Knowledgebase

How to block access to files on your hosting account

You can protect particular files or all files belonging to particular file types by putting a few Apache directives in your .htaccess file(s). If you want to protect whole folders with all the files inside them check out the article on protecting folders.

Blocking access to files and file types is done in a very similar way. For example, let's say that you want to block access to a file called example.php. To do this create/edit the .htaccess file that's in the directory containing the file that you want to protect and put the following rules in the .htaccess file:

<FilesMatch "example\.php$">
Deny from all
</FilesMatch>

Now when clients visit your site they won't be able to open the file and see it's output with their internet browsers. Keep in mind that with the above directive files with the same name that are in subdirectories of the directory containing the .htaccess will also be blocked.

You can also protect more that one file. For example:

<FilesMatch "(example\.php|example\.html|example\.css)$">
Deny from all
</FilesMatch>

will block access to the files example.php, example.html and example.css.

If you want to, you can restrict access for everybody except for requests coming from a certain IP address(es) or from a particular range of IP address. For example, if you want to block access to example.php for everybody except you and some other person, list your IP address as well as that of the other person after the allow from directive:

<FilesMatch "example\.php$">
Order Deny,Allow
Deny from all
Allow from 12.34.56.78 23.45.67.89
</FilesMatch>

You can list more IP addresses; just separate them with a single space.

You can also list whole IP ranges. For example:

<FilesMatch "example\.php$">
Order Deny,Allow
Deny from all
Allow from 12.34 23.45.67
</FilesMatch>

will block access to example.php for all IP addresses except those beginning with 12.34 and 23.45.67.

In addition to preventing people from accessing specific files you can block access to files belonging to a particular file type. For example, with the following you can block access to all PHP files for everybody except for requests coming from the listed IP address (e.g. yours):

<FilesMatch "\.php$">
Order Deny,Allow
Deny from all
Allow from 12.34.56.78
</FilesMatch>

You can block access to more file types and allow more IP addresses or whole ranges as described above. For example:

<FilesMatch "\.(php|html)$">
Order Deny,Allow
Deny from all
Allow from 12.34.56.78 23.45
</FilesMatch>

will block access to all PHP and HTML files. Only requests from the IP address 12.34.56.78 and from those beginning with 23.45 will be allowed to access the files.

By using different variations of the above directives you can protect the files and/or file types that you want, and you can control who can access them.

It's also possible to block access to all files from a specific file type but exclude some files that belong to that type. For example, let's say that you want to protect all PHP files, but you want everybody to be able to access the files example.php and example2.php, then you can use the following directives:

<FilesMatch "\.php$">
Deny from all
</FilesMatch>
<FilesMatch "(example\.php|example2\.php)$">
Allow from all
</FilesMatch>

Was this answer helpful?

 Print this Article

Also Read