By default on properly configured servers, the .htaccess and .htpasswd files are protected from all external access. This is super important because you do not want anyone or anything to access these sensitive and powerful files. If you are unsure, or just want to be extra secure, continue reading to learn how to protect all of your .htaccess and .htpasswd files.
First, take a moment to request one of your .htaccess files in a browser. This will let you know if the files are accessible on the Web. You may also want to try requesting the file using other, non-browser techniques such as Telnet, SSH, et al. All should be locked down by default; if not, ask your host why .htaccess files are accessible to the public. In either case, if you want to lock things down or add an extra layer of security just to be safe, continue reading for various techniques.
Protect with Apache Core
The following techniques can be used to secure the .htaccess and .htpasswd files on any Apache server.
# protect .htaccess <Files ~ "^.*\.([Hh][Tt][Aa])"> Order allow,deny Deny from all Satisfy all </Files>
# protect .htpasswd <Files ~ "^.*\.([Hh][Tt][Pp])"> Order allow,deny Deny from all Satisfy all </Files>
Protect both files
# protect .htaccess and .htpasswd <Files ~ "^.*\.([Hh][Tt])"> Order allow,deny Deny from all Satisfy all </Files>
Protect all files beginning with a dot
# protect all dot files <Files ~ "^.*\."> Order allow,deny Deny from all Satisfy all </Files>
Protect with mod_alias
Here is a simple .htaccess snippet that will protect all files that begin with a dot:
# protect files beginning with . RedirectMatch 403 /\.(.*)
This will protect all .htaccess files, .htpasswd files, and any other file that begins with a literal dot. You could refine the technique a bit by requiring that the dot be proceeded by the letters “ht”:
# protect files beginning with .ht RedirectMatch 403 /\.ht(.*)
This is more specific, so better if you are concerned about false positives.
Protect with mod_rewrite
Here is the same basic technique as before, but using Apache’s
# protect files beginning with . RewriteRule /\.(.*) - [NC,F]
As before, this could be tweaked to be more specific, requiring the letters “ht”.