Linux Tips I Wish I Knew Long Ago – Using the Apache File Directive to block critical files

This is a cool little security piece I learned quite some time ago, but it continues to be beneficial. I use emacs as my editor of choice, and when editing a file it makes a backup copy with a ~ appended to the file name. Some time ago I learned that malware looks for these backup files for common configs, like wp-config.php~, in order to get at things like sensitive password files or configs that contain credentials. Since the backup's name no longer ends in .php, a typical setup serves it as plain text rather than executing it. To protect against accidental leakage like this, I use the Files directive in Apache to block this type of file and other configs. I typically add this to the main config so it applies to every site on the server and not just one.

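# Deny any file whose name ends in "~" (editor backups).
# Apache 2.2 syntax; 2.4 needs mod_access_compat, or use "Require all denied" instead of the next three lines.
<Files ~ "~$">
Order allow,deny
Deny from all
Satisfy All
</Files>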

I’ve also used a similar rule for files with the .inc extension (typical include files):

# The dot is escaped so the pattern matches a literal ".inc" extension.
<Files ~ "\.inc$">
Order allow,deny
Deny from all
Satisfy All
</Files>
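To see which files the two rules cover on a given server, and to confirm they are actually refused, here is an added example that is not part of the original post. The function names, the document-root argument and the base URL are assumptions for illustration; the URL is meant to be your own site.

```shell
#!/bin/sh
# Added example: audit a document root for the file names blocked above,
# then check that the server answers 403 for each of them.

# True if a file name ends in "~" (editor backup) or ".inc" (include file),
# the same names the regexes ~$ and \.inc$ select.
is_blocked_name() {
    case $1 in
        *~|*.inc) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print the URL path (relative to the document root) of every matching file.
audit_docroot() {
    ( cd "$1" && find . -type f \( -name '*~' -o -name '*.inc' \) -print ) |
        sed 's|^\.||' | LC_ALL=C sort
}

# Return 0 when the server answers 403 Forbidden for base_url + path.
is_denied() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1$2")
    [ "$code" = "403" ]
}

# Report each matching file as blocked or EXPOSED; non-zero if any is exposed.
# Usage (assumed paths): verify_site /var/www/html http://localhost
verify_site() {
    audit_docroot "$1" | (
        rc=0
        while IFS= read -r path; do
            if is_denied "$2" "$path"; then
                echo "blocked  $path"
            else
                echo "EXPOSED  $path"
                rc=1
            fi
        done
        exit $rc
    )
}
```

Run `verify_site` after reloading Apache; any `EXPOSED` line means a virtual host or `.htaccess` file is overriding the server-wide rule.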
