Block access to sensitive Drupal files and directories such as update.php and install.php

Azz-eddine BERRAMOU 26 January, 2023

The install.php and update.php files of a Drupal site pose a real security risk if they stay reachable after the initial setup. They are needed while installing and updating Drupal, but they expose privileged operations (running the installer, applying database updates) that have no business being reachable from the public web once the site is live. Drupal does guard them at the application level (the installer refuses to run on an installed site, and update.php requires the right permission or the update_free_access setting), but a web-server rule keeps them out of reach even if that application-level protection is misconfigured.

To address this, we restrict access to these files at the web-server level: a rule in either the Apache virtual host configuration or the site's .htaccess file makes Apache refuse requests for them before Drupal is ever invoked.

To restrict access to install.php or update.php in Drupal, you have two options:

  1. Add this directive to your Apache virtual host configuration. The dot is escaped so the pattern matches a literal ".php", and the pattern is deliberately not anchored with "$": that way /core/install.php (where Drupal 8+ keeps the installer) and PATH_INFO forms such as /update.php/selection (which Drupal 8+ uses during an update) are blocked as well:
    RedirectMatch 403 "/(install|update)\.php"
  2. Or add these lines to your .htaccess file. They only take effect if the directory's AllowOverride setting permits these directives (AllowOverride All is the simplest). Drupal core already ships a FilesMatch block under this same comment; the version below extends it with, among other entries, install.php, update.php and cron.php. FilesMatch is matched against the basename of the file Apache resolves, so /core/install.php is covered too. Note that on Drupal 7 blocking cron.php also disables cron triggered through cron.php?cron_key=..., so run cron from the command line (drush cron) instead.
    # Protect files and directories from prying eyes.
    <FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|cron\.php|install\.php|update\.php|^(CHANGELOG|COPYRIGHT|INSTALL.*|LICENSE|MAINTAINERS|README|UPDATE).txt$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
      # Apache 2.4 (mod_authz_core) syntax. On Apache 2.2, or on 2.4 with mod_access_compat loaded, use "Order deny,allow" followed by "Deny from all" instead.
      Require all denied
    </FilesMatch>


That's it: the listed files are no longer reachable, and a request for /install.php or /update.php now returns a 403 response. Keep in mind that with update.php blocked, database updates after a core or module upgrade have to be run from the command line with drush updatedb.
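As an added check that is not part of the original post or of Drupal, the script below takes the RedirectMatch and FilesMatch patterns from the two options above and reports which of a set of constructed request paths each rule would reject, so the rules can be sanity-checked before deployment. It emulates the one Apache detail that matters here: RedirectMatch is tested against the full URL path, while FilesMatch is tested against the basename of the script Apache resolves, with anything after the first .php segment treated as PATH_INFO (a simplification of Apache's path walk, assumed for this example). A "$"-anchored variant of the RedirectMatch pattern is included only to show what the anchor would let through. All sample paths are constructed for the example.

```python
"""Dry run of the post's Apache rules against sample request paths.

Added example, not code from the post or from Drupal. Python's re module
handles these patterns the same way Apache's PCRE does.
"""
import re

# RedirectMatch pattern from option 1 (dot escaped, no "$" anchor).
REDIRECTMATCH = re.compile(r"/(install|update)\.php")
# Same pattern anchored at the end, kept only to show what "$" would miss.
REDIRECTMATCH_ANCHORED = re.compile(r"/(install|update)\.php$")
# FilesMatch pattern copied verbatim from option 2 (split for readability).
FILESMATCH = re.compile(
    r"\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)"
    r"(~|\.sw[op]|\.bak|\.orig|\.save)?$"
    r"|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$"
    r"|cron\.php|install\.php|update\.php"
    r"|^(CHANGELOG|COPYRIGHT|INSTALL.*|LICENSE|MAINTAINERS|README|UPDATE).txt$"
    r"|^#.*#$"
    r"|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$"
)


def resolve_script(url_path: str) -> str:
    """Return the basename Apache would test a <FilesMatch> pattern against.

    Assumed simplification of Apache's path walk: the first path segment
    ending in .php is the script, everything after it is PATH_INFO
    (e.g. /update.php/selection -> update.php). Without a .php segment the
    last segment is the file.
    """
    segments = [s for s in url_path.split("/") if s]
    for seg in segments:
        if seg.endswith(".php"):
            return seg
    return segments[-1] if segments else ""


def blocked_by(url_path: str) -> dict:
    """Which rule would answer 403 for this request path."""
    script = resolve_script(url_path)
    return {
        # RedirectMatch sees the whole URL path.
        "RedirectMatch": bool(REDIRECTMATCH.search(url_path)),
        "RedirectMatch$": bool(REDIRECTMATCH_ANCHORED.search(url_path)),
        # FilesMatch sees only the basename of the resolved file.
        "FilesMatch": bool(FILESMATCH.search(script)),
    }


# Constructed request paths: the two files from the post, their Drupal 8+
# locations and PATH_INFO form, and a few that show the extra coverage of
# the FilesMatch rule and its one gap (directory names).
SAMPLE_PATHS = [
    "/install.php",
    "/update.php",
    "/core/install.php",
    "/update.php/selection",
    "/index.php",
    "/sites/default/settings.php.bak",
    "/core/modules/node/node.install",
    "/.git/config",
]


def report(paths=SAMPLE_PATHS) -> dict:
    """Map each sample path to the verdict of every rule."""
    return {p: blocked_by(p) for p in paths}


if __name__ == "__main__":
    for path, verdict in report().items():
        hits = ", ".join(name for name, hit in verdict.items() if hit)
        print(f"{path:36} {hits or 'NOT BLOCKED'}")
```

Two rows are worth reading closely. /update.php/selection is caught by the unanchored RedirectMatch and by FilesMatch, but not by the "$"-anchored variant, which is why the pattern in option 1 is left unanchored. /.git/config is not caught by FilesMatch at all, because FilesMatch tests file names, not directory names; Drupal core's own .htaccess blocks hidden directories with a separate RewriteRule, so keep that rule in place rather than relying on the FilesMatch block alone. Once deployed, confirm on the real server with curl -I against the same paths and expect a 403 for every row the dry run marks as blocked.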