htaccess files

Block Access to Hidden Files and Directories

We try to push our code to production servers without hidden files and directories, like our revision system directories, but that doesn't always happen. This snippet prevents those files from being accessible:

RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F]
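A pre-deployment check for the rule above, as an added example that is not part of the original page: it lists every hidden file and directory under a document root and mirrors the rule's decision for a given URL path. The sample tree and the function names are constructed for illustration. Note that the pattern also matches .well-known/, so ACME HTTP-01 challenge files under it are answered with 403 as well.

```python
import os
import re
import tempfile

# Same pattern as the RewriteRule above. In .htaccess context it is matched
# against the URL path relative to the directory, without a leading slash.
HIDDEN = re.compile(r"(^|/)\.")

def is_forbidden(docroot, url_path):
    """Mirror the rule: 403 only if the path maps to an existing file or
    directory (-d / -f) AND some path segment starts with a dot."""
    rel = url_path.lstrip("/")
    target = os.path.join(docroot, rel)
    exists = os.path.isdir(target) or os.path.isfile(target)
    return exists and HIDDEN.search(rel) is not None

def audit(docroot):
    """Return the sorted relative paths of every deployed hidden file or
    directory, i.e. everything that relies on the rule to stay private."""
    found = []
    for base, dirs, files in os.walk(docroot):
        for name in dirs + files:
            full = os.path.join(base, name)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            if HIDDEN.search(rel):
                found.append(rel)
    return sorted(found)

def build_sample_docroot():
    """Constructed sample tree (assumption, not taken from the page)."""
    root = tempfile.mkdtemp()
    for rel in (".git/config", ".env", "index.html", "css/site.css",
                ".well-known/acme-challenge/token"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
    return root

if __name__ == "__main__":
    root = build_sample_docroot()
    for rel in audit(root):
        print("hidden, relies on the rule:", rel)
    for url in ("/index.html", "/.git/config",
                "/.well-known/acme-challenge/token"):
        print(url, "->", "403" if is_forbidden(root, url) else "served")
```

Run audit() against the real document root after each deploy; an empty result means nothing depends on the rewrite rule being active.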

See also
How To Block Bots, Ban IP Addresses With .htaccess

General Tips

This lets Google crawl the page, lets me access it without a password, and lets my client access the page WITH a password. It also allows for XHTML and CSS validation! (w3.org)
AuthName "Under Development"
AuthUserFile /web/sitename.com/.htpasswd
AuthType basic
Require valid-user
Order deny,allow
Deny from all
Allow from 208.113.134.190 w3.org htmlhelp.com googlebot.com
Satisfy Any
 
Redirect non-HTTPS requests to the HTTPS server and ensure that .htpasswd authorization can only be entered over HTTPS
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "askapache.com"
ErrorDocument 403 https://askapache.com
 
Block visitors referred from the indicated domains

RewriteEngine on
RewriteCond %{HTTP_REFERER} scumbag\.com [NC,OR]
# the last condition must not carry the OR flag
RewriteCond %{HTTP_REFERER} wormhole\.com [NC]
RewriteRule .* - [F]
 
 
Redirect to a New File
Redirect 301 /old/file.html http://www.askapache.com/new/file.html
 

SSL wildcard use with subdomains

In the .htaccess file in your public_html directory, for each subdomain that needs an SSL certificate, you will need to add the following:
 
RewriteEngine on
RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{HTTP_HOST} ^sub\.domain\.com$ [NC]
RewriteCond %{REQUEST_URI} !^/sub/
RewriteRule ^(.*) /sub/$1
 
You'll want to replace sub with the appropriate data, of course.
 
 
For each subfolder you need the same lines, for example for sub1 and sub2:
 
RewriteEngine on
RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{HTTP_HOST} ^sub1\.domain\.com$ [NC]
RewriteCond %{REQUEST_URI} !^/sub1/
RewriteRule ^(.*) /sub1/$1
RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{HTTP_HOST} ^sub2\.domain\.com$ [NC]
RewriteCond %{REQUEST_URI} !^/sub2/
RewriteRule ^(.*) /sub2/$1
 
 
In case you need to redirect all HTTP requests to HTTPS, you can add the following after RewriteEngine on:
 
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Securing WordPress sites - good htaccess ideas

Web Designer Issue 210
 
//step10//
 
//code//
# don't allow wp-config.php to load
<Files wp-config.php>
order allow,deny
deny from all
</Files>
# BEGIN WordPress
 
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
 
# END WordPress
 
//step11//
//code//
$table_prefix  = 'wp_';
To
$table_prefix  = 'movie_';
 
//step12//
//code//
# prevent directory browsing
Options -Indexes
 
//step13//
 
//code//
# protect the htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>
 
//step14//
 
//code//
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# authorised IP address
allow from ??.???.???.???
# authorized IP address
allow from ??.???.???.???
 
 
//step16//
 
//code//
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
 
//step17//
 
//code//
 
# return 403 Forbidden when someone puts script tags or GLOBALS or _REQUEST stuff in the URL
#
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
 
 
//CODE LIBRARY//
The HTACCESS File in Full
 
//code snippet//
 
# don't allow wp-config.php to load
<Files wp-config.php>
order allow,deny
deny from all
</Files>
 
# prevent directory browsing
Options -Indexes
 
# protect the htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>
 
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# authorised IP address
allow from ??.???.???.???
# authorized IP address
allow from ??.???.???.???
 
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

# BEGIN WordPress
 
RewriteEngine On
RewriteBase /
# return 403 Forbidden when someone puts script tags or GLOBALS or _REQUEST stuff in the URL
#
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
 
# END WordPress
 
 

Use htaccess file to secure configuration files

Options -Indexes
 
order allow,deny
deny from all
 
 
order allow,deny
deny from all