In my site I've some file used by my application where are putted the log information.
For example a log file is "access.log", and i write in by PHP.
If a visitor go to www.mysite.ext/access.log , can see the file and all the information inside it.
How can I disallow this?
thanks a lot
Put this in your .htaccess
<FilesMatch "\.(htaccess|htpasswd|pinc|ini|phps|fla|psd|log|sh)$">
Order Allow,Deny
Deny from all
</FilesMatch>
Will block .log and other common files you don't want people to access.
If you want to do this in Apache, you can add the following to your .htaccess:
<files access.log>
deny from all
</files>
Related
I'm trying to hide all the php and some html file in my server folder only by direct call from url... particularly i need to hide the register.html (this file is for users registration), and other php file.. (these php files contain sensitive data for database connection). How can i do this?? Thanks for any help ;)
Create/edit the .htaccess file in the directory where the files are located.
For denying all direct access to all files in the directory, add this:
Deny from all
For restricting only a specific file:
<Files "register.html">
Order Allow,Deny
Deny from all
</Files>
For restricting specific file types, you need to edit the .htaccess file in the webroot folder. This rule will deny access to all .php and .html files in myFolder and its subdirectories.:
RewriteRule ^myFolder/.*\.(php|html)$ - [F,L,NC]
More examples on denying access to file types: https://stackoverflow.com/a/20489058/6817376
You can use this for register.html:
<Files "register.html">
Order Allow,Deny
Deny from all
</Files>
and in the same way for other files.
I have log file that contain all users and their IP addresses,
And I just found out that I can access it directly without any restriction, also I have database.sql file with the same problem.
My website is complicated, I used .htaccess files to restrict some places in my server.
But these two files are in the main root, and It's so hard to move them outside the root.
I used this code to only restrict the access to these two files inside .htaccess
<FilesMatch "log">
Order deny,allow
Deny from all
</FilesMatch>
<FilesMatch "database.sql">
Order deny,allow
Deny from all
</FilesMatch>
But my problem is when I use this code my whole website crash!
Can anyone point out for me what I'm doing wrong?
I'm trying to hide all the php and some html file in my server folder only by direct call from url... particularly i need to hide the register.html (this file is for users registration), and other php file.. (these php files contain sensitive data for database connection). How can i do this?? Thanks for any help ;)
Create/edit the .htaccess file in the directory where the files are located.
For denying all direct access to all files in the directory, add this:
Deny from all
For restricting only a specific file:
<Files "register.html">
Order Allow,Deny
Deny from all
</Files>
For restricting specific file types, you need to edit the .htaccess file in the webroot folder. This rule will deny access to all .php and .html files in myFolder and its subdirectories.:
RewriteRule ^myFolder/.*\.(php|html)$ - [F,L,NC]
More examples on denying access to file types: https://stackoverflow.com/a/20489058/6817376
You can use this for register.html:
<Files "register.html">
Order Allow,Deny
Deny from all
</Files>
and in the same way for other files.
1) My wp-content is hardened with a .htaccess file containing this code:
<Files *.php>
deny from all
</Files>
2) I want (need) to authorize xml-sitemap-xsl.php Otherwise I get this error in my error log: client denied by server configuration: /home/user/mysite.net/wp-content/plugins/wordpress-seo/css/xml-sitemap-xsl.php, referer: http://mysite.net/sitemap_index.xml
3) I think I should add the following code but I’m not sure if it’s the right code nor where to place it:
<Files "xml-sitemap-xsl.php">
Allow from all
</Files>
The thing I want to avoid is a conflict between the deny and allow commands.
Thanks,
P.
This has not much to do with Wordpress and I am not an expert regarding .htaccess, but I believe that what your file is doing is not denying access to your directory by all .php files, rather, denying access to all the .php files inside the directory.
The <Files> directive is used to add specific rules to specific files and, as far as I know, it cascades.
Considering your comment, this should do the trick
<Files *.php>
deny from all
</Files>
<Files "xml-sitemap-xsl.php">
Order Allow,Deny
Allow from all
</Files>
see: Deny direct access to all .php files except index.php
I am doing PHP web application, with Apache.
There are a few configuration files ( like App.yml) whose content I don't want to expose to users under whatsoever circumstances. Is there anyway that I can tweak my Apache setting so that these files won't be available when hostile users query for them?
The best option would be to place the files outside of your document root.
If that's not possible, you can deny access to them in apache .conf file (or a .htaccess file) with
<Directory /path/to/dir>
Deny from all
</Directory>
You can create a .htaccess file in that directory and place in it
order deny,allow
deny from all
You can also do this if you only want to block one file.
<Files filenamehere>
order deny,allow
deny from all
</Files>