I’m just finishing up my first site and want to give site security a lot of thought before going live. My first question, then, is how to keep certain folders from being seen by anyone; in these folders I have config files with database passwords. I just noticed that upon creating a phpAdmin database backup, my host (GoDaddy) put the backup in a folder that it created with a file named
That particular code will present a username/password screen to anyone who visits the directory (or any subdirectory within that directory) where the .htaccess resides.
The username/password combinations are stored in the file /home/content/a/b/c/html/stats/.statspwd
Normally for directories containing config files etc you’d just want to deny access to anyone, which you can do with the following .htaccess:
deny from all
Yes, it’s that simple.
PS. Even better would be to put the config files in a directory outside the public html directory, but not all hosts allow this.
Thanks so much for the quick reply. And just to clarify then, the folder with the “deny all” .htaccess will not allow anyone to get in to any of the files?
Also, why would it be “better” to move them from the public directory?
In other words, just how secure is my .htaccess folder?
The folder with the “deny all” will indeed lock everyone out.
I personally think it’s better to have the directory with configs etc. out of the public directory because that way it’s not accessible by anyone browsing your website, period. If you ever remove that .htaccess, or the server goes bonkers and doesn’t process .htaccess files the way it should, the directory is wide open.
Then again, this is probably more a mild form of paranoia than anything else, but if you have the option to put files outside the public directory I’d take it.
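The two answers above make one point between them: a "deny from all" .htaccess protects everything below it, but only while Apache is actually reading .htaccess files, which is why a config directory above the public root is safer. The script below is an added example (not from either poster) that audits a docroot the way a defender would before going live: it walks the tree, flags files that look like configs or database dumps, and reports the ones that are not covered by a deny-all .htaccess in their own directory or any parent. It recognises both the Apache 2.2 form quoted above and the Apache 2.4 form "Require all denied". The sample layout it builds in a temp directory is constructed for the demo; the list of sensitive file-name patterns is an assumption, not an exhaustive rule.

```python
import re
import tempfile
from pathlib import Path

# Directives that shut a directory off from web visitors.
# "deny from all" is the Apache 2.2 / mod_access_compat form used in the answer above;
# "Require all denied" is the Apache 2.4 form. Either one counts as a deny-all here.
DENY_RE = re.compile(
    r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

# File names that commonly hold secrets or dumps and should never be fetchable
# by URL. Constructed, illustrative list, not a complete policy.
SENSITIVE_RE = re.compile(
    r"(^\.env$|config.*\.php$|\.sql(\.gz)?$|\.bak$|\.statspwd$)", re.IGNORECASE
)


def dir_is_denied(directory: Path, docroot: Path) -> bool:
    """True if `directory`, or any parent up to and including `docroot`, holds an
    .htaccess with a deny-all directive. A deny in a parent covers every
    subdirectory, exactly as the first answer describes."""
    current = directory.resolve()
    docroot = docroot.resolve()
    while True:
        ht = current / ".htaccess"
        if ht.is_file() and DENY_RE.search(ht.read_text(errors="replace")):
            return True
        if current == docroot or current.parent == current:
            return False
        current = current.parent


def audit_docroot(docroot: Path) -> list[str]:
    """Return docroot-relative paths of sensitive-looking files that are NOT
    behind a deny-all .htaccess, i.e. files a visitor could fetch by URL."""
    exposed = []
    for path in sorted(docroot.rglob("*")):
        if path.is_file() and SENSITIVE_RE.search(path.name):
            if not dir_is_denied(path.parent, docroot):
                exposed.append(path.relative_to(docroot).as_posix())
    return exposed


def build_sample_site(root: Path) -> Path:
    """Constructed sample layout: one protected include dir, one forgotten
    backup dir, and a config dir kept outside the docroot altogether."""
    docroot = root / "public_html"
    (docroot / "includes").mkdir(parents=True)
    (docroot / "includes" / "config.php").write_text("<?php $db_pass = 'placeholder';")
    (docroot / "includes" / ".htaccess").write_text("deny from all\n")
    (docroot / "backups" / "2024").mkdir(parents=True)
    (docroot / "backups" / "2024" / "site.sql").write_text("-- constructed dump\n")
    # Outside the docroot: never reachable by URL, whatever happens to .htaccess.
    (root / "private").mkdir()
    (root / "private" / "config.php").write_text("<?php $db_pass = 'placeholder';")
    return docroot


def demo() -> list[str]:
    """Build the sample site in a temp dir and return the exposed files."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = build_sample_site(Path(tmp))
        return audit_docroot(docroot)


if __name__ == "__main__":
    for rel in demo():
        print(f"EXPOSED: {rel}")
```

On the sample layout the audit reports only `backups/2024/site.sql`: the config under `includes/` is covered by its .htaccess, and the copy under `private/` is never examined because it sits above the docroot. Note what the check cannot tell you: whether Apache is honouring the file at all (that depends on `AllowOverride` in the server config), which is precisely the failure mode the second answer describes and the reason the out-of-docroot copy is the stronger option.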