2016-03-11

The first in a four-part series on securing a web directory in Apache.

Something that is common to most website packages is the inclusion of an administration area for managing the site. Whilst these administration areas normally require a valid user with administration privileges to log in before any changes can be made, over the years a number of such website packages have been shown to have issues with these login systems, enabling hackers to compromise the site. If you have a public-facing website it’s advisable to restrict unauthorized access to these administration areas. One way is to rename the directory in which the administration files reside; this works with some packages but not with all of them. A better solution is to use your web server’s built-in security features to secure the administration directory.

We’ll look at the Apache web server here, as according to statistics sites this is the web server that powers more than half of the websites on the internet. This method can be applied to protect the admin areas of any website packages that use a directory to store the admin pages. For example, you could use it with WordPress by placing the .htaccess file in the wp-admin directory.

The first thing to understand is: what is a .htaccess file?

The answer is that it’s a method for altering the configuration the Apache web server uses on a per-directory basis. Any configuration placed in the .htaccess file overrides Apache’s default configuration for that directory and its subdirectories. Note here that Apache can be configured (via the AllowOverride directive in the main server configuration) to limit which configuration it will accept from a .htaccess file. The examples I will show should therefore be valid whether you host on a dedicated server or VPS that you control or on a shared web hosting platform, but shared hosting users may find that some configuration options for .htaccess files are limited by their host. The use of .htaccess files is normally enabled by default in most Apache installations and shared hosting environments.

Making use of the file is quite easy: simply navigate to the directory you want to protect and create a file in there with the filename “.htaccess”, noting that the filename must start with the dot. Within this file you can place any of the configuration options that you wish, one per line. Apache refers to these configuration lines as directives. You can also place comments in these files by starting a line with the hash symbol (#); this makes things easier later on, when you look over a file you created many months before and want to see what the directives that follow the comment were intended to do.

Something to note before you start creating your first .htaccess file is that an incorrectly written file causes the Apache web server to stop serving pages from that directory as soon as the file is read, presenting end users with “500 – Internal Server Error” pages instead. It is therefore often easier to configure one or a few directives at a time, check that the changes work, and then extend them, rather than crafting a long and complicated .htaccess file at the start and subsequently spending a long time figuring out which line is causing Apache to stop serving pages.
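As an added illustration of the file format described above (this is example code written for this page, not code from the original article or from 100TB), here is a small Python linter that reads a .htaccess file the way the text describes it: one directive per line, comment lines starting with #, and container sections such as <Files> that must be closed. It also honours Apache’s backslash line continuation. It flags two common mistakes behind the 500 errors mentioned above: a section that is never closed, and a directive that Apache only accepts in the main server configuration. The sample file and the short list of server-only directives are constructed for the example; the list is an illustrative subset, not Apache’s full table.

```python
"""Minimal .htaccess linter (added example; not code from the article or 100TB).

Assumed syntax, as for httpd.conf: one directive per line, a line whose first
non-blank character is '#' is a comment, a trailing backslash continues the
directive on the next line, sections look like <Files "x"> ... </Files>.
"""
import re
from dataclasses import dataclass, field

# Directives Apache accepts only in the main server configuration, never from
# a .htaccess file (illustrative subset chosen for this example, not complete).
SERVER_ONLY = {"listen", "loadmodule", "serverroot", "user", "group",
               "documentroot", "servername"}

SECTION_OPEN = re.compile(r"^<\s*([A-Za-z]+)(\s+[^>]*)?>$")
SECTION_CLOSE = re.compile(r"^</\s*([A-Za-z]+)\s*>$")


@dataclass
class Directive:
    line: int        # physical line on which the directive starts
    name: str
    args: str
    sections: tuple  # enclosing section names, outermost first, lower-cased


@dataclass
class LintResult:
    directives: list = field(default_factory=list)
    problems: list = field(default_factory=list)


def _logical_lines(text):
    """Yield (start_line, text) pairs, joining backslash-continued lines."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, "".join(buf).strip()
        buf, start = [], None
    if buf:  # file ended right after a continuation backslash
        yield start, "".join(buf).strip()


def lint_htaccess(text):
    """Parse .htaccess text; return the directives found and any problems."""
    result = LintResult()
    stack = []  # currently open sections as (line, lower-cased name)
    for n, line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue  # blank or comment line: Apache ignores both
        m = SECTION_OPEN.match(line)
        if m:
            stack.append((n, m.group(1).lower()))
            continue
        m = SECTION_CLOSE.match(line)
        if m:
            if stack and stack[-1][1] == m.group(1).lower():
                stack.pop()
            else:
                result.problems.append(
                    f"line {n}: </{m.group(1)}> has no matching open section")
            continue
        parts = line.split(None, 1)
        name, args = parts[0], (parts[1] if len(parts) > 1 else "")
        if name.lower() in SERVER_ONLY:
            result.problems.append(
                f"line {n}: '{name}' is only valid in the main server "
                "configuration, not in .htaccess")
        if "#" in args:
            # Apache does not treat '#' after a directive as a comment; it
            # becomes part of the arguments, which is rarely what was meant.
            result.problems.append(
                f"line {n}: '#' after a directive is not a comment; check it")
        result.directives.append(
            Directive(n, name, args, tuple(s for _, s in stack)))
    for n, name in stack:
        result.problems.append(f"line {n}: <{name}> section is never closed")
    return result


# Constructed sample with two deliberate mistakes: an unclosed <Files> section
# and a Listen directive, which Apache refuses in a .htaccess file.
SAMPLE_HTACCESS = """\
# Constructed sample .htaccess for the linter (the path is a placeholder)
AuthType Basic
AuthName "Restricted admin area"
AuthUserFile /var/www/private/.htpasswd
Require valid-user
<Files "config.php">
    Require all denied
Listen 8080
"""

if __name__ == "__main__":
    report = lint_htaccess(SAMPLE_HTACCESS)
    for d in report.directives:
        where = "/".join(d.sections) or "top level"
        print(f"{d.line:>3}: {d.name} {d.args}  (in {where})")
    for p in report.problems:
        print("PROBLEM", p)
```

Run it against a real file with `lint_htaccess(open(".htaccess").read())` before uploading; a clean result does not prove the directives are allowed by your host’s AllowOverride setting, but it catches the structural slips that otherwise only show up as a 500 page.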

Apache maintains a very nice page describing all the directives available on their site: http://httpd.apache.org/docs/trunk/mod/core.html. Note that not all the directives contained on that page may be available for use in a .htaccess file. Nevertheless, it’s well written and helps make sense of the various directives you could be using in your .htaccess file.

That about wraps this article up, and in part 2 we will be looking at directives we can use in the .htaccess file in order to secure the directory in which it is placed.

Keep an eye on the 100TB Blog for part two of this series.

The post Securing A Web Directory In Apache Part 1: Understanding .htaccess appeared first on 100TB.com.
