Deny access to a site with an .htaccess file

Overview

This article explains the different ways you can deny access to your website or specific parts of your site using an .htaccess file.

This article shows examples for both Apache versions 2.2 and 2.4.

All DreamHost servers currently run version 2.4, but older 2.2 code will still function.

Creating an .htaccess file on your DreamHost web server

The code examples in this article must be placed in the .htaccess file of your website. View the following article for instructions on how to create an .htaccess file on your web server:

If the file already exists, view the following articles for instructions on how to update it (depending on if you're using an FTP client or SSH):

Once the file has been created, you can add the code examples below to it. 

Deny access to an entire website

The following code prevents anyone from viewing your website. Visitors will instead see a 403 when viewing your website.

Apache 2.2

Order deny,allow
Deny from all

Apache 2.4

Require all denied

Deny access to files

Denying access to specific file extensions

The following code forces any file ending in .inc to throw a 403 Forbidden error when visited:

Apache 2.2

<Files ~ "\.inc$">  
  Order Allow,Deny
  Deny from All
</Files>

Apache 2.4

<FilesMatch "\.(inc)$">
Require all denied
</FilesMatch>

Denying access to "hidden" files

File names beginning with a dot are considered "hidden" by UNIX. Usually, you don't want to serve them to visitors.

DreamHost already disallows retrieving .htaccess and .htpasswd, but you can recursively deny all access to all hidden files by placing the following into a top-level .htaccess:

RedirectMatch 403 /\..*$

Deny access to folders

Denying access to a directory listing

If you don't have an index file in your directory, all of your files are listed in a directory list for anyone to view. The following code forces this directory listing to throw a 403 Forbidden error instead when visited:

Options -Indexes

Denying access during a specific hour of the day

If you wish to block access to files in a directory during a specific time of day, then you can do so by adding the following code to an .htaccess file:

RewriteEngine On
# If the hour is 16 (4 PM)
RewriteCond %{TIME_HOUR} ^16$
# Then deny all access
RewriteRule ^.*$ - [F,L]

If someone visits the directory anytime between 4:00 – 4:59 pm, a 500 Internal Server error is thrown. You can also specify multiple hours as well:

RewriteEngine On
# Multiple hour blocks
# If the hour is 4 PM or 5 PM or 8 AM
RewriteCond %{TIME_HOUR} ^16|17|08$
# Then deny all access
RewriteRule ^.*$ - [F,L]

Denying access to a directory

If you have a directory named blah that you want to block, but it can occur anywhere in your directory tree, use the following:

RewriteEngine On
RewriteRule (^|/)blah(/|$) - [F]

Denying access from specific IP addresses

If you have problems with certain visitors to your website, you can easily ban them.

Apache 2.2

There are two different ways to ban visitors:

  • using their IP address, or
  • the domain name from which they are visiting.

Here's an example that denies a user by their IP address:

deny from 173.236.241.100

When the user tries to connect to your site from that specific IP, they see a 403 Forbidden page instead. If you want to block an entire block of IPs, just leave the last octet off. For example:

deny from 173.236.241.

This denies access from anyone using an IP in the range from 173.236.241.0 all the way up to 173.236.241.255.

The following link is a useful online tool that automatically generates an IP range for you:

Apache 2.4

<RequireAll>
Require all granted
Require not ip xxx.xxx.xxx.xxx
</RequireAll>

Allowing access from a specific IP

If you need to deny access to your site to everyone while still allowing yourself or another specific IP address to visit it, you can use something like this:

Apache 2.2

order deny,allow
deny from all
allow from <YOUR_IP_ADDRESS>

Apache 2.4

<RequireAny>
Require all denied
Require ip <YOUR_IP_ADDRESS>
</RequireAny>

Denying access from a specific domain

This denies access from anyone connecting to your site from www.example.com.

Apache 2.2

If someone clicks on a link at example.com that redirects to your site, they then see a 403 Forbidden error:

SetEnvIfNoCase Referer "example.com" bad_referer
Order Allow,Deny
Allow from ALL
Deny from env=bad_referer

This example throws a 500 Internal Server Error for anyone linking from example.com:

RewriteEngine on
RewriteCond %{HTTP_REFERER} example\.com [NC,OR]
RewriteRule .* - [F]

The following example redirects any visitor connecting from example.com to google.com:

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^https://example.com/
RewriteRule /* https://www.google.com [R,L]

Apache 2.4

<RequireAll>
  Require all granted
  Require not host example.com
</RequireAll>

See also

Did this article answer your questions?

Article last updated PST.

Still not finding what you're looking for?