Drupal Dilatant: How to Get Drupal NOT to Protect a Folder

Drupal by default protects the all folders from web access. This is for security purposes.

No one, for example, can go to your /files/images/ folder and access all your images. They get your default Drupal template with a 404 page-not-found error.

However, sometimes you do want the world access certain folders. For example, you might want a client to access a /drafts/ folder in which you’re displaying proposed template mock-ups.

On an Apache server, here’s how to get Drupal to leave that folder alone and expose it to the web user:

In your Drupal .htaccess file (it’s in the root of your Drupal installation), place the following code:

<IfModule mod_rewrite.c>
RewriteEngine on
#
# stuff to let through (ignore)
RewriteCond %{REQUEST_URI} “/NAME_OF_TARGET_DIRECTORY/” [OR]
# RewriteCond %{REQUEST_URI} “/folder2/”
#
 </IfModule>

If there is more than one folder, just uncomment the second RewriteCond line and add more as needed, with an [OR] at the end of each line.

Drupal already has this line in its htaccess:

<IfModule mod_rewrite.c>
RewriteEngine on

and it has </IfModule> at the end.

Just find it and put it the above the code inside the top and bottom comment characters (#). No need to re-tell Apache to “RewriteEngine on” and open and close mod_rewrite tags.