How To Use an .htaccess File To Improve Security
Hypertext Access, commonly known as .htaccess, is a configuration file that controls the directory it is placed in and all the subdirectories underneath it. It is a powerful tool for manipulating and configuring sites: a webmaster can use it to redirect pages and to password protect directories.
Here are some techniques for protecting your website with .htaccess.
1. Hotlinking protection. Hotlinking (also known as leeching, inline linking or bandwidth theft) is the use of an image hosted on one site by a web page belonging to a second site. [2] Sites that embed your images without re-uploading them to their own servers are not only taking your images, they are also consuming your bandwidth. To prevent other sites from displaying your images, you can use hotlink protection. Include these lines in your .htaccess file (replace yoursite.com with your own domain):
RewriteEngine On
RewriteBase /
# Let requests with no Referer through (direct visits, privacy-conscious browsers).
RewriteCond %{HTTP_REFERER} !^$
# Let requests from your own site through; the dots are escaped so they match literally.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yoursite\.com/ [NC]
# Any other request for an image or Flash file is redirected to /feed/.
RewriteRule \.(gif|jpg|swf|flv|png)$ /feed/ [NC,R=302,L]
2. Block unwanted IPs. You can block certain IPs from accessing your site completely. Don’t wait for other sites to spam or attack you (a common problem for Internet forums and blogs) before banning them. The rules below apply the same idea to the Referer header: any request that arrives from a known spam site is refused with 403 Forbidden. Add them to your .htaccess file to turn away unwanted visitors:
RewriteEngine On
RewriteCond %{HTTP_REFERER} spamteam\.com [NC,OR]
# The last condition must not carry [OR]; it closes the OR chain.
RewriteCond %{HTTP_REFERER} trollteam\.com [NC]
RewriteRule .* - [F]
3. Password Protect a Directory. You can restrict access to a directory using an .htaccess file. The server checks the .htaccess file in a directory before allowing access to that directory, so the .htaccess file belongs in the directory you are protecting. You can create an .htaccess file in every directory of your site.
4. Prevent Directory Listing. It is good practice not to let your directories be listed by default, so that malicious users have a harder time looking for your site’s vulnerabilities. This is especially useful if you run third-party scripts on your site, such as blogging software. With listing disabled, a “Forbidden” error page is displayed when a user tries to access a directory that doesn’t have an index file.
5. Redirect 404 error to a custom page. A 404 error message is a very common error on the web, seen when the visitor cannot communicate with the server. It is displayed when the visitor tries to visit a page that has either been deleted or moved somewhere else. It is very important to create a 404 page on your site and redirect traffic from incorrect URLs to it, and this is very easy to do with .htaccess.

There are many useful things you can do with .htaccess files, but you should also be aware of some of the issues with using them. .htaccess is extremely sensitive: a missing semi-colon, an incorrect letter or an extra backslash can break everything on the site. Make sure that every directive is correct and entered properly. If a company has multiple .htaccess files in multiple directories, it is more difficult for the company’s system administrators to prepare a global access or authentication strategy and keep up with changes. Another disadvantage that has been noted is that it is easy to override .htaccess files, which causes problems when accessing directories. Also, it is possible for unauthorized users to open or retrieve .htaccess files.
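The password protection, directory listing and custom 404 techniques from items 3 to 5, together with a rule that stops the .htaccess and .htpasswd files themselves from being downloaded (the last risk noted above), combined into one added example .htaccess; this is not from the original article. It assumes Apache 2.4 with mod_authn_file, mod_authz_core and the matching AllowOverride setting, and the paths /var/www/private/.htpasswd and /404.html are placeholders.

```apache
# ---- 3. Password protect this directory (and everything below it) ----
# Create the credential file once, outside the web root, with:
#   htpasswd -c /var/www/private/.htpasswd alice
AuthType Basic
AuthName "Restricted area"
AuthUserFile /var/www/private/.htpasswd
Require valid-user

# ---- 4. Prevent directory listing ----
# Without an index file Apache now answers 403 Forbidden instead of
# listing the directory contents.
Options -Indexes

# ---- 5. Custom 404 page ----
# A site-relative path makes Apache serve the page with a real 404 status
# rather than redirecting the browser to it.
ErrorDocument 404 /404.html

# ---- Keep the control files from being served ----
# Covers .htaccess, .htpasswd and similar dotfiles if they ever end up
# inside the web root; this overrides the directory-level Require above.
<Files ".ht*">
    Require all denied
</Files>
```

Keep the .htpasswd file outside the document root whenever possible; htpasswd -c overwrites an existing file, so drop the -c flag when adding further users.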