Coding starts here
Home / Blog

Secure site through HTACCESS

A collection of useful .htaccess codes.
To work all of these, add the following line at the beginning to your .htaccess file.

Options +FollowSymlinks 
RewriteEngine on
RewriteBase /
  • Deny all accessing your site

    Deny All Access
  • Deny All Access Except Yours

    Order deny,allow
    Deny from all
    Allow from xxx.xxx.xxx.xxx	

    Where xxx.xxx.xxx.xxx is your IP Address. If you replace the last three digits with 0/12 for example, this will specify a range of IPs within the same network, thus saving you the trouble to list all allowed IPs separately.

  • Allow All Access Except Spammers’

    Order deny,allow
    Allow from all
    Deny from xxx.xxx.xxx.xxx
    Deny from xxx.xxx.xxx.xxy	
  • Deny Access to Hidden Files and Directories

    Hidden files and directories (those whose names start with a dot `.`) should most, if not all, of the time be secured. For example: `.htaccess`, `.htpasswd`, `.git`, `.hg`…

    RewriteCond %{SCRIPT_FILENAME} -d [OR]
    RewriteCond %{SCRIPT_FILENAME} -f
    RewriteRule "(^|/)\." - [F]

    Alternatively, you can just raise a `Not Found` error, giving the attacker dude no clue:

    RedirectMatch 404 /\..*$
  • Deny Access to Backup and Source Files

    These files may be left by some text/html editors (like Vi/Vim) and pose a great security danger, when anyone can access them.

    <FilesMatch "(\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|swp)|~)$">
        ## Apache 2.2
        Order allow,deny
        Deny from all
        Satisfy All
        ## Apache 2.4
        # Require all denied
  • Disable Image Hotlinking

    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http(s)?://(.+\.)?example.com [NC]
    RewriteRule \.(jpg|jpeg|png|gif|bmp)$ - [NC,F,L]	

    If you want to display a “blocked” banner in place of the hotlinked image

    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http(s)?://(.+\.)?example.com [NC]
    RewriteRule \.(jpg|jpeg|png|gif|bmp) http://example.com/blocked.png [R,L]

    Disable Image Hotlinking for Specific Domains

    RewriteCond %{HTTP_REFERER} ^http(s)?://(.+\.)?badsite\.com [NC,OR]
    RewriteCond %{HTTP_REFERER} ^http(s)?://(.+\.)?badsite2\.com [NC,OR]
    RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]	
  • Block Visitors by Referrer

    This denies access for all users who are coming from (referred by) a specific domain.

    RewriteCond %{HTTP_REFERER} somedomain\.com [NC,OR]
    RewriteCond %{HTTP_REFERER} anotherdomain\.com
    RewriteRule .* - [F]	
  • Prevent Framing the Site

    Protect Against ClickJacking. Supported web browsers will prevent an attacker/hacker from putting your website’s content into an iframe on another website.

    <IfModule mod_headers.c>  
      Header always append X-Frame-Options SAMEORIGIN
  • Prevent some cross-site scripting (XSS) attacks

    <IfModule mod_headers.c>  
      Header set X-XSS-Protection "1; mode=block"
  • Block access to a particular file

    Block accessing .htaccess file

    <Files .htaccess>
    order allow,deny 
    deny from all

    Block multiple file types

    <FilesMatch ".(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$">
    order allow,deny 
    deny from all
  • Changing server signature

    To change the server signature which is displayed as part of the default Apache error documents, use the following code:

    ServerSignature EMail
    SetEnv SERVER_ADMIN nospace@pleasenospace.com 	

    To remove the server signature completely, use the following code:

    ServerSignature Off 	
  • Prevent access to php.ini

    <FilesMatch "^php5?\.(ini|cgi)$">
    Order Deny,Allow
    Deny from All
    Allow from env=REDIRECT_STATUS

This page wouldn’t have such a long without

Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x