By default, Apache serves every file under the document root, and if a directory has no index file while the Indexes option is on, it also generates a listing of that directory's contents. Backups, configuration files, logs and scripts left in the document root are then readable by anyone who guesses or crawls the URL. Here's how to prevent access to files and directories using .htaccess. You can use these rules to selectively block access to sensitive information on your website.
How to Prevent Access to Files & Directories Using .htaccess
Here are the steps to prevent access to files & directories using .htaccess.
Before you proceed, make sure your Apache server honours .htaccess files: the AllowOverride directive for the directory must permit it (AllowOverride All, or at least the Options, FileInfo, Limit and AuthConfig override classes that the rules below rely on). With AllowOverride None, the default in current Apache releases, a .htaccess file is silently ignored and none of the rules take effect.
Place your .htaccess file in the root document folder of your website (/var/www/html) and add the following rules to it, depending on your use case.
If you don't have access to .htaccess, you can place the same rules directly in the main Apache configuration file, inside the <Directory> block for your document root. The location of that file depends on your Linux distribution.
1. Deny Access to .htaccess file
If you want to deny access to the .htaccess file itself, add the following to it. The stock configuration shipped with most distributions already contains a rule of this kind for every file whose name starts with .ht, so this is mainly a safeguard in case that rule is removed. Note that Order takes a single argument with no space after the comma; "Order allow, deny" is a syntax error. Order and Deny are the Apache 2.2 access directives; on Apache 2.4 they still work when mod_access_compat is loaded, but the native 2.4 equivalent is Require all denied.
# Deny access to .htaccess
<Files .htaccess>
    Order allow,deny
    Deny from all
</Files>
2. Disable Directory Listing
Add the following line to disable automatic directory listings. When a request is for a directory that contains no index file (index.html, index.php or whatever DirectoryIndex is set to), Apache with the Indexes option enabled generates a listing of the directory's contents for anyone who asks, search engine bots included. With Indexes disabled, such a request returns a "403 Forbidden" error instead.
# Disable directory browsing
Options -Indexes
If you would rather keep listings enabled but empty than show a "403 Forbidden" message, add the following line instead. Be aware that IndexIgnore is cosmetic: it only removes entries from the generated listing, and every file stays reachable by its direct URL, so this is not an access control on its own.
# Hide the contents of directories
IndexIgnore *
If you want to hide only specific file types from the listing, add the following instead.
# Hide files of type .png, .zip, .jpg, .gif and .doc from listing
IndexIgnore *.png *.zip *.jpg *.gif *.doc
3. Prevent Access to Specific file types
The directives above only affect directory listings; a file hidden from the listing can still be downloaded by anyone who knows or guesses its URL. To block access to the files themselves, use FilesMatch as shown below.
To deny access to specific file types, match on the extension. The regular expression in FilesMatch is case-sensitive, so this rule does not catch DEBUG.LOG or setup.SH; prefix the pattern with (?i) if such names can occur. Files like these should ideally not live in the document root at all, and this rule is defence in depth for the ones that do.
# Deny access to files with extensions .ini, .psd, .log, .sh
<FilesMatch "\.(ini|psd|log|sh)$">
    Order allow,deny
    Deny from all
</FilesMatch>
To deny access to all hidden files, that is, files whose names start with a dot (.) such as .htaccess, .htpasswd, .env or .gitignore, use the following. Note that FilesMatch tests only the final file name, not the directory path, so a request for /.git/config (file name "config") is not matched by this rule; hidden directories such as .git need a path-based rule such as RedirectMatch, or a <DirectoryMatch> block in the main configuration.
# Deny access to filenames starting with dot(.)
<FilesMatch "^\.">
    Order allow,deny
    Deny from all
</FilesMatch>
To password protect files and directories, store usernames and hashed passwords in a .htpasswd file created with the htpasswd utility (for example htpasswd -c -B /path/to/.htpasswd username; -B selects bcrypt hashing), and keep that file outside the document root. Basic authentication sends the credentials base64-encoded, not encrypted, so only use it on a site served over HTTPS. The original pattern ended in ")*$", which would also match repeated names such as "indexindex"; the corrected pattern below matches exactly the listed names, so if the files have an extension, include it in the pattern (for example index\.html).
# Password protect files
<FilesMatch "^(execute|index|myfile|anotherfile)$">
    AuthType Basic
    AuthName "Mypassword"
    AuthUserFile <Full Server Path to .htpasswd file>/.htpasswd
    Require valid-user
</FilesMatch>
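The rules above combined into one complete .htaccess, as an added example that is not part of the original article. It is written in Apache 2.4 syntax (Require) with an IfModule fallback to the 2.2 Order/Deny directives, and assumes a document root of /var/www/html with AllowOverride All, a password file at /etc/apache2/.htpasswd (an assumed path, created with htpasswd -c -B), and the example file names from the article. It goes beyond the article in two places: the extension list is matched case-insensitively and extended with .bak, .sql and .swp, and a RedirectMatch rule blocks hidden directories such as .git, which the FilesMatch dotfile rule cannot see.

```apache
# Added example: one consolidated .htaccess for /var/www/html.
# Assumes AllowOverride All (or at least Options, FileInfo, Limit and
# AuthConfig) for this directory; with AllowOverride None it is ignored.
# Apache 2.4 syntax (Require) with a fallback for Apache 2.2 (Order/Deny).

# --- 2. Disable directory listings ---------------------------------------
# A directory with no index file now returns 403 instead of a listing.
# (IndexIgnore would only hide entries from the listing, not block access.)
Options -Indexes

# --- 1 + 3b. Deny every dotfile (.htaccess, .htpasswd, .env, .gitignore) --
<FilesMatch "^\.">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# --- 3a. Deny sensitive file types -----------------------------------------
# (?i) makes the match case-insensitive so DEBUG.LOG and dump.SQL are caught
# too; bak, sql and swp extend the article's ini|psd|log|sh list.
<FilesMatch "(?i)\.(ini|psd|log|sh|bak|sql|swp)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# --- Hidden directories -----------------------------------------------------
# FilesMatch only tests the file name, so /.git/config (file name "config")
# slips past the "^\." rule above. RedirectMatch tests the URL path instead
# and answers 404 for anything inside a hidden directory. The (^|/) anchor
# covers both a root-level and a subdirectory .htaccess.
<IfModule mod_alias.c>
    RedirectMatch 404 "(^|/)\.(git|svn|hg)(/|$)"
</IfModule>

# --- 3c. Password-protect specific files -----------------------------------
# /etc/apache2/.htpasswd is an assumed path outside the document root,
# created with:  htpasswd -c -B /etc/apache2/.htpasswd alice
# Basic auth only base64-encodes credentials, so serve this site over HTTPS.
# The pattern matches the article's names with or without an extension,
# e.g. "execute" and "execute.php"; "index" also covers index.html.
<FilesMatch "^(execute|index|myfile|anotherfile)(\.[A-Za-z0-9]+)?$">
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</FilesMatch>
```

Drop this file into the document root, then request a protected path such as /.env, /.git/config, /app.log and /myfile with curl and confirm the server answers 403, 404, 403 and 401 respectively; a 200 on any of them means AllowOverride is not permitting the relevant directive class.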
That's it! Changes to a .htaccess file take effect on the next request, no restart needed. Only changes to the main server configuration require a reload; in that case check the syntax first with apachectl configtest, then restart (the service is called httpd rather than apache2 on RHEL-based distributions):
$ sudo service apache2 restart
You can also place a .htaccess file in a subdirectory; its rules then apply to that directory and everything below it, which lets you restrict only one part of the site.