Website security should not be neglected, especially access to the back-end management (admin) directory, which needs particularly strict control. Otherwise, once someone obtains the website administrator's password, the upload functions available in the admin back end can be used to take over the entire website. At present, however, access to the admin back end is generally restricted only by the application's own password, and that password is only as secure as the application itself. Lower-level access restrictions are therefore needed to keep the website secure. Backups, of course, must not be neglected either.
The .htaccess file is Apache's distributed configuration file. It plays an important role in configuring website features, and it can also be used to restrict access to the website. The configuration method is described below:
1. Set an Apache access control password for important website directories (such as the admin back end).
First, create a text file named .htpasswd containing the user name and password to be used for access control. The file content involves an encryption algorithm, so first open the online generator page at http://www.wangqu.org/htaccess/, select the "folder password protection" section, enter the user name and password you want, and finally click the "create .htpasswd content" button; the content of the file is displayed below it.
The content of this file should look similar to the following:
username:gQQ/SeV/5y2bM
The user name comes before the colon and the encrypted password after it. Do not change it manually. After the file is created, upload it to a directory that cannot be accessed through HTTP and record the absolute path of the file.
After the upload, manually create a file named .htaccess with the following content:
AuthUserFile /home/foo/bar/.htpasswd
AuthGroupFile /dev/null
AuthName "Please enter your ID and password"
AuthType Basic
Require valid-user
In the first line, "/home/foo/bar/.htpasswd" is the absolute path of the .htpasswd file; change it to match your actual setup. Upload the .htaccess file to the directory to be protected.
From now on, accessing the protected directory pops up a login window; only after entering the user name and password you set do you reach the application's login page. This password is very secure: it is stored neither in the website's database nor in the website's directory. In addition, every access to the protected directory must be authorized, so the level of security is very high.
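The following is an added example, not part of the original article: a small Python check of the two files from step 1 that flags an AuthUserFile placed inside the document root and classifies the hash format of a .htpasswd entry. The function names and the document root /home/foo/public_html are assumptions made for illustration; the page does not name a document root.

```python
import posixpath
import re

# Hash prefixes htpasswd can write -> (scheme, weak?), where weak means the
# scheme is unsalted or truncates the password.
SCHEMES = [("$2y$", "bcrypt", False), ("$apr1$", "apr1-md5", False), ("{SHA}", "sha1", True)]

def hash_scheme(entry):
    """Classify the hash in one 'user:hash' .htpasswd line as (scheme, weak)."""
    user, sep, digest = entry.strip().partition(":")
    if not sep or not user:
        return ("malformed", True)
    for prefix, name, weak in SCHEMES:
        if digest.startswith(prefix):
            return (name, weak)
    # Traditional crypt(3): 13 characters; only the first 8 password chars count.
    if re.fullmatch(r"[./0-9A-Za-z]{13}", digest):
        return ("des-crypt", True)
    return ("unknown", True)

def audit_htaccess(text, docroot):
    """Return a list of findings for a Basic-auth .htaccess body."""
    directives = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            directives[parts[0].lower()] = parts[1].strip().strip('"')
    needed = ("authtype", "authname", "authuserfile", "require")
    findings = ["missing " + d for d in needed if d not in directives]
    path = directives.get("authuserfile", "")
    root = posixpath.normpath(docroot)
    norm = posixpath.normpath(path) if path else ""
    if path and not path.startswith("/"):
        findings.append("AuthUserFile is not an absolute path")
    elif path and (norm == root or norm.startswith(root + "/")):
        findings.append("AuthUserFile is inside the document root")
    return findings

# Constructed sample input, reusing the article's placeholder path and entry.
SAMPLE = """AuthUserFile /home/foo/bar/.htpasswd
AuthGroupFile /dev/null
AuthName "Please enter your ID and password"
AuthType Basic
Require valid-user
"""

if __name__ == "__main__":
    print(audit_htaccess(SAMPLE, "/home/foo/public_html"))
    print(hash_scheme("username:gQQ/SeV/5y2bM"))
```

The sample entry shown in step 1 is in the 13-character crypt() format, which uses only the first 8 characters of the password; Apache's htpasswd tool can write bcrypt ($2y$) entries instead. Basic authentication sends the user name and password with every request in base64 encoding only, so the protected directory should be served over HTTPS.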
2. Prevent certain IP addresses from accessing the website.
For example, if you want to block an IP address from accessing the website to improve security, you can reject that IP address directly. This is also done through the .htaccess file. Add the following content to the .htaccess file:
Order deny,allow
Deny from 127.0.0.1
Here 127.0.0.1 is the IP address that is denied access to the website. Upload the .htaccess file to the root directory of the website.