Apache Access Control done right, ‘Allow/Deny from all’ versus ‘Require All Granted/Denied’

Since Apache 2.4.6, a new module is used to configure and set up access control for websites: mod_authz_core. This means you have to use a different syntax for allowing or blocking hosts and IP addresses to your website. But unfortunately, old documentation is never updated and people even still write blog posts using that old syntax, leaving you with an unprotected website. Not what you had in mind, now is it?…

I see it all too often: blog posts telling you to use the following part of a .htaccess file to protect a file like wp-config.php:

<Files wp-config.php>
	Order Allow,Deny
	Deny from all
</Files>

Unfortunately this doesn’t work anymore with Apache 2.4.6 and higher! And I find it hard to believe so-called “WordPress Security” companies still write posts explaining the old, non-functional syntax without even mentioning the new syntax…

Satisfy, Order, Deny and Allow have all been deprecated and replaced with new Require directives.

Yes, there is Apache’s mod_access_compat, that provides compatibility for old directives like Order, Allow, Deny and Satisfy. But depending on such a module is not recommended, since it’s deprecated by mod_authz_host: https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html.

Access authorization in Apache 2.4.6

So now, once and for all: how to use the new Apache 2.4.6+ mod_authz_host syntax in your .htaccess:

# Protect wp-config.php
<Files wp-config.php>
	Require all denied
	# substitute with your IP address (comments must be on their own line)
	Require ip 198.51.100.15
</Files>

For compatibility with older Apache versions, you can wrap this up in a condition:

<Files wp-config.php>
	# Apache 2.2
	<IfModule !mod_authz_core.c>
		Order Deny,Allow
		Deny from all
		Allow from 198.51.100.15
	</IfModule>

	# Apache 2.4
	<IfModule mod_authz_core.c>
		Require all denied
		Require ip 198.51.100.15
	</IfModule>
</Files>
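
To find .htaccess files that still carry the old syntax, the following added example (not code from the original post) reports every Order, Allow, Deny or Satisfy line and whether it sits inside the `<IfModule !mod_authz_core.c>` guard shown above. The function names and the sample file are constructed for illustration.

```python
import re

# Directives the post lists as deprecated (served by mod_access_compat).
LEGACY = {"order", "allow", "deny", "satisfy"}
# <IfModule> arguments meaning "mod_authz_core is NOT loaded" (file name or module identifier).
GUARDS = {"!mod_authz_core.c", "!authz_core_module"}
OPEN_RE = re.compile(r"^<\s*(\w+)\s*(.*?)\s*>$")
CLOSE_RE = re.compile(r"^</\s*\w+\s*>$")

def find_legacy(text):
    """Return (line_no, directive, guarded) for every legacy access directive."""
    stack, findings = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if CLOSE_RE.match(line):
            del stack[-1:]                # leave innermost container (no-op if unbalanced)
            continue
        m = OPEN_RE.match(line)
        if m:
            stack.append((m.group(1).lower(), m.group(2).lower()))
            continue
        word = line.split()[0].lower()
        if word in LEGACY:
            guarded = any(n == "ifmodule" and a in GUARDS for n, a in stack)
            findings.append((no, word, guarded))
    return findings

def unguarded(text):
    """Line numbers of legacy directives outside a 2.2-only <IfModule> guard."""
    return [no for no, _, guarded in find_legacy(text) if not guarded]

# Constructed sample .htaccess: the old snippet, then the guarded form.
SAMPLE = """\
<Files wp-config.php>
	Order Allow,Deny
	Deny from all
</Files>
<Files wp-config.php>
	<IfModule !mod_authz_core.c>
		Order Deny,Allow
		Deny from all
	</IfModule>
	<IfModule mod_authz_core.c>
		Require all denied
	</IfModule>
</Files>
"""
```

Calling `unguarded()` on the contents of each .htaccess file in a site tree gives the line numbers that still need converting to `Require`.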

Note: by using an .htaccess file you’d normally leave Nginx and IIS web servers unprotected! You can use .htaccess in IIS though, but don’t rely on just .htaccess files for your website defense.


Psst, here are 7 snippets to use .htaccess as a Web Application Firewall. But normally, .htaccess files should not be used for security restrictions.

