Nowadays it is a common problem that websites get hacked or infected with malware. Every day millions of websites are hacked and blocked by Google. In many cases the hacker or malware adds malicious code to your HTML or PHP files, edits your .htaccess file, or adds or edits records in your MySQL database; sometimes they even delete all records from database tables using the TRUNCATE TABLE command. They also upload files to the web server. How is it possible to upload files, edit the database or change files without knowing the passwords? Yes, this is possible for hackers, because they are the best.
The following are a few of my findings on how to stop hacking, but the hackers could say better how to protect against them.
Protect through .htaccess file
The .htaccess file contains the configuration statements/commands that customize the Apache web server as per the user's requirements.
Disable PHP globals
Some web servers allow users to change PHP settings through the .htaccess file. If your host provides this option, you can disable PHP register_globals through the .htaccess file. Put the following code on the first line of your .htaccess file. If you see a 500 Internal Server Error after adding the code, remove it from your .htaccess file.
php_flag register_globals off
Turn off Server Signature
It is better to turn off your server information, so that the hacker gets less information about your server.
Disable Directory Listing
It is a best practice to disable directory listing. If fancy indexing is enabled, it should be disabled as well. Fancy indexing is used to display file size, type, modified date, etc.
Options -Indexes
IndexOptions -FancyIndexing
Deny access to Directories
You can create a separate .htaccess file and upload it to the folders to which you want to deny access.
Order Deny,Allow
Deny from all
Disallow the access of any file
You can protect your config files and other important files by adding the following to your .htaccess file.
<files .htaccess>
order allow,deny
deny from all
</files>
<files php.ini>
order allow,deny
deny from all
</files>
<files config.php>
order allow,deny
deny from all
</files>
If you give your users the option to upload files, there is a greater possibility that your site will be hacked or affected by malware. In that case, create a .htaccess file and save it in your user upload directory.
deny from all
<Files ~ "^\w+\.(gif|jpe?g|png)$">
order deny,allow
allow from all
</Files>
RewriteRule \.(gif|jpg|js|css)$ - [F]
URL Rewrite or SEO Friendly URL
It is a best practice to use SEO-friendly URLs. If your page URL is
then the hacker can easily get into your database through the id, so you can change your URL to something like this
http://wwww.domain.com/test/6/ or http://wwww.domain.com/test-6/
So your final .htaccess file will look something like this
php_flag register_globals off
RewriteEngine on
RewriteBase /
ServerSignature Off
# Answers 403 Forbidden to any request whose path ends in one of these extensions
RewriteRule \.(gif|jpg|png|js|css|php)$ - [F]
Options -Indexes
IndexOptions -FancyIndexing
# URL Rewrite code goes here
<files .htaccess>
order allow,deny
deny from all
</files>
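A quick way to confirm that an .htaccess file really contains the directives listed above, and to catch typos such as a misspelled Options line or a space inside the Order argument. This is an added example, not part of the original article; the names parse, audit and PROTECTED and both sample files are constructed for illustration, and it only checks the Order/Deny-style syntax used on this page.

```python
import re

PROTECTED = (".htaccess", "php.ini", "config.php")  # files the article locks down

def parse(text):
    """Group directive lines by enclosing <Files> argument (None = top level)."""
    sections, current = {None: []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<files\s+(.+?)>$", line, re.I)
        if opened:
            current = opened.group(1).strip('"').lower()
            sections.setdefault(current, [])
        elif re.match(r"</files>$", line, re.I):
            current = None
        else:
            sections[current].append(line)
    return sections

def audit(text):
    """Return findings for the hardening steps listed in the article."""
    sections = parse(text)
    top, findings = sections[None], []
    def has(pattern, lines):
        return any(re.match(pattern, ln, re.I) for ln in lines)

    if not has(r"php_flag\s+register_globals\s+off$", top):
        findings.append("register_globals not disabled")
    if not has(r"ServerSignature\s+Off$", top):
        findings.append("ServerSignature not Off")
    if not has(r"Options\s+(.*\s)?-Indexes(\s|$)", top):
        findings.append("directory listing not disabled")
    for name in PROTECTED:
        if not has(r"deny\s+from\s+all$", sections.get(name, [])):
            findings.append(f"{name} not protected")
    for lines in sections.values():
        for ln in lines:
            # Order takes a single comma-separated argument with no spaces.
            if re.match(r"order\s+\S+\s+\S", ln, re.I):
                findings.append(f"malformed Order directive: {ln}")
    return findings

# Constructed samples: WEAK carries two typos, HARDENED follows the article.
WEAK = "Opptions -Indexes\nOrder Deny, Allow\nDeny from all\n"
HARDENED = ("php_flag register_globals off\nServerSignature Off\nOptions -Indexes\n"
            + "".join(f"<files {n}>\norder allow,deny\ndeny from all\n</files>\n"
                      for n in PROTECTED))
```

Calling audit(WEAK) lists every missing or malformed directive, while audit(HARDENED) returns an empty list.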