The 9 most important security settings in .htaccess

.htaccess files provide a way to make configurative changes on a per-directory basis. A file containing one or more configuration directives is placed in a particular document directory and the directives are applied to that directory and all sub-directories thereof.

Below you see a list of the most important rules that you can add to your .htaccess file to enhance security, by greatly limiting the exposure of your website to many types of attacks.

Tip:

First of all, you must rename the htaccess.txt file to .htaccess


# Disable the server signature 
ServerSignature Off

This will block unauthorized external access to .htaccess.


# Prevent access to .htaccess
<Files .htaccess>
Order allow, deny
Deny from all
</Files>

This will limit bandwidth consumption for PHP enabled servers.


# Limit bandwidth consumption
<ifmodule mod_php5.c>
php_value zlib.output_compression 16386
</ifmodule>


# Disable unauthorized directory browsing 
Options All - Indexes

This will block access to specific files.


# Block access to specific file
<files myfile.doc>
Order allow, deny
Deny from all
</files>

This will block access to multiple file types.


# Block access to multiple file types
<FilesMatch "\.(htaccess|htpasswd|ini|psd|log|sh)$">
Order allow, deny
Deny from all
</FilesMatch>

This will allow access to specific IP's or domains or restrict access to specific IP's or domains.


# Restrict access to IP's & domains (replace x with numbers)
<Limit GET POST PUT>
Order allow, deny
allow from all
deny from xx.xxx.xx.xxx
deny from .*domain\.com.*
</Limit>

This will change the file extension to whatever you like. Note that you should also rename your file extension to the setting you apply here.


# Disguise php files as html files 
AddType application/x-httpd-html .php


# Protect a single file
<Files myfile.php>
AuthType Basic
AuthName "Mypassword"
AuthUserFile /home/path/.htpasswd
Require valid-user
</Files>

# Protect multiple files
<FilesMatch "^(execute|index|myfile|anotherfile)*$">
AuthType Basic
AuthName "Mypassword"
AuthUserFile /home/path/.htpasswd
Require valid-user
</FilesMatch>

With this rule you can set your own set of custom error pages.


# Display custom error pages 
ErrorDocument 400 /errors/400.html 
ErrorDocument 404 /errors/404.html 
ErrorDocument 500 /errors/500.html

Subscribe to our Blog
Subscribe to this content and receive updates directly in your inbox.
Name
Email

This website uses cookies so that we can provide you with the best user experience. By clicking "continue" you agree to cookies being used in accordance with our Cookies Policy.

Search