Restrict Access to Your Website with .htaccess

Read Time: 3 minutes

When I come across things in my own world of website work, I make note of them so I can share them later. The .htaccess file is a quick way to block an IP address or domain if your website is having security problems or if you wish to restrict access to your site for any other reason.

How to use .htaccess to block a domain and restrict access to your site
The .htaccess file is a hidden configuration file used by the Apache web server. The rules in the file override global settings for the directory in which the it is placed. You may find that .htaccess files are created automatically on your server when you install popular web applications like WordPress, Drupal, and Magento. However, if the file does not exist, it can be easily created in a text editor and uploaded to your server. You can also create one directly from cPanel’s File Manager. As mentioned the .htaccess file is hidden by default so to see the file in your directory, ensure Show Hidden Files is checked in the Preferences panel, then click Save.

How to completely disable access
To prevent direct access to all files and folders on your server, create the .htaccess file in the root (top folder) of your server and add the following rule:
deny from all

How to deny access to specific file types through .htaccess
If you wish to deny access to certain types of files, you can do so with the following rule. This example blocks access to .html files.
<Files ~ "\.html$">
Order allow,deny 
Deny from all

For other file types change the file extension in the first line of the rule. For example, this rule blocks access to .pdf files:
<Files ~ "\.pdf$">
Order allow,deny
 Deny from all

How to deny access to a specific file through .htaccess
Blocking access to a specific file is performed using the following rule:
<Files config.php>
order allow,deny
 Deny from all
This example targets a config.php file held in the same directory as the .htaccess file. To change the file, replace config.php in the first line with your chosen filename.

How to use .htaccess IP deny access
If you wish to block a specific user from accessing your website, you can do so using their IP address or the domain name from which they’re visiting.
Use the following rule (replacing the numbers with the user’s IP address):
deny from 123.456.789.123

To deny access to a block of IP addresses, simply leave off the last octet from the IP address:
deny from 123.456.789.

This blocks access to anyone using an IP in the range of 123.456.789.0 to 123.456.789.255.

How to use .htaccess to block a domain
Denying access via links from specific domains ( is also possible through .htaccess. The following rule will display a 403 Forbidden error to any user accessing your site from a link hosted on the targeted domain:
SetEnvIfNoCase Referer "" bad_referer
Order Allow,Deny
Allow from ALL
Deny from env=bad_referer

Change the domain in the first line of the rule to target the domain you wish to block. For a more subtle approach, this rule displays a 500 Internal Server Error for anyone linking from the target domain:
RewriteEngine on
RewriteCond %{HTTP_REFERER} example\.com [NC,OR]
RewriteRule .* - [F]

How to block all IP addresses except specific ones
If you want to block all IP addresses except specific ones, use this rule:
Order allow,deny
Deny from all
Allow from IP1
Allow from IP2

How to remove access restrictions through .htaccess
If you wish to remove access restrictions from your .htaccess file, simply delete the rule from the file in cPanel File Manager’s text editor and save the file.

The .htaccess file is great tool for controlling access to your website. Hopefully you will find the above to be a good quick reference.

Was this article helpful?
Translate »