This guide applies only to Apache or compatible web servers. It will not work with Microsoft IIS.
Sometimes you may find it necessary to have a folder on your web hosting with insecure permissions (such as 777 on Linux, or giving the guest account write access on Windows) because the owner of the files is a different user from the one the web server runs as. This is common when you want to be able to upload files or images to your website (for example with WordPress or Joomla). It is dangerous, because it allows any user to upload any file into that location.
You can make this a little more secure by locking the folder down so that only images and other selected file types inside it can be accessed through the website. This is done by placing some directives in a .htaccess file that tell the web server to turn off all script execution, disable directory indexes and only allow visitors to view specific file types.
To do this, put the following into a file named .htaccess and place that file in your insecure folder.
# Turn off the PHP engine for this directory (only works when PHP runs as an Apache module)
php_flag engine off
# Route script-like extensions to the CGI handler, then refuse to execute CGI, so they are served with 403 instead of running
AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .aspx .htm .html .shtml .sh .cgi
Options -Indexes -ExecCGI
# Deny everything by default...
<FilesMatch ".*">
order deny,allow
deny from all
</FilesMatch>
# ...then allow only the listed media types (FilesMatch is needed because the pattern is a regular expression)
<FilesMatch "\.(jpe?g|png|gif|bmp|tiff|swf|flv|mov|avi|mp4)$">
order allow,deny
allow from all
</FilesMatch>
You can add extra file types to the list inside the regular expression, separating each with a pipe (the vertical line). Because the file list is a regular expression, avoid making too many changes unless you are familiar with how regular expressions work.
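The directives above use the Apache 2.2 access-control syntax (order/deny/allow), which Apache 2.4 only accepts when mod_access_compat is loaded. The following is an added example, not part of the original guide, showing the same lockdown written for Apache 2.4 with the Require directives; the (?i) flag is an assumption added here so that uploads named with upper-case extensions such as .JPG are also matched.

```apache
# Apache 2.4 version of the upload-folder lockdown (added example, not from the original guide)

# Stop PHP from executing anything in this folder.
# Only valid when PHP runs as an Apache module; with PHP-FPM this directive is
# unknown and causes a configuration error, so remove it in that case.
php_flag engine off

# Hand script-like extensions to the CGI handler and then forbid CGI execution,
# so requests for them are refused rather than run.
AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .aspx .htm .html .shtml .sh .cgi
Options -Indexes -ExecCGI

# Default for the whole folder: nothing may be served.
Require all denied

# Allow-list only the media types that should be viewable. The later, more
# specific section replaces the directory-level rule for matching file names.
# (?i) makes the match case-insensitive (assumption added in this example).
<FilesMatch "(?i)\.(jpe?g|png|gif|bmp|tiff|swf|flv|mov|avi|mp4)$">
    Require all granted
</FilesMatch>
```

Options -Indexes -ExecCGI only takes effect if the hosting account's AllowOverride setting includes Options; if it does not, Apache returns a 500 error for the folder.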
Keep in mind that this does not make you impervious to attacks. Your folder is still insecure, so people can still try to exploit it by uploading into it as another user (especially on a shared hosting platform). But if you absolutely must use 777 permissions on a folder, this will give you a little extra security at no cost.