Sometimes one needs to quickly block access to offending scripts – like for instance when a site has been hacked and malicious files have been uploaded to the account and are used to send out spam emails.

You should of course lock down the whole account and get started on the cleanup instantly, but in weird cases the website needs to remain active for just a little more time (minutes, hours) but with the malicious content blocked.
Apache provides a simple way to block out files from being accessible to visitors. And since most intrusions involve uploading php files and then accessing them directly, the bit of content below will do wonders at blocking out those direct calls while leaving the main site fully functional (sort of).

Add this to your root .htaccess file to temporarily block direct access to all .php files on your site, except index.php.

<Files *.php>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Files>
<Files index.php>
Order Allow,Deny
Allow from all
</Files>

This bit will only work if the site in question uses URL rewrites, making the main index.php file handle everything, without any direct calls to separate php script files.

You can use it as a basis for blocking other files/filetypes as well.

Leave a Reply