Block Access to Hidden Files and Directories

We try to push our code to production servers without hidden files and directories, like our revision system directories, but that doesn't always happen. This snippet prevents those files from being accessible:

RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F]
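
A pre-deploy check built on the same pattern, as an added example that is not part of the original page: it walks a document root and lists every existing file or directory that the rule above would answer with 403. The function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Same pattern as the RewriteRule: a dot at the start of the path or right
# after a slash. In .htaccess the pattern is matched against the path
# relative to that directory, with no leading slash, hence the "^" branch.
HIDDEN = re.compile(r"(^|/)\.")


def is_blocked(rel_path):
    """True if the RewriteRule pattern matches this per-directory path."""
    return HIDDEN.search(rel_path) is not None


def find_hidden(docroot):
    """Return existing files/directories under docroot that the rule denies.

    Only entries that exist on disk are reported, mirroring the -d / -f
    conditions in front of the rule.
    """
    hits = []
    for base, dirs, files in os.walk(docroot):
        for name in dirs + files:
            full = os.path.join(base, name)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            if is_blocked(rel):
                hits.append(rel)
    return sorted(hits)


def build_sample_tree(root):
    """Create a constructed sample deploy tree (assumed layout, for the demo)."""
    for rel in (".git/config", ".htpasswd", "app/.env",
                "css/site.min.css", "index.php"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel in find_hidden(root):
            print("denied by the rule, should not have been deployed:", rel)
```

A dot inside a file name, as in css/site.min.css, does not match; only a path segment that starts with a dot does.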

See also
How To Block Bots, Ban IP Addresses With .htaccess

General Tips

This lets Google crawl the page, lets me access it without a password, and lets my client access the page WITH a password. It also allows for XHTML and CSS validation!
AuthName "Under Development"
AuthUserFile /web/
AuthType basic
Require valid-user
Order deny,allow
Deny from all
Allow from
Satisfy Any
Redirect non-https requests to https server and ensure that .htpasswd authorization can only be entered across HTTPS
SSLOptions +StrictRequire
SSLRequire %{HTTP_HOST} eq ""
ErrorDocument 403
Block visitors referred from indicated domains
RewriteEngine on
RewriteCond %{HTTP_REFERER} scumbag\.com [NC,OR]
# The last RewriteCond must not carry [OR], or the rule matches every request
RewriteCond %{HTTP_REFERER} wormhole\.com [NC]
RewriteRule .* - [F]
Redirect to a New File
Redirect 301 /old/file.html

SSL wildcard use with subdomains

In the .htaccess file in your public_html directory, for each subdomain that needs an SSL certificate, you will need to add the following:
RewriteEngine on
RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{HTTP_HOST} ^sub\.domain\.com$ [NC]
RewriteCond %{REQUEST_URI} !^/sub/
RewriteRule ^(.*) /sub/$1
You'll want to replace sub with the appropriate data, of course.
For each subfolder you need the same lines, for example for sub1 and sub2:
RewriteEngine on
RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{HTTP_HOST} ^sub1\.domain\.com$ [NC]
RewriteCond %{REQUEST_URI} !^/sub1/
RewriteRule ^(.*) /sub1/$1
RewriteCond %{SERVER_PORT} ^443$
RewriteCond %{HTTP_HOST} ^sub2\.domain\.com$ [NC]
RewriteCond %{REQUEST_URI} !^/sub2/
RewriteRule ^(.*) /sub2/$1
If you need to redirect all HTTP requests to HTTPS, you can add the following after RewriteEngine on:
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Securing Your sites - good htaccess ideas

Web Designer Issue 210
order allow,deny
deny from all
# prevent directory browsing
Options -Indexes
# return 403 Forbidden when someone puts script tags or GLOBALS or _REQUEST stuff in the URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

Use htaccess file to secure configuration files

Options -Indexes
order allow,deny
deny from all
order allow,deny
deny from all


This page contains information I gathered and thought was very useful. See more notes on the web.

Just to let you know, this page was last updated Saturday, Mar 24 18