Demotic Security: How To Secure Your HTACCESS And Configuration Files
Online security is important in the Internet age, and securing your site's most important files should be one of your first goals.
Demotic has two really important files that keep your site running: the HTACCESS file and the configuration file "config.php". You'll need to protect both if you want to prevent malicious users from getting into your site or server.
1. Protecting Demotic's HTACCESS File
Let's start with this one. Your installation's HTACCESS file, which drives your entire website, usually resides in the site root. What the HTACCESS file does is:
- Rewrites your URLs to "Pretty URLs" (mostly on the frontend) while funneling requests for those URLs to the main entry point file of your site.
- Handles access privileges for certain files in your installation.
- Sets cache directives that are applied to your site's assets (disabled on a fresh install, but you can enable them by uncommenting them).
- Sets memory limits and upload limits (disabled by default on a fresh install; enable them if you have full access to your server's resources).
- And more.
Now we need to forbid direct access to your site's HTACCESS file. Simply blocking the exact file name could work, but malicious users can sometimes use different strategies to reach it (e.g. changing the case of the requested file name, requesting it in "SpOnGeBoB" case, and so on). To cover these scenarios we use a regex. Let's dive into the code. Copy the following directives into your HTACCESS file, save it and upload it to your server:
# Prevent your .htaccess file from being accessed directly. This uses a regex rule
# (the "~" form of <Files>) so that case variants such as .HTACCESS are caught too.
# Note: the pattern requires the letters "hta" after a dot, so it does not cover
# ".htpasswd"; Apache's stock configuration denies every name starting with ".ht".
<Files ~ "^.*\.([Hh][Tt][Aa])">
Order deny,allow
Deny from all
Satisfy all
</Files>
# On Apache 2.4 the three directives inside the section can be replaced by
# "Require all denied"; the old Order/Deny/Satisfy syntax only keeps working
# there while mod_access_compat is loaded.
Now try accessing your site's HTACCESS file using the URL: http://www.your-website.com/.htaccess. Does it return a bold "403 - Forbidden" page? Try the upper-case variant (/.HTACCESS) as well, since catching such variants is exactly why the regex is there. If both are forbidden then, hooray, you've finally protected it.
2. Protecting Demotic's Configuration File
Your site's "config.php" file is a really important one. It holds the database connection details that allow your site to reach its database, and it sets up the "global" variables that are referenced everywhere in the source code. It also contains your site's "secret login URI". Leaving it unprotected is a major security risk. Sometimes things happen: your web host could be updating its servers and temporarily disable the execution of PHP files. Now imagine that, instead of being executed, your "config.php" is dumped into a user's browser as a plain text file. Oops! Your users get to see secret information that they should never see.
Now, let's protect it. Copy these directives into your HTACCESS file, save it and upload it to your server:
# Prevent your config.php configuration file from being accessed directly.
# This is an exact, case-sensitive name match that applies in every directory
# below the one holding this HTACCESS file.
<Files "config.php">
Order deny,allow
Deny from all
</Files>
# On Apache 2.4, "Require all denied" is the native replacement for the
# Order/Deny pair above.
Now try accessing your site's configuration file using the URL: http://www.your-website.com/config.php. Does it return a bold "403 - Forbidden" page? If it does then, congratulations, your configuration file is now safe from prying eyes online.
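Before relying on the browser test alone, it helps to see exactly which request names each of the two rules above covers. The following Python script is an added example (it is not from the original article and not part of Demotic): it transcribes both `<Files>` rules and replays them against a handful of constructed request paths. It assumes that Python's `re` engine agrees with Apache's regex engine for these simple patterns (it does for the characters used here) and that a `<Files>` section matches only the last path component, which is how Apache applies it. The broader `^\.[Hh][Tt]` pattern is my own assumption, modelled on Apache's stock ".ht*" rule, and not something the article prescribes.

```python
import re

# The two rules from the HTACCESS snippets above, transcribed verbatim.
HTACCESS_PATTERN = re.compile(r"^.*\.([Hh][Tt][Aa])")  # <Files ~ "^.*\.([Hh][Tt][Aa])">
CONFIG_NAME = "config.php"                              # <Files "config.php">

# Assumed broader pattern (not from the article), modelled on Apache's stock
# ".ht*" rule: deny every name that starts with ".ht", in any letter case.
DOTHT_PATTERN = re.compile(r"^\.[Hh][Tt]")


def basename(request_path: str) -> str:
    """Apache's <Files> sections match against the final path component only."""
    return request_path.rstrip("/").rsplit("/", 1)[-1]


def denied_by_page_rules(request_path: str) -> bool:
    """True if either rule from the article would answer 403 for this path."""
    name = basename(request_path)
    return HTACCESS_PATTERN.search(name) is not None or name == CONFIG_NAME


def denied_by_dotht_rule(request_path: str) -> bool:
    """Same check, with the assumed '^\\.[Hh][Tt]' pattern replacing the article's regex."""
    name = basename(request_path)
    return DOTHT_PATTERN.search(name) is not None or name == CONFIG_NAME


# Constructed request paths for the comparison; none of these come from a real site.
SAMPLE_REQUESTS = [
    "/.htaccess",        # the plain case
    "/.HTACCESS",        # upper-case variant
    "/.HtAcCeSs",        # the "SpOnGeBoB" variant the article mentions
    "/.htaccess.bak",    # editor backup copy (the regex is not anchored at the end)
    "/admin/.htaccess",  # the same file name in a subdirectory
    "/.htpasswd",        # not matched by the article's regex: "hta" is required
    "/config.php",       # exact-name rule
    "/Config.php",       # <Files "config.php"> is case-sensitive
    "/index.php",        # ordinary page, must stay reachable
]


def audit(paths=SAMPLE_REQUESTS):
    """Return (path, denied by the article's rules, denied by the '^\\.[Hh][Tt]' rule)."""
    return [(p, denied_by_page_rules(p), denied_by_dotht_rule(p)) for p in paths]


def gaps(paths=SAMPLE_REQUESTS):
    """Paths the article's rules let through but the broader pattern would deny."""
    return [p for p, page, dotht in audit(paths) if dotht and not page]


if __name__ == "__main__":
    header = "{:<20}{:<14}{}".format("request", "page rules", "^\\.[Hh][Tt] rule")
    print(header)
    for path, page, dotht in audit():
        page_col = "denied" if page else "allowed"
        dotht_col = "denied" if dotht else "allowed"
        print("{:<20}{:<14}{}".format(path, page_col, dotht_col))
    print("let through by the page's rules only:", gaps())
```

Running it shows every case variant of .htaccess denied, as the article intends, and also that "/.htpasswd" is the one sample the article's regex lets through while the ".ht" prefix rule would deny it; "/Config.php" passes both rules because the exact-name match is case-sensitive, which only matters on a case-insensitive filesystem where that request could actually be served.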
That's it for now. Secure your Demotic website today!