Removing the dot or period from htaccess files (and thus making it unhidden) - A dangerous move?
I tried to search in Google with the string "Can I remove the dot htaccess", but I didn't find anything directly related to this question.
The reason for removing it is one and simple: to edit it faster directly from the FTP client instead of navigating to the cPanel file manager...
6 Comments
Your web host (or Apache server) will not be able to detect that it is a ".htaccess" file; instead, it will see it as a file with no extension.
So, I wouldn't say it's DANGEROUS, but it certainly would not operate correctly, or at all.
No, you should not do this. It is dangerous, incorrect, and the wrong answer to the problem.
If you remove the dot, it changes it to a different filename. Apache is programmed specifically to look for the filename with the dot, so it won't see your renamed file as being anything special. Your server config commands in the file won't get loaded, and your site probably won't work as intended. This can be worked around by making changes to the core Apache config, but obviously only if you have access to it (which you probably don't if you're on shared hosting), but in general it's best not to change that kind of thing.
If you remove the dot, then the file will become accessible to web browsers, thus making key parts of your server config visible to hackers and potentially giving them information that will help them attack you. It is possible to work around this and make sure the file remains hidden, but that involves further messing around in the main server config.
Your FTP client will have a setting that allows you to see hidden files. (If it doesn't, get yourself a better FTP client!)
While we're talking about FTP -- don't use it. Always use SFTP instead. The "S" stands for "Secure". If you're using FTP without the 'S', you're not secure. (Unbelievably, there are some web hosting companies that only give you FTP access, not SFTP. If you're on one of them, find a better hosting company as soon as you can.)
Removing the dot or period from htaccess files and thus making it unhidden - A dangerous move?
You definitely have to be careful how you do it, as you might otherwise compromise the security of your server.
There are basically two dangers that you could encounter:
Reading your htaccess File
htaccess files are nothing special, and if you just rename .htaccess to htaccess, anyone can now read it, as it will be served as a normal file by Apache. It doesn't matter here if you changed AccessFileName or not. Access to .htaccess is denied by these lines in your Apache config, which will not catch htaccess:
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
This may have negative consequences, such as leaking of information. Your htaccess file may for example contain absolute paths, and possibly other sensitive information such as database passwords defined via SetEnv.
htaccess File not working
Of course, if you rename your .htaccess file, it will not be parsed anymore. This means that you have to change AccessFileName.
But if you just change AccessFileName .htaccess to AccessFileName htaccess, this might be dangerous, as some other applications on the same server may rely on .htaccess files being parsed. There are quite a few applications whose security heavily relies on .htaccess files being parsed properly, for example because it denies access to files containing passwords, uploaded PHP files, etc. (relying on .htaccess files being parsed isn't ideal, but it does happen frequently).
Doing it right: Adding additional .htaccess file names
If you want to rename your .htaccess file, you have to do two things:
Add the new name to AccessFileName (do not remove the default .htaccess name):
AccessFileName .htaccess htaccess
And add a deny rule for it:
<FilesMatch "^htaccess">
Require all denied
</FilesMatch>
[it isn't quite clear to me if you want to rename your htaccess file permanently or just temporarily while editing it, but the dangers I described above apply in either case, as does the solution proposed]
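The checks from the answer above, as an added example that is not part of the original post: a small Python audit that reads an Apache config fragment and reports, for a chosen file name, whether Apache would parse it as an access file, whether a FilesMatch deny rule keeps it from being served, and whether the default .htaccess name is still honoured. The config fragments are constructed, the function names are hypothetical, and Python's `re` is assumed to behave like Apache's regex matching for these simple patterns.

```python
import re

# Constructed config fragments for illustration (not from a real server).
DEFAULT = r'''
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
'''
# Default name replaced and no deny rule for the new name.
REPLACED = "AccessFileName htaccess\n" + DEFAULT
# The answer's recommendation: keep .htaccess, add the new name and a deny rule.
FIXED = "AccessFileName .htaccess htaccess\n" + DEFAULT + r'''
<FilesMatch "^htaccess">
    Require all denied
</FilesMatch>
'''

BLOCK = re.compile(r'<FilesMatch\s+"([^"]+)"\s*>(.*?)</FilesMatch>', re.I | re.S)
DENY = re.compile(r'^\s*Require\s+all\s+denied\s*$', re.I | re.M)
NAMES = re.compile(r'^\s*AccessFileName\s+(.+)$', re.I | re.M)

def access_file_names(conf):
    """Names Apache parses as per-directory config (assumes last directive wins)."""
    found = NAMES.findall(conf)
    return found[-1].split() if found else [".htaccess"]

def deny_patterns(conf):
    """Regexes of FilesMatch blocks whose body contains 'Require all denied'."""
    return [re.compile(p) for p, body in BLOCK.findall(conf) if DENY.search(body)]

def audit(conf, filename):
    """Report how Apache would treat `filename` under this config fragment."""
    names = access_file_names(conf)
    return {
        "parsed": filename in names,          # directives inside take effect
        "denied": any(p.search(filename) for p in deny_patterns(conf)),
        "default_kept": ".htaccess" in names,  # other apps' .htaccess still work
    }

if __name__ == "__main__":
    for label, conf in [("default", DEFAULT), ("replaced", REPLACED), ("fixed", FIXED)]:
        print(label, audit(conf, "htaccess"))
```

A safe rename needs all three values to be True; the plain rename under the default config gives `parsed` and `denied` both False, meaning the file is ignored by Apache and readable by browsers.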
Removing the dot is renaming the file.
Once you do that, the web server won't be able to find the file, so its contents will no longer affect web server behavior.
If, after considering all the disadvantages of running a non-standard set-up, you still want to rename it, you can configure Apache to look for the file under a different name, but it may make sense to make the name clearly different to .htaccess.
E.g., to change it to config, add this to your web server's configuration:
AccessFileName config
However, the Apache documentation recommends not using .htaccess at all, and doing all configuration in the server configuration file.
It's dangerous in the sense that it won't work if you do. Apache will look for .htaccess and apply those rules as it serves content. Without finding that file, Apache will proceed assuming no additional directives are necessary.
.htaccess includes a leading . because it's a "hidden file" in Linux systems (which run most web servers).
Your FTP client has a setting to show hidden files. Turn it on. Or use a client that allows . hidden files to be seen.
And use SFTP as FTP sends clear-text credentials (clear-text => unencrypted as in you can retrieve them by running tcpdump or similar traffic analysis and capturing the packets).