{"id":10850,"date":"2024-12-17T07:32:02","date_gmt":"2024-12-17T07:32:02","guid":{"rendered":"https:\/\/blog.webystrata.co.uk\/?p=10850"},"modified":"2024-12-17T07:32:02","modified_gmt":"2024-12-17T07:32:02","slug":"information-and-guidance-about-htaccess","status":"publish","type":"post","link":"https:\/\/www.webystrata.co.uk\/blog\/information-and-guidance-about-htaccess\/","title":{"rendered":"Information and guidance about .htaccess"},"content":{"rendered":"<h1><a href=\"https:\/\/www.webystrata.co.uk\/cpanel-hosting.html\"><img fetchpriority=\"high\" decoding=\"async\" class=\"alignnone wp-image-10808 size-full\" title=\"Information and guidance about .htaccess\" src=\"https:\/\/blog.webystrata.co.uk\/wp-content\/uploads\/2024\/12\/6802364_26958.jpg\" alt=\"Information and guidance about .htaccess\" width=\"2000\" height=\"2000\" srcset=\"https:\/\/www.webystrata.co.uk\/blog\/wp-content\/uploads\/2024\/12\/6802364_26958.jpg 2000w, https:\/\/www.webystrata.co.uk\/blog\/wp-content\/uploads\/2024\/12\/6802364_26958-300x300.jpg 300w, https:\/\/www.webystrata.co.uk\/blog\/wp-content\/uploads\/2024\/12\/6802364_26958-1024x1024.jpg 1024w, https:\/\/www.webystrata.co.uk\/blog\/wp-content\/uploads\/2024\/12\/6802364_26958-150x150.jpg 150w, https:\/\/www.webystrata.co.uk\/blog\/wp-content\/uploads\/2024\/12\/6802364_26958-768x768.jpg 768w, https:\/\/www.webystrata.co.uk\/blog\/wp-content\/uploads\/2024\/12\/6802364_26958-1536x1536.jpg 1536w\" sizes=\"(max-width: 2000px) 100vw, 2000px\" \/><\/a><\/h1>\n<h1>Information and guidance about .htaccess<\/h1>\n<p>The\u00a0<code class=\"docutils literal notranslate\"><span class=\"pre\">.htaccess<\/span><\/code>\u00a0file is used by Apache to allow configuration changes to be made per vhost without having to access the main Apache configuration files. 
You can have a\u00a0<code class=\"docutils literal notranslate\"><span class=\"pre\">.htaccess<\/span><\/code>\u00a0file in any folder of your web files but the minimum is usually to have one in your document root. Here are some\u00a0<code class=\"docutils literal notranslate\"><span class=\"pre\">.htaccess<\/span><\/code>\u00a0configuration examples.<\/p>\n<section id=\"lock-down-access-to-site-page\">\n<h2>Lock down access to site\/page<\/h2>\n<p>You can lock down pages completely, by source IP or with a password.<\/p>\n<\/section>\n<section id=\"lock-down-completely\">\n<h2>Lock down completely<\/h2>\n<p>There may be some files that you want to lock down so nobody can access them through your <a href=\"https:\/\/www.webystrata.co.uk\/cpanel-hosting.html\">web server<\/a>. Here is an example to lock down access to a file called\u00a0<code class=\"docutils literal notranslate\"><span class=\"pre\">xmlrpc.php<\/span><\/code>. This file is used by some CMSs but can also be used to brute-force a site.<\/p>\n<div class=\"highlight-apacheconf notranslate\">\n<div class=\"highlight\">\n<pre>  <span class=\"nt\">&lt;Files<\/span> <span class=\"s\">xmlrpc.php<\/span><span class=\"nt\">&gt;<\/span>\r\n    <span class=\"nb\">Order<\/span> allow,deny\r\n    <span class=\"nb\">Deny<\/span> from <span class=\"k\">all<\/span>\r\n  <span class=\"nt\">&lt;\/Files&gt;<\/span>\r\n<\/pre>\n<\/div>\n<\/div>\n<\/section>\n<section id=\"lock-down-to-specific-ip-s\">\n<h2>Lock down to specific IP(s)<\/h2>\n<p>You may want some files to be locked down to specific IPs. 
Here we lock down the\u00a0<code class=\"docutils literal notranslate\"><span class=\"pre\">wp-login.php<\/span><\/code>\u00a0file and the\u00a0<code class=\"docutils literal notranslate\"><span class=\"pre\">wp-admin<\/span><\/code>\u00a0path to the IPs\u00a0<code class=\"docutils literal notranslate\"><span class=\"pre\">123.123.123.121<\/span><\/code>,\u00a0<code class=\"docutils literal notranslate\"><span class=\"pre\">123.123.123.122<\/span><\/code>\u00a0and\u00a0<code class=\"docutils literal notranslate\"><span class=\"pre\">123.123.123.123<\/span><\/code>.<\/p>\n<div class=\"highlight-apacheconf notranslate\">\n<div class=\"highlight\">\n<pre>  <span class=\"nt\">&lt;IfModule<\/span> <span class=\"s\">mod_rewrite.c<\/span><span class=\"nt\">&gt;<\/span>\r\n    <span class=\"nb\">RewriteEngine<\/span> <span class=\"k\">on<\/span>\r\n    <span class=\"nb\">RewriteCond<\/span> %{REQUEST_URI} ^(.*)?wp-login\\.php(.*)$ [OR]\r\n    <span class=\"nb\">RewriteCond<\/span> %{REQUEST_URI} ^(.*)?wp-admin$\r\n    <span class=\"nb\">RewriteCond<\/span> %{REMOTE_ADDR} !^123\\.123\\.123\\.121$\r\n    <span class=\"nb\">RewriteCond<\/span> %{REMOTE_ADDR} !^123\\.123\\.123\\.122$\r\n    <span class=\"nb\">RewriteCond<\/span> %{REMOTE_ADDR} !^123\\.123\\.123\\.123$\r\n    <span class=\"nb\">RewriteRule<\/span> ^(.*)$ - [R=403,L]\r\n  <span class=\"nt\">&lt;\/IfModule&gt;<\/span>\r\n<\/pre>\n<\/div>\n<\/div>\n<p>You can include as many IPs as you need in this example by adding one\u00a0<code class=\"docutils literal notranslate\"><span class=\"pre\">RewriteCond %{REMOTE_ADDR}<\/span><\/code>\u00a0line per address.<\/p>\n<\/section>\n<section id=\"lock-down-using-htpasswd\">\n<h2>Lock down using .htpasswd<\/h2>\n<p>You can use the\u00a0<code class=\"docutils literal notranslate\"><span class=\"pre\">.htpasswd<\/span><\/code>\u00a0file to hold usernames and passwords which can be referenced by the\u00a0<code class=\"docutils literal notranslate\"><span class=\"pre\">.htaccess<\/span><\/code>\u00a0file. First of all you need to create the\u00a0<code class=\"docutils literal notranslate\"><span class=\"pre\">.htpasswd<\/span><\/code>\u00a0file. 
Although a webserver should be configured not to deliver any file beginning with a dot, it is still good practice to create the\u00a0<code class=\"docutils literal notranslate\"><span class=\"pre\">.htpasswd<\/span><\/code>\u00a0file outside the document root. For example, for a site with document root\u00a0<code class=\"docutils literal notranslate\"><span class=\"pre\">\/var\/www\/vhosts\/firstdomain.com\/htdocs<\/span><\/code>, we will create the\u00a0<code class=\"docutils literal notranslate\"><span class=\"pre\">.htpasswd<\/span><\/code>\u00a0in the path\u00a0<code class=\"docutils literal notranslate\"><span class=\"pre\">\/var\/www\/vhosts\/firstdomain.com\/.htpasswd<\/span><\/code>.<\/p>\n<p>This command creates the file and adds a user to it:<\/p>\n<div class=\"highlight-bash notranslate\">\n<div class=\"highlight\">\n<pre>htpasswd -c \/var\/www\/vhosts\/firstdomain.com\/.htpasswd admin\r\n<\/pre>\n<\/div>\n<\/div>\n<p>You will be prompted for the password. For all subsequent users, run the command without the\u00a0<code class=\"docutils literal notranslate\"><span class=\"pre\">-c<\/span><\/code>\u00a0option, replacing the user\u00a0<code class=\"docutils literal notranslate\"><span class=\"pre\">admin<\/span><\/code>\u00a0with the new user name. The\u00a0<code class=\"docutils literal notranslate\"><span class=\"pre\">-c<\/span><\/code>\u00a0option creates the file and overwrites an existing one, which would remove the users already in it.<\/p>\n<p>To use this you then need to add the following to your\u00a0<code class=\"docutils literal notranslate\"><span class=\"pre\">.htaccess<\/span><\/code>\u00a0file.<\/p>\n<div class=\"highlight-apacheconf notranslate\">\n<div class=\"highlight\">\n<pre>  <span class=\"nb\">ErrorDocument<\/span> <span class=\"m\">401<\/span> <span class=\"s2\">\"Denied\"<\/span>\r\n  <span class=\"nb\">ErrorDocument<\/span> <span class=\"m\">403<\/span> <span class=\"s2\">\"Denied\"<\/span>\r\n  <span class=\"nt\">&lt;files<\/span> <span class=\"s\">wp-login.php<\/span><span class=\"nt\">&gt;<\/span>\r\n    <span class=\"nb\">AuthType<\/span> Basic\r\n    <span class=\"nb\">AuthName<\/span> <span class=\"s2\">\"Password Protected Area\"<\/span>\r\n    <span class=\"nb\">AuthUserFile<\/span> <span 
class=\"sx\">\/var\/www\/vhosts\/firstdomain.com\/.htpasswd<\/span>\r\n    <span class=\"nb\">Require<\/span> valid-user\r\n  <span class=\"nt\">&lt;\/files&gt;<\/span><\/pre>\n<\/div>\n<\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>Information and guidance about .htaccess The\u00a0.htaccess\u00a0file is used by Apache to allow configuration changes to be made per vhost without having to access the main Apache configuration files. You can have a\u00a0.htaccess\u00a0file in any folder of your web files but the minimum is usually to have one in your document root. Here are some\u00a0.htaccess\u00a0configuration examples. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":10808,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-10850","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.webystrata.co.uk\/blog\/wp-json\/wp\/v2\/posts\/10850","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webystrata.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webystrata.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webystrata.co.uk\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webystrata.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=10850"}],"version-history":[{"count":3,"href":"https:\/\/www.webystrata.co.uk\/blog\/wp-json\/wp\/v2\/posts\/10850\/revisions"}],"predecessor-version":[{"id":10853,"href":"https:\/\/www.webystrata.co.uk\/blog\/wp-json\/wp\/v2\/posts\/10850\/revisions\/10853"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.webystrata.co.uk\/blog\/wp-json\/wp\/v2\/media\/10808"}],"wp:attachment":[{"href":"https:\/\/www.webystrata.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=10850"}],"wp:ter
m":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webystrata.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=10850"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webystrata.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=10850"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}