The Apache web server reads .htaccess files for additional configuration directives that apply within a folder and its subdirectories. .htaccess files can be used for many things, such as redirecting users, IP whitelisting, disabling access to certain types of files, and much more.
As I said before, an .htaccess file applies to the directory that contains it and to that directory's subdirectories. If one of the subdirectories has its own .htaccess file, that subdirectory's .htaccess file takes precedence for that subdirectory.
I've included a few snippets as examples. Note that these snippets are for Apache 2.4. If you search for "apache htaccess," lots of results will appear, but most of them are for Apache 2.2. Apache 2.2 was declared end of life on 1/1/2018, so hopefully folks have been able to upgrade.
The following snippet forces a website to use HTTPS:
# Placed @ /home/user/
# Requires HTTPS (needs mod_rewrite and AllowOverride FileInfo for this directory)
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
The following snippet enforces IP whitelisting. IP whitelisting using .htaccess files is not foolproof because IP addresses can be spoofed, but it can help. You could place an .htaccess file with this rule inside the "/wp-admin/" folder if you wanted only certain IP addresses to be able to access the dashboard.
# Placed @ appropriate folder
# Simple IP whitelisting; 0.0.0.0 is a placeholder for your own address
# (Require ip also accepts several addresses on one line and CIDR ranges)
<RequireAll>
    Require ip 0.0.0.0
</RequireAll>
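Before putting a whitelist into an .htaccess file it is worth checking which clients it actually admits, because "Require ip" accepts several argument forms (full address, partial IPv4 address, network/netmask, network/CIDR) and a typo is only caught when Apache restarts. The following Python model of that matching is an added example and is not part of the original post or of Apache itself; the address forms follow the mod_authz_host documentation, and every address used is a constructed documentation-range value.

```python
import ipaddress

# Added example (not from the original post): a Python model of how Apache 2.4's
# "Require ip" matches a client address, so a whitelist can be sanity-checked
# before it goes into an .htaccess file. Argument forms follow the mod_authz_host
# documentation: full address, partial IPv4 (first 1-3 octets), network/netmask,
# and network/CIDR. All addresses below are constructed documentation ranges.

def _parse_network(spec):
    """Turn a network/netmask or network/CIDR argument into an ip_network."""
    net_part, mask = spec.split("/", 1)
    if "." in mask:
        # network/netmask form (IPv4 only), e.g. 203.0.113.0/255.255.255.128
        return ipaddress.ip_network(f"{net_part}/{mask}", strict=False)
    return ipaddress.ip_network(spec, strict=False)

def require_ip_matches(spec, client):
    """True if `client` (str) satisfies one 'Require ip <spec>' argument.

    Raises ValueError for an argument Apache would reject at startup.
    """
    addr = ipaddress.ip_address(client)
    if "/" in spec:
        return addr in _parse_network(spec)   # False when the IP versions differ
    try:
        return addr == ipaddress.ip_address(spec)
    except ValueError:
        pass
    octets = spec.split(".")
    if 1 <= len(octets) <= 3 and all(o.isdigit() and int(o) <= 255 for o in octets):
        # Partial IPv4 address, e.g. "10.1" covers 10.1.0.0/16; never matches IPv6 clients
        if isinstance(addr, ipaddress.IPv6Address):
            return False
        client_octets = [int(o) for o in str(addr).split(".")[:len(octets)]]
        return client_octets == [int(o) for o in octets]
    raise ValueError(f"not a valid 'Require ip' argument: {spec!r}")

def whitelist_allows(client, specs):
    """Model '<RequireAll> Require ip a b c </RequireAll>': any listed spec matching allows."""
    return any(require_ip_matches(s, client) for s in specs)

def spec_is_valid(spec):
    """Cheap pre-flight check for a single argument, independent of any client."""
    try:
        require_ip_matches(spec, "192.0.2.1")
        return True
    except ValueError:
        return False

# Constructed whitelist exercising each argument form
WHITELIST = [
    "192.0.2.10",                    # one host
    "10.1",                          # partial address: 10.1.0.0/16
    "198.51.100.0/24",               # CIDR
    "203.0.113.0/255.255.255.128",   # network/netmask
    "2001:db8::/32",                 # IPv6 CIDR
]

if __name__ == "__main__":
    for client in ("192.0.2.10", "10.1.7.7", "10.2.0.1", "203.0.113.5",
                   "203.0.113.200", "2001:db8::1"):
        print(client, "allowed" if whitelist_allows(client, WHITELIST) else "denied")
```

Two practical points the model makes visible: a partial address such as "10.1" admits an entire /16, which is easy to overlook when copying an entry, and an IPv6 client never matches an IPv4-only whitelist, so hosts reachable over both protocols need both families listed.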
This snippet also enforces IP whitelisting, but this time it redirects to the home page if the user's IP is not on the whitelist.
# Placed @ appropriate folder (a subfolder, not the web root, or the redirect to / loops)
# Redirects to home page unless the IP is whitelisted
# Every comparison must fail for the redirect to fire, so the tests are joined with &&
<If "%{REMOTE_ADDR} != '0.0.0.0' && %{REMOTE_ADDR} != '0.0.0.0'">
    Redirect /
</If>
This snippet requires the user to authenticate before being able to access the folder or its contents. A file with usernames and passwords must be created OUTSIDE the web root directory (for security reasons). Each line in this file has the format username:encrypted-PW; here is a guide on how to generate the encrypted password. The "AuthUserFile" path needs to be updated, and the "AuthName" parameter should be updated as well.
# Placed @ appropriate folder
# Requires additional authentication.
# Combine with the HTTPS snippet: Basic auth sends credentials base64-encoded, not encrypted.
AuthName "Authenticate"
AuthUserFile "/PATH/TO/passwd"
AuthType Basic
Require valid-user
This snippet requires additional authentication only IF the user's IP is not whitelisted. The notes about changing the "AuthUserFile" and "AuthName" parameters still apply.
# Placed @ appropriate folder
# Requires either IP whitelisting or additional authentication
AuthName "Authenticate"
AuthUserFile "/PATH/TO/passwd"
AuthType Basic
<RequireAny>
    Require valid-user
    Require ip 0.0.0.0
    Require ip 0.0.0.0
</RequireAny>
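The two Basic-auth snippets above both depend on the AuthUserFile having the right line format, and "encrypted-PW" is really a salted hash in one of the schemes htpasswd understands. The following Python is an added example, not code from the original post or from Apache: it reproduces the "$apr1$" scheme that htpasswd uses by default (the algorithm in APR's apr_md5_encode()), builds sample lines, and checks a username/password pair against file content the way Apache does. The usernames, passwords and salts are constructed sample values.

```python
import hashlib
import secrets

# Added example (not from the original post): build and check lines for the
# AuthUserFile used by the Basic-auth snippets. htpasswd's default hash is the
# Apache-specific MD5 scheme ("$apr1$"); apr1_crypt() follows the algorithm in
# APR's apr_md5_encode(), so its output is compatible with Apache.
# The usernames, passwords and salts used below are constructed sample values.

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_MAGIC = b"$apr1$"

def _to64(value, count):
    """APR's to64(): emit `count` base-64 digits, least significant 6 bits first."""
    out = []
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)

def apr1_crypt(password, salt):
    """Return '$apr1$<salt>$<hash>' for `password`; the salt is truncated to 8 chars."""
    pw = password.encode("utf-8")
    salt = salt[:8]
    sb = salt.encode("ascii")
    ctx = hashlib.md5(pw + _MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    # Mix in the alternate digest once per 16 bytes of password
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    # For each bit of the password length, add a NUL or the first password byte
    bits = len(pw)
    while bits:
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    # 1000 stretching rounds with a fixed pattern of password / salt / previous digest
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    # Re-order the 16 digest bytes and encode them as 22 characters
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in groups)
    encoded += _to64(final[11], 2)
    return f"$apr1${salt}${encoded}"

def htpasswd_line(username, password, salt=None):
    """One AuthUserFile line, 'username:$apr1$salt$hash', with a random salt by default."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    if salt is None:
        salt = "".join(secrets.choice(_ITOA64) for _ in range(8))
    return f"{username}:{apr1_crypt(password, salt)}"

def check_credentials(file_text, username, password):
    """Mimic Apache's lookup: find the user's line and compare hashes in constant time."""
    for line in file_text.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        if user != username:
            continue
        if not stored.startswith("$apr1$"):
            return False   # other schemes (bcrypt, SHA-1, crypt) are not handled here
        salt = stored.split("$")[2]
        return secrets.compare_digest(apr1_crypt(password, salt), stored)
    return False

# Constructed sample file content, as it would live at /PATH/TO/passwd
SAMPLE_PASSWD = "\n".join([
    "# users allowed into /wp-admin/",
    htpasswd_line("alice", "correct horse battery staple", salt="abcdefgh"),
    htpasswd_line("bob", "hunter2"),
])

if __name__ == "__main__":
    print(SAMPLE_PASSWD)
    print(check_credentials(SAMPLE_PASSWD, "alice", "correct horse battery staple"))  # expected: True
    print(check_credentials(SAMPLE_PASSWD, "alice", "wrong"))                         # expected: False
```

For a real deployment, generate the file with htpasswd itself (its -B option selects bcrypt, which is considerably slower to brute-force than the MD5-based default shown here); the value of the code above is in showing what the file contains and in letting you verify entries offline.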
Really clean site, thank you for this post.
Very nice thank you!
Oh my goodness! Impressive article dude! Thank you, However I
am experiencing difficulties with your RSS. I don’t understand the reason why I can’t join it.
Is there anybody else having identical RSS problems?
Anyone who knows the answer will you kindly respond?
Thanks!!
Hi there! Quick question that’s completely off topic.
Do you know how to make your site mobile friendly? My blog looks weird when browsing from my iPhone.
I’m trying to find a theme or plugin that might be able to fix this problem.
If you have any suggestions, please share.
With thanks!
It's like you read my mind! You seem to know so much about this, like you wrote
the book on it or something. I think that you could do with some pics to drive the message home a bit, but
instead of that, this is magnificent blog.
An excellent read. I’ll definitely be back.