Tip: Please give your vote in at least one Picks Poll to enable search results. Thank you.
Search for phrase rather than keywords

Restricting access to files with .htaccess

26th January 2014

Page: prev. | 1 | next

Updated 23rd June 2014.
Section on preventing hotlinking removed. Please refer to Using htaccess to stop image hot linking instead.

An .htaccess file is the de facto method of restricting access to sections of a site—content in a members area for example—but can also be used to restrict access to individual files, particular file types, or directories in areas accessable to all—you may need to prohibit access to log or configuration files to all or restrict to a certain IP address for example.

Access to a particular file or file type can be restricted by the Allow and Deny directives ( A good start is to prevent access to the .htaccess file itself which is usually protected by default but it does not hurt to deny access just in case incorrect permissions have been set on the server and serves as a good starting example.

No Access
.htaccess can be used to restrict access to a file, files, or particular file types to a specific IP address, domain or to all.
  1. #Deny access to .htaccess in case
  2. #incorrect permissions are set on the server
  3. <Files .htaccess>
  4. order deny,allow
  5. deny from all
  6. </Files>

Here’s a line-by-line break down.

The first two lines are comments, started with a hash (#) character which are ignored when the .htaccess file is processed.

The third line sets the file (.htaccess). This could be applied to any file you wish to restrict access to by naming the path from the root here, e.g. protectMe.txt or directory/protectMe.txt.

The forth is the Order directive (order deny,allow). The order of deny,allow specified in the directive ( is important but all examples here will use deny,allow.

The fifth denies access from all, meaning any attempt to access is denied (deny from all), attempted access returning a 403 forbidden error code.

403 Forbidden error
A 403 Forbidden error returned.

Allow access only to a specified IP address

You may wish to restrict access to a particular file only to a specified IP address.

  1. #Deny access to protectMe.txt except from
  2. #a specified IP address
  3. <Files protectMe.txt>
  4. order deny,allow
  5. deny from all
  6. allow from
  7. </Files>

Most lines are as in the example above, but here line six only allows access to the specified IP address ( here for example. What’s your IP address?). Multiple IP addresses could be allowed by seperating them with a comma (e.g.,

Restrict access to particular file types

Configuration files often protected this way by .htaccess include .ini files which may, for example, contain PHP configuration settings when PHP is run as CGI/FastCGI. Depending on the version of PHP installed, you may wish to restrct to a custom .ini file name, often php.ini or .user.ini by default (, or to all .ini files.

  1. #Deny access to all .ini files
  2. <Files ~ "\.ini$>
  3. order deny,allow
  4. deny from all
  5. </Files>

Here line three prevents access to all fils with the extension .ini. Note that the period character in .ini in Files is necessarily escaped with a preceding backslash character as the period is reserved for special use in this directive , i.e. \.ini). This was not necessary in the allow from directive in the previous example where the text is treated literally. The string is terminated with a dollar character ($) to specify that it is at the end of the string (e.g. name.ini would be restricted whereas name.inifile would not).

Restricting access by User-Agent to fend-off bad bots

The BrowserMatch directive ( and its case-insensitive compliment BrowserMatchNoCase to restrict access via User-Agent, to fend-off bad bots ans scrappers for example. Specific files can be restricted as in the above examples or all files by including without the <Files> directive.

  1. #Deny access to all files from specified bad bots
  2. order allow,deny
  3. BrowserMatchNoCase botname1 bad_bot
  4. BrowserMatchNoCase botname2 bad_bot
  5. deny from env=bad_bot
  6. allow from all

Here the Order directive has been importantly been swtiched to allow,deny. Access is prohibited if the User-Agent HTTP request header ( matches a specified string (botname1 and botname2 in the example). Note that the string is matched against the string outside of the parentheses. Most bots will set their User-Agent to the name of the bot but be aware that User-Agent is very easy to spoof. You could of course also use this to deny access to a particular browser if you really, really hated it so, but this will doubtless not impress a visitor with a preference for a browser that you do not share!

I hope you can combine these examples together to put to use as you require.


• An .htaccess file can be a tricky thing, and if you are new to creating one, please read up a bit first as errors can tie-up your site until fixed. Here is a great guide to creating an .htaccess file: Comprehensive guide to .htaccess.

Page: prev. | 1 | next

Tags: .htaccess.


Illustrations, paintings, and cartoons featuring caricatured celebrities are intended purely as parody and fantasised depictions often relating to a particular news story, and often parodying said story and the media and pop cultural representation of said celebrity as much as anything else. Who am I really satirising? Read more.

Privacy policy

No cookies, ad and tracker free. Read more.