Htaccess limit

Apache server software provides distributed (i.e., directory-level) configuration via Hypertext Access files. These .htaccess files enable the localized fine-tuning of Apache’s universal system-configuration directives, which are defined in Apache’s main configuration file. The localized .htaccess directives must operate from within a file named .htaccess. The user must have appropriate file permissions to access and/or edit the .htaccess file. Further, .htaccess file permissions should never allow world write access — a secure permissions setting is “644”, which allows universal read access and user-only write access. Finally, .htaccess rules apply to the parent directory and all subdirectories. Thus to apply configuration rules to an entire website, place the .htaccess file in the root directory of the site.

Restricting directory access might be one of the most frequently used .htaccess techniques out there. As a site grows, there always are some areas that you don’t want visitors to look at such as merchandise warehouse where you store digital products for sale.

You want a programmed server-side script to serve the download after confirming payment instead of risking the users downloading them directly from the directory without paying you.

Performance Issues

.htaccess directives provide directory-level configuration without requiring access to Apache’s main server cofiguration file (httpd.conf). However, due to performance and security concerns, the main configuration file should always be used for server directives whenever possible. For example, when a server is configured to process .htaccess directives, Apache must search every directory within the domain and load any and all .htaccess files upon every document request. This results in increased page processing time and thus decreases performance. Such a performance hit may be unnoticeable for sites with light traffic, but becomes a more serious issue for more popular websites. Therefore, .htaccess files should only be used when the main server configuration file is inaccessible. See the “Performance Tricks” section of this article for more information.

To deny all requests for the restricted directory or folder, prepare a .htaccess text file in that directory and put the following directive in it:

deny from all


Say you have a permanent IP and you want to administer the site via /admin and protect the directory from the rest of the world once ‘n’ for all, then you will want the following .htaccess directives:

order deny, allow
deny from all
allow from

Wherein is your IP.

Or if you have an IP range for an entire country, you can allow visits to your site from that particular country only with this technique.

Or if you are operating the site from LAN you can allow only LAN IP to access certain directories such as /admin:

order deny, allow
deny from all
allow from 192.168.0


You get the idea. To allow all visits except from a few identified spam bots, just reverse the deny and allow order like this:

order allow, deny
# is a bad bot here
deny from
allow from all