Save 25% on Wizard’s SQL for WP w/ code: WIZARDSQL
Web Dev + WordPress + Security

Improve Security by Protecting .htaccess

As you know, HTAccess files are powerful tools for manipulating site performance and functionality. Protecting your site’s HTAccess files is critical to maintaining a secure environment. Fortunately, preventing access to your HTAccess files is very easy. Let’s have a look..

Different Methods

If you search around the Web, you will probably find several different methods of protecting your HTAccess files. Here are a few examples, along with a bit of analysis and discussion.

Case-sensitive protection

As far as I know, this is the most widespread method of protecting HTAccess files. Very straightforward, this code will prevent anyone from accessing any file named precisely “.htaccess”. This is not ideal because the match is case sensitive. On certain systems, HTAccess files protected with this method may remain accessible via “HTACCESS”, for example.

<Files .htaccess>
	Order allow,deny
	Deny from all

Weak pattern matching

Recently, I have been seeing several instances of this particular technique. Using the same general strategy, this method will prevent access to any file beginning with the characters “.ht”. The assumption here is that HTAccess files are the only files that begin with “.ht”. Thus, by simply matching these first three characters, all HTAccess files — and only HTAccess files — will be protected from external access. Unsafe assumptions aside, this method also relies on a case-sensitive match in order to work. Note, however, the addition of the “Satisfy All” directive in the penultimate line — this is an improvement over the previous method.

<Files ~ "^\.ht">
	Order allow,deny
	Deny from all
	Satisfy All

Strong pattern matching

This is the method that I use here at Perishable Press. Using strong pattern matching, this technique prevents external access to any file containing “.hta”, “.HTA”, or any case-insensitive combination thereof. To illustrate, this code will prevent access through any of the following requests:

  • .htaccess
  • .hTaCcEsS
  • testFILE.htaccess
  • filename.HTACCESS

..etc., etc. Clearly, this method is highly effective at securing your site’s HTAccess files. Further, this technique also includes the fortifying “Satisfy All” directive. Note that this code should be placed in your domain’s root HTAccess file:

<Files ~ "^.*\.([Hh][Tt][Aa])">
	Order allow,deny
	Deny from all
	Satisfy all


Can you improve on this technique? How do you protect your HTAccess files? Speak up!

Jeff Starr
About the Author
Jeff Starr = Web Developer. Book Author. Secretly Important.
The Tao of WordPress: Master the art of WordPress.

25 responses to “Improve Security by Protecting .htaccess”

  1. I can see how your version is superior and thanks for sharing, but don’t understand the need for “satisfy all”. According to both apache 1.3 and 2.0 docs, satisy all/any is only useful when combined with “require”, i.e.satisy user auth and deny/permit.You are far more knowledgable with .htaccess and apache than I am, so was just wondering if there is anything I’m missing with this because I didn’t see a require directive here.

  2. Avatar photo
    Perishable 2008/05/20 9:13 pm

    Yes, you are correct. I should have verified my sources before posting this article. Although I don’t think inclusion of the “satisfy all” directive does any particular harm when used in this context, it certainly isn’t “fortifying” anything either.

    Thanks for keeping me honest, Sat! ;)

  3. Hey, I though the .htaccess were by default protected from external queries !

    I wonder if it wouldn’t be easier (and less ressources eating) to CHMOD the .htaccess so that it can only be read by the server.

  4. Avatar photo
    Perishable 2008/05/21 4:28 pm

    The idea here is to protect your htaccess files on multiple fronts. Yes, on properly configured servers, htaccess files should be restricted by default, however, if someone discovers an associated vulnerability, and no additional security measures are in place, serious damage could be done. As you mention, setting an appropriate CHMOD value for htaccess files is also important, as it provides a secondary measure of protection, however, even then, if someone discovers a way around this, extensive damage could be done. Granted, these cases are merely hypothetical, however because of the inherent power involved with htaccess directives, it is important to secure htaccess files on as many levels as possible. The protective technique(s) provided in this article provide a tertiary level of defense on properly configured machines.

    Bottom line: it never hurts to have too much protection when it comes to htaccess. If a fourth method were available, I would use it as well.

  5. Avatar photo

    Thank you very much for your blog: it was (and is) very very useful to me.

    About CHMOD of htaccess, can I know what’s the best value? 644?

  6. Avatar photo
    Jeff Starr 2008/09/01 9:54 am

    Hi Aldo, Thanks for the kind words :)

    As for CHMOD values, it’s always best to use the most secure settings possible. That is, if you can get away with using 644 and still maintain the desired functionality, then use it. If that is too restrictive, then try the next least permissive setting (e.g., 755), and so on. Only as a last reort (and in some cases not at all) should you enable full rights (e.g., 777) for any file or folder. Unfortunately, in many cases, that is the only thing that will work.

  7. Avatar photo

    Yep, I am using 644!
    Thanks for your kind reply. ;)

  8. It is even safer to use 444 CHMOD code rather than 644.

  9. Avatar photo

    @Alex: indeed, that is the case if the file/folder retains its functionality with such restrictive settings applied. In my experience, some server configurations are rather picky when it comes to file permissions. My rule of thumb is to always go with the most secure settings possible, but unfortunately on my current server, 644 is about as restrictive as I can go without sacrificing functionality.

  10. Avatar photo

    First of all, all the servers I’ve encountered don’t let people browse .htaccess.

    Second, I don’t see how any 444 (-r–r–r–) permission or looser is considered secure in terms of not letting somebody read something.

    If you want something wacky, see where people can execute PHP left and right.

  11. Avatar photo
    Tom Lewis 2009/04/04 7:31 am

    Oh, wow, thats ausom, i didnt realize that you could read other peoples .htaccess files!

    Thanks for the heads up!

  12. Avatar photo

    @Tom Lewis: Actually you can’t. At least not theoretically. When Apache is installed and configured correctly with the proper modules and security settings implemented, external access to per-directory HTAccess files is explicitly prohibited.

    Of course, when these conditions aren’t met, or if there is a conflict with a third-party script, Frontpage extensions, or even other HTAccess directives, the protective measures for HTAccess files may not function as expected.

    Such situations are hopefully rare, but the information provided in this post should cover your bases and keep your site secure should such a vulnerability present itself.

    Better safe than sorry!

Comments are closed for this post. Something to add? Let me know.
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
BBQ Pro: The fastest firewall to protect your WordPress.
Daylight savings is a complete waste of time and needs to be eliminated.
Got a couple of snow days here in mid-March. Fortunately it's not sticking.
I handle all email in real time as it comes in, perpetually clear inbox for years now.
Added some nice features to Wutsearch search engine launchpad. Now 21 engines!
.wp TLD plz :)
Nice collection of free SEO APIs and user-agent lookups for Googlebot, Bingbot, Applebot, YandexBot, and more.
90% of online customer support is just explaining how to do basic troubleshooting.
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.