How to Deny Access to Directory and Subdirectories using htaccess Ubuntu

How to Deny Access to Directory and Subdirectories using htaccess Ubuntu

Apache allows access to everything inside the Document Root folder by default. This means directory and its all the subdirectories and their contents can be listed and accessed. However, you can use .htaccess to harden the security of your Server, and to access the deny directory or folder and its content using .htaccess in Ubuntu Apache server.

Restrict access to a folder with htaccess; Through this tutorial, we will show you how to restrict/deny or block a folder or any file using htaccess with Apache web server.

Here are three solutions to access deny folders, directory and subdirectories using .htaccess file in ubuntu apache server; as follows:

  • Deny Access to Folder htaccess
  • Access Deny Directory Listing using htaccess
  • Deny access to certain files using htaccess

1. Deny Access to Folder htaccess

Open .htaccess file and add the following line of code to prevent access to .htaccess file itself; as follows:

# Deny access to .htaccess
<Files .htaccess>
Order allow,deny
Deny from all

2. Access Deny Directory Listing using htaccess

The following line in .htaccess will remove directory indexing and make the server respond with a 403 forbidden message.

# Disable directory browsing 
Options -Indexes

To simply hide all the contents of the directory without forbidden message, use the IndexIgnore directive.

# Hide the contents of directories
IndexIgnore *

To hide some filetypes only, use

# Hide files of type .png, .zip, .jpg, .gif and .doc from listing
IndexIgnore *.png *.zip *.jpg *.gif *.doc

3. Deny access to certain files using htaccess

Even if you remove directories and files from listing, they are still accessible if you type the path.

To remove unauthorized access to cetain file extensions, use

# Deny access to files with extensions .ini, .psd, .log, .sh
<FilesMatch "\.(ini|psd|log|sh)$">
Order allow,deny
Deny from all

To prevent access to all filenames starting with dot(.) like .htaccess, .htpasswd, .env and others use

# Deny access to filenames starting with dot(.)
<FilesMatch "^\.">
Order allow,deny
Deny from all

You may also password protect files and directories and store the passwords in a .htpasswd file

# Password protect files
<FilesMatch "^(execute|index|myfile|anotherfile)*$">
AuthType Basic
AuthName "Mypassword"
AuthUserFile <Full Server Path to .htpasswd file>/.htpasswd
Require valid-user

Replace the <Full Server Path to .htpasswd file> with your actual path.

You may also place .htaccess file inside each sub-directory with specific over-rides. The access rules can be directly defined inside Apache’s main configuration file httpd.conf. But if you don’t have access to the main configuration file (which is normally the case if your using a shared hosting service), you have to resort to .htaccess based access rules.

Note: Over-riding httpd.conf settings using .htaccess is only allowed if the AllowOverride Directive is set inside httpd.conf which is the default case.

Recommended Ubuntu Tutorials


Greetings, I'm Devendra Dode, a full-stack developer, entrepreneur, and the proud owner of My passion lies in crafting informative tutorials and offering valuable tips to assist fellow developers on their coding journey. Within my content, I cover a spectrum of technologies, including PHP, Python, JavaScript, jQuery, Laravel, Livewire, CodeIgniter, Node.js, Express.js, Vue.js, Angular.js, React.js, MySQL, MongoDB, REST APIs, Windows, XAMPP, Linux, Ubuntu, Amazon AWS, Composer, SEO, WordPress, SSL, and Bootstrap. Whether you're starting out or looking for advanced examples, I provide step-by-step guides and practical demonstrations to make your learning experience seamless. Let's explore the diverse realms of coding together.

Leave a Reply

Your email address will not be published. Required fields are marked *