This is a tutorial on server hardening using .htaccess.

Step 1: Access your server

To begin, you’ll need to access your server. This can typically be done through an FTP client, such as FileZilla, or through your server’s control panel.

Step 2: Locate the .htaccess file

Once you have access to your server, you’ll need to locate the .htaccess file. This file is typically located in the root directory of your website. If you can’t find it, you may need to enable the “show hidden files” option in your FTP client.

Step 3: Disable directory browsing

The first step in hardening your server is to disable directory browsing. This prevents anyone from being able to see the files and directories on your server. To do this, add the following code to your .htaccess file:

Options -Indexes

This disables directory listings: without it, a request for a directory that has no index file (index.html, index.php and so on) returns a list of everything in that directory, which can reveal backups, scripts and other files to unauthorized users. If your host does not permit Options in .htaccess (AllowOverride without Options), this line causes a 500 error for the whole directory, so test the site after adding it.

Step 4: Block IP addresses

You can also use your .htaccess file to block specific IP addresses from accessing your website. This can be useful if you’re experiencing attacks from a particular IP address. To do this, add the following code to your .htaccess file:

Order Allow,Deny
Allow from all
Deny from xxx.xxx.xxx.xxx

Replace “xxx.xxx.xxx.xxx” with the IP address you want to block, and add one “Deny from” line per additional address. The “Allow from all” line is required: with “Order Allow,Deny”, any request that matches no “Allow” directive is denied, so leaving it out locks everyone out of the site. These “Order” and “Deny” directives are Apache 2.2 syntax; Apache 2.4 only understands them when the mod_access_compat module is loaded and otherwise reports an invalid command, which in .htaccess means a 500 error.
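The same block written for Apache 2.4's own authorization directives, as an added example that is not part of the original tutorial. It assumes mod_authz_core (standard on 2.4) and that AllowOverride permits AuthConfig in this directory; the addresses 203.0.113.45 and 198.51.100.0/24 are constructed sample values.

```apache
# Added example (not from the original tutorial): Apache 2.4 equivalent of
# "Order Allow,Deny / Allow from all / Deny from <address>".
# Inside <RequireAll>, every Require line must pass, so "Require all granted"
# admits everyone and each "Require not ip" carves out an exception.
<RequireAll>
    Require all granted
    # Constructed sample values: a single host and a CIDR range.
    Require not ip 203.0.113.45
    Require not ip 198.51.100.0/24
</RequireAll>
```

If the site sits behind a reverse proxy or CDN, Apache sees the proxy's address on every connection, so an IP rule matches the wrong thing unless mod_remoteip is configured to restore the real client address from the proxy's forwarding header.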

Step 5: Protect sensitive files

If you have any sensitive files on your server, such as configuration files or databases, you can use your .htaccess file to protect them. To do this, add the following code to your .htaccess file:


<FilesMatch "^(config\.php|database\.sql)$">
Order Allow,Deny
Deny from all
</FilesMatch>

Replace “config.php” and “database.sql” with the names of your sensitive files. Note that this only refuses HTTP requests for those files: PHP can still read config.php itself, which is the point, and anyone with FTP or shell access to the server is unaffected. Wherever possible, keep configuration files and database dumps outside the web root so that no request can reach them in the first place.

Step 6: Restrict file types

You can also use .htaccess to stop files of certain types from being served or executed, which is useful in a directory that accepts uploads: even if an attacker manages to upload a script, the web server will refuse to run it. To do this, add the following code to the .htaccess file in your upload directory:


<FilesMatch "\.(php|exe|pl|cgi|htm|html|js|css)$">
Order Allow,Deny
Deny from all
</FilesMatch>

This code returns 403 Forbidden for any request to a file whose extension matches the regular expression. It does not prevent the upload itself, only access to the file afterwards. The pattern shown also matches htm, html, js and css, so applying it to your site's root directory would break ordinary pages; scope it to directories that should only hold uploaded data files, such as images.
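Step 6 lists dangerous extensions to deny. As an added example that is not part of the original tutorial, here is the inverse approach for a directory that should hold nothing but uploaded images: deny every request by default, re-allow only the image types, and switch off script execution as a second layer. It assumes Apache 2.4 syntax, that AllowOverride permits AuthConfig, Options and FileInfo in this directory, and that if mod_php is loaded it registers as mod_php.c (the PHP 8 module name; PHP 7 used mod_php7.c, and under PHP-FPM the php_flag line is simply skipped).

```apache
# Added example (not from the original tutorial): .htaccess for an
# uploads directory that should serve only image files.

# Deny every request in this directory by default ...
Require all denied

# ... then re-allow only files whose extension is an image type.
# SVG is deliberately left out: it can carry scripts, so an uploaded
# SVG rendered in the browser is an XSS risk.
<FilesMatch "\.(jpe?g|png|gif|webp)$">
    Require all granted
</FilesMatch>

# Defence in depth: no CGI, no directory listings, and no PHP here even
# if a handler for .php is still mapped at the server level.
Options -ExecCGI -Indexes
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# Stop browsers sniffing an "image" that is really HTML and rendering it.
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
</IfModule>
```

The allow-list is the important part: an extension that is not on the list is refused whether or not anyone thought to include it in a block-list, and a file uploaded as `shell.php.jpg` is still served as an image, not executed. Keep the upload directory free of an index file and check the Apache error log after deploying; a 500 there means AllowOverride does not permit one of the directives.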

Step 7: Enable HTTPS

Finally, you can use your .htaccess file to force HTTPS on your website. This encrypts all traffic between your server and your visitors’ browsers, which can help protect sensitive data. To do this, add the following code to your .htaccess file:


RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This redirects every plain-HTTP request to the same URL over HTTPS with a permanent (301) redirect; it requires mod_rewrite and a working TLS certificate for the site. If TLS is terminated by a load balancer or CDN in front of Apache, %{HTTPS} is “off” for every request and this rule loops; in that case the condition needs to check the X-Forwarded-Proto header instead.
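The redirect above still lets a returning visitor's first request go out in plain text before it is redirected. As an added example that is not part of the original tutorial, the following makes the redirect proxy-aware and adds an HTTP Strict Transport Security header so that browsers which have seen the site once connect over TLS directly. It assumes mod_rewrite and mod_headers, Apache 2.4.10 or later for the `expr=` condition, and that any X-Forwarded-Proto header reaching Apache is set by a proxy you control; the max-age of 300 seconds is a constructed starting value.

```apache
# Added example (not from the original tutorial): proxy-aware HTTPS redirect
# plus an HSTS header.
RewriteEngine On
# Redirect when the connection to Apache itself is not TLS ...
RewriteCond %{HTTPS} !=on
# ... and no trusted proxy in front has already terminated TLS for us.
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

<IfModule mod_headers.c>
    # HSTS must only be sent on HTTPS responses, so the header is
    # conditional on TLS either at Apache or at the proxy in front of it.
    # Start with a short max-age (300 s here, a constructed value) and raise
    # it to months only once every subdomain is confirmed to work over TLS,
    # because browsers cache the policy and will refuse plain HTTP until
    # it expires.
    Header always set Strict-Transport-Security "max-age=300; includeSubDomains" "expr=%{HTTPS} == 'on' || req('X-Forwarded-Proto') == 'https'"
</IfModule>
```

Leave out `includeSubDomains` if any subdomain is still served over plain HTTP, and do not add `preload` until the policy has run at a long max-age without problems, since removal from browser preload lists takes months.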

Step 8: Limit Access to Important Files

You can restrict access to sensitive files on your server by adding the following lines to your .htaccess file:


<FilesMatch "(^\.htaccess|\.htpasswd$)">
Require all denied
</FilesMatch>

This denies web access to .htaccess and .htpasswd, which hold your access rules and password hashes. Apache's stock configuration already refuses requests for files whose names begin with .ht, so this rule is a safeguard in case that default has been removed. Note the syntax: “Require all denied” is Apache 2.4; on Apache 2.2 use “Order Allow,Deny” and “Deny from all” as in the earlier steps. A single .htaccess that mixes both styles only works on 2.4 with mod_access_compat loaded.

Step 9: Prevent Hotlinking

Hotlinking is the practice of linking to images, videos, or other files on your server from another website. This can increase your server load and bandwidth usage. To prevent hotlinking, add the following lines to your .htaccess file:


RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

Replace “yourdomain.com” with your own domain; the dot is escaped because the value is a regular expression. The first condition lets requests with an empty Referer through, so direct visits, bookmarks and browsers that strip the header keep working; the second returns 403 Forbidden for image requests referred from any other site. This will prevent other websites from hotlinking to images on your server, but the Referer header is supplied by the client and trivial to fake, so treat it as a bandwidth control rather than a security boundary.

Step 10: Block Bad Bots

To refuse requests from unwanted bots, identified by their User-Agent header, add the following lines to your .htaccess file:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|bing|Baidu|Yahoo|Yandex) [NC]
RewriteRule .* - [F,L]

This returns 403 Forbidden to any client whose User-Agent matches the pattern. Replace the names in parentheses with the user-agent strings of the bots you actually want to keep out: the names shown here belong to the major search engines' crawlers, so using the pattern as written would remove your site from their search results. Like the Referer check above, this is bypassed by any bot that simply sends a different User-Agent string, so it filters careless crawlers rather than determined attackers.

Step 11: Disable Server Signature

To hide your server’s identity, add the following lines to your .htaccess file:


ServerSignature Off

This removes the footer that Apache appends to pages it generates itself, such as error pages and directory listings, which otherwise names the server software, its version and the server administrator's address. It does not change the Server response header: that is controlled by ServerTokens, which can only be set in the main server configuration, not in .htaccess.
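Version information also leaks through response headers that .htaccess can control. As an added example that is not part of the original tutorial, the following strips the X-Powered-By header that PHP adds and sets a few headers that limit what a browser will do with your pages. It assumes mod_headers is loaded and that AllowOverride permits FileInfo; the Server header itself still needs `ServerTokens Prod` in the main server configuration.

```apache
# Added example (not from the original tutorial): header hygiene that
# complements "ServerSignature Off".
<IfModule mod_headers.c>
    # PHP advertises its version in X-Powered-By unless expose_php is off in
    # php.ini. Removing the header at the web server covers both cases; the
    # header is unset in both the normal and the "always" table because
    # handler-set headers may live in either.
    Header unset X-Powered-By
    Header always unset X-Powered-By

    # Stop browsers guessing content types, framing your pages on other
    # sites, or sending full URLs in the Referer to third parties.
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>
```

Confirm the result from outside with `curl -sI https://yourdomain.com/` and check that X-Powered-By is gone and the Server header shows no version; if it still does, the fix is ServerTokens in the server configuration, not in .htaccess.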

Step 12: Set a Time Limit for Script Execution

To prevent long-running scripts from consuming too much server resources, add the following line to your .htaccess file:


php_value max_execution_time 30

This sets a time limit of 30 seconds for PHP script execution, after which PHP aborts the script. The php_value directive only works when PHP runs as an Apache module (mod_php); if mod_php is not loaded, Apache rejects the directive and the directory returns a 500 error. When PHP runs under PHP-FPM, set max_execution_time in php.ini or in a .user.ini file in the web root instead.


That’s it! By following these steps, you can use your .htaccess file to harden your server and protect your website from attacks.