Overview
This article explains the different ways you can deny access to your website or specific parts of your site using an .htaccess file.
Creating an .htaccess file on your DreamHost web server
The code examples in this article must be placed in the .htaccess file of your website. See this article for instructions on how to create an .htaccess file on your web server.
If the file already exists, view the following articles for instructions on how to update it (depending on if you're using an FTP client or SSH):
Once the file has been created, you can add the code examples below to it.
Deny access to an entire website
This line prevents anyone from viewing your website. Visitors will instead see a 403 when viewing your website.
Require all denied
Denying access to files
These examples deny access to specific extensions and hidden files.
Deny access to specific file extensions
This forces any file ending in .inc to throw a 403 Forbidden error when visited:
<FilesMatch "\.(inc)$">
Require all denied
</FilesMatch>
File names beginning with a dot are considered "hidden" by UNIX. Usually, you don't want to serve them to visitors. DreamHost already disallows retrieving .htaccess and .htpasswd, but you can recursively deny all access to all hidden files by placing the following into a top-level .htaccess:
RedirectMatch 403 /\..*$
Denying access to directories
These examples deny access to a directory or prevent users from viewing the contents of a directory.
Deny access to a directory
If you have a directory named abcxyz that you want to block, but it can occur anywhere in your directory tree, use the following:
RewriteEngine On RewriteRule (^|/)abcxyz(/|$) - [F]
Deny access to a directory listing
If you don't have an index file in your directory, all of your files are listed in a directory list for anyone to view. The following code forces this directory listing to throw a 403 Forbidden error instead when visited:
Options -Indexes
Denying access during a specific hour of the day
This example blocks access to files in a directory during a specific time of day.
RewriteEngine On # If the hour is 16 (4 PM) RewriteCond %{TIME_HOUR} ^16$ # Then deny all access RewriteRule ^.*$ - [F,L]
If someone visits the directory anytime between 4:00 – 4:59 pm, a 500 Internal Server error is thrown. You can also specify multiple hours as well:
RewriteEngine On # Multiple hour blocks # If the hour is 4 PM or 5 PM or 8 AM RewriteCond %{TIME_HOUR} ^16|17|08$ # Then deny all access RewriteRule ^.*$ - [F,L]
Denying access to IPs
These examples block a single IP as well as a range of IP addresses.
Deny access from specific IP addresses
This example denies access to a single IP address:
<RequireAll>
Require all granted
Require not ip 173.236.241.100
</RequireAll>
When the user tries to connect to your site from that specific IP, they see a 403 Forbidden page instead. If you want to block an entire block of IPs, just leave the last octet off. For example:
<RequireAll>
Require all granted
Require not ip 173.236.241.
</RequireAll>
This denies access from anyone using an IP in the range from 173.236.241.0 all the way up to 173.236.241.255. See this online tool that automatically generates an IP range for you.
Allowing access from a specific IP
The following code blocks everyone except a specific IP address. You can use this to allow only yourself to view your site while denying access to everyone else.
<RequireAny>
Require all denied
Require ip <YOUR_IP_ADDRESS>
</RequireAny>
Denying access from a specific domain
This denies access from anyone connecting to your site from www.example.com.
<RequireAll>
Require all granted
Require not host example.com
</RequireAll>