January 09 2013

Using .htaccess Protect Your Site

Tagged Under : , ,

Except from apache you can let your .htaccess file tighten up your site’s security and give extra level of protection.

I am going listing out few example and show you how to use it or where to use it. You don’t have to use every single one, just whatever you feel would help you improve your site security.

Disable directory browsing
Prevent your site produce directory listing. Because it will let user know all of your file/folder and which component or plugin you are using now. Sometimes, any other files that might give away too much information about your site.

In your .htaccess file just add the following code.
Options All -Indexes

Protect configuration file
Some of the CMS or Framework have their own configuration file.
and all of them file name are different. for example:
– Joomla is configuration.php
– WordPress is wp-config.php
– and Yii is main.php

In your .htaccess file add the following code to prevent any access to that file.
Remember replace {FILENAME} to correct filename.
<Files {FILENAME}>
	order allow,deny
	deny from all
</Files>

Protect file start with “hta”
This script basically stops anyone viewing any file on your site that begins with “hta”, this will protect it and make it somewhat safer.
<Files ~ "^.*\.([Hh][Tt][Aa])">
	order allow,deny
	deny from all
	satisfy all
</Files>

Only your IP can access
You can limit who can access your admin folder by IP address, to do this you would need to create a new .htaccess file in your text editor and upload to your admin folder.

Please note if you use dynamic IP, you might have to regularly alter this file otherwise you will be denied access by yourself!
order deny,allow
allow from 192.168.1.100 #replace with your IP address
deny from all

Ban bad users IP
If you found have same IP address trying to access your content or trying to brute force your admin pages, you can ban this person using .htaccess with this simple snippet
<Limit GET POST>
	order allow,deny
	deny from 192.168.1.99 #replace the IP you want to ban
	allow from all
</Limit>
If have more then 1 IP address trying brute force your site. You can do like this.
<Limit GET POST>
	order allow,deny
	deny from 192.168.1.99 #replace 1 IP you want to ban
	deny from 192.168.3.90 #replace 2 IP you want to ban
	allow from all
</Limit>

Prevent folder access
Sometimes we want avoid outsiders accessing the folder.

Create a new .htaccess and add to the folder which you want prevent outsiders access it
Order deny,allow
Deny from all
If you have image or css file to allow outsiders see. you can do like this:
Order deny,allow
Deny from all
<Files ~ ".(css|jpe?g|png|gif)$"> #provide the file extension
	Allow from all
</Files>

Make a Comment

You must be logged in to post a comment.