Htaccess examples (security)

From Joomla! Documentation

Revision as of 16:25, 13 March 2011 by G1smd (talk | contribs) ($1 not required.)

Credit for part of this .htaccess file goes to Ronald van den Heetkamp

For this to work you need mod_rewrite ON: 

 # mod_rewrite in use
 RewriteEngine On

Rewrite rules to block out some common exploits[edit]

 ########## Begin - Rewrite rules to block out some common exploits
 ## If you experience problems on your site block out the operations listed below
 ## This attempts to block the most common type of exploit `attempts` to Joomla!
 ## Block out any script trying to set a mosConfig value through the URL
 RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
 # Block out any script trying to base64_encode data within the URL
 RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
 # Block out any script that includes a <script> tag in URL
 RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
 # Block out any script trying to set a PHP GLOBALS variable via URL
 RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
 # Block out any script trying to modify a _REQUEST variable via URL
 RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
 # Send all blocked request to homepage with 403 Forbidden error!
 RewriteRule .* index.php [F]
 ########### End - Rewrite rules to block out some common exploits

Block bad user agents[edit]

 ########## Block bad user agents
 ## The following list may include bots that no longer exist or are not a problem
 ## for your site. The list will always be incomplete and it is therefore wise to
 ## follow discussions on one of the many "security" mailing lists or on a forum
 ## such as http://www.webmasterworld.com/search_engine_spiders/
 ## It is also unwise to rely on this list as your ONLY security mechanism.
 RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
 RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
 RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
 RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
 RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
 RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
 RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
 RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
 RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
 RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
 RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
 RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
 RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
 RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
 RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
 RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
 RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
 RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
 RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
 RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
 RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
 RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
 RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
 RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
 RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
 RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
 RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
 RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
 RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
 RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
 RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
 RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
 RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
 RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
 RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
 RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
 RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
 RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Zeus
 RewriteRule .* - [F]

Other useful settings[edit]

 ServerSignature Off
 RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
 RewriteCond %{THE_REQUEST} (\\r|\\n|%0A|%0D) [NC,OR]

 RewriteCond %{HTTP_REFERER} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
 RewriteCond %{HTTP_COOKIE} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
 RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|”>|”<|/|\\\.\.\\).{0,9999} [NC,OR]

 RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
 RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget) [NC,OR]
 RewriteCond %{HTTP_USER_AGENT} (winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
 RewriteCond %{HTTP_USER_AGENT} (libwww-perl|curl|wget|python|nikto|scan) [NC,OR]
 RewriteCond %{HTTP_USER_AGENT} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
 
 #Block mySQL injects
 RewriteCond %{QUERY_STRING} (;|<|>|’|”|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark) [NC,OR]

 RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
 RewriteCond %{QUERY_STRING} \.[a-z0-9] [NC,OR]
 RewriteCond %{QUERY_STRING} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC]

NOTE: Rewrite conditions need to be followed by a rewrite rule, such as: 

# Return 403 Forbidden header and show the content of the root homepage.
RewriteRule .* index.php [F]


Suggested Master htaccess file[edit]

This can be discussed in this topic

Warning: note the hashed areas. Incorrect settings on some servers may cause 500 page errors 

###############################################################################
## The Master .htaccess
##
## Version 2.4 (proposed) - March 8th, 2011
##
## ----------
## This file is designed to be the template .htaccess file to put on your new
## sites, increasing your site's security and performance. It is not meant to
## be just dropped in your site, though. You should go through all of its
## sections and modify it to match your site. Most notably, all instances of
## example.com and example\.com should be replaced with your real domain name.
##
## Some sections are too picky and may cause problems with legitimate requests.
## You are ultimately responsible for disabling them or writing exception rules
## for your requests. Most notably, the advanced server protection section will
## cause issues with several minifiers, eXtplorer, VirtueMart and other exten-
## sions which use non-standard scripts as their entry points. You must add
## exceptions for them manually.
##
## Some sections - depending on your server configuration - may cause your site
## to throw 500 Internal Server Error. The only way to figure out which one is
## causing it is trial and error.
##
## Big thank you's to Brian Teeman, Ken Crowder, Radek Suski and Fotis
## Evangelou for sharing their .htaccess rules with the world and inspiring
## the creation of this file. Special thanks to Jon Brown for sharing his
## research and helping me improve this file.
##
## ----------------------------------------------------------------------
## Do you want to customize this .htaccess file with a few clicks?
## Admin Tools Professional by AkeebaBackup.com does this and much more.
##
## Learn more: http://www.akeebabackup.com/software/admin-tools.html
## ----------------------------------------------------------------------
##
## Have fun, stay safe.
##
## Nicholas K. Dionysopoulos
## Lead Developer, AkeebaBackup.com
##
## CHANGELOG:
## Version 2.4 (proposed) (March 8th, 2011)
## - Dozens of speed optimisations and many logic and syntax corrections.
## Version 2.3 (November 18th, 2010)
## - Added .ico to the pass-through rules, for favicons to load
## Version 2.2 (October 25th, 2010)
## - Bug in the tmpl=component rule
## Version 2.1 (October 19th, 2010)
## - index.php to root redirection would kill some AJAX requests
## - Referer filtering was screwed up
## - Simplified and more thorough PHP Easter Egg code (thanks Jon!)
## - The tp/template/tmpl filter was not thorough and killed some components
## - Optimized Joomla! core SEF section
## - Bot filters and GZip optimization would never run for dynamic content
## - Content expiration optimization got more optimized
## - Added ETag rule
##
###############################################################################

########## Begin - RewriteEngine enabled
RewriteEngine On
########## End - RewriteEngine enabled

########## Begin - RewriteBase
# Uncomment following line if your webserver's URL
# is not directly related to physical file paths.
# Update Your Joomla! Directory (just / for root)

# RewriteBase /
########## End - RewriteBase

########## Begin - File execution order, by Komra.de
DirectoryIndex index.php index.html
########## End - File execution order

########## Begin - No directory listings
## Note: +FollowSymlinks may cause problems and you might have to remove it
IndexIgnore *
Options +FollowSymLinks All -Indexes
########## End - No directory listings

########## Begin - ETag Optimization
## This rule will create an ETag for files based only on the modification
## timestamp and their size. This works wonders if you are using rsync'ed
## servers, where the inode number of identical files differs.
## Note: It may cause problems on your server and you may need to remove it
FileETag MTime Size
########## End - ETag Optimization

########## Begin - Optimal default expiration time
## Note: this might cause problems and you might have to comment it out by
## placing a hash in front of this section's lines
<IfModule mod_expires.c>
   # Enable expiration control
   ExpiresActive On

   # Default expiration: 1 hour after request
   ExpiresDefault "now plus 1 hour"

   # CSS and JS expiration: 1 week after request
   ExpiresByType text/css "now plus 1 week"
   ExpiresByType application/javascript "now plus 1 week"
   ExpiresByType application/x-javascript "now plus 1 week"

   # Image files expiration: 1 month after request
   ExpiresByType image/bmp "now plus 1 month"
   ExpiresByType image/gif "now plus 1 month"
   ExpiresByType image/jpeg "now plus 1 month"
   ExpiresByType image/jp2 "now plus 1 month"
   ExpiresByType image/pipeg "now plus 1 month"
   ExpiresByType image/png "now plus 1 month"
   ExpiresByType image/svg+xml "now plus 1 month"
   ExpiresByType image/tiff "now plus 1 month"
   ExpiresByType image/vnd.microsoft.icon "now plus 1 month"
   ExpiresByType image/x-icon "now plus 1 month"
   ExpiresByType image/ico "now plus 1 month"
   ExpiresByType image/icon "now plus 1 month"
   ExpiresByType text/ico "now plus 1 month"
   ExpiresByType application/ico "now plus 1 month"
   ExpiresByType image/vnd.wap.wbmp "now plus 1 month"
   ExpiresByType application/vnd.wap.wbxml "now plus 1 month"
   ExpiresByType application/smil "now plus 1 month"

   # Audio files expiration: 1 month after request
   ExpiresByType audio/basic "now plus 1 month"
   ExpiresByType audio/mid "now plus 1 month"
   ExpiresByType audio/midi "now plus 1 month"
   ExpiresByType audio/mpeg "now plus 1 month"
   ExpiresByType audio/x-aiff "now plus 1 month"
   ExpiresByType audio/x-mpegurl "now plus 1 month"
   ExpiresByType audio/x-pn-realaudio "now plus 1 month"
   ExpiresByType audio/x-wav "now plus 1 month"

   # Movie files expiration: 1 month after request
   ExpiresByType application/x-shockwave-flash "now plus 1 month"
   ExpiresByType x-world/x-vrml "now plus 1 month"
   ExpiresByType video/x-msvideo "now plus 1 month"
   ExpiresByType video/mpeg "now plus 1 month"
   ExpiresByType video/mp4 "now plus 1 month"
   ExpiresByType video/quicktime "now plus 1 month"
   ExpiresByType video/x-la-asf "now plus 1 month"
   ExpiresByType video/x-ms-asf "now plus 1 month"
</IfModule>
########## End - Optimal expiration time

########## Begin - Common hacking tools and bandwidth hoggers block
## By SigSiu.net and @nikosdion.
## WARNING: This will also block old versions of JoomlaPack Remote
## and will disallow running CRON jobs using wget.
# The following rules are for common hacking tools:
SetEnvIf user-agent "Indy Library" stayout=1
SetEnvIf user-agent "libwww-perl" stayout=1
SetEnvIf user-agent "Wget" stayout=1
# The following rules are for bandwidth-hogging download tools
SetEnvIf user-agent "Download Demon" stayout=1
SetEnvIf user-agent "GetRight" stayout=1
SetEnvIf user-agent "GetWeb!" stayout=1
SetEnvIf user-agent "Go!Zilla" stayout=1
SetEnvIf user-agent "Go-Ahead-Got-It" stayout=1
SetEnvIf user-agent "GrabNet" stayout=1
SetEnvIf user-agent "TurnitinBot" stayout=1
# This line denies access to all of the above tools
deny from env=stayout
########## End - Common hacking tools and bandwidth higgers block

########## Begin - Automatic compression of resources
# Compress text, html, javascript, css, xml, kudos to Komra.de
# May kill access to your site for old versions of Internet Explorer
AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript
########## End - Automatic compression of resources

########## Begin - Google Apps redirection, by Komra.de
RewriteRule ^mail http://mail.google.com/a/example.com [R=301,L]
########## End - Google Apps redirection

########## Begin - Redirect index.html~htm to / for root and /path/ for folders
## Note: Change example.com to reflect your own domain name
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /([^/]+/)*index\.html?\ HTTP/
RewriteRule ^(([^/]+/)*)index\.html?$ http://www.example.com/$1 [R=301,L]
########## End - Redirect index.html~htm to / for root and /path/ for folders 

########## Begin - Redirect index.php to / for root only
## Note: Change example.com to reflect your own domain name
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteRule ^index\.php$ http://www.example.com/ [R=301,L]
########## End - Redirect index.php to / for root only

########## Begin - Redirect non-www to www
## Note: Change www.example.com to reflect your own domain name
RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$
RewriteRule (.*) http://www.example.com/$1 [R=301,L]
########## End - Redirect non-www to www

########## Begin - Redirect www to non-www
## WARNING: Comment out the non-www to www rule if you choose to use this
#RewriteCond %{HTTP_HOST} !^(example\.com)?$
#RewriteRule (.*) http://example.com/$1 [R=301,L]
########## End - Redirect non-www to www

########## Begin - Redirect olddomain.com to www.example.com
## Note: olddomain.com is your old domain name, you want to redirect FROM,
## whereas www.example.com is the new domain name you want to redirect TO.
## Change those names to reflect your current configuration. Remember, this
## small part of the file is supposed to be placed in olddomain.com!
RewriteCond %{HTTP_HOST} ^(www\.)?olddomain\.com [NC]
RewriteRule ^(([^/]+/)*)index\.(php|html?) http://www.example.com/$1 [R=301,L]
RewriteCond %{HTTP_HOST} ^(www\.)?olddomain\.com [NC]
RewriteRule (.*) http://www.example.com/$1 [R=301,L]
########## End - Redirect olddomain.com to www.example.com

########## Begin - Force HTTPS for certain pages
# Force the page foobar.html to run in HTTPS mode, no matter what Joomla! says.
# This line is required for this rule to work properly
RewriteCond %{HTTPS} ^off$ [NC]
# This is a sample redirection for foobar.html. Do note that you have to change
# www.example.com to reflect your own domain. Remember to escape the dots using
# \. in the left hand side of each rule.
RewriteRule ^foobar\.html$ https://www.example.com/foobar.html [R=301,L]
# Add mode rules below this line
########## End - Force HTTPS for certain pages

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# If the request contains /proc/self/environ (by SigSiu.net)
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
# Legacy configuration variable injection
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode or base_decode stuff to send via URL
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return a 403 Forbidden
RewriteRule .* index.php [F]
#
########## End - Rewrite rules to block out some common exploits

########## Begin - File injection protection, by SigSiu.net
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-z0-9_]=http:// [NC]
RewriteRule .* - [F]
########## End - File injection protection

########## Begin - Advanced server protection rules exceptions ####
##
## These are sample exceptions to the Advanced Server Protection 2.0
## rule set further down this file.
##
## Allow UddeIM CAPTCHA
RewriteRule ^components/com_uddeim/captcha15\.php$ - [L]
## Allow Phil Taylor's Turbo Gears
RewriteRule ^plugins/system/GoogleGears/gears-manifest\.php - [L]
## Allow JoomlaWorks AllVideos
RewriteRule ^plugins/content/jw_allvideos/includes/jw_allvideos_scripts\.php - [L]
## Allow Admin Tools Joomla! updater to run
RewriteRule ^administrator/components/com_admintools/restore\.php - [L]
## Allow Akeeba Backup Professional's integrated restoration script to run
RewriteRule ^administrator/components/com_akeeba/restore\.php - [L]

# Add more rules to single PHP files here

## Allow Agora attachments, but not PHP files in that directory!
RewriteCond %{REQUEST_FILENAME} !(\.php)$
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^components/com_agora/img/members/ - [L]

# Add more rules for allowing full access (except PHP files) on more directories here

## Uncomment to allow full access to the cache directory (strongly not recommended!)
#RewriteRule ^cache/ - [L]
## Uncomment to allow full access to the tmp directory (strongly not recommended!)
#RewriteRule ^tmp/ - [L]

# Add more full access rules here

########## End - Advanced server protection rules exceptions ####

########## Begin - Advanced server protection
# Advanced server protection, version 2.0 - August 2010
# by Nicholas K. Dionysopoulos

## Referrer filtering for common media files. Replace with your own domain.
## This blocks most common fingerprinting attacks ;)
## Note: Change www\.example\.com with your own domain name, substituting
## the dots with \.  i.e. use www\.example\.com for www.example.com
RewriteRule ^images/stories/([^.]+)\.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|ico|html?) - [L]
RewriteCond %{HTTP_REFERER} !^http://www\.example\.com [NC]
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule \.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|ico|html?)$ - [F]

## Disallow visual fingerprinting of Joomla! sites (module position dump)
## Initial idea by Brian Teeman and Ken Crowder, see:
## http://www.slideshare.net/brianteeman/hidden-joomla-secrets
## Improved by @nikosdion to work more efficiently and handle template
## and tmpl query parameters
RewriteCond %{QUERY_STRING} (^|&)tmpl=component [NC]
RewriteRule .* - [L]
RewriteCond %{QUERY_STRING} (^|&)tp= [NC,OR]
RewriteCond %{QUERY_STRING} (^|&)template= [NC,OR]
RewriteCond %{QUERY_STRING} (^|&)tmpl= [NC]
RewriteRule .* - [F]

## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine
## your PHP version). See http://www.0php.com/php_easter_egg.php and
## http://osvdb.org/12184 for more information
RewriteCond %{QUERY_STRING} =PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
RewriteRule .* - [F]

## Back-end protection
## This also blocks fingerprinting attacks browsing for XML and INI files
RewriteRule ^administrator/?$ administrator/index.php [L]
RewriteRule ^administrator/index\.(php|html?)$ - [L]
RewriteRule ^administrator/index[23]\.php$ - [L]
RewriteRule ^administrator/(components|modules|templates|images|plugins)/([^.]+)\.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|html?)$ - [L]
RewriteRule ^administrator/ - [F]

## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ directory
RewriteRule ^xmlrpc/index\.php$ - [L]
RewriteRule ^xmlrpc/ - [F]

## Disallow front-end access for certain Joomla! system directories
RewriteRule ^includes/js/ - [L]
RewriteRule ^(cache|includes|language|libraries|logs|tmp)/ - [F]

## Allow limited access for certain Joomla! system directories with client-accessible content
RewriteRule ^(components|modules|plugins|templates)/([^.]+)\.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|ico|html?)$ - [L]
RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*index\.php - [L]
RewriteRule ^templates/([^.]+)\.php$ - [L]
RewriteRule ^(components|modules|plugins|templates)/ - [F]

## Disallow access to htaccess.txt, configuration.php, configuration.php-dist and php.ini
RewriteRule ^(htaccess\.txt|configuration\.php(-dist)?|php\.ini)$ - [F]

## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @
## http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html
## May cause problems on legitimate requests
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC]
RewriteRule .* - [F]

########## End - Advanced server protection

########## Begin - Basic antispam Filter, by SigSiu.net
## I removed some common words, tweak to your liking
RewriteCond %{QUERY_STRING} \bviagra\b [NC,OR]
RewriteCond %{QUERY_STRING} \bambien\b [NC,OR]
RewriteCond %{QUERY_STRING} \bblue\spill\b [NC,OR]
RewriteCond %{QUERY_STRING} \bcialis\b [NC,OR]
RewriteCond %{QUERY_STRING} \bcocaine\b [NC,OR]
RewriteCond %{QUERY_STRING} \bejaculation\b [NC,OR]
RewriteCond %{QUERY_STRING} \berectile\b [NC,OR]
RewriteCond %{QUERY_STRING} \berections\b [NC,OR]
RewriteCond %{QUERY_STRING} \bhoodia\b [NC,OR]
RewriteCond %{QUERY_STRING} \bhuronriveracres\b [NC,OR]
RewriteCond %{QUERY_STRING} \bimpotence\b [NC,OR]
RewriteCond %{QUERY_STRING} \blevitra\b [NC,OR]
RewriteCond %{QUERY_STRING} \blibido\b [NC,OR]
RewriteCond %{QUERY_STRING} \blipitor\b [NC,OR]
RewriteCond %{QUERY_STRING} \bphentermin\b [NC,OR]
RewriteCond %{QUERY_STRING} \bprosac\b [NC,OR]
RewriteCond %{QUERY_STRING} \bsandyauer\b [NC,OR]
RewriteCond %{QUERY_STRING} \btramadol\b [NC,OR]
RewriteCond %{QUERY_STRING} \btroyhamby\b [NC,OR]
RewriteCond %{QUERY_STRING} \bultram\b [NC,OR]
RewriteCond %{QUERY_STRING} \bunicauca\b [NC,OR]
RewriteCond %{QUERY_STRING} \bvalium\b [NC,OR]
RewriteCond %{QUERY_STRING} \bviagra\b [NC,OR]
RewriteCond %{QUERY_STRING} \bvicodin\b [NC,OR]
RewriteCond %{QUERY_STRING} \bxanax\b [NC,OR]
RewriteCond %{QUERY_STRING} \bypxaieo\b [NC]
RewriteRule .* - [F]
########## End - Basic antispam Filter, by SigSiu.net

########## Begin - Joomla! core SEF Section
#
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteCond %{REQUEST_URI} !^/index\.php
RewriteCond %{REQUEST_URI} (/[^.]*|\.(php|html?|feed|pdf|raw|ini|zip|json))$ [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php [L]
#
########## End - Joomla! core SEF Section

External links[edit]

.htaccess tag archive @ perishablepress.com

proposed "master htaccess" (updated by Nicholas on November 18th 2010) DO read the intro by Nichols!

Retrieved from "https://docs.joomla.org/index.php?title=Htaccess_examples_(security)&oldid=37980"