Use .htaccess To Block Access To File

On a particular PHP web project that I am working on, I have a configuration file in the document root that I don’t want people to be able to access.  It seems pretty simple, but it took me a while to figure out how to do this.  The solution that works for me requires an Apache web server with the .htaccess file enabled.

To deny access to a single file, add this to the .htaccess file in your document root.
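
One way to do this with Apache's `<Files>` container, as an added example rather than the original post's snippet. The filename `config.php` is an assumed placeholder, and the `<IfModule>` split covers both the Apache 2.4 `Require` syntax and the older 2.2 `Order`/`Deny` syntax.

```apache
# Added example, not the original post's snippet.
# Assumption: the file to protect is named config.php (placeholder name)
# and lives in the directory that holds this .htaccess file.
<Files "config.php">
    # Apache 2.4 and later: mod_authz_core provides the Require directive
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2: fall back to the older Order/Deny access directives
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
```

PHP `include`/`require` reads the file from disk, so the application keeps working while direct HTTP requests for the file get a 403. The host must permit these directives in .htaccess through `AllowOverride` (AuthConfig for `Require`, Limit for `Order`/`Deny`).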


Comments & Discussions

    • jtmadmin

      The best information I’ve found on what you want to do is here:

      If you just want to block a single referring site, you can use the following to get you started.

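      RewriteEngine On
      # Match any of the four referrer forms (http/https, with/without www)
      RewriteCond %{HTTP_REFERER} ^http://www.mysite.com.* [NC,OR]
      RewriteCond %{HTTP_REFERER} ^http://mysite.com.* [NC,OR]
      RewriteCond %{HTTP_REFERER} ^https://www.mysite.com.* [NC,OR]
      RewriteCond %{HTTP_REFERER} ^https://mysite.com.* [NC]
      # Return 403 Forbidden for the protected file
      RewriteRule ^mysubdir/myothersubdir/myfile.php$ - [NC,F]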

      Make sure to change the 4 mysite.coms to the domain you wish to block, and mysubdir/myothersubdir/myfile.php to the path, relative to your site’s root (where .htaccess is stored), you wish to block. Be careful to leave all the symbols.

      You’ll need the mod_rewrite Apache module installed and enabled for this to work. There’s a good chance it is, but if not you’ll need to get your hosting provider to enable it, or enable it yourself if you run the server. If you need to do it yourself, just Google “install mod_rewrite on “.

      Now, let me explain what’s going on. RewriteEngine On enables the Apache server’s mod_rewrite module and tells it to pay attention.

      RewriteCond %{HTTP_REFERER} ^* tells mod_rewrite to apply the upcoming RewriteRule only when the specified condition is met. In this case, the condition is that the referring website has a URL base of The .* at the end is a wildcard telling mod_rewrite that anything can go at the end and not violate the conditional. Effectively, anytime a page at refers to your website, the condition is matched. The other 3 RewriteCond are the same but include missing www and https instead of http. Therefore, if any of the 4 conditions are matched, the RewriteRule is applied.

      RewriteRule ^mysubdir/myothersubdir/myfile.php$ - [NC,F] redirects mysubdir/myothersubdir/myfile.php to the second parameter. In your case, you want to block it, not redirect it. The blocking is done at the end, so a placeholder of - is used for the second parameter. The [NC,F] does the blocking. NC tells mod_rewrite to ignore capitalization. This is important because,, FACEBOOK.COM, FaCeBoOk.CoM, and are all the same. URLs are case insensitive. F tells mod_rewrite to forbid access to the file using a 403 forbidden HTTP status code.

  1. Kgosi Kekana


    I want to add audio files that I can play back on a site using html5Audio however I want people to not be able to access these audio files directly. I’ve seen it on google images where you click to view full image and it gives you a “403” error however you can view the image on the site or on google. How do I do that?


    • John Morris

      What you are referring to is called hotlink protection. I’ve never done it with audio files, but I can’t think of any reason that it would be any different than image files.

      The easiest way to do it for images is to use an online generator for the correct .htaccess code. This one looks pretty solid: htaccess Tools: Hotlink Protection.

      To make it work for images, simply input your domain(s) and change the files to protect to the audio file’s extension (e.g. mp3/wav/ogg).

      Here’s an example of what the generator output:

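      RewriteEngine on
      # Let through requests that send no Referer header
      RewriteCond %{HTTP_REFERER} !^$
      # Let through requests referred by your own site (example.com is a placeholder for your domain)
      RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example\.com [NC]
      # Forbid every other request for an audio file
      RewriteRule \.(mp3|wav|ogg)$ - [NC,F,L]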

      You can find instructions for doing it manually here:

