Advanced .htaccess security and block access using .htaccess file

Block access to files using htaccess

1. Block access to .htaccess file
Add the following code block to your htaccess file to add an extra layer of security.Any attempts to access the htaccess file will result in a 403 error message.Your first layer of security to protect htaccess files involves permissions via CHMOD to 644.

# secure your htaccess file
<Files .htaccess>
order allow,deny
deny from all

2. Block access to a Specific File
To restrict access to a specific file, add the following code block and edit the file name, “secure_file.jpg”, with the name of the file that you wish to protect.

# prevent viewing of a specific file
<files secure_file.jpg>
order allow,deny
deny from all

3. Block access to multiple file types
To restrict access to a variety of file types, add the following code block and update the file types within parentheses to match the extensions of any files that you wish to protect.

<FilesMatch “\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$”>
Order Allow,Deny
Deny from all

4. Block unauthorized Directory Browsing
Prevent unauthorized directory browsing by instructing the server to serve a “xxx Forbidden – Authorization Required” message for any request to view a directory. For example, if your site is missing it’s default index page, everything within the root of your site will be accessible to all visitors. To prevent this, include the following htaccess rule.

# disables directory browsing
Options All -Indexes

To enable directory browsing, use the following directive.

# enables directory browsing
Options All +Indexes

Likewise, this rule will prevent the server from listing directory contents.

# prevent folder listing
IndexIgnore *

And, finally, the IndexIgnore directive may be used to prevent the display of select file types.

# prevent display of select file types
IndexIgnore *.wmv *.avi *.mp4 *.etc

Definition of .htaccess Regex Characters

Definition of .htaccess Regex Characters & htaccess regular expression special characters


The # instructs the server to ignore the line. It is used for including comments. Each line of comments requires its own #. When including comments, it is good practice to use only letters, numbers, dashes, and underscores. This will help eliminate/avoid potential server parsing errors.


Forbidden: Instructs the server to return a 403 Forbidden to the client or browser.


Last rule: Instructs the server to stop rewriting after the preceding directive is processed.


Next: Instructs Apache to rerun the rewrite rule until all rewriting directives have been achieved.


Gone: Instructs the server to deliver Gone (no longer exists) status message.


Proxy: Instructs server to handle requests by mod_proxy


Chain: Instructs server to chain the current rule with the previous rule.


Redirect: Instructs Apache to issue a redirect, causing the browser to request the rewritten/modified URL.


No Case: Defines any associated argument as case-insensitive.


Pass Through: Instructs mod_rewrite to pass the rewritten URL back to Apache for further processing.


Or: Specifies a logical “or” that ties two expressions together such that either one proving true will cause the associated rule to be applied.


No Escape: Instructs the server to parse output without escaping characters.


No Sub request: Instructs the server to skip the directive if internal sub-request.


Append Query String: Directs server to add the query string to the end of the expression (URL).


Skip: Instructs the server to skip the next “x” number of rules if a match is detected.


[E=variable: value]
Environmental Variable: Instructs the server to set the environmental variable “variable” to “value”.


Mime Type: Declares the mime type of the target resource.


Specifies a character class, in which any character within the brackets will be a match. e.g., [xyz] will match either an x, y, or z.


Character class in which any combination of items within the brackets will be a match. e.g., [xyz]+ will match any number of x’s, y’s, z’s, or any combination of these characters.


Specifies not within a character class. e.g., [^xyz] will match any character that is neither x, y, nor z.


A dash (-) between two characters within a character class ([]) denotes the range of characters between them. e.g., [a-zA-Z] matches all lowercase and uppercase letters from a to z.


Specifies an exact number, n, of the preceding character. e.g., x{3} matches exactly three x’s.


Specifies n or more of the preceding character. e.g., x{3,} matches three or more x’s.


Specifies a range of numbers, between n and m, of the preceding character. e.g., x{3,7} matches three, four, five, six, or seven x’s.


Used to group characters together, thereby considering them as a single unit. e.g., (perishable)?press will match press, with or without the perishable prefix.


Denotes the beginning of a regex (regex = regular expression) test string. i.e., begin argument with the proceeding character.


Denotes the end of a regex (regex = regular expression) test string. i.e., end argument with the previous character.


declares as optional the preceding character. e.g., monzas? will match monza or monzas, while mon(za)? will match either mon or monza. i.e., x? matches zero or one of x.


Declares negation. e.g., “!string” matches everything except “string”.


A dot (or period) indicates any single arbitrary character.


Instructs “not to” rewrite the URL, as in “…* – [F]”.


Matches one or more of the preceding character. e.g., G+ matches one or more G’s, while “+” will match one or more characters of any kind.


Matches zero or more of the preceding character. e.g., use “.*” as a wildcard.


Declares a logical “or” operator. for example, (x|y) matches x or y.


Escapes special characters ( ^ $ ! . * | ). e.g., use “\.” to indicate/escape a literal dot.


Indicates a literal dot (escaped).


zero or more slashes.


Zero or more arbitrary characters.


Defines an empty string.


The standard pattern for matching everything.


Defines one character that is neither a slash nor a dot.


Defines any number of characters which contains neither slash nor dot.


This is a literal statement — in this case, the literal character string, “http://”.


Defines a string that begins with the term “domain”, which then may be proceeded by any number of any characters.


Defines the exact string “”.


Tests if string is an existing directory


Tests if string is an existing file


Tests if file in test string has a non-zero value


Hope the above will help you a lot, if you have any issue in htaccess rules…post your valuable comment below.