Answer:
This article explains common .htaccess rules you can use on GHFS Hosting (Apache side) to improve your website's security. These rules help protect sensitive files, block bad requests, and reduce some types of attacks. Keep in mind that Plesk normally runs nginx as a reverse proxy in front of Apache: .htaccess is read by Apache, so its rules only apply to requests that actually reach Apache (see section 13 for the nginx cases).
Important: Wrong .htaccess rules can break your whole site with a 500 error. Always take a backup of your existing .htaccess file before editing.
1. Where Is .htaccess in Plesk?
In most cases, .htaccess is located in your domain's document root:
- Main domain: /httpdocs/.htaccess
Addon domains and subdomains have their own document root; the exact folder is shown in Plesk under Websites & Domains → Hosting Settings.
If it does not exist, you can create a new file called .htaccess in the same folder.
You can edit it via:
- Plesk → Websites & Domains → File Manager → /httpdocs/ → .htaccess
2. Disable Directory Listing
Directory listing shows a list of files if there is no index file. You usually want this disabled.
Add to .htaccess:
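The directive that does this, given here as an added example (Apache 2.4 on Plesk assumed; this is not the page's own snippet):

```apache
# Disable automatic directory listing for this folder and all subfolders.
# With this set, a folder without index.html/index.php returns 403
# instead of a file list.
Options -Indexes
```

If this single line produces a 500 error, the server does not allow `Options` overrides in .htaccess; ask support to enable it rather than working around it.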
This stops people from browsing your folders directly.
3. Protect the .htaccess File Itself
Prevent visitors from accessing your .htaccess file:
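Added example rule (Apache 2.4 syntax, not the original page's snippet):

```apache
# Deny web access to .htaccess, .htpasswd and any other .ht* file,
# in this folder and every subfolder.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```

Apache's stock server configuration usually already denies `.ht*` files, so this rule is defence in depth: it keeps the protection in place even if the server-level default is ever changed.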
This blocks .htaccess, .htpasswd, and any other file whose name starts with .ht.
4. Block Access to Sensitive Files (config, SQL, backup, etc.)
You can block direct access to common sensitive file types:
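Added example (not the page's own code; Apache 2.4 syntax). The extension list is a typical starting point, so remove anything you deliberately serve for download, such as .zip:

```apache
# Block direct download of configuration files, database dumps, backups,
# logs and editor leftovers anywhere under this folder.
# FilesMatch tests the file name only, not the directory it sits in.
<FilesMatch "\.(bak|backup|old|orig|save|swp|sql|sql\.gz|tar|tar\.gz|tgz|zip|log|ini|conf|cfg|yml|yaml|env|sh)$">
    Require all denied
</FilesMatch>
```

After adding it, request one of these files in a browser (for example a renamed test file such as test.bak) and confirm you get 403 rather than the contents.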
This helps protect configuration and backup files if they exist in web-accessible paths. Two caveats: the best protection is to keep backups and dumps outside /httpdocs altogether, and if "Serve static files directly by nginx" is enabled under Apache & nginx Settings, nginx answers requests for the extensions in its static list (archives such as .zip and .tgz are typically included) before Apache sees them, so an Apache rule cannot protect those files.
5. Limit Access to wp-config.php (WordPress)
For WordPress sites, wp-config.php is very sensitive: it contains the database credentials and the authentication salts.
Add:
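Added example rule (Apache 2.4 syntax; not copied from the original page):

```apache
# Deny all web requests for wp-config.php.
# WordPress loads this file through PHP include, never over HTTP,
# so the site keeps working; only direct requests are refused.
<Files "wp-config.php">
    Require all denied
</Files>
```

`<Files>` matches the file name in any subfolder, so stray copies such as wp-config.php left in a backup directory are covered as well.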
This blocks direct access from the web.
6. Restrict Access to wp-login.php by IP (Optional – For Admin Only)
If you have a fixed IP address, you can limit WordPress login to your IP.
Example (replace with your IP):
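Added example (not the page's own; the two addresses are RFC 5737 documentation placeholders, replace them with your own):

```apache
# Only the listed addresses may request the WordPress login page.
# Several Require ip lines are combined as "any of these".
<Files "wp-login.php">
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</Files>
```

If you reach the site over IPv6, add that address too. Plesk's nginx proxy passes the visitor's real address on to Apache, but if your site sits behind a CDN, Apache sees the CDN's address instead and this rule would lock you out.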
- First line: a single IP
- Second line: a full subnet (optional)
If your IP changes often, do not use this rule.
7. Disable XML-RPC (If You Don’t Need It)
XML-RPC is often abused for brute-force attacks (its system.multicall method lets one request try many passwords) and for pingback-based DDoS amplification. If you don't use the WordPress mobile app, Jetpack, or another remote publishing client, you can block it:
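Added example rule (Apache 2.4 syntax; not the page's own snippet):

```apache
# Refuse every web request for xmlrpc.php.
# Anything that depends on XML-RPC (mobile app, Jetpack, remote publishing)
# stops working, which is the intended trade-off.
<Files "xmlrpc.php">
    Require all denied
</Files>
```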
This stops external access to xmlrpc.php.
8. Block Access to Hidden Files (Dotfiles)
You can block all hidden files (starting with a dot), except those required internally:
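Added example (not the original page's code). It uses a path match rather than `<FilesMatch>` because FilesMatch only tests the final file name, so it would not stop a request for /.git/config:

```apache
# Any path segment that starts with a dot gets a 404, except /.well-known/.
# Returning 404 rather than 403 avoids confirming that the file exists.
RedirectMatch 404 "/\.(?!well-known/)"
```

Test it by requesting /.env and /.git/HEAD (404 expected) and /.well-known/acme-challenge/test (should not be blocked, so a 404 there comes from the file simply not existing).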
This protects hidden files and directories such as .env and .git, while allowing .well-known (used for Let's Encrypt / ACME certificate validation).
9. Prevent Script Execution in Upload Folders
If you have an uploads or media folder that should only store images/documents, you can block PHP scripts inside it.
Create or edit a .htaccess file inside your uploads folder (example: /httpdocs/wp-content/uploads/.htaccess):
This helps prevent malicious scripts from running in upload directories.
10. Basic Hotlink Protection (Optional)
To stop other sites from directly embedding your images:
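Added example (not the page's own code; yourdomain.com is a placeholder):

```apache
RewriteEngine On
# Let through requests that carry no Referer (direct visits, privacy settings).
RewriteCond %{HTTP_REFERER} !^$
# Let through requests coming from your own site, http or https, with or without www.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com(/|$) [NC]
# Every other request for an image is refused with 403.
RewriteRule \.(jpe?g|png|gif|webp|svg)$ - [F,NC]
```

On a WordPress site put these lines above the `# BEGIN WordPress` block, since WordPress rewrites that block itself. The Referer header is easy to omit or forge, so treat this as a bandwidth measure, not a security control.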
Replace yourdomain.com with your real domain. Note that if "Serve static files directly by nginx" is enabled under Apache & nginx Settings, nginx serves image requests itself and these Apache rules are never reached.
11. Secure File Types from Direct Access (e.g., .php in certain folders)
If you have a folder that should not run any PHP file (e.g. /download/), add a .htaccess file inside that folder:
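Added example serving both section 9 (upload folders) and this section (download-only folders); it is not the page's own snippet and assumes Apache 2.4:

```apache
# Save as .htaccess inside the folder that must never execute scripts,
# e.g. /httpdocs/wp-content/uploads/.htaccess or /httpdocs/download/.htaccess.
# The trailing (\.|$) also catches double extensions such as shell.php.jpg.
<FilesMatch "\.(php[0-9]?|phtml|phar|pl|py|cgi|sh)(\.|$)">
    Require all denied
</FilesMatch>
```

Deny rules are preferred over `php_flag engine off`, which only works when PHP runs as an Apache module; under PHP-FPM, the usual setup on Plesk, a php_flag line in .htaccess causes a 500 error.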
This is useful for download-only areas.
12. Tips Before and After Editing .htaccess
- Always download a backup of .htaccess before changes
- After editing, test your site:
  - Front page
  - Admin panel
  - Login pages
- Also request one of the files you just blocked and confirm you get a 403 or 404 instead of its contents
- If you see a 500 Internal Server Error, revert the last change; the Apache error log (Plesk → Websites & Domains → Logs) names the directive that caused it
- Edit small parts at a time instead of adding everything at once
13. When to Contact GHFS Hosting Support
Contact support if:
- Your site shows 500 errors after editing .htaccess
- You are not sure where .htaccess rules should go
- Your domain uses an nginx-only configuration (Apache proxy mode disabled) and .htaccess has no effect, because requests never reach Apache
- You want server-level firewall or WAF rules in addition to .htaccess
Support can review your configuration and suggest the safest rules for your use case.