Deny access to my site with an .htaccess file
Contents
- 1 How to Deny Access to my Site with an .htaccess file
- 1.1 Deny access to files
- 1.2 Denying access to "hidden" files
- 1.3 Denying access to a directory listing
- 1.4 Denying access during a specific hour of the day
- 1.5 Denying access to a directory
- 1.6 Denying access from specific IP addresses
- 1.7 Allowing access from a specific IP
- 1.8 Denying access from a specific domain
How to Deny Access to my Site with an .htaccess file
Deny access to files
Denying access to specific file extensions The following code forces any file ending in .inc to throw a 404 Forbidden error when visited:
<Files ~ "\.inc$"> Order Allow,Deny Deny from All </Files>
File names beginning with a dot are considered "hidden" by UNIX. Usually, you don't want to serve them to visitors.
RedirectMatch 403 /\..*$ Deny access to folders
Denying access to a directory listing
If you don't have an index file in your directory, all of your files are listed in a directory list for anyone to view. The following code forces this directory listing to throw a 404 Forbidden error instead when visited:
Options -Indexes
Denying access during a specific hour of the day
If you wish to block access to files in a directory during a specific time of day, then you can do so by adding the following code to an .htaccess file:
RewriteEngine On # If the hour is 16 (4 PM) RewriteCond %{TIME_HOUR} ^16$ # Then deny all access RewriteRule ^.*$ - [F,L]
If someone visits the directory anytime between 4:00 – 4:59 pm, a 500 Internal Server error is thrown. You can also specify multiple hours as well:
RewriteEngine On # Multiple hour blocks # If the hour is 4 PM or 5 PM or 8 AM RewriteCond %{TIME_HOUR} ^16|17|08$ # Then deny all access RewriteRule ^.*$ - [F,L]
Denying access to a directory
If you have a directory named 'blah' that you want to block, but it can occur anywhere in your directory tree, use the following:
RewriteEngine On RewriteRule (^|/)topsecret(/|$) - [F]
Denying access from specific IP addresses
If you have problems with certain visitors to your website, you can easily ban them. There are two different ways to ban visitors:
Using their IP address, or the domain name from which they are visiting.
Here's an example that denies a user by their IP address:
deny from 192.236.241.100
When the user tries to connect to your site from that specific IP, they see a 403 Forbidden page instead. If you want to block an entire block of IPs, just leave the last octet off. For example:
deny from 192.236.241.
This denies access from anyone using an IP in the range from 192.236.241.0 all the way up to 129.236.241.255.
Allowing access from a specific IP
If you need to deny access to your site to everyone while still allowing yourself or another specific IP address to visit it, you can use something like this:
order deny,allow deny from all allow from <YOUR_IP_ADDRESS>
Denying access from a specific domain
This denies access from anyone connecting to your site from www.example.com. If someone clicks on a link at example.com that redirects to your site, they then see a 403 Forbidden error:
SetEnvIfNoCase Referer "example.com" bad_referer Order Allow,Deny Allow from ALL Deny from env=bad_referer
This example throws a 500 Internal Server Error for anyone linking from example.com:
RewriteEngine on RewriteCond %{HTTP_REFERER} example\.com [NC,OR] RewriteRule .* - [F]
The following example redirects any visitor connecting from example.com to google.com:
RewriteEngine On RewriteCond %{HTTP_REFERER} ^http://example.com/ RewriteRule /* http://www.google.com [R,L]