Why bother doing this?

If somebody is trying to access a file or a folder on your server the least they know the better.
Once the attacker finds out that some files are there and potentially accessible they could start guessing file names to see if you have forgotten some interesting files like passwords for ftp, social media accounts etc.

The how

Add these lines in your .htaccess in the document root folder. If the file doesn't exist create it.

ErrorDocument 403 /error/404.php
ErrorDocument 404 /error/404.php

In the folders that you'd like to protect (e.g. docs/, /includes/, marketing/) so they are not accessible via browser create a new .htaccess file with content:

deny from all

Note: Assuming that you're running Apache web server.

In document root (where your site is) create a folder /error/ and then put create /error/404.php file
We need php to correct the status code (if necessary) because the apache server will return the error page but if we don't override the status code the header will still show as 403 status code.

// Do not let any attacker know that they have just been denied access.
// This code requires php 5.4 or newer.

if ( function_exists( 'http_response_code') && http_response_code() != 404 ) {

@http_response_code( 404 );


echo "Page Not Found.";




This is a pretty basic protection. It should be one of many that you use to protect your sites.
Always keep the software you use up-to-date in order to reduce the risk.
Whenever possible use a managed hosting. The admins know how to protect a server because that's what they do all they long.



  • http://stackoverflow.com/questions/6479198/denying-via-404-instead-of-403
  • http://stackoverflow.com/questions/3258634/php-how-to-send-http-response-code
  • http://php.net/manual/en/function.http-response-code.php
  • http://stackoverflow.com/questions/548156/problem-redirecting-403-forbidden-to-404-not-found


Other possible titles of this post:

  • How to force apache to return 404 instead of 403?
  • How to Redirect 403 Forbidden to 404 Not Found
  • Denying via 404 instead of 403
  • How to Deny Access (Status 403) via Page Not Found (Status 404) Error
  • Showing HTTP/1.1 404 Not Found instead of HTTP/1.1 403 Forbidden
  • HTTP/1.1 403 Forbidden to HTTP/1.1 404 Not Found