by Chris Coyier & Jeff Starr

Secure uploads, upgrade and other directories with .htaccess

Posted by on

It sucks, but a lot of plugins require certain directories to be set at CHMOD 777 for its file permissions. Of course, you should not use any plugin that requires 777 directories, but if you absolutely must, you can help protect the folder by adding a thin slice of htaccess. This works great for any directory requiring "loose-ish" permissions (i.e., anything greater than 755), and may also be useful for other key folders as well.

They key here is that only you and the server need access to the folder that you want to protect, so for example, stuff like:

  • uploads
  • upgrade
  • backups
  • cache-123
  • temp-123
  • etc..

Anything that regular users aren't going to need to access. Then, you'll also need the IP address of your server and your own machine. Once you have that information, use it to edit the following code:

Order Deny,Allow
Deny from all
Allow from 123.456.789.0
Allow from 0.123.456.789

You can emulate the "Allow from" lines to allow more IP addresses. Like maybe you've got a remote office or something. Once the code is ready, just copy and paste into an htaccess file located in the directory you would like to protect. Fix it and forget it, as they say..

I use this code on several sites and it works great. Only takes a minute to setup, and greatly improves the security of otherwise potentially vulnerable directories.

18 Responses

  1. Tips like these are only useful for people on a static IP address, which by far is still the majority, but there are also more and more people on a dynamic IP address and for those htaccess rules like above cannot be used.
    There are no real solutions for that, are there?

    • Jeff Starr

      Good point, not sure about an equivalent sort of thing for dynamic IPs.. will keep an eye out and report back if anything turns up.

  2. It would be fantastic if there would be a way to “dynamically” add your current IP to the .htaccess file. If you happen to find anything, hopefully you can post it back here? Thanks.

    • sorry that comment was supposed to go under yours…

  3. Andrew June 16, 2011

    What if one has dynamic IP?

  4. Johnathan Williamson June 17, 2011

    It’s also possible to Deny by Hostname. So rather than using your IP Address, get signed up for something like DynDNS. That way when your router/modem changes it’s external IP, DynDNS will pick up the change and your hostname will always be the same, making this tip both effective and worthwhile.

    It should be noted however that regardless of .htaccess rules – if you’re hosting on a Shared environment, this will still leave those 777 directories vulnerable should an attacker manage to break into another site on the same server.

    • That could be a nice solution. Would that also work when someone is on a VPN?

      • Johnathan Williamson June 17, 2011

        Providing the VPN’s outward facing IP is in the allow list, I can’t see why not. Most VPN’s are fixed IP’s too, in my experience.

    • Jeff Starr

      ..if you’re hosting on a Shared environment, this will still leave those 777 directories vulnerable should an attacker manage to break into another site on the same server.

      If that happens, you’ve got bigger issues than protecting your uploads directory ;)

  5. Ummm, having a directory with 777 permissions means you are still vulnerable to other users on your server. This usage of .htaccess just protects you attacks via the web. Right?

    • Jeff Starr

      Correct, for shared hosting. Just to be clear, this method is designed to help protect potentially insecure directories. It just adds another layer of protection, not a guarantee of ultimate 100% security for anything.

  6. You can also allow large chunks of IPs by using IP wildcards.

    If you wanted to allow – without writing 256 ip addresses, you could just write the following in your htaccess file

    Allow from 123.123.123

  7. Lucifer Dreams July 23, 2011

    Would you also want to include protection for the htaccess file like adding the below.

    order allow,deny
    deny from all

  8. Lucifer Dreams July 23, 2011

    Sorry forgot it was code.

    <files ~ "^.*.([Hh][Tt][Aa])">
    order allow,deny
    deny from all

    • Jeff Starr

      Good tip for the paranoid among us (such as myself), but technically there’s no need for this as Apache already protects the .htaccess file(s) from external access.

  9. Lucifer Dreams July 23, 2011

    You can place this in your header wordpress theme at the top.

  10. Lucifer Dreams July 23, 2011

    Unless that part of Apache is hacked. Sorry I always go out with two pairs of socks on just in case one wears out.

    Never can be to sure.

    Here is some more paranoid for issues with proxy type attacks.

    <?php if(@fsockopen($_SERVER['REMOTE_ADDR'], 80, $errstr, $errno, 1)) die("Proxy access not allowed"); ?>

    Thanks to Perishable Press.

  11. Can You Give Me A Full .Htaccess For My WordPress

Comments are closed. Contact us with any critical information. Thank you!

Code is poetry