Removing the dot or period from htaccess files - A dangerous move?
It's dangerous in the sense that it won't work if you do. Apache will look for .htaccess and apply those rules as it serves content. Without finding that file, Apache will proceed assuming no additional directives are necessary.
.htaccess includes a leading . because it's a "hidden file" in Linux systems (which run most web servers).
Your FTP client has a setting to show hidden files. Turn it on. Or use a client that allows . hidden files to be seen.
And use SFTP as FTP sends clear-text credentials (clear-text => unencrypted as in you can retrieve them by running tcpdump or similar traffic analysis and capturing the packets).
Removing the dot or period from htaccess files and thus making it unhidden - A dangerous move?
You definitely have to be careful how you do it, as you might otherwise compromise the security of your server.
There are basically two dangers that you could encounter:
Reading your htaccess File
htaccess files are nothing special, and if you just rename .htaccess to htaccess, anyone can now read it, as it will be served as a normal file by Apache. It doesn't matter here if you changed AccessFileName or not. Access to .htaccess is denied by these lines in your Apache config, which will not catch htaccess:
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
This may have negative consequences, such as leaking of information. Your htaccess file may for example contain absolute paths, and possibly other sensitive information such as database passwords defined via SetEnv.
htaccess File not working
Of course, if you rename your .htaccess file, it will not be parsed anymore. This means that you have to change AccessFileName.
But if you just change AccessFileName .htaccess to AccessFileName htaccess, this might be dangerous, as some other applications on the same server may rely on .htaccess files being parsed. There are quite a few applications whose security heavily relies on .htaccess files being parsed properly, for example because it denies access to files containing passwords, uploaded PHP files, etc. (relying on .htaccess files being parsed isn't ideal, but it does happen frequently).
Doing it right: Adding additional .htaccess file names
If you want to rename your .htaccess file, you have to do two things:
Add the new name to AccessFileName (do not remove the default .htaccess name):
AccessFileName .htaccess htaccess
And add a deny rule for it:
<FilesMatch "^htaccess">
Require all denied
</FilesMatch>
[it isn't quite clear to me if you want to rename your htaccess file permanently or just temporarily while editing it, but the dangers I described above apply in either case, as does the solution proposed]
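An added example, not part of either answer: a small audit that checks an Apache config for the two dangers described above, namely an access file name that no deny rule covers and a dropped default .htaccess name. The sample configs are constructed, the function names are hypothetical, and the check assumes a single config file using the Apache 2.4 "Require all denied" syntax, with Python's re standing in for Apache's regex engine on these simple patterns.

```python
import re

# Constructed sample configs (not taken from a real server).
RENAMED_CONF = r'''
AccessFileName htaccess
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
'''
FIXED_CONF = r'''
AccessFileName .htaccess htaccess
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
<FilesMatch "^htaccess">
    Require all denied
</FilesMatch>
'''

def access_file_names(conf):
    """Names set by AccessFileName; Apache's default is .htaccess."""
    names = ['.htaccess']
    for m in re.finditer(r'^\s*AccessFileName\s+(.+)$', conf, re.M | re.I):
        names = m.group(1).split()  # a later directive replaces an earlier one
    return names

def denied_patterns(conf):
    """Regexes of <FilesMatch> blocks that contain 'Require all denied'."""
    blocks = re.finditer(r'<FilesMatch\s+"([^"]+)"\s*>(.*?)</FilesMatch>', conf, re.S | re.I)
    return [re.compile(m.group(1)) for m in blocks
            if re.search(r'^\s*Require\s+all\s+denied\s*$', m.group(2), re.M | re.I)]

def unprotected(conf):
    """Access file names that Apache would serve as ordinary files."""
    pats = denied_patterns(conf)
    return [n for n in access_file_names(conf) if not any(p.search(n) for p in pats)]

def drops_default(conf):
    """True if .htaccess is no longer parsed, which breaks apps relying on it."""
    return '.htaccess' not in access_file_names(conf)

if __name__ == '__main__':
    for label, conf in (('renamed only', RENAMED_CONF), ('fixed', FIXED_CONF)):
        print(label, 'readable:', unprotected(conf), 'default dropped:', drops_default(conf))
```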