for\-website\.com
RewriteRule ^.* - [F,L]
Again - OK, it helps (does it?!). Optimise the regex as above. No need to backslash escape literal hyphens in the CondPattern (unless they appear in the middle of a character class). The L flag is not required when used with F.
Other notes:
- You only need one RewriteEngine On directive.
- The RewriteBase / directive is not required with your current directives.
- ErrorDocuments at the top of the file.
Bringing the above points together we have:
Options +FollowSymlinks
ErrorDocument 404 /404.html
RewriteEngine On
# block visitors referred from semalt.com
RewriteCond %{HTTP_REFERER} semalt\.com [NC]
RewriteRule ^ - [F]
# block referer spam buttons for website
RewriteCond %{HTTP_REFERER} buttons-for-website\.com [NC]
RewriteRule ^ - [F]
# Redirect to non-www
RewriteCond %{HTTP_HOST} !=example.com
RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]
# HTTP to HTTPS
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
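As an added illustration (not part of the answer above), the following Python model compares the question's rule ordering with the answer's final ruleset and shows why the host redirect should go straight to HTTPS: a browser hitting http://www.example.com/payment.html follows one hop instead of two. It is a simplified model of these specific directives, not a mod_rewrite engine: referer matching is a substring test and the host comparison is exact, as with the != operator.

```python
from urllib.parse import urlsplit, urlunsplit

CANONICAL_HOST = "example.com"  # host used in the answer's redirect
# Referrers blocked by the page's two [F] rules
SPAM_REFERERS = ("semalt.com", "buttons-for-website.com")


def apply_rules(url, referer=""):
    """Answer's final ordering: block first, then canonicalise host
    directly to HTTPS, then plain HTTP -> HTTPS for the canonical host.
    Returns (status, location) for one request."""
    parts = urlsplit(url)
    if any(s in referer.lower() for s in SPAM_REFERERS):
        return 403, None  # RewriteRule ^ - [F]
    if parts.hostname != CANONICAL_HOST:  # RewriteCond %{HTTP_HOST} !=example.com
        return 301, urlunsplit(("https", CANONICAL_HOST, parts.path, parts.query, ""))
    if parts.scheme != "https":  # RewriteCond %{HTTPS} off
        return 301, urlunsplit(("https", parts.netloc, parts.path, parts.query, ""))
    return 200, None


def apply_original_rules(url, referer=""):
    """Question's ordering with its commented-out canonical rules enabled:
    the host redirect targets http://, and only /payment.html is forced to
    HTTPS, so the rest of the site stays on plain HTTP."""
    parts = urlsplit(url)
    if parts.hostname != CANONICAL_HOST:
        return 301, urlunsplit(("http", CANONICAL_HOST, parts.path, parts.query, ""))
    if parts.scheme != "https" and parts.path == "/payment.html":
        return 301, urlunsplit(("https", parts.netloc, parts.path, parts.query, ""))
    if any(s in referer.lower() for s in SPAM_REFERERS):
        return 403, None
    return 200, None


def redirect_chain(rules, url, referer=""):
    """Follow 301s the way a browser would; return (final status, hops)."""
    hops = []
    status, location = rules(url, referer)
    while status == 301:
        hops.append(location)
        status, location = rules(location, referer)
    return status, hops


if __name__ == "__main__":
    for rules in (apply_original_rules, apply_rules):
        print(rules.__name__, redirect_chain(rules, "http://www.example.com/payment.html"))
```

Running the module prints two hops for the original ordering and one for the answer's, which is what you should also see in the server logs once the redirects are live.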