How to protect directories such as "core", "includes", "images" etc


I am building a website with PHP and I was wondering the best way to protect some directories that contain critical files or images etc.

For example, I have the following directories:

  • /core/ - contains database details file and functions file.
  • /includes/ - contains header, footer, sidebar and other included files.
  • /images/ - contains images and I don’t want visitors to be able to list the images as a directory listing.

I have this .htaccess file in the /core/ folder:

Deny From All

Shall I add this file to other folders as well? or what else do I need?

You could do that, although I wouldn’t add that to the images directory (otherwise no one will be able to view your images).
For the images you probably just need to put an empty index.html file in your images dir. Check out the Apache docs for DirectoryIndex for more information.

Immerse is correct - that’s NOT the thing to do!

core and includes can (should) be moved out of the webspace (above the public_html directory) if at all possible. The best you can do with images (to prevent a listing) is to use the Apache directive for that: Options -Indexes (in the .htaccess file - DocumentRoot would be best as that would cover all your webspace directories).



Thank you for your feedback. I have “Options -Indexes” in my root .htaccess file now.

David, what do you mean by “core and includes can (should) be moved out of the webspace (above the public_html directory) if at all possible.


Your host likely has you in a directory, say /home/~ademmeda which then has a subdirectory public_html (or www) where your website is located. My recommendation is to move protected files OUT of the public_html (or www) subdirectory into another subdirectory at the same level (in other words, /home/~ademmeda/public_html/core directory would be moved to /home/~ademmeda/core) where it cannot be accessed by an html request. Obviously, php includes and core information can be accessed by your php files (within the website) so things will work perfectly but with your sensitive files protected.

As immerse pointed out, you can’t do that with images as they’re accessed via http to display the images in your webpage. You can use PHP links to access the images outside the webspace but, once the image is served, it’s available to the world (whereas the content, not the output, of php files are protected by the server’s PHP daemon).



David, thanks for your advice. Honestly, this is the first time I hear this. Are you trying to say an .htaccess file with “Deny From All” in the “core” folder will not be enough? What I am working on is a CMS and I guess some popular CMS like WordPress have their critical files within their own folder and I think there is no security problems. I know hiding from a bullet behind a double wall is safer than hiding behind a single wall but if a single wall is certain to block the bullet, I guess it will be enough, am I wrong? :slight_smile:

One more thing: Let’s say I am on a shared hosting and I have the following folder structure:


How will I include functions.php within index.php?


A CMS must rely on protected directories and use Apache’s permissions to help protect in addition to Options -Indexes and requiring a login to the admin directory (and all its subs). I’d say that’s pretty secure but, if you want bulletproof, think about why WP tells you to remove the INSTALL directory.

For your question, include_once(‘…/core/functions.php’); would do the trick. Otherwise, include_once(‘/home/username/core/functions.php’); as you have access to the server’s entire file system (although you’ll lack permissions outside the username directory to access other files).