Spring Sale! Save 30% on all books w/ code: PLANET24
Web Dev + WordPress + Security

Improve Security by Protecting .htaccess

As you know, HTAccess files are powerful tools for manipulating site performance and functionality. Protecting your site’s HTAccess files is critical to maintaining a secure environment. Fortunately, preventing access to your HTAccess files is very easy. Let’s have a look..

Different Methods

If you search around the Web, you will probably find several different methods of protecting your HTAccess files. Here are a few examples, along with a bit of analysis and discussion.

Case-sensitive protection

As far as I know, this is the most widespread method of protecting HTAccess files. Very straightforward, this code will prevent anyone from accessing any file named precisely “.htaccess”. This is not ideal because the match is case sensitive. On certain systems, HTAccess files protected with this method may remain accessible via “HTACCESS”, for example.

# CASE SENSITIVE METHOD
<Files .htaccess>
	Order allow,deny
	Deny from all
</Files>

Weak pattern matching

Recently, I have been seeing several instances of this particular technique. Using the same general strategy, this method will prevent access to any file beginning with the characters “.ht”. The assumption here is that HTAccess files are the only files that begin with “.ht”. Thus, by simply matching these first three characters, all HTAccess files — and only HTAccess files — will be protected from external access. Unsafe assumptions aside, this method also relies on a case-sensitive match in order to work. Note, however, the addition of the “Satisfy All” directive in the penultimate line — this is an improvement over the previous method.

# WEAK PATTERN MATCHING
<Files ~ "^\.ht">
	Order allow,deny
	Deny from all
	Satisfy All
</Files>

Strong pattern matching

This is the method that I use here at Perishable Press. Using strong pattern matching, this technique prevents external access to any file containing “.hta”, “.HTA”, or any case-insensitive combination thereof. To illustrate, this code will prevent access through any of the following requests:

  • .htaccess
  • .HTACCESS
  • .hTaCcEsS
  • testFILE.htaccess
  • filename.HTACCESS
  • FILEROOT.hTaCcEsS

..etc., etc. Clearly, this method is highly effective at securing your site’s HTAccess files. Further, this technique also includes the fortifying “Satisfy All” directive. Note that this code should be placed in your domain’s root HTAccess file:

# STRONG HTACCESS PROTECTION
<Files ~ "^.*\.([Hh][Tt][Aa])">
	Order allow,deny
	Deny from all
	Satisfy all
</Files>

Suggestionz

Can you improve on this technique? How do you protect your HTAccess files? Speak up!

About the Author
Jeff Starr = Web Developer. Book Author. Secretly Important.
BBQ Pro: The fastest firewall to protect your WordPress.

25 responses to “Improve Security by Protecting .htaccess”

  1. Haven’t been to your site in awhile, man is it looking amazing, nice work!

    Couple notes: FilesMatch should always be used instead of Files for regex according to Apache (and source).

    Also, the reason that by default the regex is .ht instead of .hta is to also protect .htpasswd files.

    Consider Instead

    <FilesMatch "^.*(.log|wp-config.php|.[hH][tT].*)$">
    Order allow,deny
    Deny from all
    Satisfy All
    </FilesMatch>

  2. Jeff Starr 2010/04/21 5:08 pm

    @AskApache: Very nice improvement — thanks for sharing :)

    Also great to see you back in action (online)!

  3. Thanks Jeff.. but I made a big mistake in that code.. Can you figure it out? Here’s the bad code:

    <FilesMatch "^.*(.log|wp-config.php|.[hH][tT].*)$">
    Order allow,deny
    Deny from all
    Satisfy All
    </FilesMatch>

    Here’s the fixed code.. The above code will deny all requests to .html files!

    <FilesMatch "(.log|wp-config.php|.[hH][tT][aApP].*)">
    Order allow,deny
    Deny from all
    Satisfy All
    </FilesMatch>

  4. Just remembered this little gem. It’s nice because unless the rewrite engine is off, it will always deny access, and it’s case-insensitive

    RewriteRule .ht[ap] - [NC,F]

  5. Very nice! =)

  6. kalpesh patel 2012/05/08 6:15 pm

    so if i use this code

    # CASE SENSITIVE METHOD
    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>

    will the .htaccess file in my public_html would be readable by bots and any visitors ? i hope there wont be any issue regarding..reading .htaccess ?

    • When placed in your site’s root .htaccess file, that code will prevent anything from accessing your .htaccess files in the root directory and all subdirectories.

      Note that Apache now protects .htaccess files by default, so in most cases there is no need to add this code. It depends on your server setup and general level of paranoia.

  7. Justin Throngard 2012/06/28 9:57 am

    You have any suggestions for Joomla running on Apache?
    I’m getting really tired of trying to protect htaccess files, so I am going to start using:

    # Protect the htaccess file
    order allow,deny
    deny from all

    But if you think there are better methods for Joomla on Apache (which should only be using .htaccess instead of any other version, right?) I’d like to know what the best way is to protect all my sites.

    • Apache protects .htaccess files by default, so you shouldn’t need to add any code to protect them. I do it because I’m paranoid, and because I didn’t realize that Apache already does this in the main configuration file (httpd.conf). I hope this helps.

  8. So someone hacked my site and now there is a script that creates infected .htaccess files. I changed passwords for ftp and hosting, deleted the infected .htaccess files and replaced them with basic and clean ones, but i dont know how to use your code for making them secure. Where exactly do i write the code?

  9. I have the same problem as Antonis. Any suggestions how to protect .htaccess files against malicious backdoor scripts?

  10. Lieven test2 2013/01/17 1:39 am

    # STRONG HTACCESS PROTECTION
    <Files ~ "^.*\.([Hh][Tt][AaPp])">
    order allow,deny
    deny from all
    satisfy all
    </Files>

Comments are closed for this post. Something to add? Let me know.
Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
Banhammer: Protect your WordPress site against threats.
Thoughts
I live right next door to the absolute loudest car in town. And the owner loves to drive it.
8G Firewall now out of beta testing, ready for use on production sites.
It's all about that ad revenue baby.
Note to self: encrypting 500 GB of data on my iMac takes around 8 hours.
Getting back into things after a bit of a break. Currently 7° F outside. Chillz.
2024 is going to make 2020 look like a vacation. Prepare accordingly.
First snow of the year :)
Newsletter
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.