Latest TweetsNew version of Disable Gutenberg includes options to disable for specific theme templates and/or post/page IDs. wordpress.org/plugins/disable-…
Perishable Press

Improve Security by Protecting .htaccess

As you know, HTAccess files are powerful tools for manipulating site performance and functionality. Protecting your site’s HTAccess files is critical to maintaining a secure environment. Fortunately, preventing access to your HTAccess files is very easy. Let’s have a look..

Different Methods

If you search around the Web, you will probably find several different methods of protecting your HTAccess files. Here are a few examples, along with a bit of analysis and discussion.

Case-sensitive protection

As far as I know, this is the most widespread method of protecting HTAccess files. Very straightforward, this code will prevent anyone from accessing any file named precisely “.htaccess”. This is not ideal because the match is case sensitive. On certain systems, HTAccess files protected with this method may remain accessible via “HTACCESS”, for example.

# CASE SENSITIVE METHOD
<Files .htaccess>
	Order allow,deny
	Deny from all
</Files>

Weak pattern matching

Recently, I have been seeing several instances of this particular technique. Using the same general strategy, this method will prevent access to any file beginning with the characters “.ht”. The assumption here is that HTAccess files are the only files that begin with “.ht”. Thus, by simply matching these first three characters, all HTAccess files — and only HTAccess files — will be protected from external access. Unsafe assumptions aside, this method also relies on a case-sensitive match in order to work. Note, however, the addition of the “Satisfy All” directive in the penultimate line — this is an improvement over the previous method.

# WEAK PATTERN MATCHING
<Files ~ "^\.ht">
	Order allow,deny
	Deny from all
	Satisfy All
</Files>

Strong pattern matching

This is the method that I use here at Perishable Press. Using strong pattern matching, this technique prevents external access to any file containing “.hta”, “.HTA”, or any case-insensitive combination thereof. To illustrate, this code will prevent access through any of the following requests:

  • .htaccess
  • .HTACCESS
  • .hTaCcEsS
  • testFILE.htaccess
  • filename.HTACCESS
  • FILEROOT.hTaCcEsS

..etc., etc. Clearly, this method is highly effective at securing your site’s HTAccess files. Further, this technique also includes the fortifying “Satisfy All” directive. Note that this code should be placed in your domain’s root HTAccess file:

# STRONG HTACCESS PROTECTION
<Files ~ "^.*\.([Hh][Tt][Aa])">
	Order allow,deny
	Deny from all
	Satisfy all
</Files>

Suggestionz

Can you improve on this technique? How do you protect your HTAccess files? Speak up!

Jeff Starr
About the Author Jeff Starr = Designer. Developer. Producer. Writer. Editor. Etc.
Archives
25 responses
  1. Haven’t been to your site in awhile, man is it looking amazing, nice work!

    Couple notes: FilesMatch should always be used instead of Files for regex according to Apache (and source).

    Also, the reason that by default the regex is .ht instead of .hta is to also protect .htpasswd files.

    Consider Instead

    <FilesMatch "^.*(.log|wp-config.php|.[hH][tT].*)$">
    Order allow,deny
    Deny from all
    Satisfy All
    </FilesMatch>

  2. Jeff Starr

    @AskApache: Very nice improvement — thanks for sharing :)

    Also great to see you back in action (online)!

  3. Thanks Jeff.. but I made a big mistake in that code.. Can you figure it out? Here’s the bad code:

    <FilesMatch "^.*(.log|wp-config.php|.[hH][tT].*)$">
    Order allow,deny
    Deny from all
    Satisfy All
    </FilesMatch>

    Here’s the fixed code.. The above code will deny all requests to .html files!

    <FilesMatch "(.log|wp-config.php|.[hH][tT][aApP].*)">
    Order allow,deny
    Deny from all
    Satisfy All
    </FilesMatch>

  4. Just remembered this little gem. It’s nice because unless the rewrite engine is off, it will always deny access, and it’s case-insensitive

    RewriteRule .ht[ap] - [NC,F]

  5. kalpesh patel May 8, 2012 @ 6:15 pm

    so if i use this code

    # CASE SENSITIVE METHOD
    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>

    will the .htaccess file in my public_html would be readable by bots and any visitors ? i hope there wont be any issue regarding..reading .htaccess ?

    • Jeff Starr

      When placed in your site’s root .htaccess file, that code will prevent anything from accessing your .htaccess files in the root directory and all subdirectories.

      Note that Apache now protects .htaccess files by default, so in most cases there is no need to add this code. It depends on your server setup and general level of paranoia.

  6. Justin Throngard June 28, 2012 @ 9:57 am

    You have any suggestions for Joomla running on Apache?
    I’m getting really tired of trying to protect htaccess files, so I am going to start using:

    # Protect the htaccess file
    order allow,deny
    deny from all

    But if you think there are better methods for Joomla on Apache (which should only be using .htaccess instead of any other version, right?) I’d like to know what the best way is to protect all my sites.

    • Jeff Starr

      Apache protects .htaccess files by default, so you shouldn’t need to add any code to protect them. I do it because I’m paranoid, and because I didn’t realize that Apache already does this in the main configuration file (httpd.conf). I hope this helps.

  7. So someone hacked my site and now there is a script that creates infected .htaccess files. I changed passwords for ftp and hosting, deleted the infected .htaccess files and replaced them with basic and clean ones, but i dont know how to use your code for making them secure. Where exactly do i write the code?

  8. I have the same problem as Antonis. Any suggestions how to protect .htaccess files against malicious backdoor scripts?

  9. Lieven test2 January 17, 2013 @ 1:39 am

    # STRONG HTACCESS PROTECTION
    <Files ~ "^.*\.([Hh][Tt][AaPp])">
    order allow,deny
    deny from all
    satisfy all
    </Files>

[ Comments are closed for this post ]