As you know, HTAccess files are powerful tools for manipulating site performance and functionality. Protecting your site’s HTAccess files is critical to maintaining a secure environment. Fortunately, preventing access to your HTAccess files is very easy. Let’s have a look..
Different Methods
If you search around the Web, you will probably find several different methods of protecting your HTAccess files. Here are a few examples, along with a bit of analysis:
Case-sensitive protection — As far as I know, this is the most widespread method of protecting HTAccess files. Very straightforward, this code will prevent anyone from accessing any file named precisely “.htaccess”. This is not ideal because the match is case sensitive. On certain systems, HTAccess files protected with this method may remain accessible via “HTACCESS”, for example.
# CASE SENSITIVE METHOD
<Files .htaccess>
order allow,deny
deny from all
</Files>
Weak pattern matching — Recently, I have been seeing several instances of this particular technique. Using the same general strategy, this method will prevent access to any file beginning with the characters “.ht”. The assumption here is that HTAccess files are the only files that begin with “.ht”. Thus, by simply matching these first three characters, all HTAccess files — and only HTAccess files — will be protected from external access. Unsafe assumptions aside, this method also relies on a case-sensitive match in order to work. Note, however, the addition of the “Satisfy All” directive in the penultimate line — this is an improvement over the previous method.
# WEAK PATTERN MATCHING
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>
Strong pattern matching — This is the method that I use here at Perishable Press. Using strong pattern matching, this technique prevents external access to any file containing “.hta”, “.HTA”, or any case-insensitive combination thereof. To illustrate, this code will prevent access through any of the following requests:
- .
htaccess - .
HTACCESS - .
hTaCcEsS testFILE.htaccessfilename.HTACCESSFILEROOT.hTaCcEsS
..etc., etc. Clearly, this method is highly effective at securing your site’s HTAccess files. Further, this technique also includes the fortifying “Satisfy All” directive. Note that this code should be placed in your domain’s root HTAccess file:
# STRONG HTACCESS PROTECTION
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
Suggestionz
Can you improve on this technique? How do you protect your HTAccess files? Speak up!
25 Responses
AskApache – April 19, 2010 •
Haven’t been to your site in awhile, man is it looking amazing, nice work!
Couple notes:
FilesMatchshould always be used instead ofFilesfor regex according to Apache (and source).Also, the reason that by default the regex is
\.htinstead of\.htais to also protect .htpasswd files.Consider Instead
<FilesMatch "^.*(\.log|wp-config\.php|\.[hH][tT].*)$">Order allow,denyDeny from allSatisfy All</FilesMatch>Jeff Starr – April 21, 2010 •
@AskApache: Very nice improvement — thanks for sharing :)
Also great to see you back in action (online)!
AskApache – April 22, 2010 •
Thanks Jeff.. but I made a big mistake in that code.. Can you figure it out? Here’s the bad code:
<FilesMatch "^.*(\.log|wp-config\.php|\.[hH][tT].*)$">Order allow,denyDeny from allSatisfy All</FilesMatch>Here’s the fixed code.. The above code will deny all requests to .html files!
<FilesMatch "(\.log|wp-config\.php|\.[hH][tT][aApP].*)">Order allow,denyDeny from allSatisfy All</FilesMatch>AskApache – April 22, 2010 •
Just remembered this little gem. It’s nice because unless the rewrite engine is off, it will always deny access, and it’s case-insensitive
RewriteRule \.ht[ap] - [NC,F]Jeff Starr – April 25, 2010 •
Very nice! =)
kalpesh patel – May 8, 2012 •
so if i use this code
# CASE SENSITIVE METHOD<Files .htaccess>order allow,denydeny from all</Files>will the .htaccess file in my public_html would be readable by bots and any visitors ? i hope there wont be any issue regarding..reading .htaccess ?
Jeff Starr – May 10, 2012 •
When placed in your site’s root .htaccess file, that code will prevent anything from accessing your .htaccess files in the root directory and all subdirectories.
Note that Apache now protects .htaccess files by default, so in most cases there is no need to add this code. It depends on your server setup and general level of paranoia.
Justin Throngard – June 28, 2012 •
You have any suggestions for Joomla running on Apache?
I’m getting really tired of trying to protect htaccess files, so I am going to start using:
# Protect the htaccess fileorder allow,denydeny from allBut if you think there are better methods for Joomla on Apache (which should only be using .htaccess instead of any other version, right?) I’d like to know what the best way is to protect all my sites.
Jeff Starr – July 2, 2012 •
Apache protects .htaccess files by default, so you shouldn’t need to add any code to protect them. I do it because I’m paranoid, and because I didn’t realize that Apache already does this in the main configuration file (httpd.conf). I hope this helps.
Antonis – August 26, 2012 •
So someone hacked my site and now there is a script that creates infected .htaccess files. I changed passwords for ftp and hosting, deleted the infected .htaccess files and replaced them with basic and clean ones, but i dont know how to use your code for making them secure. Where exactly do i write the code?
Lio – October 4, 2012 •
I have the same problem as Antonis. Any suggestions how to protect .htaccess files against malicious backdoor scripts?
Jeff Starr – October 4, 2012 •
Have you looked at the 5G Blacklist?
http://perishablepress.com/5g-blacklist-2012/
Lieven test2 – January 17, 2013 •
# STRONG HTACCESS PROTECTION<Files ~ "^.*\.([Hh][Tt][AaPp])">order allow,denydeny from allsatisfy all</Files>