Htaccess examples (security)


Revision as of 06:49, 6 March 2011 by G1smd (talk | contribs) (Leading ^.* pattern matches whole string to very end, then forces thousands of back off and retry "trial match" attempts. Edit. RegEx now parsed once left to right looking for first character match.)

Credit for part of this .htaccess file goes to Ronald van den Heetkamp

For this to work you need mod_rewrite ON:

 #  mod_rewrite in use
 #  Every RewriteCond/RewriteRule below is ignored unless the engine is switched on
 #  here; in .htaccess this also requires AllowOverride FileInfo on the server side.
 RewriteEngine On

Rewrite rules to block out some common exploits

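 ########## Begin - Rewrite rules to block out some common exploits
 ## If you experience problems on your site block out the operations listed below
 ## This attempts to block the most common types of exploit attempt against Joomla!
 ## Note: %{QUERY_STRING} is matched as the client sent it (not URL-decoded), which
 ## is why each pattern lists both the raw and the %-encoded form of a character.
 ## Block out any script trying to set a mosConfig value through the URL
 ## (%3[Dd] also catches a lowercase-hex encoded "=", which %3D alone did not)
 RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3[Dd]) [OR]
 # Block out any script trying to base64_encode data within the URL
 # ([NC] added: PHP function names are case-insensitive, so the match must be too)
 RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [NC,OR]
 # Block out any script that includes a <script> tag in URL
 RewriteCond %{QUERY_STRING} (\<|%3C)([^s]*s)+cript.*(\>|%3E) [NC,OR]
 # Block out any script trying to set a PHP GLOBALS variable via URL
 RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
 # Block out any script trying to modify a _REQUEST variable via URL
 RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
 # Answer every request matching the chain above with 403 Forbidden. Under [F]
 # the substitution (index.php) is never applied, so nothing is sent to the homepage.
 RewriteRule .* index.php [F]
 ########### End - Rewrite rules to block out some common exploits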

Block bad user agents

 ########## Block bad user agents
 ## One [OR]-chain of regexes on the User-Agent header; the final RewriteRule
 ## answers 403 Forbidden. Matches are case-sensitive except where [NC] is given.
 ## The header is supplied by the client, so this only turns away tools that
 ## identify themselves honestly - treat it as bandwidth control, not a security boundary.
 ## The last condition (Zeus) deliberately carries no [OR]: it closes the chain.
 RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
 RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
 RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
 RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
 RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
 RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
 RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
 RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
 RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
 RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
 RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
 RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
 RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
 RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
 ## Substring match anywhere in the header (no ^ anchor), case-insensitive
 RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
 RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
 ## Substring match anywhere in the header (no ^ anchor), case-insensitive
 RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
 RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
 RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
 RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
 RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
 RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
 RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
 RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
 RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
 RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
 RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
 RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
 RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
 RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
 RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
 RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
 RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
 RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
 RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
 RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
 RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
 RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Zeus
 ## "-" means no substitution; [F] returns 403 and implies [L]
 RewriteRule .* - [F]

Other useful settings

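 ## Keep the Apache version out of error pages and directory listings
 ServerSignature Off
 ## The RewriteCond lines below form one [OR]-chain; they have no effect until a
 ## RewriteRule follows them (see the note after this listing).
 ## Refusing HEAD also refuses legitimate link checkers and health checks;
 ## TRACE is better switched off server-wide with "TraceEnable Off".
 RewriteCond %{REQUEST_METHOD}  ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
 ## NOTE(review): whether "\\r" is meant to match a raw CR byte or the two
 ## characters backslash + r depends on how the config tokenizer handles "\\" - confirm.
 RewriteCond %{THE_REQUEST}     (\\r|\\n|%0A|%0D) [NC,OR]

 ## Quote characters: these patterns use the ASCII apostrophe (') and double
 ## quote (") that %27 / %22 encode. The typographic quotes (U+2019 / U+201D)
 ## that had crept into this listing never match the bytes a client sends and
 ## silently disabled those alternatives.
 RewriteCond %{HTTP_REFERER}    (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
 RewriteCond %{HTTP_COOKIE}     (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
 ## Also refuses paths beginning with a double slash; the trailing .{0,9999} is redundant
 RewriteCond %{REQUEST_URI}     ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999} [NC,OR]

 ## An empty User-Agent and generic HTTP libraries are refused. This also
 ## blocks your own curl/wget cron jobs and monitoring - add exceptions first.
 RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
 RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget) [NC,OR]
 RewriteCond %{HTTP_USER_AGENT} (winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
 RewriteCond %{HTTP_USER_AGENT} (libwww-perl|curl|wget|python|nikto|scan) [NC,OR]
 RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]

 #Block mySQL injects
 ## The keywords are matched as plain substrings: "set", "select" and "update"
 ## also hit "offset", "reset" or "dataset" whenever the query string contains
 ## one of the leading punctuation characters. Expect false positives.
 RewriteCond %{QUERY_STRING}    (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]

 RewriteCond %{QUERY_STRING}    (localhost|loopback|127\.0\.0\.1).* [NC,OR]
 ## Very broad: refuses any query string containing a dot followed by a letter
 ## or digit (e.g. ?file=report.pdf or ?v=1.5). Remove if that breaks your site.
 RewriteCond %{QUERY_STRING}    \.[A-Za-z0-9] [NC,OR]
 ## Last condition of the chain - no [OR]
 RewriteCond %{QUERY_STRING}    (<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]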

NOTE: A chain of RewriteCond lines applies only to the RewriteRule that immediately follows it, so the conditions above have no effect until they are followed by a rule, such as:

# Answer every request matching the preceding condition chain with 403 Forbidden.
# Under [F] the substitution (index.php) is ignored and [L] is implied, so the
# request is not sent to the homepage - the client only sees the 403.
RewriteRule .* index.php [F]


Suggested Master htaccess file

This can be discussed in this topic

Warning: note the hashed (commented-out) areas. Incorrect settings on some servers may cause 500 errors.

###############################################################################
## The Master .htaccess
##
## Version 2.2 - November 18th, 2010
##
## ----------
## This file is designed to be the template .htaccess file to put on your new
## sites, increasing your site's security and performance. It is not meant to
## be just dropped in your site, though. You should go through all of its
## sections and modify it to match your site. Most notably, all instances of
## domain.com and domain\.com should be replaced with your real domain name.
##
## Some sections are too picky and may cause problems with legitimate requests.
## You are ultimately responsible for disabling them or writing exception rules
## for your requests. Most notably, the advanced server protection section will
## cause issues with several minifiers, eXtplorer, VirtueMart and other exten-
## sions which use non-standard scripts as their entry points. You must add
## exceptions for them manually.
##
## Some sections - depending on your server configuration - may cause your site
## to throw 500 Internal Server Error. The only way to figure out which one is
## causing it is trial and error.
##
## Big thank you's to Brian Teeman, Ken Crowder, Radek Suski and Fotis
## Evangelou for sharing their .htaccess rules with the world and inspiring
## the creation of this file. Special thanks to Jon Brown for sharing his
## research and helping me improve this file.
##
## ----------------------------------------------------------------------
## Do you want to customize this .htaccess file with a few clicks?
## Admin Tools Professional by AkeebaBackup.com does this and much more.
##
## Learn more: http://www.akeebabackup.com/software/admin-tools.html
## ----------------------------------------------------------------------
##
## Have fun, stay safe.
##
## Nicholas K. Dionysopoulos
## Lead Developer, AkeebaBackup.com
##
## CHANGELOG:
## Version 2.3 (November 18th, 2010)
## - Added .ico to the pass-through rules, for favicons to load
## Version 2.2 (October 25th, 2010)
## - Bug in the tmpl=component rule
## Version 2.1 (October 19th, 2010)
## - index.php to root redirection would kill some AJAX requests
## - Referer filtering was screwed up
## - Simplified and more thorough PHP Easter Egg code (thanks Jon!)
## - The tp/template/tmpl filter was not thorough and killed some components
## - Optimized Joomla! core SEF section
## - Bot filters and GZip optimization would never run for dynamic content
## - Content expiration optimization got more optimized
## - Added ETag rule
##
###############################################################################

########## Begin - RewriteEngine enabled
## Required by every RewriteCond/RewriteRule in this file. In .htaccess this
## needs AllowOverride FileInfo and FollowSymLinks (or SymLinksIfOwnerMatch).
RewriteEngine On
########## End - RewriteEngine enabled

########## Begin - RewriteBase
#  Uncomment following line if your webserver's URL
#  is not directly related to physical file paths.
#  Update Your Joomla! Directory (just / for root)

# RewriteBase /
########## End - RewriteBase

########## Begin - File execution order, by Komra.de
## Tried in this order when a directory is requested: index.php wins over index.html
DirectoryIndex index.php index.html
########## End - File execution order

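########## Begin - No directory listings
## Note: +FollowSymlinks may cause problems and you might have to remove it
## (mod_rewrite in .htaccess does need FollowSymLinks or SymLinksIfOwnerMatch).
## Hides every entry should a listing still be generated somewhere
IndexIgnore *
## Only relative (+/-) forms are used here: Apache treats a mix of "+Option"
## with a bare keyword such as "All" as invalid syntax, which is one source of
## the 500 errors mentioned at the top of this file. The former "All" also
## switched on ExecCGI and Includes (server-side includes), neither of which
## Joomla! needs, so they are deliberately left off; add them explicitly if
## something on your site relied on them.
## If the server's AllowOverride does not include "Options", this directive
## itself makes the whole .htaccess fail with a 500 - remove it in that case.
Options +FollowSymLinks -Indexes
########## End - No directory listings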

########## Begin - ETag Optimization
## This rule will create an ETag for files based only on the modification
## timestamp and their size. This works wonders if you are using rsync'ed
## servers, where the inode number of identical files differs.
## Leaving INode out also keeps the file's inode number out of response headers.
## Note: It may cause problems on your server and you may need to remove it
FileETag MTime Size
########## End - ETag Optimization

########## Begin - Optimal default expiration time
## Note: this might cause problems and you might have to comment it out by
## placing a hash in front of this section's lines
## The <IfModule> guard means the block is skipped, not fatal, when mod_expires
## is absent. mod_expires adds Expires/Cache-Control only where the response
## does not already carry them, so pages for which PHP sets its own caching
## headers are unaffected; anything else not listed below (text/html included)
## gets the 1-hour default.
<IfModule mod_expires.c>
   # Enable expiration control
   ExpiresActive On

   # Default expiration: 1 hour after request
   ExpiresDefault "now plus 1 hour"
   
   # CSS and JS expiration: 1 week after request
   ExpiresByType text/css "now plus 1 week"
   ExpiresByType application/javascript "now plus 1 week"
   ExpiresByType application/x-javascript "now plus 1 week"
   
   # Image files expiration: 1 year after request
   ExpiresByType image/bmp "now plus 1 year"
   ExpiresByType image/gif "now plus 1 year"
   ExpiresByType image/jpeg "now plus 1 year"
   ExpiresByType image/jp2 "now plus 1 year"
   ExpiresByType image/pipeg "now plus 1 year"
   ExpiresByType image/png "now plus 1 year"
   ExpiresByType image/svg+xml "now plus 1 year"
   ExpiresByType image/tiff "now plus 1 year"
   ExpiresByType image/vnd.microsoft.icon "now plus 1 year"
   ExpiresByType image/x-icon "now plus 1 year"
   ExpiresByType image/ico "now plus 1 year"
   ExpiresByType image/icon "now plus 1 year"
   ExpiresByType text/ico "now plus 1 year"
   ExpiresByType application/ico "now plus 1 year"
   ExpiresByType image/vnd.wap.wbmp "now plus 1 year"
   ExpiresByType application/vnd.wap.wbxml "now plus 1 year"
   ExpiresByType application/smil "now plus 1 year"
   
   # Audio files expiration: 1 year after request
   ExpiresByType audio/basic "now plus 1 year"
   ExpiresByType audio/mid "now plus 1 year"
   ExpiresByType audio/midi "now plus 1 year"
   ExpiresByType audio/mpeg "now plus 1 year"
   ExpiresByType audio/x-aiff "now plus 1 year"
   ExpiresByType audio/x-mpegurl "now plus 1 year"
   ExpiresByType audio/x-pn-realaudio "now plus 1 year"
   ExpiresByType audio/x-wav "now plus 1 year"
   
   # Movie files expiration: 1 year after request
   ExpiresByType application/x-shockwave-flash "now plus 1 year"
   ExpiresByType x-world/x-vrml "now plus 1 year"
   ExpiresByType video/x-msvideo "now plus 1 year"
   ExpiresByType video/mpeg "now plus 1 year"
   ExpiresByType video/mp4 "now plus 1 year"
   ExpiresByType video/quicktime "now plus 1 year"
   ExpiresByType video/x-la-asf "now plus 1 year"
   ExpiresByType video/x-ms-asf "now plus 1 year"
</IfModule>
########## End - Optimal expiration time

########## Begin - Common hacking tools and bandwidth hoggers block
## By SigSiu.net and @nikosdion.
## WARNING: This will also block old versions of JoomlaPack Remote
## and will disallow running CRON jobs using wget.
## SetEnvIf matches its regex case-sensitively ("wget" in lower case is not
## caught); SetEnvIfNoCase is the case-insensitive variant. The User-Agent is
## client-supplied, so this is deterrence rather than a security boundary.
# The following rules are for common hacking tools:
SetEnvIf user-agent "Indy Library" stayout=1
SetEnvIf user-agent "libwww-perl" stayout=1
SetEnvIf user-agent "Wget" stayout=1
# The following rules are for bandwidth-hogging download tools
SetEnvIf user-agent "Download Demon" stayout=1
SetEnvIf user-agent "GetRight" stayout=1
SetEnvIf user-agent "GetWeb!" stayout=1
SetEnvIf user-agent "Go!Zilla" stayout=1
SetEnvIf user-agent "Go-Ahead-Got-It" stayout=1
SetEnvIf user-agent "GrabNet" stayout=1
SetEnvIf user-agent "TurnitinBot" stayout=1
# This line denies access to all of the above tools
## "deny from" is the Apache 2.2 access-control syntax (needs mod_access_compat
## on 2.4); the native 2.4 form is
##   <RequireAll> Require all granted / Require not env stayout </RequireAll>
deny from env=stayout
########## End - Common hacking tools and bandwidth hoggers block

########## Begin - Automatic compression of resources
# Compress text, html, javascript, css, xml, kudos to Komra.de
# May kill access to your site for old versions of Internet Explorer
# Needs mod_deflate; wrap in <IfModule mod_deflate.c> if the module may be
# missing, otherwise the unknown directive turns into a 500 error.
# Compressing dynamic HTML that mixes per-user secrets (e.g. form tokens) with
# content the visitor can influence is the setting in which compression
# side-channel attacks apply; limiting DEFLATE to static types (css, js, xml)
# sidesteps that at the cost of uncompressed pages.
AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript
########## End - Automatic compression of resources

########## Begin - Google Apps redirection, by Komra.de
## Remove or adapt if you do not use Google Apps mail. The pattern is anchored
## only at the start, so any path beginning with "mail" (e.g. mail-archive/)
## is redirected too; "^mail/?$" would restrict it to /mail itself.
## domain.com is a placeholder - replace it with your own domain.
RewriteRule ^mail http://mail.google.com/a/domain.com [R=301,L]
########## End - Google Apps redirection

########## Begin - Redirect index.php to /
## Note: Change domain.com to reflect your own domain
## THE_REQUEST (the raw request line) is checked so that only requests which
## literally asked for index.php are redirected, not requests the SEF section
## further down rewrites to index.php internally.
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /([^/]+/)*index\.php\ HTTP/
RewriteRule ^(([^/]+/)*)index\.php$ http://www.domain.com/$1 [R=301,L]
########## End - Redirect index.php to /

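########## Begin - Redirect non-www to www
## Note: Change domain.com to reflect your own domain. The placeholder is now
## the same domain.com used everywhere else in this file, so the replace-all
## instruction in the header covers this section too.
## The trailing "?" lets a request without a Host header (HTTP/1.0) through untouched.
RewriteCond %{HTTP_HOST} !^(www\.domain\.com)?$
RewriteRule (.*) http://www.domain.com/$1 [R=301,L]
########## End - Redirect non-www to www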

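########## Begin - Redirect www to non-www
## WARNING: Comment out the non-www to www rule if you choose to use this
## Note: Change domain.com to reflect your own domain (same placeholder as the
## rest of this file, so the header's replace-all instruction covers it).
#RewriteCond %{HTTP_HOST} !^(domain\.com)?$
#RewriteRule (.*) http://domain.com/$1 [R=301,L]
########## End - Redirect www to non-www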

########## Begin - Redirect olddomain.com to www.domain.com
## Note: olddomain.com is your old domain name, you want to redirect FROM,
## whereas www.domain.com is the new domain name you want to redirect TO.
## Change those names to reflect your current configuration. Remember, this
## small part of the file is supposed to be placed in olddomain.com!
## First pair: strip a trailing index.php/index.html while changing domain;
## second pair: redirect everything else. A RewriteCond only applies to the
## rule directly below it, which is why the host check is written twice.
RewriteCond %{HTTP_HOST} ^(www\.)?olddomain\.com [NC]
RewriteRule ^(([^/]+/)*)index\.(php|html?) http://www.domain.com/$1 [R=301,L]
RewriteCond %{HTTP_HOST} ^(www\.)?olddomain\.com [NC]
RewriteRule (.*) http://www.domain.com/$1 [R=301,L]
########## End - Redirect olddomain.com to www.domain.com

########## Begin - Force HTTPS for certain pages
# Force the page foobar.html to run in HTTPS mode, no matter what Joomla! says.
# This line is required for this rule to work properly
# NOTE(review): %{HTTPS} describes the connection to Apache itself; behind a
# TLS-terminating proxy or load balancer it stays "off" and this would redirect
# in a loop - confirm the deployment before enabling.
RewriteCond %{HTTPS} ^off$ [NC]
# This is a sample redirection for foobar.html. Do note that you have to change
# www.domain.com to reflect your own domain. Remember to escape the dots using
# \. in the left hand side of each rule.
RewriteRule ^foobar\.html$ https://www.domain.com/foobar.html [R=301,L]
# Add more rules below this line (each one needs its own RewriteCond %{HTTPS} line)
########## End - Force HTTPS for certain pages

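########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common types of exploit attempt against Joomla!
## Note: %{QUERY_STRING} is matched as the client sent it (not URL-decoded), which
## is why each pattern lists both the raw and the %-encoded form of a character.
#
# If the request contains /proc/self/environ (by SigSiu.net)
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
# Legacy configuration variable injection
# (%3[Dd] also catches a lowercase-hex encoded "=", which %3D alone did not)
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3[Dd]) [OR]
# Block out any script trying to base64_encode or base64_decode stuff to send via URL
# ([NC] added: PHP function names are case-insensitive, so the match must be too)
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C)([^s]*s)+cript.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return a 403 Forbidden (the index.php substitution is ignored under [F])
RewriteRule .* index.php [F]
#
########## End - Rewrite rules to block out some common exploits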

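########## Begin - File injection protection, by SigSiu.net
## Refuses GET requests whose query string passes a remote URL as a parameter
## value, the shape of a remote-file-inclusion attempt.
## Changed from the original: "https?" also covers https URLs and [NC] covers
## upper-case schemes such as "HTTP://", which previously slipped through.
## Caveat: legitimate parameters that carry a URL (e.g. a return URL after
## login) are refused as well - add an exception above this block if needed.
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]\=https?:// [NC]
RewriteRule .* - [F]
########## End - File injection protection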

########## Begin - Advanced server protection rules exceptions ####
##
## These are sample exceptions to the Advanced Server Protection 2.0
## rule set further down this file.
## Each "RewriteRule ^(path)$ $1 [L]" rewrites the request to itself and stops
## rule processing, so the deny rules further down never see it. This section
## only works because it sits ABOVE the protection section - keep that order.
##
## Allow UddeIM CAPTCHA
RewriteRule ^(components/com_uddeim/captcha15\.php)$ $1 [L]
## Allow Phil Taylor's Turbo Gears
## (the next four patterns have no trailing "$", unlike the one above; a "$"
## would limit each exception to exactly that script name)
RewriteRule ^(plugins/system/GoogleGears/gears-manifest\.php) $1 [L]
## Allow JoomlaWorks AllVideos
RewriteRule ^(plugins/content/jw_allvideos/includes/jw_allvideos_scripts\.php) $1 [L]
## Allow Admin Tools Joomla! updater to run
RewriteRule ^(administrator/components/com_admintools/restore\.php) $1 [L]
## Allow Akeeba Backup Professional's integrated restoration script to run
RewriteRule ^(administrator/components/com_akeeba/restore\.php) $1 [L]

# Add more rules to single PHP files here

## Allow Agora attachments, but not PHP files in that directory!
## Only the ".php" extension is excluded here; if the server also hands other
## extensions to PHP (e.g. .phtml), extend the pattern accordingly.
RewriteCond %{REQUEST_FILENAME} !(\.php)$
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^(components/com_agora/img/members/.*) $1 [L]

# Add more rules for allowing full access (except PHP files) on more directories here

## Uncomment to allow full access to the cache directory (strongly not recommended!)
#RewriteRule ^(cache/.*)$ $1 [L]
## Uncomment to allow full access to the tmp directory (strongly not recommended!)
#RewriteRule ^(tmp/.*)$ $1 [L]

# Add more full access rules here

########## End - Advanced server protection rules exceptions ####

########## Begin - Advanced server protection
# Advanced server protection, version 2.0 - August 2010
# by Nicholas K. Dionysopoulos
## How to read this section: "RewriteRule ^(...)$ $1 [L]" is an allow-list
## entry (rewrite to itself and stop), "RewriteRule ... - [F]" is a deny.
## Order matters - an allow entry must precede the deny that would catch it.

## Referrer filtering for common media files. Replace with your own domain.
## This blocks most common fingerprinting attacks ;)
## Note: Change www\.domain\.com with your own domain name, substituting the dots with
## \., i.e.: www\.example\.com for www.example.com
## NOTE(review): this pass-through substitutes $2 (the file name without path
## and extension) instead of $1 (the whole matched path) as every other allow
## entry in this file does; confirm this is intended - $1 looks like what was meant.
RewriteRule ^(images/stories/([^.]+)\.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|ico|html?))$ $2 [L]
## Any referer not starting with http://www.domain.com is refused for existing
## media files. That includes an empty Referer (direct requests, privacy-mode
## browsers) and an https:// referer from your own site once it runs over TLS.
RewriteCond %{HTTP_REFERER} !^http://www\.domain\.com [NC]
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule \.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|ico|html?)$ - [F]

## Disallow visual fingerprinting of Joomla! sites (module position dump)
## Initial idea by Brian Teeman and Ken Crowder, see:
## http://www.slideshare.net/brianteeman/hidden-joomla-secrets
## Improved by @nikosdion to work more efficiently and handle template
## and tmpl query parameters
## tmpl=component is let through first (the changelog records that components
## broke without this); tp=, template= and any other tmpl= value are refused.
RewriteCond %{QUERY_STRING} (^|&)tmpl=component [NC]
RewriteRule (.*) $1 [L]
RewriteCond %{QUERY_STRING} (^|&)tp= [NC,OR]
RewriteCond %{QUERY_STRING} (^|&)template= [NC,OR]
RewriteCond %{QUERY_STRING} (^|&)tmpl= [NC]
RewriteRule .* - [F]

## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine
## your PHP version). See http://www.0php.com/php_easter_egg.php and
## http://osvdb.org/12184 for more information
## (expose_php=Off in php.ini switches the easter eggs off at the source; this
## rule is the fallback for hosts where php.ini cannot be changed.)
RewriteCond %{QUERY_STRING} =PHP[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12} [NC]
RewriteRule .* - [F]

## Back-end protection
## This also blocks fingerprinting attacks browsing for XML and INI files
## Allow-list: the directory itself, its index files and static assets under the
## listed sub-directories; everything else below administrator/ is refused.
## The exceptions section above must stay above this block, otherwise the
## restore.php entries would be caught by the final deny here.
RewriteRule ^(administrator[/]?)$ administrator/index.php [L]
RewriteRule ^(administrator/index.html?)$ $1 [L]
RewriteRule ^(administrator/index.php)$ $1 [L]
RewriteRule ^(administrator/index[23].php)$ $1 [L]
RewriteRule ^(administrator/(components|modules|templates|images|plugins)/([^.]+)\.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|htm[l]?))$ $1 [L]
RewriteRule ^administrator/.* - [F]

## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ directory
RewriteRule ^(xmlrpc/index\.php)$ $1 [L]
RewriteRule ^xmlrpc/.* - [F]

## Disallow front-end access for certain Joomla! system directories
RewriteRule ^(includes/js/.*)$ $1 [L]
RewriteRule ^(cache|includes|language|libraries|logs|tmp)/.*$ - [F]

## Allow limited access for certain Joomla! system directories with client-accessible content
RewriteRule ^((components|modules|plugins|templates)/([^.]+)\.(jpe[g2]?|jpg|png|gif|bmp|css|js|swf|ico|htm[l]?))$ $1 [L]
## NOTE(review): $2 here is only the first path segment (e.g. "components"),
## not the full index.php path captured in $1 - confirm this rewrite is intended.
RewriteRule ^((components|modules|plugins|templates)/([^/]+/)*index\.php(.*))$ $2 [L]
## Any .php below templates/ (at any depth, as long as the path has no other dot) stays reachable
RewriteRule ^(templates/([^.]+)\.php)$ $1 [L]
RewriteRule ^(components|modules|plugins|templates)/.* - [F]

## Disallow access to htaccess.txt and configuration.php-dist
RewriteRule ^(htaccess\.txt|configuration\.php-dist)$ - [F]

## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @
## http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html
## May cause problems on legitimate requests
## This only inspects the raw query string, so treat it as noise reduction on
## top of parameterised queries in the application, not as the defence itself.
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect.* [NC]
RewriteRule .* - [F]

########## End - Advanced server protection

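########## Begin - Basic antispam Filter, by SigSiu.net
## I removed some common words, tweak to your liking
## Whole-word (\b), case-insensitive matches on the query string only; POST
## bodies are not inspected. The duplicate "viagra" entry has been dropped -
## it was listed twice and changed nothing. Keep the last line without [OR].
RewriteCond %{QUERY_STRING} \bviagra\b [NC,OR]
RewriteCond %{QUERY_STRING} \bambien\b [NC,OR]
RewriteCond %{QUERY_STRING} \bblue\spill\b [NC,OR]
RewriteCond %{QUERY_STRING} \bcialis\b [NC,OR]
RewriteCond %{QUERY_STRING} \bcocaine\b [NC,OR]
RewriteCond %{QUERY_STRING} \bejaculation\b [NC,OR]
RewriteCond %{QUERY_STRING} \berectile\b [NC,OR]
RewriteCond %{QUERY_STRING} \berections\b [NC,OR]
RewriteCond %{QUERY_STRING} \bhoodia\b [NC,OR]
RewriteCond %{QUERY_STRING} \bhuronriveracres\b [NC,OR]
RewriteCond %{QUERY_STRING} \bimpotence\b [NC,OR]
RewriteCond %{QUERY_STRING} \blevitra\b [NC,OR]
RewriteCond %{QUERY_STRING} \blibido\b [NC,OR]
RewriteCond %{QUERY_STRING} \blipitor\b [NC,OR]
RewriteCond %{QUERY_STRING} \bphentermin\b [NC,OR]
RewriteCond %{QUERY_STRING} \bprosac\b [NC,OR]
RewriteCond %{QUERY_STRING} \bsandyauer\b [NC,OR]
RewriteCond %{QUERY_STRING} \btramadol\b [NC,OR]
RewriteCond %{QUERY_STRING} \btroyhamby\b [NC,OR]
RewriteCond %{QUERY_STRING} \bultram\b [NC,OR]
RewriteCond %{QUERY_STRING} \bunicauca\b [NC,OR]
RewriteCond %{QUERY_STRING} \bvalium\b [NC,OR]
RewriteCond %{QUERY_STRING} \bvicodin\b [NC,OR]
RewriteCond %{QUERY_STRING} \bxanax\b [NC,OR]
RewriteCond %{QUERY_STRING} \bypxaieo\b [NC]
RewriteRule .* - [F]
########## End - Basic antispam Filter, by SigSiu.net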

########## Begin - Joomla! core SEF Section
#
## Expose the Authorization header to PHP as HTTP_AUTHORIZATION (typically
## needed when PHP runs as CGI/FastCGI, where the header is otherwise not passed on)
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
## Route to index.php everything that is not already index.php, not an existing
## file or directory, and either has no extension or one of the listed ones.
## Keep this section last: it must run only after all the deny rules above.
RewriteCond %{REQUEST_URI} !^/index.php
RewriteCond %{REQUEST_URI} (/[^.]*|\.(php|html?|feed|pdf|raw|ini|zip|json))$ [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php [L]
#
########## End - Joomla! core SEF Section

External links

.htaccess tag archive @ perishablepress.com

proposed "master htaccess" (updated by Nicholas on November 18th 2010) - DO read the intro by Nicholas!