{"id":10850,"date":"2024-12-17T07:32:02","date_gmt":"2024-12-17T07:32:02","guid":{"rendered":"https:\/\/blog.trustedhosting.in\/?p=10850"},"modified":"2024-12-17T07:32:02","modified_gmt":"2024-12-17T07:32:02","slug":"information-and-guidance-about-htaccess","status":"publish","type":"post","link":"https:\/\/www.webystrata.com\/blog\/information-and-guidance-about-htaccess\/","title":{"rendered":"Information and guidance about .htaccess"},"content":{"rendered":"

\"Information<\/a><\/h1>\n

Information and guidance about .htaccess<\/h1>\n

The\u00a0.htaccess<\/span><\/code>\u00a0file is used by Apache to allow configuration changes to be made per vhost without having to access the main Apache configuration files. You can have a\u00a0.htaccess<\/span><\/code>\u00a0file in any folder of your web files but the minimum is usually to have one in your document root. Here are some\u00a0.htaccess<\/span><\/code>\u00a0configuration examples.<\/p>\n

\n

Lock down access to site\/page<\/h2>\n

You can lock down pages completely, by source IP or with a password.<\/p>\n<\/section>\n

\n

Lock down completely<\/h2>\n

There may be some files that you want to lock down so nobody can access these via your web serve<\/a>r. Here is an example to lock down access to a file called\u00a0xmlrpc.php<\/span><\/code>. This is used by some CMS\u2019 but can be used to brute force a site.<\/p>\n

\n
\n
  <Files<\/span> xmlrpc.php<\/span>><\/span>\r\n    Order<\/span> allow,deny\r\n    Deny<\/span> from all<\/span>\r\n  <\/Files><\/span>\r\n<\/pre>\n<\/div>\n<\/div>\n<\/section>\n
\n
Lock down to specific IP(s)<\/h2>\n
You may want some files to be locked down to specific IPs. Here we lock down the\u00a0wp-admin.php<\/span><\/code>\u00a0file to the IPs\u00a0123.123.123.121<\/span><\/code>,\u00a0123.123.123.122<\/span><\/code>\u00a0and\u00a0123.123.123.123<\/span><\/code>.<\/p>\n
\n
\n
  <IfModule<\/span> mod_rewrite.c<\/span>><\/span>\r\n    RewriteEngine<\/span> on<\/span>\r\n    RewriteCond<\/span> %{REQUEST_URI} ^(.*)?wp-login\\.php(.*)$ [OR]\r\n    RewriteCond<\/span> %{REQUEST_URI} ^(.*)?wp-admin$\r\n    RewriteCond<\/span> %{REMOTE_ADDR} !^123\\.123\\.123\\.121$\r\n    RewriteCond<\/span> %{REMOTE_ADDR} !^123\\.123\\.123\\.122$\r\n    RewriteCond<\/span> %{REMOTE_ADDR} !^123\\.123\\.123\\.123$\r\n    RewriteRule<\/span> ^(.*)$ - [R=403,L]\r\n  <\/IfModule><\/span>\r\n<\/pre>\n<\/div>\n<\/div>\n
You can include as many IPs as you need in this example.<\/p>\n<\/section>\n
\n
Lock down using .htpasswd<\/h2>\n
You can use the\u00a0.htpasswd<\/span><\/code>\u00a0file to hold usernames and passwords which can be referenced by the\u00a0.htaccess<\/span><\/code>\u00a0file. First of all you need to create the\u00a0.htpasswd<\/span><\/code>\u00a0file. Although a webserver should be configured not to deliver any file beginning with a dot, it is still good practice to create the\u00a0.htpasswd<\/span><\/code>\u00a0file outside the document root. For example, for a site with document root\u00a0\/var\/www\/vhosts\/firstdomain.com\/htdocs<\/span><\/code>, we will create the\u00a0.htpasswd<\/span><\/code>\u00a0in the path\u00a0\/var\/www\/vhosts\/firstdomain.com\/.htpasswd<\/span><\/code>.<\/p>\n
This command will add a user to that file:<\/p>\n
\n
\n
htpasswd -c \/var\/www\/vhosts\/firstdomain.com\/.htpasswd admin\r\n<\/pre>\n<\/div>\n<\/div>\n
You will get prompted for the password. The command can be used for all subsequent users, replacing the user\u00a0admin<\/span><\/code>\u00a0with the new user name.<\/p>\n
To use this you then need to add the following to your\u00a0.htaccess<\/span><\/code>\u00a0file.<\/p>\n
\n
\n
  ErrorDocument<\/span> 401<\/span> \"Denied\"<\/span>\r\n  ErrorDocument<\/span> 403<\/span> \"Denied\"<\/span>\r\n  <files<\/span> wp-login.php<\/span>><\/span>\r\n    AuthType<\/span> Basic\r\n    AuthName<\/span> \"Password Protected Area\"<\/span>\r\n    AuthUserFile<\/span> \/var\/www\/vhosts\/firstdomain.com\/.htpasswd<\/span>\r\n    Require<\/span> valid-user\r\n  <\/files><\/span><\/pre>\n<\/div>\n<\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"
Information and guidance about .htaccess The\u00a0.htaccess\u00a0file is used by Apache to allow configuration changes to be made per vhost without…<\/p>\n","protected":false},"author":1,"featured_media":10808,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-10850","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.webystrata.com\/blog\/wp-json\/wp\/v2\/posts\/10850","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webystrata.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webystrata.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webystrata.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webystrata.com\/blog\/wp-json\/wp\/v2\/comments?post=10850"}],"version-history":[{"count":3,"href":"https:\/\/www.webystrata.com\/blog\/wp-json\/wp\/v2\/posts\/10850\/revisions"}],"predecessor-version":[{"id":10853,"href":"https:\/\/www.webystrata.com\/blog\/wp-json\/wp\/v2\/posts\/10850\/revisions\/10853"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.webystrata.com\/blog\/wp-json\/wp\/v2\/media\/10808"}],"wp:attachment":[{"href":"https:\/\/www.webystrata.com\/blog\/wp-json\/wp\/v2\/media?parent=10850"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webystrata.com\/blog\/wp-json\/wp\/v2\/categories?post=10850"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webystrata.com\/blog\/wp-json\/wp\/v2\/tags?post=10850"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}