.Htaccess Deny Access to Specific Files? More Than One

Deny access multiple .php files with .htaccess?

There are several problems with the .htaccess you have there.

As BSen linked in the comment above, you should use FilesMatch.
Also, your regular expression is wrong.

The problem with the regular expression is that you have an escaped space at the start, so all files must start with a space character (followed by one of config.php, function.php etc)

Also a small explaination of the Order allow,deny directive:
http://www.maxi-pedia.com/Order+allow+deny

Try this:

<FilesMatch "config\.php|function\.php|include\.php">
  Order allow,deny
  Deny from all
</FilesMatch>

If you'd like to deny all but a few files, this would read as

Order deny,allow
Deny from all
<FilesMatch "index\.php|index\.html">
  Allow from all
</FilesMatch>

.htaccess deny access to specific files? more than one

If you want to exclude files based on regular expressions, you could use FilesMatch instead of Files, e.g.:

<FilesMatch ^((home|test|file)\.php$|mysecretfolder|asecretpicture\.jpe?g)$>
...
</FilesMatch>

Deny access to multiple files in htaccess

To multiple

<FilesMatch "(foo|bar|doo)\.php$">
    Deny from all
</FilesMatch>

or go for rewrite rules (RewriteEngine On)

RewriteRule \.(psd|log)$ - [NC,F]

To deny access to all files in the folders:

rewriteRule ^www/php/login/pages - [NC,F]

or simply place a `Deny from all' directly in that folder...

Update 2015: Using Apache 2.4 or higher, the `Deny from all' would needs adjustment.

How to deny access to multiple folders using one .htaccess?

If you want to deny access to subfolders from root lavel htaccess, you can use the following RewriteRules :

RewriteRule ^folderA/$ - [R=403,L]
RewriteRule ^folderB/$ - [R=403,L]

The rules will return a 403 forbidden error if /folderA/ and /folderB is requested.

Deny access to one specific folder in .htaccess

Create site/includes/.htaccess file and add this line:

Deny from all

Deny access to specific file types in specific directory

The FilesMatch directive works purely on filenames. It doesn't look at the path portion at all.

If you want to specify directives in the root .htaccess file to control a subdirectory, you can use mod_rewrite.

Try this:

RewriteRule ^uploads/.*\.(php|rb|py)$ - [F,L,NC]

The above will block any filename ending in .php or .rb or .py in the /uploads directory or its subdirectories. For example, it will block:

/uploads/something.php
/uploads/something/more.php

Note that there is no leading slash in the rewrite rule. The path that you need to use in the directive will be different depending on where it's placed. The above directive, if placed in the document root's .htaccess file, will work for files in a directory called uploads that is directly beneath document root.

While the above answers your question, it would be safer to allow only specific files rather than trying to block files. Often a server will execute files with extensions other than the ones you've listed.

You could do something like this:

RewriteCond %{REQUEST_URI} ^/uploads [NC]
RewriteCond %{REQUEST_URI} !\.(jpe?g|png|gif)$ [NC]
RewriteRule .* - [F,L]

With the above, if the request URI begins with /uploads but does not end with one of the specified extensions, then it is forbidden. You can change the extensions to whatever suits your needs. But that way, you can permit extensions as needed rather than finding out too late that you missed blocking one.

This rule (from your question)

RewriteRule ^(uploads/\.php) - [F,L,NC]

will block

/uploads/.php
/uploads/.phpmore

but it does not allow for anything between the directory name and the file extension.

If you are going to use rewirte rules, you might want to learn more about regexp. I often refer to www.regular-expressions.info when I need to look up something.

deny direct access to a folder and file by htaccess

I would just move the includes folder out of the web-root, but if you want to block direct access to the whole includes folder, you can put a .htaccess file in that folder that contains just:

deny from all

That way you cannot open any file from that folder, but you can include them in php without any problems.

How to deny access to a file in .htaccess

Within an htaccess file, the scope of the <Files> directive only applies to that directory (I guess to avoid confusion when rules/directives in the htaccess of subdirectories get applied superceding ones from the parent).

So you can have:

<Files "log.txt">  
  Order Allow,Deny
  Deny from all
</Files>

For Apache 2.4+, you'd use:

<Files "log.txt">  
  Require all denied
</Files>

In an htaccess file in your inscription directory. Or you can use mod_rewrite to sort of handle both cases deny access to htaccess file as well as log.txt:

RewriteRule /?\.htaccess$ - [F,L]

RewriteRule ^/?inscription/log\.txt$ - [F,L]