Importance of .htaccess file

BASICS:

Without knowing the importance of something, we should not just go at it blindly. In this post you are going to learn everything about the .htaccess file, which is very important for any site, from its functionality to its privacy.

I want everyone to understand its importance and how to use the .htaccess file, instead of just creating it or editing it to suit an immediate need. Whatever we do, we should do it fully if we want to become good security researchers or webmasters, because half knowledge is more dangerous than none: with half knowledge we not only look foolish in front of others, but we can also cause big damage when we experiment.

WHAT IS A .HTACCESS FILE AND WHAT ARE ITS FUNCTIONS

.htaccess stands for Hypertext Access. With this file we can control our website's functionality, keep intruders out, and control access to our directories. It is a per-directory configuration file for the Apache web server, which reads it whenever a request lands in that directory. If your web server is Apache, you should have a .htaccess file in your public_html directory.

It is a small text file that can be edited with a simple editor such as Notepad. You can make changes by downloading it with an FTP program such as FileZilla, editing it, and uploading it back in place.

NOTE: Be very careful with this file; a single small mistake can take your whole website down.

Where do you find your .htaccess file

This is a mandatory file if your website is hosted on an Apache server, yet some web hosting companies do not provide it, or hide files of this type so that users cannot change their settings. If you are planning to buy web hosting, I recommend asking the provider about access to this file first and then deciding. Some of the good hosting providers who give access to .htaccess files.

Your file can be found in the root directory, PUBLIC_HTML. You can see it in an FTP client such as FileZilla, or log in to your website's cPanel and check the root directory; it looks something like this.

You are in great danger of being compromised if you don't have this file on your server. But don't worry, I will show you a simple way to create and upload it.

Upload .htaccess to the server

Whenever we upload the file, we should always keep these things in mind:

* It should be uploaded in ASCII mode.

* CHMOD the created .htaccess file to 644 (so that it cannot be viewed in a browser by anyone with malicious intent).

Before going into the actual setup I want to give a full picture of the uses and advantages of the .htaccess file. There are also disadvantages, but we can treat them as negligible.

1. Gives us full control over the website.

2. Makes website indexing or crawling easy, without errors.

3. Helps in redirecting non-www to www, or vice versa.

4. Restricts users by IP address.

5. Secures your content from indexing (even when precautions are taken, security research has shown that information still leaks through Google dorks somehow, which can lead to damage).

6. Blocks access to secured directories.

How to create a .htaccess file

There are so many ways to create .htaccess files, but I am presenting the simple one here.

1. Open Notepad and type the following lines (or simply copy the bold sentences from here), each on a separate line:

RewriteEngine On

(This enables mod_rewrite so that the rewrite rules that follow are applied.)

RewriteCond %{HTTP_USER_AGENT} ^Wget [NC]

(This matches requests whose User-Agent header starts with Wget, ignoring case, to stop your site being retrieved with that tool; this can help against automated attacks.)

RewriteRule ^.* - [F,L]

(This returns 403 Forbidden for every matching request and stops processing further rules.)

Save this file in Notepad with the name ".htaccess" and upload it to PUBLIC_HTML on your server. This is the basic .htaccess file; there are many other directives we can include, and we are going to look at those here too.

Before adding those, I recommend starting each heading with # so that it is treated as a comment.

ex: # Index Page (this is taken as a comment)

According to security

If anybody plans to attack or harm your website, they first check for XSS vulnerabilities, SQL injection, rootkits, backdoors, etc. If you are safe from those, then a clever attacker (not a script kiddie) will definitely go looking for your .htaccess file. To prevent this, add the following lines to the same .htaccess file we created earlier.

Here we use the <Files> directive with the file name in order to protect this one file; as you can see, .htaccess is a file with no extension, not a .txt file.

# Block people seeing the htaccess file
<Files .htaccess>
order deny,allow
deny from all
</Files>
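The block above uses the Apache 2.2 access-control syntax. As an added example (not from the original post), here is a version that works on both Apache 2.2 and 2.4, also hides the .htpasswd file used later, and turns off directory listings; it assumes the host's AllowOverride permits Limit, AuthConfig and Options.

```apache
# Hide every file whose name starts with ".ht" (.htaccess, .htpasswd)
<FilesMatch "^\.ht">
    # Apache 2.4 and later: mod_authz_core is present
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2: the older Order/Deny form
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

# Do not generate a file listing for directories that have no index page
Options -Indexes
```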

You are done; now save the changes.

Redirect 404 errors to other pages

When one of your posts or files is missing, the default error page looks ugly and gives visitors a bad opinion of the site. To avoid this, add the lines below to redirect your visitors to similar pages of that category and protect your bounce rate. This option is built into most themes; if yours does not have it, this will save you.

Such errors sometimes reveal the actual server software running behind the site, which gives a hacker a very good clue for finding vulnerabilities in that server and attacking your website through backdoors or rootkits.

It looks something like this. If you are not a security researcher you will take it lightly and think it shows nothing important, but I am telling you, be careful with it: if your hosting provider doesn't update their servers, this can be a real problem.

EX:

Apache/2.1.3 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7h mod_bwlimit/1.6 PHP/5.2.6 Server at yourwebsite.com Port 88

You can see it shows your web server (Apache) and its version, the operating system running on the server, the SSL module version (which an attacker could try to bypass), the PHP version, and the port on which pages are being served.

This is enough information to search for a suitable payload, create a tunnel and attack when ports are open. There are tools in information security specially designed to extract this information while hacking a target, and here you are handing it all to attackers without any effort on their part.

Now, how to secure this. There are 2 main steps.

1. Create a page in WordPress named 404.php. I am not going to explain how, because I believe you are all well aware of that. Write the sentences given below on it to show visitors a humble request.

"IT SEEMS YOU HAVE BEEN REDIRECTED TO THE WRONG PAGE ACCIDENTALLY, BECAUSE THIS PAGE DOESN'T EXIST. CHECK WHETHER YOU HAVE ENTERED A WRONG URL OR CLICKED ON A BROKEN LINK. WHY NOT VISIT OUR HOME PAGE AND HAVE A LOOK AT SOMETHING SIMILAR TO WHAT YOU ARE SEARCHING FOR. THANK YOU"

Or in whatever style you wish; it doesn't matter. This is good practice to keep visitors on your site.

2. After setting up the 404 page, paste the line below in the .htaccess file we created earlier:

ErrorDocument 404 /404.php
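As an added example (not from the original post), the same ErrorDocument idea extended to the 403 response, together with the directive that removes the server banner shown earlier from the error pages Apache generates itself. It assumes 404.php exists in public_html.

```apache
# Serve your own page for "not found" and "forbidden" responses
# (paths are relative to the document root, i.e. public_html)
ErrorDocument 404 /404.php
ErrorDocument 403 /404.php

# Remove the "Apache/... (Unix) mod_ssl/... PHP/... Server at ... Port ..."
# footer from the error pages Apache generates itself
ServerSignature Off

# The Server: response header is governed by ServerTokens, which is only
# accepted in the main server configuration (httpd.conf), not in .htaccess:
#   ServerTokens Prod
```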

HANDLING 301 REDIRECTS

A 301 response tells search engines that a particular page, post, or entire website has been moved PERMANENTLY to another location. This is very important if you move from Blogger to WordPress, change your domain, etc. Paste the following line if you need it; otherwise don't use it.

Redirect 301 old_location new_location

The old location is a path relative to your site root, and the new location is a full http URL.

SETTING A 301 REDIRECT FOR A WHOLE DOMAIN

Suppose you have another domain, have moved all your content to it, and want all traffic sent to the new domain; then simply use the line below. This is optional if you don't have any extra domains.

Redirect 301 / http://www.yournewdomainname.com/

Restrict a person by IP address

If somebody is creating a lot of spam with bad comments, or is fishing for backlinks from comments, you can block their IP address so that they can never comment or land on your web pages again. This is how forums block you when you spam them or go beyond their rules.

#ban users from visiting the site
order allow,deny
deny from 203.0.113.5
allow from all

(203.0.113.5 is a placeholder; put the IP address you want to ban there.)

Similarly, if you want to ban many visitors at once, add one deny line per address:

#ban users from visiting the site
order allow,deny
deny from 203.0.113.5
deny from 203.0.113.6
deny from 203.0.113.7
allow from all

This has to be done every time, and you have to re-upload the .htaccess file each time, which can be a pain. There is a simpler method: just paste the IP address in the WordPress dashboard.
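As an added example (not from the original post), the same ban written in Apache 2.4 syntax, which also accepts whole network ranges so that a spammer who changes address within one block is still kept out; the addresses are placeholders from the documentation ranges.

```apache
# Apache 2.4: allow everyone except the listed addresses and ranges
<IfModule mod_authz_core.c>
    <RequireAll>
        Require all granted
        # a single spammer (placeholder address)
        Require not ip 203.0.113.5
        # an entire /24 network
        Require not ip 198.51.100.0/24
        # IPv6 ranges work the same way
        Require not ip 2001:db8::/32
    </RequireAll>
</IfModule>

# Apache 2.2 equivalent of the same list
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from 203.0.113.5
    Deny from 198.51.100.0/24
    Deny from 2001:db8::/32
    Allow from all
</IfModule>

# Caveat: behind a CDN or reverse proxy Apache sees the proxy's address,
# not the visitor's, unless mod_remoteip is configured on the server.
```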

Protect Directory with password

Sometimes we have important files that only certain people, or only we, should be able to access; this is very useful for that.

Add the following code to .htaccess file

AuthType Basic
AuthName "Your secure area name"
AuthUserFile /fullpath/to/your/directory/.htpasswd
require valid-user

The secure area name can be anything you wish.

/fullpath/to/your/directory is the path of the directory on the server where you have saved your .htpasswd file.

Create a file named .htpasswd and add a username and password to it.

To create the username and password

The username and password must be in this format in the .htpasswd file:

username:encryptedpassword

The password is stored as a hash, not in plain text (the .htpasswd format calls this the encrypted password).

Ex: grayhat:NDFBjsdd73jJBSF.SBFJru

Use an htpasswd generator site to produce the entry above. Leave the SALT option as it is.

Now paste the result into the .htpasswd file, save it and upload it.
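As an added example (not from the original post), a variant of the block above that skips the password prompt for one trusted network and still requires a login for everyone else (Apache 2.4 only); the file path and the address range are placeholders.

```apache
AuthType Basic
AuthName "Restricted area"
# Absolute path; keeping the file outside public_html means Apache never serves it
AuthUserFile /home/youraccount/.htpasswd

<RequireAny>
    # Requests from the trusted range (placeholder) need no login
    Require ip 198.51.100.0/24
    # Everyone else must present a username and password listed in .htpasswd
    Require valid-user
</RequireAny>

# Create or update the password file with Apache's own tool instead of a web form:
#   htpasswd -B -c /home/youraccount/.htpasswd grayhat
# -B stores a bcrypt hash; -c creates the file (omit -c when adding more users)
```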

I will release a video as soon as possible, so stay connected with our social pages for regular updates.

That's all. With these steps I can assure you that you are 99% safe on the internet.
