This is a tutorial on server hardening using .htaccess.
Step 1: Access your server
To begin, you’ll need to access your server. This can typically be done through an FTP client, such as FileZilla, or through your server’s control panel.
Step 2: Locate the .htaccess file
Once you have access to your server, you’ll need to locate the .htaccess file. This file is typically located in the root directory of your website. If you can’t find it, you may need to enable the “show hidden files” option in your FTP client.
Step 3: Disable directory browsing
The first step in hardening your server is to disable directory browsing. This prevents anyone from being able to see the files and directories on your server. To do this, add the following code to your .htaccess file:
Options -Indexes
This will disable directory browsing, which can reveal the contents of your directories to unauthorized users.
Step 4: Block IP addresses
You can also use your .htaccess file to block specific IP addresses from accessing your website. This can be useful if you’re experiencing attacks from a particular IP address. To do this, add the following code to your .htaccess file:
Order Allow,Deny
Deny from xxx.xxx.xxx.xxx
Replace “xxx.xxx.xxx.xxx” with the IP address you want to block. You can also block multiple IP addresses by adding additional “Deny from” lines.
Step 5: Protect sensitive files
If you have any sensitive files on your server, such as configuration files or databases, you can use your .htaccess file to protect them. To do this, add the following code to your .htaccess file:
<FilesMatch "^(config\.php|database\.sql)$">
Order Allow,Deny
Deny from all
</FilesMatch>
Replace “config.php” and “database.sql” with the names of your sensitive files.
Step 6: Restrict file types
You can also restrict certain file types from being uploaded to your server. This can help prevent attacks that use malicious files to gain access to your server. To do this, add the following code to your .htaccess file:
<FilesMatch "\.(php|exe|pl|cgi|htm|html|js|css)$">
Order Allow,Deny
Deny from all
</FilesMatch>
This code will block any files with the extensions listed in the regular expression.
Step 7: Enable HTTPS
Finally, you can use your .htaccess file to force HTTPS on your website. This encrypts all traffic between your server and your visitors’ browsers, which can help protect sensitive data. To do this, add the following code to your .htaccess file:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
This code will redirect all traffic to HTTPS.
8. Limit Access to Important Files
You can restrict access to sensitive files on your server by adding the following lines to your .htaccess file:
<FilesMatch "(^\.htaccess|\.htpasswd$)">
Require all denied
</FilesMatch>
This will deny access to the .htaccess and .htpasswd files, which contain sensitive information about your server configuration.
9. Prevent Hotlinking
Hotlinking is the practice of linking to images, videos, or other files on your server from another website. This can increase your server load and bandwidth usage. To prevent hotlinking, add the following lines to your .htaccess file:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
10. Block Bad Bots
To prevent bad bots from accessing your server, add the following lines to your .htaccess file:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|bing|Baidu|Yahoo|Yandex) [NC]
RewriteRule .* - [R=403,L]
This will block requests from common bad bots.
This will prevent other websites from hotlinking to images on your server.
11. Disable Server Signature
To hide your server’s identity, add the following lines to your .htaccess file:
ServerSignature Off
This will disable the server signature, which includes the server version number and other information.
12. Set a Time Limit for Script Execution
To prevent long-running scripts from consuming too much server resources, add the following line to your .htaccess file:
php_value max_execution_time 30
This will set a time limit of 30 seconds for PHP script execution.
That’s it! By following these steps, you can use your .htaccess file to harden your server and protect your website from attacks.