The same as all other files: 0644. Anything else doesn't make sense: it won't stop a hacker with write access to your filesystem but it will frustrate you.
The notion of using 04xx is misguided. 0644 means that only the owner user, i.e. the same user you use for FTP/SFTP, can write to the file. I would argue that if an attacker has full, unfettered access to the one user account that has write access to your entire site your problems are far greater than your site being redirected to a different location because of a rogue and simple to detect .htaccess.
Like, if I was that hacker I'd probably add an innocuously named user plugin on your site which emails me the username, email and password of anyone logging into your site. Then I could try these credentials on other sites such as Amazon, eBay etc for profit. Or I could do the simple, lame and profitable thing of using your site as a spam hub, botnet node etc. I would certainly NOT modify your .htaccess to do something patently obvious to even the laziest site admin. But maybe that's just me :)
Moreover, if that hacker has full and unfettered access to that user account which owns the file they can, of course, override the 0400 permissions. It just requires two steps: step one, change permissions to 0644 (since the user owns the file they can change the permissions); step two, write to the file.
Whatever you read on the Internet, exercise critical thinking. Think about what are the effects of the suggestion you read. Think about what kind of possible attack would that effect mitigate. Think about the unintended consequences of the suggestion. For example, changing the permissions of .htaccess doesn't protect against any class of attack since it requires an attacker with write access to arbitrary files. Meanwhile, you'll have to use FTP or your site's control panel whenever you want to make a change to the site. This opens you to a whole different class of man in the middle attacks and also increases the risk that a wrong copy-paste will bring your site down. Weight the pros and cons and decide for yourself which risk is more acceptable, the one of action or the one of inaction. It's your decision, I can only help you to make it an informed one :)
Nicholas K. Dionysopoulos
Lead Developer and Director
π¬π·Greek: native π¬π§English: excellent π«π·French: basic β’ π My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
