Protect Folders and Files using .htaccess

Not all folders and files in your web folder should be accessible to everyone. Configuration files or debug information should be kept secret. It can also be pretty annoying when crawlers keep ignoring the rules in your robots.txt and simply index and list every file they find. In this article I will explain how you can restrict access to files and folders.

Restrict access to folders

To protect a certain folder from unauthorized access, we first need to create a .htaccess file within the folder itself. Blocking access for everyone isn't complicated. A few lines in the file are enough to accomplish that.

Order allow,deny
Deny from all

You don't want to restrict access for everybody, but e.g. allow it for certain people or yourself? Then you have multiple options. If you are one of the lucky few who actually possess a static IP address, you can simply allow access for that specific IP. Let's say our IP is 123.123.123.123 in this example.

Order allow,deny
Allow from 123.123.123.123

Unfortunately I do not own a static IP address, so I need to rely on the protection of basic authentication using a .htpasswd file. For this to work you need to create a .htpasswd file somewhere on your server and take note of the absolute path where the file is located. In the .htpasswd file you add username and password pairs. It's best practice to create the file outside of your web folder. To create the password entries you can use one of the free .htpasswd generators. The complete file (with two users in this case) would look something like this:

demo:devFxxVFZsuos
admin:adpexzg3FUZAk

To set up basic authentication you need to add some lines to your .htaccess file. First you add the AuthType (1). Then you define the path to your .htpasswd file using the AuthUserFile directive (2). Via AuthName you set the description shown in the password dialog that pops up when a user tries to access the restricted folder (3). Lastly you tell Apache to require a valid user before proceeding (4).

AuthType Basic
AuthUserFile /path/to/your/.htpasswd
AuthName "Password Protected Area"
Require valid-user

A single .htpasswd file can be referenced by multiple .htaccess files. It may contain multiple username/password combinations; define one user per line using the scheme shown in the example above.
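To make the file format and the login exchange concrete, here is an added example in Python (not code from the original article): it writes .htpasswd entries, parses the one-user-per-line file, and validates the "Authorization: Basic" header a browser sends after the password dialog. It assumes Apache's "{SHA}" hash scheme (what the htpasswd tool writes with -s) because that needs only the standard library; the file layout is identical for the bcrypt scheme (htpasswd -B), which is the stronger choice on a real server. The sample users and passwords are constructed for this example.

```python
"""Added example, not code from the original article: build and check an
Apache-style .htpasswd file in pure Python, and validate the
"Authorization: Basic ..." header that the browser's password dialog sends.

Assumptions not stated on the page: entries use Apache's "{SHA}" scheme
(base64 of the raw SHA-1 digest, the format `htpasswd -s` writes) because
it needs only the standard library. The sample file below is constructed.
"""
import base64
import hashlib
import hmac
from typing import Dict, Optional


def sha_entry(username: str, password: str) -> str:
    """Return one .htpasswd line: 'user:{SHA}<base64(sha1(password))>'."""
    if ":" in username:
        raise ValueError("username must not contain ':' (it separates the fields)")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{username}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def parse_htpasswd(text: str) -> Dict[str, str]:
    """Parse .htpasswd content: one 'user:hash' pair per line; blank lines and
    '#' comments are skipped. If a user appears twice, the first entry is kept
    (an assumption of this model)."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, stored = line.partition(":")
        if not sep or not user:
            continue  # malformed line, ignore it
        entries.setdefault(user, stored)
    return entries


def verify(entries: Dict[str, str], username: str, password: str) -> bool:
    """Constant-time comparison of the stored {SHA} hash with the hash of the
    offered password. Unknown users and other hash schemes fail closed."""
    stored = entries.get(username)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    offered = sha_entry(username, password).partition(":")[2]
    return hmac.compare_digest(stored.encode(), offered.encode())


def basic_header(username: str, password: str) -> str:
    """Client side: the header value sent after the dialog, 'Basic base64(user:pass)'."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def check_basic_auth(entries: Dict[str, str], header_value: Optional[str]) -> bool:
    """Server side: decode the Authorization header and check it against the file."""
    if not header_value:
        return False  # no credentials: Apache answers 401 with WWW-Authenticate
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False  # not valid base64 or not UTF-8
    user, sep, password = decoded.partition(":")
    return bool(sep) and verify(entries, user, password)


# Constructed sample: the two user names from the article with made-up passwords.
SAMPLE_HTPASSWD = "\n".join([
    "# constructed sample .htpasswd (not the article's hashes)",
    sha_entry("demo", "demo-password"),
    sha_entry("admin", "correct horse battery staple"),
]) + "\n"


if __name__ == "__main__":
    table = parse_htpasswd(SAMPLE_HTPASSWD)
    print(SAMPLE_HTPASSWD)
    print("demo / correct password:", check_basic_auth(table, basic_header("demo", "demo-password")))
    print("demo / wrong password:  ", check_basic_auth(table, basic_header("demo", "nope")))
```

Note that the credentials travel base64-encoded, not encrypted, in every request to the protected folder, which is why basic authentication should only be used over HTTPS.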

Restrict access to single files or certain file types

Instead of restricting access to a whole folder, it may be more suitable to restrict access to certain files only. The following lines protect a file named "secret.pdf" from being accessed through the web.

The FilesMatch directive restricts a set of rules to certain files or file types. Its argument is a regex pattern, so you can match any string in a filename.

<FilesMatch "secret\.pdf$">
Order allow,deny
Deny from all
</FilesMatch>

You may for example write a regular expression that only matches files with a certain extension. In the example below access to all PDF and ZIP files is restricted.

<FilesMatch "\.(pdf|zip)$">
Order allow,deny
Deny from all
</FilesMatch>

Obviously you can use the same directives as in the chapter before: you can restrict access to certain IP addresses or add a basic authentication dialog. In principle you shouldn't place "secret" files in a web-accessible folder in the first place. But sometimes you just want to make the NSA happy, or you might need to protect user uploads of your CMS. In such cases the directives I explained above may come in handy.
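The following added example in Python (not code from the original article) models the Order / Allow from / Deny from semantics used throughout this article, optionally scoped by a FilesMatch pattern, so you can check what a rule does before deploying it. It goes a little beyond the page: it also models "Order deny,allow", and it shows why a dot in a FilesMatch pattern must be escaped (an unescaped pattern like "(.pdf|.zip)$" also matches a file called "mypdf"). The Rule class, the "last matching rule wins" merging and the "unmatched file is allowed" default are simplifications assumed by this model. On Apache 2.4 these directives are provided by mod_access_compat; the native equivalents are "Require all denied" and "Require ip 123.123.123.123".

```python
"""Added example, not code from the original article: a small model of the
Apache 2.2 access-control directives the article uses (Order, Allow from,
Deny from, optionally inside <FilesMatch>) so their semantics can be checked
without a web server.

Assumptions: rules are given as Python objects rather than parsed from a
.htaccess file; Allow/Deny accept only "all" or an exact IPv4 address; when
several rules match the same file, the last one wins (a simplification of
Apache's section merging); a file no rule matches is treated as allowed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    order: str                                        # "allow,deny" or "deny,allow"
    allow: List[str] = field(default_factory=list)    # hosts from "Allow from ..."
    deny: List[str] = field(default_factory=list)     # hosts from "Deny from ..."
    files_match: Optional[str] = None                 # <FilesMatch "regex">; None = whole folder


def _host_matches(hosts: List[str], ip: str) -> bool:
    return any(h == "all" or h == ip for h in hosts)


def rule_applies(rule: Rule, filename: str) -> bool:
    """FilesMatch is a regex search (not a full match) against the file name."""
    if rule.files_match is None:
        return True
    return re.search(rule.files_match, filename) is not None


def evaluate(rule: Rule, ip: str) -> bool:
    """Apache 2.2 semantics of Order:
      allow,deny -> default deny; a host must match an Allow and no Deny.
      deny,allow -> default allow; a host is refused only if it matches a Deny
                    and no Allow (a host matching both is allowed).
    """
    allowed = _host_matches(rule.allow, ip)
    denied = _host_matches(rule.deny, ip)
    if rule.order == "allow,deny":
        return allowed and not denied
    if rule.order == "deny,allow":
        return allowed or not denied
    raise ValueError(f"unknown Order: {rule.order!r}")


def is_allowed(rules: List[Rule], filename: str, ip: str) -> bool:
    """Decide one request; the last applicable rule wins (model assumption)."""
    decision = True
    for rule in rules:
        if rule_applies(rule, filename):
            decision = evaluate(rule, ip)
    return decision


# The article's configurations, plus the loose and the escaped FilesMatch pattern.
DENY_EVERYONE = Rule("allow,deny", deny=["all"])
ONLY_MY_IP = Rule("allow,deny", allow=["123.123.123.123"])
LOOSE_PDF_ZIP = Rule("allow,deny", deny=["all"], files_match=r"(.pdf|.zip)$")   # unescaped dots
STRICT_PDF_ZIP = Rule("allow,deny", deny=["all"], files_match=r"\.(pdf|zip)$")


if __name__ == "__main__":
    for name, rule in [("loose", LOOSE_PDF_ZIP), ("strict", STRICT_PDF_ZIP)]:
        for fn in ["report.pdf", "mypdf", "index.html"]:
            print(f"{name:6} {fn:12} blocked={not is_allowed([rule], fn, '10.0.0.1')}")
```

Running the block prints that the loose pattern blocks "mypdf" while the escaped pattern blocks only real .pdf and .zip files, and the test cases below it exercise the IP allow-list and the difference between the two Order variants.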
