Removing the dot or period from htaccess files - A dangerous move?

It's dangerous in the sense that it won't work if you do. Apache will look for .htaccess and apply those rules as it serves content. Without finding that file, Apache will proceed assuming no additional directives are necessary.

.htaccess includes a leading . because it's a "hidden file" in Linux systems (which run most web servers).


Your FTP client has a setting to show hidden files. Turn it on. Or use a client that allows . hidden files to be seen.

And use SFTP as FTP sends clear-text credentials (clear-text => unencrypted as in you can retrieve them by running tcpdump or similar traffic analysis and capturing the packets).


Removing the dot or period from htaccess files and thus making it unhidden - A dangerous move?

You definitely have to be careful how you do it, as you might otherwise compromise the security of your server.

There are basically two dangers that you could encounter:

Reading your htaccess File

htaccess files are nothing special, and if you just rename .htaccess to htaccess, anyone can now read it, as it will be served as a normal file by Apache. It doesn't matter here if you changed AccessFileName or not. Access to .htaccess is denied by these lines in your Apache config, which will not catch htaccess:

<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

This may have negative consequences, such as leaking of information. Your htaccess file may for example contain absolute paths, and possibly other sensitive information such as database passwords defined via SetEnv.

htaccess File not working

Of course, if you rename your .htaccess file, it will not be parsed anymore. This means that you have to change AccessFileName.

But if you just change AccessFileName .htaccess to AccessFileName htaccess, this might be dangerous, as some other applications on the same server may rely on .htaccess files being parsed. There are quite a few applications whose security heavily relies on .htaccess files being parsed properly, for example because it denies access to files containing passwords, uploaded PHP files, etc. (relying on .htaccess files being parsed isn't ideal, but it does happen frequently).

Doing it right: Adding additional .htaccess file names

If you want to rename your .htaccess file, you have to do two things:

Add the new name to AccessFileName (do not remove the default .htaccess name):

AccessFileName .htaccess htaccess

And add a deny rule for it:

<FilesMatch "^htaccess">
    Require all denied
</FilesMatch>

[it isn't quite clear to me if you want to rename your htaccess file permanently or just temporarily while editing it, but the dangers I described above apply in either case, as does the solution proposed]
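
One way to check a configuration for both dangers described in the answer above, as an added example that is not part of the original answers: it verifies that every name listed in AccessFileName is covered by a FilesMatch block with Require all denied, and that .htaccess is still in the list. The sample configs are constructed, the function name audit is hypothetical, and the script assumes one flat config text (no Include or VirtualHost scoping) and that Python's re behaves like Apache's regex engine for these simple patterns.

```python
import re

# Constructed sample configs (illustrative, not from a real server).
WEAK = r'''
AccessFileName htaccess
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
'''
FIXED = r'''
AccessFileName .htaccess htaccess
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
<FilesMatch "^htaccess">
    Require all denied
</FilesMatch>
'''

BLOCK = re.compile(r'<FilesMatch\s+"?([^">]+)"?\s*>(.*?)</FilesMatch>', re.I | re.S)
DENY = re.compile(r'^\s*Require\s+all\s+denied\s*$', re.I | re.M)
NAMES = re.compile(r'^\s*AccessFileName\s+(.+)$', re.I | re.M)

def audit(conf):
    """Return (kind, name) findings for the two dangers described above."""
    conf = re.sub(r'^\s*#.*$', '', conf, flags=re.M)   # ignore comment lines
    # Patterns of FilesMatch blocks that contain "Require all denied".
    deny = [re.compile(m.group(1)) for m in BLOCK.finditer(conf)
            if DENY.search(m.group(2))]
    # Apache's default is .htaccess; a later directive replaces the list.
    lines = NAMES.findall(conf)
    names = lines[-1].split() if lines else ['.htaccess']
    findings = []
    for name in names:
        # FilesMatch is an unanchored regex match on the file name.
        if not any(rx.search(name) for rx in deny):
            findings.append(('exposed', name))    # parsed, but also served
    if '.htaccess' not in names:
        findings.append(('unparsed', '.htaccess'))  # other apps' rules ignored
    return findings

if __name__ == '__main__':
    for label, conf in (('weak', WEAK), ('fixed', FIXED)):
        print(label, audit(conf))
```
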
