Security tips for php htaccess developers

Anyone who has built a web project or website has probably run into hackers or crackers who infect the site's PHP code with their own malware and use it to send spam or for similar purposes. In these cases it is important to understand the problem and take steps to prevent it.

If you are using the Apache web server, you have a useful tool in the .htaccess file, which controls access to directories (provided the server's AllowOverride setting allows it to be used).

First tip

Never allow PHP code to be executed in folders that Apache can write to, or in folders that should never contain PHP or any other executable file, such as image directories. In these directories, use an .htaccess file with this code:

php_flag engine off

Turning off the PHP engine for this directory makes sure that any code somehow uploaded there cannot be executed. The engine directive is a boolean, so php_flag is the correct form (php_value engine off is also commonly seen and works in practice). These directives only take effect when PHP runs as the Apache module (mod_php) and AllowOverride permits Options or FileInfo; with PHP-FPM or FastCGI the setting has to be made in the PHP configuration instead, and Apache answers with a server error for the directory if it meets php_flag without mod_php loaded.

Second tip

Make sure that no .htaccess file is writable by the Apache user; otherwise an attacker who gains write access through a vulnerable script can simply remove these protections.
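A shell check for the first two tips, added here as an example and not part of the original post. It treats "world-writable" as a portable proxy for "writable by Apache" (an assumption noted in the comments) and builds a constructed sample tree to run against.

```shell
# Added example (not from the original post): audit a web root for the first
# two tips. Lists world-writable directories that lack an .htaccess turning
# the PHP engine off, and .htaccess files that are themselves world-writable.
# World-writable (mode bit 0002) is used as a portable proxy for "writable by
# the Apache user"; if Apache writes through group permissions, change the
# find tests to -perm -0020 and check group ownership as well.

# audit_engine_off ROOT: print each world-writable directory under ROOT whose
# .htaccess does not contain "php_flag engine off" (or php_value engine off)
audit_engine_off() {
    find "$1" -type d -perm -0002 | while IFS= read -r d; do
        # grep -s stays quiet when the .htaccess file does not exist
        if ! grep -Eqs '^[[:space:]]*php_(flag|value)[[:space:]]+engine[[:space:]]+(off|0)' \
                "$d/.htaccess"; then
            printf '%s\n' "$d"
        fi
    done
}

# audit_htaccess_writable ROOT: print each world-writable .htaccess under ROOT
audit_htaccess_writable() {
    find "$1" -type f -name .htaccess -perm -0002
}

# make_sample DIR: build a constructed web root with one protected and one
# unprotected upload directory and one writable .htaccess (demo data only)
make_sample() {
    mkdir -p "$1/images" "$1/uploads" "$1/inc"
    chmod 700 "$1"
    chmod 777 "$1/images" "$1/uploads"   # both writable by everyone
    chmod 755 "$1/inc"
    printf 'php_flag engine off\n' > "$1/images/.htaccess"   # tip one applied
    printf 'Order allow,deny\nDeny from all\n' > "$1/inc/.htaccess"
    chmod 644 "$1/images/.htaccess"
    chmod 666 "$1/inc/.htaccess"         # writable: tip two violated
}

# Stand-alone run: audit a sample tree and print the findings
if [ "${1:-}" = "--demo" ]; then
    root=$(mktemp -d)
    make_sample "$root"
    echo "directories missing engine off:"; audit_engine_off "$root"
    echo "writable .htaccess files:";       audit_htaccess_writable "$root"
    rm -rf "$root"
fi
```

Run it with --demo to see the sample findings, or call the two audit functions against a real web root.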

Third tip

Every website has folders that contain mostly include files. Make sure that these directories are not accessible from outside. To do this, put an .htaccess file in the top directory of these include files with this code:

Order allow,deny
Deny from all

This blocks all direct requests to this directory. Do not wrap these directives in a <Limit> section: a <Limit> section applies only to the HTTP methods it lists, so every other method would stay unrestricted. On Apache 2.4 the Order and Deny directives are provided only by mod_access_compat; the native equivalent is the single line Require all denied.


If you are using PHP, you can include any file as PHP code. You can include, for instance, *.sec or *.include or any extension you can imagine. Basically, you can rename your include.php to include.sec, use it in your PHP code with include("include.sec"); and it will be included normally.

As long as the server is not configured to execute .sec files as PHP (that is, no AddType or AddHandler line maps that extension to the PHP handler), files with the .sec extension cannot be executed by a direct request even if they are somehow infected. They can still run when a PHP script includes them, so this limits the damage rather than removing it, and without further protection a .sec file requested directly would be served as a plain file, exposing its source.

If you use this method, don't forget to limit access to your .sec files. Put an .htaccess file in your root folder with this code:

<Files ~ "\.sec$">
Order allow,deny
Deny from all
</Files>

This protects all .sec files from being seen from outside. The dot in the pattern is escaped so that only the .sec extension matches. On Apache 2.4, replace the two access directives with Require all denied; <FilesMatch "\.sec$"> is the preferred modern spelling of the <Files ~ > form.

The basic idea is to use as few files with an executable extension as possible. Route everything through one or a few PHP files that include the rest.