Cyber Security

Block Vulnerability Scanners with .htaccess

TL;DR

Protect your shared hosting account from automated vulnerability scanners by blocking their user agents in your .htaccess file. This guide shows you how.

Blocking Vulnerability Scanners with .htaccess

  1. Understand the Risk: Automated scanners try to find weaknesses on websites. While not all are malicious, they can overload your server and potentially identify real vulnerabilities that attackers could exploit.
  2. Locate Your .htaccess File: This file is usually in your website’s root directory (e.g., public_html or www). If you can’t find it, create a new text file and name it .htaccess. Make sure your FTP client shows hidden files (usually an option in the settings).
  3. Edit Your .htaccess File: Open the .htaccess file with a plain text editor (like Notepad on Windows or TextEdit on Mac – avoid word processors!). Add the following code to block common scanner user agents. The pattern is wrapped in double quotes because some of the names contain spaces; without the quotes Apache would read the text after the first space as directive flags and fail to load the file.
RewriteEngine On
# Block specific scanners (quoted because some names contain spaces)
RewriteCond %{HTTP_USER_AGENT} "(Nikto|DirBuster|OWASP ZAP|sqlmap|Burp Suite|Acunetix|Nessus|OpenVAS)" [NC]
RewriteRule .* - [F,L]

Explanation:

  • RewriteEngine On: Enables the rewrite engine.
  • RewriteCond %{HTTP_USER_AGENT} "(Nikto|DirBuster|OWASP ZAP|sqlmap|Burp Suite|Acunetix|Nessus|OpenVAS)" [NC]: This line checks whether the User-Agent header contains any of the listed scanner names (a substring match, so Nikto/2.1.6 matches Nikto). [NC] means ‘no case’ – it ignores uppercase/lowercase differences. The double quotes keep names with spaces, such as OWASP ZAP, inside the pattern.
  • RewriteRule .* - [F,L]: If the condition matched, this rule blocks the request with a 403 (F = Forbidden) and stops processing further rules (L = Last).
  4. Add More Scanners: You can add more scanner user agents to the list within the parentheses, separated by pipes (|). Research common scanners to keep your blocklist up to date. For example:
    RewriteCond %{HTTP_USER_AGENT} "(Nikto|DirBuster|OWASP ZAP|sqlmap|Burp Suite|Acunetix|Nessus|OpenVAS|HTTrack Website Copier)" [NC]
  5. Save the File: Save your changes to the .htaccess file.
  6. Test Your Block: Use a tool like WhatIsMyUserAgent to simulate one of the blocked user agents and confirm you get a ‘403 Forbidden’ error when trying to access your website.
  7. Monitor Your Logs: Regularly check your server logs for any suspicious activity, even after implementing these blocks. Shared hosting providers usually offer log access through their control panel (cPanel, Plesk, etc.).

Important Considerations

  • False Positives: Be careful not to block legitimate tools or search engine crawlers. If you accidentally block something important, your website might not be indexed properly by Google.
  • Shared Hosting Limitations: Some shared hosting providers may restrict the use of .htaccess files or certain rewrite rules. Check their documentation for any limitations.
  • IP Blocking (Advanced): For persistent scanners, consider blocking their IP addresses in your .htaccess file as well. However, be aware that IPs can change.
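The steps above rely on two checks you can do before and after deploying the rule: confirming that the pattern does not match the crawlers you want to keep, and reading the access log to see that scanner user agents really receive a 403. The following script is an added example (not code from the original guide); it re-implements the RewriteCond match in Python with the same pattern and [NC] semantics, runs it against a list of legitimate crawler agents, and audits constructed Apache combined-format log lines (documentation IP ranges, not a real log).

```python
import re

# Same alternation as the RewriteCond above; re.IGNORECASE mirrors the [NC] flag.
SCANNER_PATTERN = re.compile(
    r"(Nikto|DirBuster|OWASP ZAP|sqlmap|Burp Suite|Acunetix|Nessus|OpenVAS)", re.IGNORECASE)

# Apache "combined" log format; the User-Agent is the last quoted field.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$')

# Crawlers you do not want to lose; run the pattern against them before deploying.
LEGIT_AGENTS = [
    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)",
]

def would_block(user_agent, pattern=SCANNER_PATTERN):
    """True if the RewriteCond would match this User-Agent (substring, case-insensitive)."""
    return pattern.search(user_agent) is not None

def false_positives(pattern, agents=LEGIT_AGENTS):
    """Legitimate agents the candidate pattern would block; should be an empty list."""
    return [a for a in agents if would_block(a, pattern)]

def audit_log(lines):
    """Count scanner requests and list those that were not answered with 403."""
    summary = {"scanner_hits": 0, "scanner_blocked": 0, "scanner_not_blocked": [], "other_hits": 0}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # line is in another log format; skip it
        if not would_block(m["agent"]):
            summary["other_hits"] += 1
        elif m["status"] == "403":
            summary["scanner_hits"] += 1
            summary["scanner_blocked"] += 1
        else:
            summary["scanner_hits"] += 1
            summary["scanner_not_blocked"].append((m["ip"], m["agent"], m["status"]))
    return summary

# Constructed sample lines (documentation IP ranges), not a real access log.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jan/2024:12:00:01 +0000] "GET / HTTP/1.1" 403 199 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"',
    '203.0.113.10 - - [10/Jan/2024:12:00:02 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "sqlmap/1.7"',
    '198.51.100.7 - - [10/Jan/2024:12:00:03 +0000] "GET /robots.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.44 - - [10/Jan/2024:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"',
    '203.0.113.11 - - [10/Jan/2024:12:00:05 +0000] "GET /login/ HTTP/1.1" 200 1200 "-" "owasp zap/2.14"',
]
```

A non-empty scanner_not_blocked list after deployment usually means the host is ignoring .htaccess or mod_rewrite is disabled (see Shared Hosting Limitations above); a non-empty false_positives result means the pattern is too broad, which is exactly what happens if you add a bare word like "bot" to it.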