Improve Security by Protecting .htaccess

♦ Posted by Jeff Starr in .htaccess, Security

Updated July 4, 2018 • 25 comments

As you know, HTAccess files are powerful tools for manipulating site performance and functionality. Protecting your site’s HTAccess files is critical to maintaining a secure environment. Fortunately, preventing access to your HTAccess files is very easy. Let’s have a look..

Different Methods

If you search around the Web, you will probably find several different methods of protecting your HTAccess files. Here are a few examples, along with a bit of analysis and discussion.

Case-sensitive protection

As far as I know, this is the most widespread method of protecting HTAccess files. Very straightforward, this code will prevent anyone from accessing any file named precisely “.htaccess”. This is not ideal because the match is case sensitive. On certain systems, HTAccess files protected with this method may remain accessible via “HTACCESS”, for example.

# CASE SENSITIVE METHOD
<Files .htaccess>
	Order allow,deny
	Deny from all
</Files>

Weak pattern matching

Recently, I have been seeing several instances of this particular technique. Using the same general strategy, this method will prevent access to any file beginning with the characters “.ht”. The assumption here is that HTAccess files are the only files that begin with “.ht”. Thus, by simply matching these first three characters, all HTAccess files — and only HTAccess files — will be protected from external access. Unsafe assumptions aside, this method also relies on a case-sensitive match in order to work. Note, however, the addition of the “Satisfy All” directive in the penultimate line — this is an improvement over the previous method.

# WEAK PATTERN MATCHING
<Files ~ "^\.ht">
	Order allow,deny
	Deny from all
	Satisfy All
</Files>

Strong pattern matching

This is the method that I use here at Perishable Press. Using strong pattern matching, this technique prevents external access to any file containing “.hta”, “.HTA”, or any case-insensitive combination thereof. To illustrate, this code will prevent access through any of the following requests:

.htaccess
.HTACCESS
.hTaCcEsS
testFILE.htaccess
filename.HTACCESS
FILEROOT.hTaCcEsS

..etc., etc. Clearly, this method is highly effective at securing your site’s HTAccess files. Further, this technique also includes the fortifying “Satisfy All” directive. Note that this code should be placed in your domain’s root HTAccess file:

# STRONG HTACCESS PROTECTION
<Files ~ "^.*\.([Hh][Tt][Aa])">
	Order allow,deny
	Deny from all
	Satisfy all
</Files>

Suggestionz

Can you improve on this technique? How do you protect your HTAccess files? Speak up!

apache tips

About the Author

Jeff Starr = Web Developer. Book Author. Secretly Important.

25 responses to “Improve Security by Protecting .htaccess”

AskApache 2010/04/19 12:17 am

Haven’t been to your site in awhile, man is it looking amazing, nice work!

Couple notes: FilesMatch should always be used instead of Files for regex according to Apache (and source).

Also, the reason that by default the regex is .ht instead of .hta is to also protect .htpasswd files.

Consider Instead

<FilesMatch "^.*(.log|wp-config.php|.[hH][tT].*)$">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>

Jeff Starr 2010/04/21 5:08 pm • Post Author

@AskApache: Very nice improvement — thanks for sharing :)

Also great to see you back in action (online)!

AskApache 2010/04/22 2:25 am

Thanks Jeff.. but I made a big mistake in that code.. Can you figure it out? Here’s the bad code:

<FilesMatch "^.*(.log|wp-config.php|.[hH][tT].*)$">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>

Here’s the fixed code.. The above code will deny all requests to .html files!

<FilesMatch "(.log|wp-config.php|.[hH][tT][aApP].*)">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>

AskApache 2010/04/22 6:43 am

Just remembered this little gem. It’s nice because unless the rewrite engine is off, it will always deny access, and it’s case-insensitive

RewriteRule .ht[ap] - [NC,F]

Jeff Starr 2010/04/25 10:01 pm • Post Author

Very nice! =)

kalpesh patel 2012/05/08 6:15 pm

so if i use this code

# CASE SENSITIVE METHOD
<Files .htaccess>
order allow,deny
deny from all
</Files>

will the .htaccess file in my public_html would be readable by bots and any visitors ? i hope there wont be any issue regarding..reading .htaccess ?

Jeff Starr 2012/05/10 12:36 pm • Post Author

When placed in your site’s root .htaccess file, that code will prevent anything from accessing your .htaccess files in the root directory and all subdirectories.

Note that Apache now protects .htaccess files by default, so in most cases there is no need to add this code. It depends on your server setup and general level of paranoia.

Justin Throngard 2012/06/28 9:57 am

You have any suggestions for Joomla running on Apache?
I’m getting really tired of trying to protect htaccess files, so I am going to start using:

# Protect the htaccess file
order allow,deny
deny from all

But if you think there are better methods for Joomla on Apache (which should only be using .htaccess instead of any other version, right?) I’d like to know what the best way is to protect all my sites.

Jeff Starr 2012/07/02 10:50 am • Post Author

Apache protects .htaccess files by default, so you shouldn’t need to add any code to protect them. I do it because I’m paranoid, and because I didn’t realize that Apache already does this in the main configuration file (httpd.conf). I hope this helps.

Antonis 2012/08/26 6:13 am

So someone hacked my site and now there is a script that creates infected .htaccess files. I changed passwords for ftp and hosting, deleted the infected .htaccess files and replaced them with basic and clean ones, but i dont know how to use your code for making them secure. Where exactly do i write the code?

Lio 2012/10/04 7:25 pm

I have the same problem as Antonis. Any suggestions how to protect .htaccess files against malicious backdoor scripts?

Jeff Starr 2012/10/04 9:31 pm • Post Author

Have you looked at the 5G Blacklist?

https://perishablepress.com/5g-blacklist-2012/

Lieven test2 2013/01/17 1:39 am

# STRONG HTACCESS PROTECTION
<Files ~ "^.*\.([Hh][Tt][AaPp])">
order allow,deny
deny from all
satisfy all
</Files>

Comments are closed for this post. Something to add? Let me know.

AskApache 2010/04/19 12:17 am

Haven’t been to your site in awhile, man is it looking amazing, nice work!

Couple notes: FilesMatch should always be used instead of Files for regex according to Apache (and source).

Also, the reason that by default the regex is .ht instead of .hta is to also protect .htpasswd files.

Consider Instead

<FilesMatch "^.*(.log|wp-config.php|.[hH][tT].*)$">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
Jeff Starr 2010/04/21 5:08 pm • Post Author

@AskApache: Very nice improvement — thanks for sharing :)

Also great to see you back in action (online)!
AskApache 2010/04/22 2:25 am

Thanks Jeff.. but I made a big mistake in that code.. Can you figure it out? Here’s the bad code:

<FilesMatch "^.*(.log|wp-config.php|.[hH][tT].*)$">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>

Here’s the fixed code.. The above code will deny all requests to .html files!

<FilesMatch "(.log|wp-config.php|.[hH][tT][aApP].*)">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
AskApache 2010/04/22 6:43 am

Just remembered this little gem. It’s nice because unless the rewrite engine is off, it will always deny access, and it’s case-insensitive

RewriteRule .ht[ap] - [NC,F]
Jeff Starr 2010/04/25 10:01 pm • Post Author

Very nice! =)
kalpesh patel 2012/05/08 6:15 pm

so if i use this code

# CASE SENSITIVE METHOD
<Files .htaccess>
order allow,deny
deny from all
</Files>

will the .htaccess file in my public_html would be readable by bots and any visitors ? i hope there wont be any issue regarding..reading .htaccess ?
- Jeff Starr 2012/05/10 12:36 pm • Post Author
  
  When placed in your site’s root .htaccess file, that code will prevent anything from accessing your .htaccess files in the root directory and all subdirectories.
  
  Note that Apache now protects .htaccess files by default, so in most cases there is no need to add this code. It depends on your server setup and general level of paranoia.
Justin Throngard 2012/06/28 9:57 am

You have any suggestions for Joomla running on Apache?
I’m getting really tired of trying to protect htaccess files, so I am going to start using:

# Protect the htaccess file
order allow,deny
deny from all

But if you think there are better methods for Joomla on Apache (which should only be using .htaccess instead of any other version, right?) I’d like to know what the best way is to protect all my sites.
- Jeff Starr 2012/07/02 10:50 am • Post Author
  
  Apache protects .htaccess files by default, so you shouldn’t need to add any code to protect them. I do it because I’m paranoid, and because I didn’t realize that Apache already does this in the main configuration file (httpd.conf). I hope this helps.
Antonis 2012/08/26 6:13 am

So someone hacked my site and now there is a script that creates infected .htaccess files. I changed passwords for ftp and hosting, deleted the infected .htaccess files and replaced them with basic and clean ones, but i dont know how to use your code for making them secure. Where exactly do i write the code?
Lio 2012/10/04 7:25 pm

I have the same problem as Antonis. Any suggestions how to protect .htaccess files against malicious backdoor scripts?
- Jeff Starr 2012/10/04 9:31 pm • Post Author
  
  Have you looked at the 5G Blacklist?
  
  https://perishablepress.com/5g-blacklist-2012/
Lieven test2 2013/01/17 1:39 am

# STRONG HTACCESS PROTECTION
<Files ~ "^.*\.([Hh][Tt][AaPp])">
order allow,deny
deny from all
satisfy all
</Files>

« Previous Comments • 12