htaccess Security Tips: Secure Your Website

Posted by HostAsean Editor on 25 04 2018. in Coding & Web Development, Website Security

Securing a website is a challenge, there are many different aspects of website security and countless holes to plug. We have collected some useful htaccess security tips, tweaks and code snippets to fix common website security issues. These fixes all work great on our web hosting platform. Security scanners will often pick up issues like these so here is how to fix them to improve the overall security of your website. You can use these htaccess security tips and code snippets for WordPress and also any other website.

What is a .htaccess file?

.htaccess is a file used by Apache web server to set server environment variables and configuration settings for the specified directory only. It is usually found in your website root directory, e.g. /home/username/public_html/.htaccess

1. Enable HTTP Strict Transport Security (HSTS) in .htaccess

HTTP Strict Transport Security (HSTS) support is often flagged up by SEO and security scanners. What does it do? It simply tells web browsers that you want your website to only be accessed over a valid https connection. To enable it just add this line to htaccess:

Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

2. Block PHP code execution in specified directories in .htaccess

This is a quick .htaccess website security tweak that works for WordPress or any other custom website that has directories you want to protect from PHP code execution. Using this .htaccess trick you can easily block PHP execution in your core WordPress directories to stop common attacks, but check your website carefully in case it breaks existing theme or plugin functionality. For finer control, we recommend the Sucuri WordPress security plugin which enables you to whitelist specific files while blocking the rest. To implement this just create a .htaccess file in each of the directories that you want to protect and add this code:

<FilesMatch "\.(?i:php)$">
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
</FilesMatch>  

3. Limit access by IP address in .htaccess

If you have a static IP address then you can use this to control access to specific files or directories on your website such as your login page or admin area. This is often used to secure WordPress websites by restricting the wp-login.php and /wp-admin/ directory, but works equally well for other content management systems and custom websites and apps.

To limit access to a specific file:

<Files <YOUR FILENAME>.php>
Order deny,allow
Deny from all
Allow from <YOUR IP ADDRESS>
</Files>

To limit access to a whole directory, create a .htaccess file in the directory you want to protect, and add this code:

Order Deny,Allow
Deny from all
Allow from <YOUR IP ADDRESS>

4. Prevent directory browsing in .htaccess

This one is often set by default by your hosting provider, but if not then you can add the following line to your .htaccess file to prevent browsing of your directories via a web browser.

Options All -Indexes

5. Prevent image hotlinking in .htaccess

This stops other websites displaying images hosted on your website. This isn’t a huge issue but if the culprit has a lot of traffic it can quickly use up your bandwidth and cause your website to be suspended or incur extra bandwidth costs. You can also replace the image with one that shows your website name and address to give yourself a bit of promotion, or replace it with something a bit cheeky as you see fit. Just add this code to your .htaccess file and change yourdomain and your no hotlinking image URL as appropriate:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www.)?yourdomain.com/.*$ [NC]
RewriteRule .(jpeg|JPEG|jpe|JPE|jpg|JPG|gif|GIF|png|PNG)$ https://www.yourdomain.com/no-hotlinking.png [R,L]

6. Header for Cross-Origin Resource Sharing (CORS)

This was flagged by a recent website security scan on a client website. Basically this header limits access to resources like CSS stylesheets, images, and scripts to only the specified domain. We suggest reading more about CORS on the Mozilla Developers website, and then if you want to enable this just add the following line to .htaccess:

Header set Access-Control-Allow-Origin https://www.yourdomain.com

7. Disable HTTP Track & Trace

Another one often flagged up by security scans is to disable HTTP TRACE and HTTP TRACK methods. This can be done in Apache either by adding TraceEnable Off to your httpd.conf or by adding the following code to your .htaccess file:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

We’ve previously posted our website performance & SEO tweaks which also use the .htaccess file. Looking for more htaccess security tips to secure your website? Check out our developer resource code.hostasean.com for more code snippets and also our own WordPress plugins. Having problems or got more tips? Let us know in the comments.