How to Improve Your Website’s Security and Protection Using .htaccess File

.htaccess is a configuration file used on various web servers which run the Apache Web Server program. If Apache detects the .htaccess file, it will then try to execute the .htaccess file where custom commands for configuring a lot of functionalities and features in delivering your site to the public are. The file .htaccess is just so powerful that's why in this article, we will try to utilize its capabilities.

In this tutorial, we will learn the following .htaccess commands and controls:

Customizing Error Pages

Syntax:

ErrorDocument [error code] [/directory/filename.extension]

Example:

ErrorDocument 404 /error-pages/notfound.html

In the above code, any error code equivalent to 404 will be redirected to
/error-pages/notfound.html.

The same with:

ErrorDocument 400 /errorpages/badrequest.html
ErrorDocument 401 /errorpages/authreqd.html
ErrorDocument 403 /errorpages/forbidden.html
ErrorDocument 500 /errorpages/servererror.html

By the way, you can also use an exact URL (http://yourdomain.com/error-pages/badrequest.html) instead of the virtual URL (like the "/errorpages/badrequest.html"). Check this out for more error codes.

URL Redirection

Syntax:

Redirect [Virtual URL to be Redirected] [Full or Exact Url You Want the Request Redirected to]

Example:

Redirect /olddirectory/oldfile.html http://yoursite.com/newdirectory/newfile.html

or Directory Redirection

Redirect /olddirectory http://yoursite.com/newdirectory/

Through a Directory Redirection you can now bring all the requests for any subdirectories or files inside the old directory to the new directory or page.

Disabling Directory Listing

Code:

IndexIgnore *

The * is a wildcard which is equivalent to all files. Thus if you place the above line of code in the .htaccess file in a directory, nothing from that directory will be listed and shown to your site viewers or users.

But if you only want certain files in a directory not to be listed then you can use:

Code:

IndexIgnore *.gif *.jpg

This would give you a list of all files excluding the ones ending with the file extensions .gif and .jpg.

And if you like a specific directory to be shown as a list then you just put this code snippet in the htaccess file in that directory:

Code:

Options +Indexes

The plus sign (+) denotes that you allow that directory and its subdirectories to be shown as a directory list. If you want otherwise, you just replace the plus sign (+) with a minus sign (-).

Applying a Default Page for Each Directory

Syntax:

DirectoryIndex [filename.extension or could be /directory/filename.extension]

Example:

DirectoryIndex myindex.html

You can also set it this way (ordering is important!):

DirectoryIndex myindex.html index.htm /pages/subpages/index.php

In this way your /pages/subpages/index.php page will be shown if neither myindex.html nor index.htm is found in their respective directory. If none of those set "index" or default pages is found then it will just show a directory listing (if not disabled) or perhaps a 404 error page.

Password-Protecting the Directories and Files

Protecting a Single File Code:

<Files secure.php>
AuthType Basic
AuthName “Prompt”
AuthUserFile /home/path/.htpasswd
Require valid-user
</Files>

Protecting a Directory Code:

resides
AuthType basic
AuthName “This directory is protected”
AuthUserFile /home/path/.htpasswd
AuthGroupFile /dev/null
Require valid-user

Locate for the .htpasswd file path in your web server to fill AuthUserFile path. Remember that the .htpasswd file is not a web accessible file like http://yourdomain.com/.htpasswd, it is usually located in a directory above your www folder in your web server. If you still can't find your .htpasswd file then you can create one here.

Blocking Specific Users

Code:

order allow,deny
deny from 123.45.6.7
deny from 231.45.6.
allow from all

With this you are blocking any access based on the specific IP address (123.45.6.7) and IP block (231.45.6.*). In the case of IP blocking, any IP address that belongs to the said IP block (for instance 231.45.6.1, 231.45.6.2, and so on) will be denied from accessing your website.

In the event that you only want to allow a small number of specific users, using the same code above simply interchange allow and deny. Like this, allow from all to deny from all. Then deny from 123.45.6.7 to allow from 123.45.6.7 for the IP address you allow.

You can also replace the IP addresses with real URLs. For example, in lieu of an IP address or IP block you will place .domain.com, www.domain.com or subdomain.domain.com, so on and so forth.

Stop Hotlinking of Images and Other Files

Hotlinking refers to the use of direct links to a website's files like the images, video, etc. Hotlinking is notoriously known as bandwidth stealing simply because the other website's bandwidth is being exploited by the other unsolicited websites. But using the power of .htaccess we can prevent this bandwidth theft from happening to your website.

Through .htaccess, we can block or deny any requests of the other websites for your site's files. Here is the code:

Code:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?otheralloweddomain.com/.*$ [NC]
RewriteRule \.(gif|jpg|js|css)$ - [F]

In this code, we only allow two sites, namely http://www.mydomain.com (our own site) and http://www.otheralloweddomain.com, which can have an access to certain files (from our own site) which have the extensions .gif, .jpg, .js and .css. Line 2 means we also allow any requests for the said files from blank referrers. Blank referrers are those users like companies or individuals which use a firewall or proxy in surfing the net. Don't worry because blank referrers are not really the "hotlinkers".

You can show a replacement image to your hotlinked images. This only works for image files.

Code:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(gif|jpg|png|bmp)$ http://www.mydomain.com/nohotlinking.jpg [R,L]

Simply replace http://www.mydomain.com/nohotlinking.jpg with the link of your own replacement image.

Disable Script Execution

Prevent scripts in certain languages from executing.

Syntax:

Options -ExecCGI
AddHandler cgi-script [file extension or file extensions separated with spaces]

Example:

Options -ExecCGI
AddHandler cgi-script .pl .py .php .jsp .htm .shtml .sh .asp .cgi

Adding MIME Types

MIME stands for Multipurpose Internet Mail Extensions. There are some web servers which are not able to deliver certain file formats correctly. Formats like MP3 and SWF. By adding the following code snippet we would be able to let our server work properly on dealing with those file formats.

Syntax:

AddType [application string] [file extension or file extensions separated with spaces]

Example:

AddType application/x-shockwave-flash swf

If the file extensions belong to the same application string then you can just place them on one line like this:

AddType image/jpeg .jpeg .jpg .jpe .JPG

Here is a list of common MIME types with their corresponding application string and extension.

Impose File Upload Limits for PHP.

Limit the maximum file size for uploading in PHP, also its maximum execution time. Just put this code:

php_value upload_max_filesize 10M
php_value post_max_size 10M
php_value max_execution_time 200
php_value max_input_time 200

Line 1 is the maximum file size for an upload. Line 2 is the maximum size for post data. Line 3 is the maximum time in seconds a script can run before it’s terminated. And line 4 is the maximum amount of time in seconds a script is allowed to parse input data.

Compress File Output Using GZIP.

Code:

<IfModule mod_gzip.c>
    mod_gzip_on         Yes
    mod_gzip_dechunk    Yes
    mod_gzip_item_include file          \.(html?|txt|css|js|php|pl)$
    mod_gzip_item_include handler       ^cgi-script$
    mod_gzip_item_include mime      ^text\.*
    mod_gzip_item_include mime      ^application/x-javascript.*
    mod_gzip_item_exclude mime      ^image\.*
    mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>

This will compress all the files with extensions specified in line 4. GZIP compression is helpful in reducing bandwidth use.

Blocking Offline Browsers and "Bad Bots"

Syntax:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^BOTNAME [OR]
RewriteCond %{HTTP_USER_AGENT} ^BOTNAME
RewriteRule ^.* - [F,L]

Replace BOTNAME with the name of a Bad Bot. Do you notice the [OR] in the code? It indicates that another BOTNAME follows, but if you only want to add one BOTNAME (which is not usually the case) then you may remove [OR] and Line 3.

Bad bots and site strippers are really BAD because they try to access the files in your site indefinitely. Indefinitely in the sense that they access your site with no real human user interaction. They access almost every file in your site that could lead your bandwidth usage bloating up. In case of the site strippers, they will download every accessible file from your site, so that it can be browsed offline. See, that sounds real bad because that would mean an increase in your bandwidth usage.

The following are the usual bad bots and site strippers. This is already compiled in a ready code for .htaccess:

Code:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]

Setting Server Timezone

The time used in setting your web server's timezone is based on the Eastern Standard Time (EST). But we can set the timezone for our site accordingly. We just have to use this syntax of code:

SetEnv TZ [Location]

Example:

SetEnv TZ America/Los_Angeles

Click here for other time zones.

Protect Access of .htaccess File

Some people place their password protection in the .htaccess file which makes it vulnerably exposed to potential hackers. But there is one way in order to stop those prying eyes in accessing the .htaccess file(s) located in your site. Simply add this:

<Files .htaccess>
order allow,deny
deny from all
</Files>

Closing Remarks

I know there is still a lot of hacks and tricks for .htaccess but I can't list them all here. It would be great for you if you can devote time in reading Apache User's Guide. You will certainly enhance your power more in web development.

I hope you learned something from this little tutorial. Thanks for reading. Keep posted!