How to Block File and Folder Access Using .htaccess

Securing sensitive files on your site is important, and the easiest way to do it is to block file access through .htaccess. Whether you’re protecting configuration files, sensitive uploads, or important data, .htaccess directives let you manage access from your server. It takes only a few lines to stop unauthorized visitors from viewing or downloading important files. Let’s explore how you can use .htaccess to block specific files, folders, and even hidden system files effectively.

Block Specific File Using .htaccess

In some cases you want to protect a particular file, such as a configuration file or a database backup. You can do that with a rule like this inside your .htaccess file:

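# Deny every request for the file named config.php.
# Order/Deny is the Apache 2.2 syntax; Apache 2.4 accepts it only with
# mod_access_compat loaded, and its native form is "Require all denied".
<Files "config.php">
Order Allow,Deny
Deny from all
</Files>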

The rule above blocks anyone from opening the file directly in a browser. For instance, if you attempt to open https://yourdomain.com/config.php, you will be presented with a forbidden error rather than the content of the file’s source code.

One thing to keep in mind when restricting access to a single, specific file is that you have to provide the full path for that file.

Blocking Multiple Files by Type via .htaccess

You may want to block a whole range of file types, such as .log, .sql, or .zip, that might hold sensitive data. You can do that with this snippet:

# Deny any file whose name ends in .log, .sql or .zip.
<FilesMatch "\.(log|sql|zip)$">
Order Allow,Deny
Deny from all
</FilesMatch>

This prevents all files with those extensions from being accessed publicly. For example, if your backups or logs are kept in your root directory, the rule hides and safeguards them from anyone who tries to open them.

Block Entire Folder Using .htaccess

If you want to block an entire folder, for example an upload or a backup folder, you can use this method:

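# <Directory> is only valid in the main server or virtual host configuration;
# Apache rejects it inside a .htaccess file. Use this block there, or put the
# two access lines, without the <Directory> wrapper, in a .htaccess file
# placed inside the folder itself.
<Directory "/var/www/html/backups">
Order Allow,Deny
Deny from all
</Directory>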

This will render the whole folder inaccessible via the web. You can use this rule to guard internal folders where you have confidential information or system assets.

Restrict Access to Dotfiles

Dotfiles such as .env or .htpasswd usually hold crucial configuration information and must never be publicly accessible. To block access to them, use this rule:

# Deny any file whose name starts with a dot, such as .env or .htpasswd.
<FilesMatch "^\.">
Order Allow,Deny
Deny from all
</FilesMatch>

This rule prevents anyone from viewing hidden files whose names start with a dot. It’s an easy but effective way to keep your environment files secure.

Conclusion

Using .htaccess for access control is an efficient and quick way to secure your website’s internal folders and files. These small adjustments, like blocking dotfiles, directories, or specific files, can greatly improve your website’s security. Test your configurations to ensure they block only the intended files and folders.
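As an added example (not code from the original tutorial), this Python script models how the two FilesMatch patterns above are applied, which is to the last component of the request path only, and reports which constructed sample paths they deny and which they leave served. The function names and sample paths are assumptions for illustration; it also assumes a case-sensitive file system and a .htaccess file placed in the document root.

```python
import posixpath
import re

# FilesMatch patterns copied from the rules on this page.
PAGE_RULES = {
    "file types": r"\.(log|sql|zip)$",
    "dotfiles": r"^\.",
}

# Constructed sample request paths (not taken from a real site).
SAMPLE_PATHS = [
    "/error.log",
    "/backups/site.sql",
    "/backups/site.sql.gz",
    "/archive.ZIP",
    "/.env",
    "/app/.htpasswd",
    "/.git/config",
    "/index.php",
]


def denied_by(path, rules=PAGE_RULES):
    """Return the names of the rules whose pattern matches the file name.

    <FilesMatch> tests only the last path component, and the regex is an
    unanchored, case-sensitive search, so re.search on the basename models it.
    """
    name = posixpath.basename(path)
    return [label for label, pattern in rules.items() if re.search(pattern, name)]


def coverage(paths=SAMPLE_PATHS, rules=PAGE_RULES):
    """Map every path to the rules that deny it (empty list = still served)."""
    return {path: denied_by(path, rules) for path in paths}


if __name__ == "__main__":
    for path, hits in coverage().items():
        status = "denied by " + ", ".join(hits) if hits else "NOT covered"
        print(f"{path:24} {status}")
```

The paths it reports as not covered, such as a compressed dump, an upper-case extension, or a file inside a dot-directory, need a rule of their own.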
