
How to Protect Your Website from DDoS Attacks Using .htaccess

DDoS (Distributed Denial of Service) attacks overwhelm a website by flooding it with more requests than it can serve, causing slowdowns or downtime. If your website runs on an Apache server, you can add rules to your .htaccess file that turn away some abusive traffic before it reaches your application code. This guide shows you how to configure .htaccess for that, and where the limits of this approach are.

Step 1: Access Your .htaccess File

  1. Log in to your hosting control panel (cPanel, DirectAdmin, etc.).
  2. Navigate to File Manager and go to the root directory of your site (usually public_html).
  3. Look for the .htaccess file. If it doesn’t exist, create one.
  4. Open the file for editing.

Step 2: Add DDoS Protection Code to .htaccess

Copy and paste the following code into your .htaccess file. This configuration helps reduce abusive traffic by:

  • Throttling the bandwidth of each response (Apache cannot count requests per IP from .htaccess)
  • Blocking known bad bots by User-Agent
  • Rejecting large POST requests
  • Denying access to xmlrpc.php
  • Blocking specific IP addresses

# Protect against some basic DDoS attacks

# NOTE: Apache's mod_ratelimit throttles the bandwidth of a response; it cannot
# count requests per IP, and "RateLimitEnv" is not a real directive. Per-IP
# request limits need a server-level module (mod_evasive, mod_qos, ModSecurity)
# or an upstream service, neither of which can be enabled from .htaccess.

# Throttle each response to 512 KB/s so one client cannot saturate the link
<IfModule mod_ratelimit.c>
    SetOutputFilter RATE_LIMIT
    SetEnv rate-limit 512
</IfModule>

# Block common bad bots (spambots, crawlers, etc.) by User-Agent.
# Any client can send any User-Agent, so this only stops bots that identify
# themselves; MJ12bot and AhrefsBot are SEO crawlers that also honor robots.txt.
SetEnvIfNoCase User-Agent "libwww-perl" bad_bot
SetEnvIfNoCase User-Agent "MJ12bot" bad_bot
SetEnvIfNoCase User-Agent "AhrefsBot" bad_bot
<IfModule mod_rewrite.c>
    RewriteEngine On
    # SetEnvIf sets bad_bot=1 when a pattern matched; [F] returns 403 and
    # implies [L], so no later rewrite rules run for the request.
    RewriteCond %{ENV:bad_bot} ^1$
    RewriteRule ^.* - [F]
</IfModule>

# Protect against large POST requests
# LimitRequestBody is an Apache core directive, so it works without ModSecurity:
# any request body larger than 100 KB (102400 bytes) gets a 413 response.
# (SecFilterEngine/SecFilterScanPOST are ModSecurity 1.x directives that
# ModSecurity 2.x rejects, and ModSecurity rules are normally not honored in
# .htaccess at all.) Raise the value if your site accepts file uploads.
LimitRequestBody 102400

# Deny access to XML-RPC (its pingback and system.multicall methods are abused
# for amplification and brute-force attacks on WordPress). Apache 2.4 syntax
# with a 2.2 fallback; note that Jetpack and the WordPress mobile apps need it.
<Files "xmlrpc.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</Files>

# Block known IP addresses if necessary (replace with actual bad IPs).
# No <Limit GET POST> wrapper: it would leave other methods (OPTIONS, PUT, ...) open.
<IfModule mod_authz_core.c>
    <RequireAll>
        Require all granted
        Require not ip 123.123.123.123
        Require not ip 124.124.124.124
    </RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
    Order Allow,Deny
    Allow from all
    Deny from 123.123.123.123 124.124.124.124
</IfModule>

# Custom error message for blocked users (optional)
ErrorDocument 403 "Access Denied."

Explanation of the Code:

  • Bandwidth Throttling: mod_ratelimit caps each response at 512 KB/s, so a single client pulling large files cannot saturate the link. It counts bytes, not requests: Apache offers no .htaccess-level way to limit requests per second per IP. That needs a server-level module (mod_evasive, mod_qos, ModSecurity) or an upstream service.
  • Blocking Bad Bots: Returns 403 to requests whose User-Agent matches the list. Crawlers that identify themselves honor this; an attacker can send any User-Agent, so treat it as a nuisance filter rather than DDoS protection.
  • Large POST Request Protection: LimitRequestBody rejects request bodies over 100 KB with a 413, which keeps oversized uploads from tying up PHP workers. Raise the value if your site accepts file uploads (WordPress media uploads are POST requests).
  • Disable XML-RPC: Blocks xmlrpc.php, whose pingback and system.multicall methods are abused for amplification and brute-force attacks on WordPress. Jetpack and the WordPress mobile apps depend on it, so skip this rule if you use them.
  • IP Blocking: Returns 403 to the listed addresses (replace them with the IPs you actually want to block). Apache still has to accept the connection and parse the request before the rule applies, so this saves PHP and database work but not the connection itself. Behind a CDN or reverse proxy, Apache sees the proxy's address, so these rules need mod_remoteip to act on the real client.
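Choosing which addresses to put in the block list is the practical problem the last bullet leaves open. The script below is an added example, not code from the original article: it reads an Apache access log in the default "combined" format, reports the clients with the highest burst of requests in any single second (the per-IP rate check that .htaccess itself cannot perform), lists the busiest user agents, and renders the result as an Apache 2.4 `Require not ip` block. The log lines are constructed sample data, and the IP addresses, user agents and the threshold of 5 requests per second are illustrative choices, not values from the article.

```shell
#!/bin/sh
# Added example: find burst clients in an Apache "combined" access log and
# render an .htaccess block list. Not part of the original article.

# Constructed sample log (not real traffic). One ordinary visitor, one SEO bot,
# and one client that POSTs to xmlrpc.php twelve times within a single second.
SAMPLE_LOG=$(
  printf '%s\n' \
    '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"' \
    '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0 (X11; Linux x86_64)"' \
    '203.0.113.5 - - [10/Oct/2024:13:55:37 +0000] "GET /about/ HTTP/1.1" 200 4410 "-" "Mozilla/5.0 (X11; Linux x86_64)"' \
    '192.0.2.9 - - [10/Oct/2024:13:55:39 +0000] "GET /robots.txt HTTP/1.1" 200 66 "-" "MJ12bot/v1.4.8"'
  i=0
  while [ "$i" -lt 12 ]; do
    printf '%s\n' '198.51.100.7 - - [10/Oct/2024:13:55:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"'
    i=$((i + 1))
  done
)

# burst_ips MAX: read a combined-format log on stdin and print "PEAK IP" for
# every client whose busiest single second had more than MAX requests.
# Field 1 is the client address; field 4 is "[10/Oct/2024:13:55:36", i.e. the
# timestamp to one-second resolution once the leading "[" is dropped.
# Behind a CDN or reverse proxy field 1 is the proxy's address: log the real
# client (mod_remoteip, or %{X-Forwarded-For}i in LogFormat) before using this.
burst_ips() {
  awk -v max="$1" '
    {
      second = substr($4, 2)
      key = $1 SUBSEP second
      n[key]++
      if (n[key] > peak[$1]) peak[$1] = n[key]
    }
    END { for (ip in peak) if (peak[ip] > max) print peak[ip], ip }
  ' | sort -rn
}

# top_agents: print "COUNT USER-AGENT", busiest first. Splitting on the double
# quote makes the User-Agent the sixth field of a combined-format line.
top_agents() {
  awk -F'"' '{ ua[$6]++ } END { for (u in ua) print ua[u], u }' | sort -rn
}

# deny_block MAX: render the burst clients as an Apache 2.4 access-control
# block ready to paste into .htaccess (Apache 2.2 would use "Deny from IP").
deny_block() {
  printf '<RequireAll>\n    Require all granted\n'
  burst_ips "$1" | while read -r _peak ip; do
    printf '    Require not ip %s\n' "$ip"
  done
  printf '</RequireAll>\n'
}

# Usage on a real server:  burst_ips 10 < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | burst_ips 5
printf '%s\n' "$SAMPLE_LOG" | top_agents
printf '%s\n' "$SAMPLE_LOG" | deny_block 5
```

The burst check is deliberately stricter than a plain request count: a crawler that fetches 5,000 pages spread over a day is not the problem, while a client that hits xmlrpc.php a dozen times in one second is, and only the per-second peak tells the two apart.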

Step 3: Save and Test the Configuration

  1. Save your .htaccess file and close the editor.
  2. Load a few pages of your site to make sure it still works. A "500 Internal Server Error" on every page means Apache rejected a directive in .htaccess; the offending line is reported in the server's error log.
  3. If you encounter issues, revert the changes by removing the code and saving the file again.
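Loading the site in a browser only proves that it still works; it does not prove that the rules fire. The script below is an added example, not part of the original article: it probes a site with curl and checks that a normal page still returns 200, that a listed bad-bot User-Agent and xmlrpc.php get 403 (for OPTIONS as well as GET, because rules wrapped in `<Limit GET POST>` would miss other methods), and that an oversized POST gets 413. The base URL is given on the command line; the 200 KB body size, the probe paths and the MJ12bot User-Agent string are assumptions to adjust for your site.

```shell
#!/bin/sh
# Added example: verify the .htaccess rules from outside with curl.
# Not part of the original article. Usage: sh verify.sh https://example.com

# http_code URL [curl options...]: print only the HTTP status code of a request.
# "000" means no HTTP response at all (connection refused, timeout, or the
# server closed the connection early, which Apache may do on an oversized body).
http_code() {
  url=$1
  shift
  curl -s -o /dev/null --max-time 15 -w '%{http_code}' "$@" "$url"
}

# check NAME EXPECTED ACTUAL: report one probe; exit status 0 on a match.
check() {
  if [ "$3" = "$2" ]; then
    printf 'PASS %s: got %s\n' "$1" "$3"
    return 0
  fi
  printf 'FAIL %s: expected %s, got %s\n' "$1" "$2" "$3"
  return 1
}

# verify_site BASE_URL: run every probe and return the number of failures.
verify_site() {
  base=${1%/}
  failures=0

  # 1. A normal page must still load (a 500 here usually means a syntax error
  #    in .htaccess; the Apache error log names the line).
  check "normal page" 200 "$(http_code "$base/")" || failures=$((failures + 1))

  # 2. A User-Agent on the bad-bot list must be refused.
  check "bad bot UA" 403 "$(http_code "$base/" -A 'MJ12bot/v1.4.8')" || failures=$((failures + 1))

  # 3. xmlrpc.php must be refused for GET and for other methods too.
  check "xmlrpc GET" 403 "$(http_code "$base/xmlrpc.php")" || failures=$((failures + 1))
  check "xmlrpc OPTIONS" 403 "$(http_code "$base/xmlrpc.php" -X OPTIONS)" || failures=$((failures + 1))

  # 4. A 200 KB POST body exceeds the 100 KB limit and must get 413. The body
  #    is streamed from stdin (@-) because it is too large for a command-line
  #    argument.
  check "oversized POST" 413 \
    "$(head -c 204800 /dev/zero | tr '\000' 'a' | http_code "$base/" --data-binary @-)" \
    || failures=$((failures + 1))

  return "$failures"
}

if [ -n "$1" ]; then
  verify_site "$1"
  exit $?
fi
```

Run it from a machine outside your own network so the probes arrive at the address your visitors use. If the site sits behind a CDN, the 403 and 413 you see may come from the CDN's own rules rather than from .htaccess; probe the origin address directly to check the Apache rules themselves.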

Final Note

These rules are applied per request, after Apache has already accepted the connection and parsed the request, so they can refuse abusive clients and bots and keep them away from PHP and the database, but they cannot absorb a volumetric DDoS: the flood still reaches and occupies the web server. For real DDoS protection, put a service that filters traffic before it reaches your server in front of the site, such as a CDN or WAF with DDoS mitigation like Cloudflare, and restrict direct access to the origin so attackers cannot bypass it.

By adding these configurations, you're taking a useful first step against abusive clients and malicious bots; treat them as a complement to upstream protection, not a replacement for it.
