Deny access multiple .php files with .htaccess?
There are several problems with the .htaccess you have there.
As BSen linked in the comment above, you should use FilesMatch.
Also, your regular expression is wrong.
The problem with the regular expression is that you have an escaped space at the start, so all files must start with a space character (followed by one of config.php, function.php etc)
Also a small explaination of the Order allow,deny directive:
http://www.maxi-pedia.com/Order+allow+deny
Try this:
<FilesMatch "config\.php|function\.php|include\.php">
Order allow,deny
Deny from all
</FilesMatch>
If you'd like to deny all but a few files, this would read asOrder deny,allow
Deny from all
<FilesMatch "index\.php|index\.html">
Allow from all
</FilesMatch>
.htaccess deny access to specific files? more than one
If you want to exclude files based on regular expressions, you could use FilesMatch instead of Files, e.g.:
<FilesMatch ^((home|test|file)\.php$|mysecretfolder|asecretpicture\.jpe?g)$>
...
</FilesMatch>
Deny access to multiple files in htaccess
To multiple
<FilesMatch "(foo|bar|doo)\.php$">
Deny from all
</FilesMatch>
or go for rewrite rules (RewriteEngine On
)RewriteRule \.(psd|log)$ - [NC,F]
To deny access to all files in the folders:rewriteRule ^www/php/login/pages - [NC,F]
or simply place a `Deny from all' directly in that folder...Update 2015: Using Apache 2.4 or higher, the `Deny from all' would needs adjustment.
How to deny access to multiple folders using one .htaccess?
If you want to deny access to subfolders from root lavel htaccess, you can use the following RewriteRules :
RewriteRule ^folderA/$ - [R=403,L]
RewriteRule ^folderB/$ - [R=403,L]
The rules will return a 403 forbidden error if /folderA/ and /folderB is requested. Deny access to one specific folder in .htaccess
Create site/includes/.htaccess
file and add this line:
Deny from all
Deny access to specific file types in specific directory
The FilesMatch directive works purely on filenames. It doesn't look at the path portion at all.
If you want to specify directives in the root .htaccess file to control a subdirectory, you can use mod_rewrite.
Try this:
RewriteRule ^uploads/.*\.(php|rb|py)$ - [F,L,NC]
The above will block any filename ending in .php or .rb or .py in the /uploads directory or its subdirectories. For example, it will block:- /uploads/something.php
- /uploads/something/more.php
While the above answers your question, it would be safer to allow only specific files rather than trying to block files. Often a server will execute files with extensions other than the ones you've listed.
You could do something like this:
RewriteCond %{REQUEST_URI} ^/uploads [NC]
RewriteCond %{REQUEST_URI} !\.(jpe?g|png|gif)$ [NC]
RewriteRule .* - [F,L]
With the above, if the request URI begins with /uploads but does not end with one of the specified extensions, then it is forbidden. You can change the extensions to whatever suits your needs. But that way, you can permit extensions as needed rather than finding out too late that you missed blocking one.This rule (from your question)
RewriteRule ^(uploads/\.php) - [F,L,NC]
will block- /uploads/.php
- /uploads/.phpmore
If you are going to use rewirte rules, you might want to learn more about regexp. I often refer to www.regular-expressions.info when I need to look up something.
deny direct access to a folder and file by htaccess
I would just move the includes
folder out of the web-root, but if you want to block direct access to the whole includes
folder, you can put a .htaccess
file in that folder that contains just:
deny from all
That way you cannot open any file from that folder, but you can include them in php without any problems. How to deny access to a file in .htaccess
Within an htaccess file, the scope of the <Files>
directive only applies to that directory (I guess to avoid confusion when rules/directives in the htaccess of subdirectories get applied superceding ones from the parent).
So you can have:
<Files "log.txt">
Order Allow,Deny
Deny from all
</Files>
For Apache 2.4+, you'd use:<Files "log.txt">
Require all denied
</Files>
In an htaccess file in your inscription
directory. Or you can use mod_rewrite to sort of handle both cases deny access to htaccess file as well as log.txt:RewriteRule /?\.htaccess$ - [F,L]
RewriteRule ^/?inscription/log\.txt$ - [F,L]
Related Topics
Symfony 3.1.5 Warning: Sessionhandler::Read(): Session Data File Is Not Created by Your Uid
Woocommerce Cart Quantity Base Discount
PHP Class Not Found But It's Included
How to Get Content of Remote HTML Page
PHP - Get Array Value with a Numeric Index
Codeigniter Compatibility with PHP Version
.Htaccess Rewrite: Subdomain as Get Var and Path as Get Var
PHP Script to Log the Raw Data of Post
How to Get Products from a Particular Category in Magento Ecommerce
Type Hinting: Default Parameters
PHP Curl Post Returns a 415 - Unsupported Media Type
Str_Replace() for Multiple Value Replacement
How to Access My Wamp Server on Another Local Computer
Replacing Backslashes with Forward Slashes with Str_Replace() in PHP