Hack prevention using .htaccess

Sadly, hacking is a very serious problem on the world wide web; many people get targeted by a number of different attacks every single day, so I aim to help you reduce the chance of this happening to your website, using the .htaccess file.

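First of all, you want to prevent access to your .htaccess file. The block below uses the Apache 2.2 access syntax, which Apache 2.4 still accepts through mod_access_compat (the native 2.4 form is Require all denied):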

<Files .htaccess>
order allow,deny
deny from all
</Files>

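You can also rename your .htaccess file to help hide it from potential threats. It does not mean they can’t find it, but it certainly makes it harder! The AccessFileName directive is only valid in the main server configuration or a virtual host, not inside the .htaccess file itself, and the <Files> block above then has to name the new file: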

AccessFileName thehtfile.ess

Then, there are a number of methods you can use to help prevent “hacks”. First of all, block any request whose query string includes a <script> tag, whether written literally or URL-encoded:

RewriteEngine On

RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]

You can then block any script trying to set a PHP GLOBALS variable via the URL:

RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

Block any script trying to use base64_encode via the URL:

RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]

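Block any script trying to modify the _REQUEST variable via the URL:

RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})

These conditions do nothing on their own: they apply to the RewriteRule that follows them. To refuse every matching request with a 403 Forbidden, end the chain with:

RewriteRule .* - [F]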
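To check the conditions before deploying them, here is an added example (not part of the original post) that runs the four patterns over constructed query strings and reports which link of the [OR] chain would reject each one, including a legitimate request that gets caught. It assumes Python's re module behaves like Apache's PCRE engine for these patterns; the function names and sample strings are made up for illustration.

```python
import re

# The page's four RewriteCond patterns with "[" and "(" escaped as literals.
# Second field: True where the condition carries the [NC] flag.
CONDITIONS = [
    (r"(<|%3C).*script.*(>|%3E)", True),
    (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", False),
    (r"base64_encode.*\(.*\)", False),
    (r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", False),
]

def first_matching_condition(query_string):
    """Index of the first condition matching the raw query string, else None.

    Models the [OR] chain: one match is enough for the RewriteRule to fire.
    %{QUERY_STRING} is not URL-decoded by Apache, so pass the text exactly
    as it appears after the "?" in the request line.
    """
    for index, (pattern, nocase) in enumerate(CONDITIONS):
        if re.search(pattern, query_string, re.IGNORECASE if nocase else 0):
            return index
    return None

# Constructed sample query strings with the outcome each should produce.
SAMPLES = [
    ("id=42&sort=asc", None),                     # ordinary request
    ("q=%3CSCRIPT%3Ealert(1)%3C/script%3E", 0),   # encoded tag, caught via [NC]
    ("GLOBALS[debug]=1", 1),
    ("x=base64_encode(abc)", 2),
    ("_REQUEST%5Bpage%5D=1", 3),
    ("a=%3Cb&note=description%3Ec", 0),           # benign text, still rejected
]

def check_samples():
    """Return (query, got, expected) for every sample that disagrees."""
    results = [(q, first_matching_condition(q), want) for q, want in SAMPLES]
    return [r for r in results if r[1] != r[2]]

if __name__ == "__main__":
    for query, _ in SAMPLES:
        hit = first_matching_condition(query)
        print("pass" if hit is None else f"403 (condition {hit})", query)
    print("mismatches:", check_samples())
```

The last sample is rejected only because "description" contains "script" between an encoded < and >, which is the kind of false positive worth testing for on your own site's URLs.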

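Finally, disable the use of scripts on your directories. The AddHandler line marks the listed extensions as CGI scripts, and Options -ExecCGI then refuses to execute them, so requests for files with those extensions are denied: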

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

Lots of different options, and there are a lot more! These are some of the main ones to use in your .htaccess. I hope these tips on hack prevention help to prevent your business / personal website from being the target of an attack.