Ever heard of .htaccess file? If you engage in web development often then surely you must have heard of it. It is one of those things that might seem trivial but in reality, is much more important.
‘.htaccess’ is a file that is regularly referred to when talking about website security. It is analogous to a gatekeeper who handles the initial security check for all types of visitors in a building, along with several other functions.
We will be getting into the details of how .htaccess can help us to secure our websites in a minute. But before that let’s understand what this file really is and how it is used.
What is .htaccess file?
Htaccess file is a simple text file that is used for configuring web servers. In case you do not have access to native webserver configurations then you can use this file to configure your web server. Using this file you can control access to files and folders.
When a web server like Apache detects an htaccess file, it executes it and gives access to files and folders according to rules stated in this file. Since this file starts with a dot (.), this file is hidden in UNIX based systems.
How is this file used?
Htaccess is a text file that can be created using Notepad or any text editor. Once you complete the content of the file, save it as ‘.htaccess’. ‘.htaccess’ is not a file extension but the name of the file itself. Once the file is ready, upload it using an FTP program (File Transfer Protocol) such as FileZilla. While uploading the file, ensure that the mode is set to ‘ASCII’. Once you upload this file, browse to the file using your web browser and verify if the upload is successful.
In case you are not able to view the file (since this is a hidden file), your FTP program might be hiding it. One possible reason behind this could be flawed files and folder permissions. To solve this issue, change permissions for this file. You need to set the permissions as ‘755’. If the issue persists, get in touch with your web service provider.
Why is .htaccess used?
The ‘.htaccess’ file is used to control access to files and folders. Using this file you can also control access to any particular IP address. Besides that, you can also use .htaccess file to:
- Decide which IPs can access your site
- Redirect visitors to correct sites or pages
- Protect sensitive areas from bots or humans
- Speed up page loads by providing browsers with custom cache directives
What can you do with the .htaccess file?
If configured correctly you can perform various functions. Below is a list of things that you can do with a ‘.htaccess’ file:
- Redirecting traffic: With this, you can redirect traffic to a new page or website. For example, if you want to redirect IPs from an old website to a new website, you will need to specify this in your ‘.htaccess’ file.
- Rewriting URLs: This allows you to separate URLs from the resources.
- Showing custom error pages: With this functionality, you can display custom made error pages when visitors do not find a particular page.
- Restricting access to specific files or folders: You can protect certain files or folders by using passwords through this action. You can also choose to apply these settings to a particular domain or IP address.
- Denying access to clients with bad user agents: With this feature, you can block access to users with bad user agents (bad bots, etc.) and redirect the user to the same address it came from.
- Enabling IE rendering mode: If you wish to ensure that IE uses the highest rendering mode, you can code this feature in ‘.htaccess.’
These are just a couple of things you can do with ‘.htaccess’.
In the next segment, we will be looking at all those ways attackers can use this file to damage your website if not configured properly. Also, we will be seeing how an absence of the ‘.htaccess’ file can make your website vulnerable.
Ways hackers exploit the .htaccess file
Knowing how an ill configured ‘.htaccess’ can endanger our website, is the first way to protect it.
The ‘.htaccess’ file may look very trivial but it controls some of the most important aspects of a website (including redirections, access controls, rewriting URLs, etc.).
If this file is absent or inadequately configured, attackers can cause a lot of damage to your website. Here is how:
1. Redirect visitors to malicious websites or malware:
This is a very common attack that makes use of functionality in ‘.htaccess’. If your website gets attacked, attackers can edit this file to configure it using a similar code as shown below.
This code detects whether a user is arriving from a search engine. In such a case, this file will redirect such users to a site with malware. Sometimes, attackers add numerous spaces before any malicious code line to make it harder to detect by a text editor.
2. Redirect users on error pages to harmful sites:
This attack is very similar to the preceding attack. The only change here is that the below code does not redirect all traffic, but only those who happen to be on an error page.
If a user lands on an error page, it will redirect the user to either the attacker’s domain or to a malicious page.
3. Append malware to your website:
This is an attack that is becoming very common nowadays. Instead of redirecting users to harmful sites, attackers can program ‘.htaccess’ to load malware from discrete locations.
By using the below snippet of code, attackers can append the content of a malicious file to every PHP file (below example attaches content of ‘13063671977873.php to every other PHP file ). This can become harder to detect if attackers append images or some other content.
4. Gain access to files, if not protected:
Your files and folders can be completely vulnerable if you do not configure your htaccess file with password protection. In such cases, attackers can manipulate the ‘.htaccess’ to add password protection and lock you out of those folders.
Without any password protection, attackers can also have free access to all your website’s files, which is a truly worrisome prospect for you as the owner of a website. Make sure you always configure this file to protect all files and keep your website secure.
5. Steal your server bandwidth:
Other websites can display content from your website which in turn uses your bandwidth. This is called ‘bandwidth theft’ and this will cost you money. Using ‘.htaccess’, you can prevent other websites from showing your content and stop hotlinking. To do this you need to make sure ‘mod_rewrite’ enabled on your server. After that, you need to configure your htaccess file
Scan your website for files or email address using bad bots: You must have come across incidents when your email address was available with a website you never visited. This is a result of bots scanning websites for email IDs and then spamming them. As an owner of a website, you need to ensure that emails of your visitors are secure on your website. To stop bots from rummaging through your website, you can configure the htaccess file. You will easily find names of bots that are commonly used and then add them to your htaccess file.
6. List all important files:
If you do not want to list all files in your directory, then you can configure ‘.htaccess’ to do so. In case you have important files then listing them in your directory can be a security hazard. The htaccess has a function which can hide such important files from getting listed.
7. Attempt SQL Injection attacks using special characters:
SQL Injection is a method to inject malicious code into a website to make it vulnerable for further attacks. You can stop all requests with invalid or special characters by configuring your ‘.htaccess’ to detect such characters in a request
Few quick useful links to enhance your site security
If you use this simple file with the correct configurations, you can control all important aspects of your website. On the other hand, if not configured properly, then attackers can wreak havoc using this same file.
As a website owner, you can never be perpetually safe. But, surely you can strengthen your website’s security with a dedicated security solution as Astra. Astra’s firewall, malware scanner, and other security tools make sure you do not have to worry about your site’s security again.
You can take an Astra Demo from here.
Thanks for the informative post on .htaccess. Can you please suggest me your guide WordPress Malware removal?
I see that hackers have modified my .htaccess file.
You’re welcome, Agrafena.
Here is the link to WordPress Malware Removal- https://www.getastra.com/blog/911/wordpress-site-hacked-malware-backdoor/
Also, the .htaccess file is modified in the case of SEO Spam. You can check these URLs – https://www.getastra.com/blog/911/remove-japanese-seo-spam-from-website/