We Keep Coding

How to deny access to users for a file but not to the plugin which uses the file using htaccess?

I have a plugin which is using an xml file located in the plugin folder.
example.com/wp-content/plugins/myplugin/myxml.xml
I want to deny access to the file for users but not to the plugin. If I type the URL I can read the file. I used the following in htaccess inside my plugin's folder
<Files ~ "\.xml$">
Order Allow,Deny
Deny from All
</Files>
I get the 403 error but the plugin cannot read the file
I used Options -Indexes as well
How can I fix this?

<Files ~ "\.xml$">
Order Allow,Deny
Deny from All
Allow from localhost
</Files>

This will only work if you place it in the main .htaccess. Then the file is not accessible from outside but accessible from the wordpress

The recommended solution for this issue is, Set proper file permission and user group. So all the application can access the file, but Public Users can't.
For more information visit Linux File permission

There are a couple of ways to go about this:
Load the file from the filesystem and not over the network if possible.
Use access control as #Jamie_D has suggested.
His code might not work if example.com doesn't resolve to localhost (check your /etc/hosts). It the file has to be accessed over the public internet, use your public IP.
For reference, here is the documentation for mod_access.
Access can be controlled based on the client hostname, IP address, or
other characteristics of the client request, as captured in
environment variables.
And you could also use authentication for that file.

i want to block access to folder and its content php

i got folder called recordings on my server and i want to block access from anyone to it and its content and at the same time i want the ability to call the files inside the folder from other pages
i tried htaccess rule
Options -Indexes
its just block access to the folder but when i write specific file inside the folder the browser open it and i do not want that
and i tried another htaccess rule :
deny from all
but it make me not able to call the files on other pages and i want to be able to call them
so can anyone help me ?

Use below rule,
<Files ~ "*.php">
order deny,allow
deny from all
allow from 127.0.0.1
</Files>

Preventing a file being downloaded or accessed on a server

I want to be able to prevent people from accessing a file on a server, such as a document if they were to directly link to it via the URL. This is for security purposes so that documents on the site just can't be stumbled upon and downloaded...
What is the best approach for this?
I've tried using the .htaccess to deny access to docs and txts for examples, but you can still download the files it just prevents you from accessing the directory...which isn't what I want to do.
<Files ~ "\.(doc|txt)$">
order allow,deny
deny from all
</Files>

put it in a directory outside the public space and provide it via a custom PHP page which requires login or what you prefer
echo file_get_contents(/var/www/example.com/file.txt);
should works I guess

Try putting this in your .htaccess
<FilesMatch "\.(doc|txt)">
Order deny,allow
Deny from all
</FilesMatch>

The best thing to do is to not put it in the web server's document root in the first place.

You can in your .htaccess redirect all requests to files in that folder to a special PHP page that only allows logged in users to download the file but denies those unauthorized to access it.
Also it's a good idea putting the target file itself in a folder above public_html.

How to block direct requests to php files in specified directory?

I have a master folder where I hold all of my resources such as js, css, images, etc. called /resources/.
In /resources/, I have php files I include on pages of my website, however, they're currently directly accessible if entered into the browser.
Is there a way for me to use .htaccess in that directory to prevent direct requests to any files of certain extensions such as PHP?
Hotlinking prevention isn't really what I'm looking for. I just need a way to kill any sort of direct request to these PHP files(in the /resources/ directory specifically) made by anything other than the website itself.
Any help is appreciated. Thank you very much.

Add a .htaccess in your /resources/ folder containing the following
<Files ~ "\.php$">
Order allow,deny
Deny from all
</Files>
It should prevent access to all .php files

protect an xml file on server

I read here lot of answers about protecting a file on apache server, some told htaccess is only for deny user access for files. For me not..
Using the following lines I cant reach the xml, BUT my php script also can't!
<Files sample.xml>
Order allow,deny
Deny from all
</Files>
So how to protect a file from users, so that my php script could access it. The file is in the root dir.

If you are on a linux server, have a shell access to it, you change your file permissions to
chmod 0700 yourxmlfile.xml # this will make it readable/writable/executable only by the creator of the file.
or in your .htaccess file, you can do this:
RewriteEngine on
RewriteRule ^yourfile.xml$ 404.html
where your 404.html could be either a page not found page or any garbage page, which will display as invalid url.

If by users you mean people accessing your website from outside, you have several solutions:
The best way would be to move it out of the web root (if you can). That will surely protect it from outside access.
If you can't put file outside the web root, use a htaccess to protect the file by allowing access from the local machine only :
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
I also suggest putting it in a protected subfolder where you could store all your private files.

You can also redirect the user to a 404 page by adding the code below to your .htaccess:
RewriteEngine On
RewriteRule ^(.*)your_file(.*)\.xml$ [R=404,L]