.htaccess: Deny From All – Prohibit, Forbid or Restrict Directory Access

by Yang Yang on January 27, 2009

Restricting directory access might be one of the most frequently used .htaccess techniques out there. As a site grows, there always are some areas that you don’t want visitors to look at such as merchandise warehouse where you store digital products for sale.

You want a programmed server-side script to serve the download after confirming payment instead of risking the users downloading them directly from the directory without paying you.

To deny all requests for the restricted directory or folder, prepare a .htaccess text file in that directory and put the following directive in it:

deny from all

That’s it.

Allow and enable access from certain IP

Say you have a permanent IP and you want to administer the site via /admin and protect the directory from the rest of the world once ‘n’ for all, then you will want the following .htaccess directives:

order deny, allow
deny from all
allow from

Wherein is your IP.

Or if you have an IP range for an entire country, you can allow visits to your site from that particular country only with this technique.

Or if you are operating the site from LAN you can allow only LAN IP to access certain directories such as /admin:

order deny, allow
deny from all
allow from 192.168.0
Disallow and deny access from certain IP

You get the idea. To allow all visits except from a few identified spam bots, just reverse the deny and allow order like this:

order allow, deny
# is a bad bot here
deny from
allow from all

Another blocking method via robots.txt.

CT May 7, 2010 at 2:53 pm

I know that this article is quite old but I wanted to show my appreciation for your hard work and say that after I’ve been googling for more than half an hour for how to prevent access to files in a directory I’ve found your article which helped me getting there with just one line of code. Thank you very much!

keep up the good work! 🙂


Yang Yang May 9, 2010 at 4:08 pm

Hey, really glad it helped!

endless beginning May 28, 2010 at 11:23 pm

hi, if i want to redirect a request of a directory to another directory/page, is that possible plz?

MCB Web Design May 28, 2010 at 11:45 pm

Exactly what I was looking for! Did the trick perfectly for a Facebook app. I was developing, where I didn’t want people to view the files from the domain it was hosted on.

Pradeep August 16, 2010 at 8:30 pm

So Simple yet powerful. Thanks for this info.

Pradeep August 16, 2010 at 8:33 pm

Is it possible not be IP specific (for bots). And check them using their some other identity. And then stop them.

Also, is it possible to block some of my users based on their userid?

fdafdasf June 6, 2012 at 1:12 am

If you want to block specific bots, try a robots.txt file:


Of course, this is only for bots that obey the standard. You can’t really block bad bots; they can just lie about their names.

As for your second question, I have no idea what you mean by userid.

Cao Tri March 18, 2011 at 4:55 pm

Very simple but very powerful. Thanks for your shared, it’s very helpful for my job

sak July 6, 2011 at 12:23 am

you should NOT leave a space between “deny” and “allow”
order deny,allow <– good
order deny, allow <– apache error

Jim S. Smith January 15, 2013 at 2:23 pm


I just now find this out! And this post is over two-years old.

Still valid with today’s versions of Apache.

Sree February 16, 2012 at 3:54 am

Very useful. Thanks it helped me alot

gangol May 22, 2012 at 5:26 am

Could you also please tell me how to restrict path

allow subdomain.domain.com/addon_domain/folder
deny http://www.domain.com/subdomain/addon_domain/folder
deny http://www.addon_domain.com/folder

Dom July 20, 2012 at 8:19 pm

Thanks for the help.

To deny public access but allow internal processes use this in the htaccess of the folder you want to restrict access to:

order deny,allow
deny from all

zak October 4, 2012 at 6:44 pm


I am trying to deny access to a directory. Then check a cookie set with a directory name.
Then use the cookie name and allow access to the directory.
For example cookie name my_dir. if the value in my_dir = “zaks_directory” then
allow access to “zaks_directory”.

Do you know how to do this.


joomir October 10, 2012 at 9:24 pm

Thanks alot, very good article

Jim S. Smith January 15, 2013 at 2:21 pm

Short and sweet!

Great way to secure any “forbidden” folder!

Thanks a bundle.

Comments on this entry are closed.

{ 5 trackbacks }

Previous post:

Next post: