Deny access to all PHP files in a directory using .htaccess

Question

I'm attempting to deny access to anyone surfing for PHP files in a specific directory:

example.com/inc/

I've created an example.com/inc/.htaccess file with the contents:

Order deny,allow
Deny from all

This results in a 403 Forbidden response when I try to access one of the files. For example: example.com/inc/file.php

The problem is, my web server is also denied access and my application stops working.

How can I deny access to people surfing for such PHP files but allow my shared web server access?

Note: I'm using GoDaddy shared hosting.

Answer 1

I would would just use a rule and block the access that is entered by the user. This will block any php file that is entered.

RewriteEngine On
RewriteRule ^.*\.php$ - [F,L,NC]

Edit based on your comment. Try this way.

<Files (file|class)\.php>
order allow,deny
deny from all
allow from 127.0.0.1
allow from 192.168.0.1
</Files>

Replace 192.168.0.1 with your server IP address.

Answer 2

Use proper directory structure put your files to lib/ directory for example and include them from file which is not present in this directory. This is how common frameworks works.

You can even map your url to web/ directory and put lib one directory up then you are sure that there is no access to your .php file but only index.php and assets.

You can read how it is solved for example in Symfony2 http://symfony.com/doc/current/quick_tour/the_architecture.html it'll give you some clues.

Answer 3

To only deny access to php files you can use this:

<Files *.php>
order allow,deny
deny from all
</Files>

Answer 4

To block navigation access to all files ending in .php you can use:

RedirectMatch 403 ^.*\.php$