13-07-2010, 01:01 PM
In this tutorial I'll be showing you how to secure your website(s), plus a few other tricks, using the .htaccess file.
What we'll be covering
1. URL Redirection
2. Custom error pages
3. Protecting folders and directories
4. Blocking specific users from your site
5. Set server time zone
6. Stopping script execution
7. Securing your .htaccess
What is .htaccess?
On an Apache server, .htaccess (hypertext access) is the default name for the directory-level configuration file that allows for decentralized management of a web server's configuration. The .htaccess file is able to override a subset of the server's global configuration; the extent of this subset is defined by the web server administrator.
URL Redirection
We'll start off with an easy one: how to redirect a web page.
SYNTAX
Code:
Redirect [URL to redirect] [URL to redirect to]
EXAMPLE
Code:
Redirect /old/file.html http://yoursite.com/new/file.html
Protecting Folders/Directories
This again is simple yet effective.
SYNTAX - (For a single file)
Code:
<Files secure.php>
AuthType Basic
AuthName "Password Required"
AuthUserFile /home/path/.htpasswd
Require valid-user
</Files>
SYNTAX - (For a directory)
To password protect a directory, you need to create two files in the directory you wish to password protect.
One needs to be called ".htpasswd" and the other ".htaccess". The contents of ".htpasswd" are as follows:
In this file you need to specify usernames and passwords in the format "username:password". The password needs to be stored in encrypted (hashed) form, which can be done via the following website(s):
http://www.4webhelp.net/us/password.php
http://shop.alterlinks.com/htpasswd/htpasswd.php
That's your password file complete, now on to the .htaccess file.
Code:
AuthType basic
AuthName "This directory is password protected, GTFO"
AuthUserFile /home/account/public_html/directory/.htpasswd
Require user username
There are a few different ways to have the .htaccess file but after an hour or so trying them all, this one worked best for me.
Blocking IP addresses / specific users
This is a very effective way to stop viewers from accessing your site. This feature supports domains and wildcards.
There are two main commands, "deny" and "allow".
SYNTAX
Code:
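# Allow rules are checked first, then Deny; a client matching both is denied
order allow,deny
# Placeholder IP address: replace with the address you want to block
deny from 111.222.333.444
# Blocks clients whose hostname ends in this domain
deny from isp_name.com
# Partial IP address: blocks everything in 192.168.x.x
deny from 192.168.
allow from all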
Stopping script execution
This is a useful command that will stop certain script types from being executed on your server. It can be used to prevent uploaded shells from running.
SYNTAX
Code:
Options -ExecCGI
AddHandler cgi-script [File extension(s) separated with a space]
EXAMPLE
Code:
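# Disable CGI execution in this directory
Options -ExecCGI
# Map these extensions to the CGI handler so requests for them are refused instead of executed
AddHandler cgi-script .asp .cgi .htm .pl .py .php .jsp .shtml .sh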
If you've got any problems, please post them below.
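How the `order allow,deny` block in the "Blocking IP addresses / specific users" section is evaluated, as an added example that is not part of the original post: a small Python model of Apache 2.2's Order/Allow/Deny matching (partial IPs, whole-label domain suffixes, CIDR), run against the post's own rules. The function names and client addresses are assumptions made for illustration, and the client hostname is passed in rather than resolved by reverse DNS.

```python
import ipaddress

# The rules from the post, copied as written (placeholder values included).
PAGE_RULES = """\
order allow,deny
deny from 111.222.333.444
deny from isp_name.com
deny from 192.168.
allow from all
"""

def spec_matches(spec, ip, host=None):
    """Return True if one 'from' spec matches the client IP or hostname."""
    spec = spec.lower()
    if spec == "all":
        return True
    if "/" in spec:  # CIDR or network/netmask form
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    if spec.replace(".", "").isdigit():  # full or partial IPv4: compare leading octets
        octets = spec.rstrip(".").split(".")
        return ip.split(".")[:len(octets)] == octets
    if host is None:  # domain spec, but no resolved hostname to test (assumption)
        return False
    host, suffix = host.lower(), spec.lstrip(".")
    return host == suffix or host.endswith("." + suffix)  # whole labels only

def parse(text):
    """Collect the Order value and the allow/deny specs from config text."""
    order, rules = "deny,allow", {"allow": [], "deny": []}  # Apache 2.2 default order
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "order" and len(words) > 1:
            order = words[1].lower()
        elif key in rules and len(words) > 2 and words[1].lower() == "from":
            rules[key].extend(words[2:])
    return order, rules

def is_allowed(text, ip, host=None):
    """Apply the Order semantics: the second keyword is the default and wins ties."""
    order, rules = parse(text)
    allow = any(spec_matches(s, ip, host) for s in rules["allow"])
    deny = any(spec_matches(s, ip, host) for s in rules["deny"])
    if order == "allow,deny":
        return allow and not deny  # no match -> denied; both match -> denied
    if order == "deny,allow":
        return allow or not deny   # no match -> allowed; both match -> allowed
    raise ValueError("unsupported Order value: " + order)
```

Changing the first line to `order deny,allow` makes `allow from all` win every tie, so none of the `deny` lines take effect. The placeholder `111.222.333.444` never matches a real client, because it is not a valid IPv4 address.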