The htaccess File

What the heck is .htaccess?

A .htaccess (hypertext access) file is a directory-level configuration file supported by several web servers that allows for decentralized management of web server configuration. These files are placed inside the web tree and are able to override a subset of the server’s global configuration for the directory they are in and all of its sub-directories.[1]

The .htaccess file supports a limited subset of the directives in the Apache server’s configuration file, httpd.conf. It is typically located in the WordPress installation folder. It provides a means to restrict access on a per-directory level. The advantage of this is that the .htaccess file is read on every request, so changes made here take effect immediately and do not require a server restart, as modifying httpd.conf does. The disadvantage is the same: because it is read on every request, there is a small performance hit. When practical, it is preferable to modify the httpd.conf file instead.

Now that you’re familiar with what the .htaccess file is, here is a partial list of some of the things it can do.

  • Restrict Access
  • Rewrite URLs
  • Block users based on IP address or domain
  • Control the display of folder contents
  • Change error pages
  • Redirect web page traffic
  • Enable Server Side Includes (SSI)
  • Instruct the server how to process various MIME types
  • Control Web Page Caching for improved performance

This is quite a lot, so for today we are going to do something simple and learn how to restrict access to the contents of your web folders.

To see if your web site is exposed, type the following into your web browser, replacing yourwebsite.com with your actual website:

https://yourwebsite.com/wp-includes/

As long as you have a standard WordPress installation, you should see one of two things:

  1. Nothing
  2. A whole bunch of files

(Figure: a directory listing of the WordPress include files)

If you see something like this going on down the page, then you can improve your site’s security significantly by adding the following to your .htaccess file:

# Prevent folder browsing
Options All -Indexes

Now if you enter the /wp-includes/ directory in your browser you will get a 404 error.
Preventing directory browsing is just the first step in securing your web site. I will be posting further articles on this subject as time permits.
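As an added example (not code from the article), here is a small Python audit that reads a .htaccess and reports whether its Options lines actually leave directory listings turned off, following Apache's merge rules for the bare, +/- and All/None forms of the directive; the sample file and the function name indexes_state are constructed for this example. It answers None when the file contains no decision about Indexes, because in that case the server-level httpd.conf setting applies.

```python
# Added example, not the article's code: audit the Options lines of a .htaccess.
ALL_OPTS = {"execcgi", "followsymlinks", "includes", "includesnoexec",
            "indexes", "symlinksifownermatch"}  # what "All" expands to (not MultiViews)

# Constructed sample: the stock WordPress rewrite block plus the article's fix.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^index\\.php$ - [L]
</IfModule>
# END WordPress
# Prevent folder browsing
Options All -Indexes
"""


def indexes_state(htaccess_text):
    """True/False when this file decides the Indexes option, None when inherited.
    Apache merge rules: bare keywords replace the inherited set, +/- entries adjust
    it, and All/None may open a line that continues with +/- entries; mixing errors.
    """
    base, delta = None, {}  # explicit set, or per-option +/- decisions
    for raw in htaccess_text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0].lower() != "options":
            continue  # blanks, comments and other directives
        args = parts[1:]
        signed = [a[0] in "+-" for a in args]
        lead = args[0].lower() if not signed[0] else None
        if lead in ("all", "none"):
            base, delta, rest = (set(ALL_OPTS) if lead == "all" else set()), {}, args[1:]
        elif not any(signed):
            base, delta, rest = {a.lower() for a in args}, {}, []
        else:
            rest = args
        if not all(a[0] in "+-" for a in rest):
            raise ValueError("Either all Options must start with + or -, or no Option may.")
        for a in rest:
            name, on = a[1:].lower(), a[0] == "+"
            if base is None:
                delta[name] = on  # remember the decision against the inherited set
            elif on:
                base.add(name)
            else:
                base.discard(name)
    if base is not None:
        return "indexes" in base
    return delta.get("indexes")  # None: httpd.conf decides
```

Run it against the .htaccess in your WordPress folder; a False result confirms that listings are off for that directory and everything below it unless a nested .htaccess turns them back on.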