Increase Security Using .htaccess

The .htaccess file is a very useful feature of web servers such as Apache HTTP Server. It can be used to change the behavior of the web server. I have written a few other articles on how you can use .htaccess to modify different aspects of your website. We can also use it to increase security.

Using cPanel

Most of the following functions are available via the popular web hosting control panel cPanel. If you have access to cPanel, I would recommend using it to update your .htaccess data. However, cPanel simply writes your requests into the .htaccess files, and it is not foolproof. You should have an idea of what cPanel is doing in case you need to roll back manually. Look into cPanel features such as IP Blocker, Directory Privacy, etc.

Image: cPanel example, showing some of the cPanel features.

Please remember to make a backup of your .htaccess file before editing. You should not have more than one .htaccess file per directory. Your .htaccess edits may be overridden by your hosting provider.

Prevent .htaccess file access

You can prevent a user from accessing the .htaccess file through an HTTP request (from their web browser) by adding the following code inside the .htaccess file. Note that you can add comments to a .htaccess file by starting the line with the “#” character.

# block access to htaccess
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

You may also block access to all hidden files on your server by adding the following code to .htaccess file in the root directory or individual sub-directories.

RewriteEngine on
RewriteRule (^\.|/\.) - [F]

Both of the above snippets return a 403 Forbidden error to anyone who tries to access .htaccess or any other hidden file (a file whose name starts with a dot).

Prevent directory listing

If you end up with folders exposed to the Internet that have no index file (index.php, index.html, default.php, etc.), a user can either intentionally or accidentally view the contents of those folders. Disabling directory listing prevents the items within a folder from being listed in response to HTTP requests.

Add the following code in the .htaccess file to prevent directory listing:

#prevent listing
Options -Indexes

Ban access via IP address

You can add the following to the .htaccess file in the root web directory to block known attackers, or any other individuals or entities, from accessing your website.

order allow,deny
deny from 192.123.456.789
deny from 151.192.345.678
allow from all

Make sure to replace the IP addresses shown above (192.123.456.789, 151.192.345.678), which are placeholders rather than real addresses, with the addresses you would like to block. You may also combine multiple IP addresses into a single deny line. For example, both 192.123.456.789 and 151.192.345.678 can be blocked using:

order allow,deny
Deny from 192.123.456.789 151.192.345.678
allow from all

Other blocking formats include the following.

Format              Example                 Effect
Single IP address   10.5.3.333              Blocks a single IP
Implied range       154.5.3.3-154.5.3.40    Blocks every IP between 154.5.3.3 and 154.5.3.40
CIDR format         154.5.3.3/32            Blocks all IPs in the 154.3.3 range from 154.3.3.00 to 154.3.3.32
Implied IP address  10.                     Implies 10.*.*.*; blocks all IPs starting with 10.

These IP blocking rules return a 403 – Forbidden error to the targeted clients.
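As an added illustration (not code from the original post), here is a small Python evaluator for the Order / Allow from / Deny from directives used in this section and again in the wp-admin IP allowlist later in the article. It accepts the address forms listed above; the sample configurations use constructed documentation addresses (203.0.113.x, 198.51.100.x) in place of real ones, and the CIDR check uses the standard prefix-length meaning, so /32 matches exactly one host.

```python
import ipaddress

# Added example, not from the original post: a minimal evaluator for the
# Apache 2.2 style Order / Allow from / Deny from directives used in this article.

def matches(client: str, pattern: str) -> bool:
    """True if the client IP falls under one Allow/Deny address pattern."""
    ip = ipaddress.ip_address(client)
    pattern = pattern.strip()
    if pattern.lower() == "all":
        return True
    if "-" in pattern:  # range a-b as listed in the article (not native Apache syntax)
        lo, hi = (ipaddress.ip_address(p) for p in pattern.split("-", 1))
        return lo <= ip <= hi
    if "/" in pattern:  # CIDR block; a /32 prefix is exactly one host
        return ip in ipaddress.ip_network(pattern, strict=False)
    prefix = pattern.rstrip(".")  # partial address such as "10." means 10.*.*.*
    return client == prefix or client.startswith(prefix + ".")

def evaluate(directives: str, client: str) -> bool:
    """Apply Apache 2.2 access-control semantics; True means the request is allowed."""
    order = "deny,allow"  # Apache's default when no Order line is present
    allows, denies = [], []
    for raw in directives.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment, as in .htaccess
        if not line:
            continue
        key, _, rest = line.partition(" ")
        key, rest = key.lower(), rest.strip()
        if key == "order":
            order = rest.lower()
        elif key in ("allow", "deny") and rest.lower().startswith("from "):
            (allows if key == "allow" else denies).extend(rest[5:].split())
    allowed = any(matches(client, p) for p in allows)
    denied = any(matches(client, p) for p in denies)
    if order == "allow,deny":
        # Allow lines first, then Deny; anything not matched by an Allow is denied
        return allowed and not denied
    # deny,allow: Deny lines first, then Allow; anything unmatched is allowed
    return allowed or not denied

# Constructed samples with documentation addresses, mirroring the two shapes in the article.
BLOCKLIST = "order allow,deny\ndeny from 203.0.113.5 203.0.113.6\nallow from all"
ADMIN_ALLOWLIST = "order deny,allow\ndeny from all\n#Allowed IP#1\nallow from 203.0.113.7"

if __name__ == "__main__":
    for conf, ip in [(BLOCKLIST, "203.0.113.5"), (BLOCKLIST, "198.51.100.9"),
                     (ADMIN_ALLOWLIST, "203.0.113.7"), (ADMIN_ALLOWLIST, "203.0.113.8")]:
        print(ip, "allowed" if evaluate(conf, ip) else "denied (403)")
```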

Prevent code injection

Hackers may be able to inject code into your web server in order to gain control of the site. They can also use it to run additional scripts to breach your databases, block incoming traffic, display ads, etc. These nefarious scripts exploit weaknesses in HTML, CSS, JavaScript, PHP and other languages. Add the following inside the .htaccess file in the root folder and it will reject any request whose query string matches the common injection patterns below.

Options +FollowSymLinks
RewriteEngine On
# reject query strings carrying <script> tags, plain or URL-encoded, case-insensitively
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# reject attempts to set PHP globals through the URL; "[" must be escaped inside the regex
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
# [F] answers 403 Forbidden; the substitution target is ignored when F is set
RewriteRule ^(.*)$ index.php [F,L]

If the above code results in a 500 – Internal Server Error, make sure the AllowOverride setting for your directory includes Options, because the Options directive is not permitted in .htaccess otherwise.
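To see what the three conditions actually match before the rule goes live, here is an added Python check (not from the original post) that compiles the same patterns with the re module and runs them over constructed query strings; it also shows a false positive on ordinary text that happens to contain the letters "script" between a "<" and a ">".

```python
import re

# Added example, not from the original post: the three RewriteCond patterns above,
# compiled with Python's re module so their behaviour can be checked offline.
# Apache matches RewriteCond against the raw, still URL-encoded QUERY_STRING,
# which is why the first pattern looks for both "<" and "%3C".
INJECTION_PATTERNS = [
    # [NC] on the first condition means case-insensitive matching
    re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE),
    # "[" is escaped; "%[0-9A-Z]{0,2}" catches an encoded bracket such as %5B
    re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})"),
    re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})"),
]

def blocked_by_filter(query_string: str) -> bool:
    """True if the .htaccess rule above would answer 403 for this query string."""
    return any(p.search(query_string) for p in INJECTION_PATTERNS)

# Constructed query strings for the demo, including one legitimate-looking false positive.
SAMPLES = [
    "id=5&page=2",                    # ordinary request, passes
    "search=%3Cscript%3E",            # URL-encoded <script>, blocked
    "GLOBALS[foo]=bar",               # attempt to override a PHP global, blocked
    "x=1&_REQUEST=abc",               # same idea with _REQUEST, blocked
    "bio=<b>description</b>",         # harmless HTML, but "<...script...>" matches: false positive
    "globals=1",                      # lowercase is not caught (second pattern has no NC flag)
]

if __name__ == "__main__":
    for qs in SAMPLES:
        print("403" if blocked_by_filter(qs) else "200", qs)
```

The last two samples are the practical caveat: the rule is a coarse pattern match on the query string only, so expect some false positives on legitimate input and no coverage of POST bodies.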

Prevent PHP in folders

You can disable the execution of PHP files in a folder that would otherwise allow scripts to run from there. However, you should not add the following .htaccess code to the root directory or to directories that require PHP files. Content Management Systems (CMS) such as WordPress and Drupal require PHP access. But certain folders, including some CMS folders such as wp-content/uploads/, should not require PHP execution privileges. Another reason to add this code is in folders that only contain downloadable files (.zip, .pdf, .exe, etc.). They have no .php files and there is no need for a user to access that folder directly.

<files *.php>
deny from all
</files>

Please make sure you only add the above code to the .htaccess file inside the particular directory where you want PHP disabled. Do not add it to a .htaccess file in the root directory or in any higher-level directory, because .htaccess rules are inherited and would disable .php execution in all the lower-level directories as well.

Block specific files

Some folders within a web server should not be serving certain files. For example, if you have a folder that only contains your .php files and should not contain any .exe files, you can add the following code to the .htaccess file to block requests for .exe files within that folder.

<FilesMatch "(?i)\.(exe)$">
Order Deny,Allow
Deny from All
</FilesMatch>

You may add the following code to the .htaccess file inside your WordPress uploads folder (YOUR_SITE/wp-content/uploads/), which should only contain media files, in order to prevent any .php files from executing. Some WordPress attackers use this type of folder to run their .php scripts because it is often overlooked.

<FilesMatch "(?i)\.(php|php3?|phtml)$">
Order Deny,Allow
Deny from All
</FilesMatch>

WordPress config file

If you have a website running on the popular WordPress CMS, the wp-config.php file is a vital file that contains information such as your database connection credentials. You can block access to the wp-config.php file by adding the following code to the .htaccess file in your WordPress install folder.

<files wp-config.php>
order allow,deny
deny from all
</files>

Brute Force Attacks on WP admin

You can add the following code to your .htaccess file in the WordPress install directory to prevent attackers from guessing your administrator account credentials.

RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
# only accept login POSTs referred from this site; "https?" also covers sites served over HTTPS
RewriteCond %{HTTP_REFERER} !^https?://(.*)?sanuja\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# everything else that reaches this point gets 403 Forbidden
RewriteRule ^(.*)$ - [F]

Replace the sanuja\.com with your own domain name.

Prevent WP Admin access via IP

Add the following code to your .htaccess file inside the WordPress wp-admin directory.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
# applies to every HTTP method; wrapping these lines in <Limit GET> would leave POST and other methods unrestricted
order deny,allow
deny from all
#Allowed IP#1
allow from 12.345.67.890
#Allowed IP#2
allow from 175.765.543.128

Please make sure to replace the IP addresses (12.345.67.890, 175.765.543.128), which are placeholders, with your own IP addresses. You may allow more addresses by adding additional allow from XXX.XXX.XXX.XXX lines.

Prevent WP comment spammers

You can add the following code in your WordPress install directory .htaccess file to prevent spammers from posting comments on your website.

RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post.php*
# reject the comment POST when the referer is not this site ...
RewriteCond %{HTTP_REFERER} !.*sanuja.com.* [NC,OR]
# ... or when the user agent is empty
RewriteCond %{HTTP_USER_AGENT} ^$
# send the bot back to its own address; the substitution is a plain URL, so no regex anchors belong here
RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]

Note that the above code only stops bots that POST directly to the comment handler (wp-comments-post.php) without loading the page first, that is, with no referer from your site or with an empty user agent. It does not stop spammers who submit the form through a real browser.

You may replace line 4, RewriteCond %{HTTP_REFERER} !.*sanuja.com.* [NC,OR], with RewriteCond %{HTTP_REFERER} !^https?://(sanuja.com|manuja.net|example.com) [NC,OR] to cover additional domains if you have multiple WordPress installs and you are adding the above code to the .htaccess file in the root folder (the top-level folder that contains all the WordPress install folders). The https? part matters if any of the sites is served over HTTPS, since the referer then starts with https://.

These .htaccess tricks will help you fortify your website and discourage attackers from exploiting known vulnerabilities. Again, please make sure to back up your current .htaccess files before modifying them. If you are not comfortable updating your .htaccess file, feel free to contact me.