[MyBB Security] Protecting the INC Directory 07-04-2015, 08:58 PM
#1
Let's face it - the ./inc/ directory shouldn't be accessible to the public. It's merely a collection of classes and functions. It also houses sensitive information such as database configurations and settings.
Protecting the directory from public access is simple and requires little effort. We'll be addressing this issue in MyBB 2.0 by allowing files to sit below the webroot so they cannot be accessed. For now, this will have to suffice.
This little tip assumes you're using an Apache webserver. For NGINX/lighttpd/etc. you'll need to refer to your webserver's manual.
[hide]
Firstly, create a file called htaccess.txt. This will be renamed later but due to files that are prefixed with a period being hidden by default this is the best method.
You want to edit this file with a text editor such as Notepad++ or even Notepad itself will do (Although not recommended) and put the following line at the top:
Now simply save it and upload to the ./inc/ directory on your webhost. You will then need to rename it to .htaccess
You can test it's working by going to http://yoursite.com/inc/
If you receive a 403 error then everything is working as planned and is inaccessible to the real world.
[/hide]
Protecting the directory from public access is simple and requires little effort. We'll be addressing this issue in MyBB 2.0 by allowing files to sit below the webroot so they cannot be accessed. For now, this will have to suffice.
This little tip assumes you're using an Apache webserver. For NGINX/lighttpd/etc. you'll need to refer to your webserver's manual.
[hide]
Firstly, create a file called htaccess.txt. This will be renamed later but due to files that are prefixed with a period being hidden by default this is the best method.
You want to edit this file with a text editor such as Notepad++ or even Notepad itself will do (Although not recommended) and put the following line at the top:
Code:
deny from allNow simply save it and upload to the ./inc/ directory on your webhost. You will then need to rename it to .htaccess
You can test it's working by going to http://yoursite.com/inc/
If you receive a 403 error then everything is working as planned and is inaccessible to the real world.
[/hide]
![[+]](https://sinister.ly/images/modern/collapse_collapsed.png)