The Ultimate .htaccess file - ultimate security for your joomla site
-
-
- Christos DiCos
- Sr. Rocketeer
- Posts: 120
- Thanks: 2
-
I must have seen at least 4,000 threads about the .htaccess file over at joomla.org on their forum.
So I created this thread, this thread isn't for any questions, it so we can compile code to create the ultimate most secure .htacces file for a joomla site.
So if you have any code or suggestions just post them or pm me and I will add them to the ulitmate .htaccess file so everyone can download and use it on their site.
=============================================================================#
MAIN SETTINGS AND OPTIONS
=============================================================================#
Options: ALL,FollowSymLinks,Includes,IncludesNOEXEC,SymLinksIfOwnerMatch
##########
## MAIN DEFAULTS ###
Options +ExecCGI -Indexes
DirectoryIndex index.html index.htm index.php
DefaultLanguage en-US
AddDefaultCharset UTF-8
ServerSignature Off
## ENVIRONMENT VARIABLES ###
SetEnv PHPRC /webroot/includes
SetEnv TZ America/Indianapolis
SetEnv SERVER_ADMIN This email address is being protected from spambots. You need JavaScript enabled to view it.
## MIME TYPES ###
AddType video/x-flv .flv
AddType application/x-shockwave-flash .swf
AddType image/x-icon .ico
## FORCE FILE TO DOWNLOAD INSTEAD OF APPEAR IN BROWSER ###
-> www.htaccesselite.com/htaccess/addtype-a...dler-action-vf6.html
AddType application/octet-stream .mov .mp3 .zip
## ERRORDOCUMENTS ###
-> askapache.com/htaccess/apache-status-cod...s-errordocument.html
======== 1xx
ErrorDocument 100 /error-100/
ErrorDocument 101 /error-101/
ErrorDocument 102 /error-102/
======== 2xx
ErrorDocument 200 /error-200/
ErrorDocument 201 /error-201/
ErrorDocument 202 /error-202/
ErrorDocument 203 /error-203/
ErrorDocument 204 /error-204/
ErrorDocument 205 /error-205/
ErrorDocument 206 /error-206/
ErrorDocument 207 /error-207/
======== 4xx
ErrorDocument 400 /error-400/
ErrorDocument 401 /error-401/
ErrorDocument 402 /error-402/
ErrorDocument 403 /error-403/
ErrorDocument 404 /error-404/
ErrorDocument 405 /error-405/
ErrorDocument 406 /error-406/
ErrorDocument 407 /error-407/
ErrorDocument 408 /error-408/
ErrorDocument 409 /error-409/
ErrorDocument 410 /error-410/
ErrorDocument 411 /error-411/
ErrorDocument 412 /error-412/
ErrorDocument 413 /error-413/
ErrorDocument 414 /error-414/
ErrorDocument 415 /error-415/
ErrorDocument 416 /error-416/
ErrorDocument 417 /error-417/
ErrorDocument 418 /error-418/
ErrorDocument 419 /error-419/
ErrorDocument 420 /error-420/
ErrorDocument 421 /error-421/
ErrorDocument 422 /error-422/
ErrorDocument 423 /error-423/
ErrorDocument 424 /error-424/
ErrorDocument 425 /error-425/
ErrorDocument 426 /error-426/
======== 5xx
ErrorDocument 500 /error-500/
ErrorDocument 501 /error-501/
ErrorDocument 502 /error-502/
ErrorDocument 503 /error-503/
ErrorDocument 504 /error-504/
ErrorDocument 505 /error-505/
ErrorDocument 506 /error-506/
ErrorDocument 507 /error-507/
ErrorDocument 508 /error-508/
ErrorDocument 509 /error-509/
ErrorDocument 510 /error-510/
AddLanguage aa .aa # Afar
AddLanguage ab .ab # Abkhazian
AddLanguage af .af # Afrikaans
AddLanguage am .am # Amharic
AddLanguage ar .ar # Arabic
AddLanguage as .as # Assamese
AddLanguage ay .ay # Aymara
AddLanguage az .az # Azerbaijani
AddLanguage ba .ba # Bashkir
AddLanguage be .be # Byelorussian
AddLanguage bg .bg # Bulgarian
AddLanguage bh .bh # Bihari
AddLanguage bi .bi # Bislama
AddLanguage bn .bn # Bengali; Bangla
AddLanguage bo .bo # Tibetan
AddLanguage br .br # Breton
AddLanguage ca .ca # Catalan
AddLanguage co .co # Corsican
AddLanguage cs .cs # Czech
AddLanguage cy .cy # Welsh
AddLanguage da .da # Danish
AddLanguage de .de # German
AddLanguage dz .dz # Bhutani
AddLanguage el .el # Greek
AddLanguage en .en # English
AddLanguage eo .eo # Esperanto
AddLanguage es .es # Spanish
AddLanguage et .et # Estonian
AddLanguage eu .eu # Basque
AddLanguage fa .fa # Persian
AddLanguage fi .fi # Finnish
AddLanguage fj .fj # Fiji
AddLanguage fo .fo # Faeroese
AddLanguage fr .fr # French
AddLanguage fy .fy # Frisian
AddLanguage ga .ga # Irish
AddLanguage gd .gd # Scots Gaelic
AddLanguage gl .gl # Galician
AddLanguage gn .gn # Guamni
AddLanguage gu .gu # Gujarati
AddLanguage ha .ha # Hausa
AddLanguage he .he # Hebrew
AddLanguage hi .hi # Hindi
AddLanguage hr .hr # Croatian
AddLanguage hu .hu # Hungarian
AddLanguage hy .hy # Armenian
AddLanguage ia .ia # Interlingua
AddLanguage id .id # Indonesian
AddLanguage ie .ie # lnteriingue
AddLanguage ik .ik # Knupiak
AddLanguage is .is # Icelandic
AddLanguage it .it # Italian
AddLanguage iu .iu # Inuktitut (Eskimo)
AddLanguage ja .ja # Japanese
AddLanguage jw .jw # Javanese
AddLanguage ka .ka # Georgian
AddLanguage kk .kk # Kazakh
AddLanguage kl .kl # Greaenlandic
AddLanguage km .km # Cambodian
AddLanguage kn .kn # Kannada
AddLanguage ko .ko # Korean
AddLanguage ks .ks # Kashmiri
AddLanguage ku .ku # Kurdish
AddLanguage ky .ky # Kirghiz
AddLanguage la .la # Latin
AddLanguage ln .ln # Lingala
AddLanguage lo .lo # Laothian
AddLanguage lt .lt # Lithuainnian
AddLanguage lv .lv # Latvian, Lettish
AddLanguage mg .mg # Malagasy
AddLanguage mi .mi # Maori
AddLanguage mk .mk # Macedonian
AddLanguage ml .ml # Malayalam
AddLanguage mn .mn # Mongolian
AddLanguage mo .mo # Moldavian
AddLanguage mr .mr # Marathi
AddLanguage ms .ms # Malay
AddLanguage mt .mt # Maltese
AddLanguage my .my # Burmese
AddLanguage na .na # Nauru
AddLanguage ne .ne # Nepali
AddLanguage nl .nl # Dutch
AddLanguage no .no # Norwegian
AddLanguage oc .oc # Occitan
AddLanguage om .om # (Afan) Oromo
AddLanguage or .or # Oriya
AddLanguage pa .pa # Punjabi
AddLanguage pl .po # Polish (use .po instead .pl to avoid problems with perl files)
AddLanguage ps .ps # Pashto, Pushto
AddLanguage pt .pt # Portuguese
AddLanguage qu .qu # Ouechua
AddLanguage rm .rm # Rhaeto-Romance
AddLanguage rn .rn # Kirundi
AddLanguage ro .ro # Romanian
AddLanguage ru .ru # Russian
AddLanguage rw .rw # Kinya, Rwanda
AddLanguage sa .sa # Sanskrit
AddLanguage sd .sd # Sindhi
AddLanguage sg .sg # Sangro
AddLanguage sh .sh # Serbo-Croatian
AddLanguage si .si # Singhalese
AddLanguage sk .sk # Slovak
AddLanguage sl .sl # Slovenian
AddLanguage sm .sm # Samoan
AddLanguage sn .sn # Shona
AddLanguage so .so # Somali
AddLanguage sq .sq # Albanian
AddLanguage sr .sr # Serbian
AddLanguage ss .ss # Siswati
AddLanguage st .st # Sesotho
AddLanguage su .su # Sundanese
AddLanguage sv .sv # Swedish
AddLanguage sw .sw # Swahili
AddLanguage ta .ta # Tamil
AddLanguage te .te # Tegulu
AddLanguage tg .tg # Tajik
AddLanguage th .th # Thai
AddLanguage ti .ti # Tigrinya
AddLanguage tk .tk # Turkmen
AddLanguage tl .tl # Tagalog
AddLanguage tn .tn # Setswana
AddLanguage to .to # Tonga
AddLanguage tr .tr # Turkish
AddLanguage ts .ts # Tsonga
AddLanguage tt .tt # Tatar
AddLanguage tw .tw # Twi
AddLanguage ug .ug # Uigur
AddLanguage uk .uk # Ukrainian
AddLanguage ur .ur # Urdu
AddLanguage uz .uz # Uzbek
AddLanguage vi .vi # Vietnamese
AddLanguage vo .vo # Volapuek
AddLanguage wo .wo # Wolof
AddLanguage xh .xh # Xhosa
AddLanguage yi .yi # Yiddish
AddLanguage yo .yo # Yoruba
AddLanguage za .za # Zhuang
AddLanguage zh .zh # Chinese
AddLanguage zu .zu # Zulu
=============================================================================#
SCRIPTING, ACTION, ADDHANDLER
=============================================================================#
Handlers be builtin, included in a module, or added with Action directive
default-handler: default, handles static content (core)
send-as-is: Send file with HTTP headers (mod_asis)
cgi-script: treat file as CGI script (mod_cgi)
imap-file: Parse as an imagemap rule file (mod_imap)
server-info: Get server config info (mod_info)
server-status: Get server status report (mod_status)
type-map: type map file for content negotiation (mod_negotiation)
fastcgi-script: treat file as fastcgi script (mod_fastcgi)
##########
-> www.askapache.com/php/custom-phpini-tips-and-tricks.html
## PARSE AS CGI ###
AddHandler cgi-script .cgi .pl .spl
## RUN PHP AS APACHE MODULE ###
AddHandler application/x-httpd-php .php .htm
## RUN PHP AS CGI ###
AddHandler php-cgi .php .htm
## CGI PHP WRAPPER FOR CUSTOM PHP.INI ###
AddHandler phpini-cgi .php .htm
Action phpini-cgi /cgi-bin/php5-custom-ini.cgi
## FAST-CGI SETUP WITH PHP-CGI WRAPPER FOR CUSTOM PHP.INI ###
AddHandler fastcgi-script .fcgi
AddHandler php-cgi .php .htm
Action php-cgi /cgi-bin/php5-wrapper.fcgi
## CUSTOM PHP CGI BINARY SETUP ###
AddHandler php-cgi .php .htm
Action php-cgi /cgi-bin/php.cgi
## PROCESS SPECIFIC FILETYPES WITH CGI-SCRIPT ###
Action image/gif /cgi-bin/img-create.cgi
## CREATE CUSTOM HANDLER FOR SPECIFIC FILE EXTENSIONS ###
AddHandler custom-processor .ssp
Action custom-processor /cgi-bin/myprocessor.cgi
=============================================================================#
HEADERS, CACHING AND OPTIMIZATION
=============================================================================#
-> www.htaccesselite.com/htaccess/cache-con...tp-headers-vt65.html
300 5 M
2700 45 M
3600 1 H
54000 15 H
86400 1 D
518400 6 D
604800 1 W
1814400 3 W
2419200 1 M
26611200 11 M
29030400 1 Y (never expire)
##########
### HEADER CACHING ####
-> www.askapache.com/htaccess/speed-up-site...taccess-caching.html
<FilesMatch "\.(flv|gif|jpg|jpeg|png|ico)$">
Header set Cache-Control "max-age=2592000"
</FilesMatch>
<FilesMatch "\.(js|css|pdf|swf)$">
Header set Cache-Control "max-age=604800"
</FilesMatch>
<FilesMatch "\.(html|htm|txt)$">
Header set Cache-Control "max-age=600"
</FilesMatch>
<FilesMatch "\.(pl|php|cgi|spl|scgi|fcgi)$">
Header unset Cache-Control
</FilesMatch>
## ALTERNATE EXPIRES CACHING ###
-> htaccesselite.com/d/use-htaccess-to-speed-up-your-site-discussion-vt67.html
ExpiresActive On
ExpiresDefault A604800
ExpiresByType image/x-icon A2592000
ExpiresByType application/x-javascript A2592000
ExpiresByType text/css A2592000
ExpiresByType text/html A300
<FilesMatch "\.(pl|php|cgi|spl|scgi|fcgi)$">
ExpiresActive Off
</FilesMatch>
## META HTTP-EQUIV REPLACEMENTS ###
<FilesMatch "\.(html|htm|php)$">
Header set imagetoolbar "no"
</FilesMatch>
=============================================================================#
REWRITES AND REDIRECTS
=============================================================================#
REQUEST METHODS: GET,POST,PUT,DELETE,CONNECT,OPTIONS,PATCH,PROPFIND,
PROPPATCH,MKCOL,COPY,MOVE,LOCK,UNLOCK
##########
## REWRITE DEFAULTS ###
RewriteEngine On
RewriteBase /
## REQUIRE SUBDOMAIN ###
RewriteCond %{HTTP_HOST} !^$
RewriteCond %{HTTP_HOST} !^subdomain\.domain\.tld$ [NC]
RewriteRule ^/(.*)$ subdomain.domain.tld/$1 [L,R=301]
## SEO REWRITES ###
RewriteRule ^(.*)/ve/(.*)$ $1/voluntary-employee/$2 [L,R=301]
RewriteRule ^(.*)/hsa/(.*)$ $1/health-saving-account/$2 [L,R=301]
## WORDPRESS ###
RewriteCond %{REQUEST_FILENAME} !-f # Existing File
RewriteCond %{REQUEST_FILENAME} !-d # Existing Directory
RewriteRule . /index.php [L]
## ALTERNATIVE ANTI-HOTLINKING ###
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(subdomain\.)?domain.tld/.*$ [NC]
RewriteRule ^.*\.(bmp|tif|gif|jpg|jpeg|jpe|png)$ - [F]
## REDIRECT HOTLINKERS ###
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(subdomain\.)?domain.tld/.*$ [NC]
RewriteRule ^.*\.(bmp|tif|gif|jpg|jpeg|jpe|png)$ google.com [R]
## DENY REQUEST BASED ON REQUEST METHOD ###
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS|HEAD)$ [NC]
RewriteRule ^.*$ - [F]
## REDIRECT UPLOADS ###
RewriteCond %{REQUEST_METHOD} ^(PUT|POST)$ [NC]
RewriteRule ^(.*)$ /cgi-bin/form-upload-processor.cgi?p=$1 [L,QSA]
## REQUIRE SSL EVEN WHEN MOD_SSL IS NOT LOADED ###
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
### ALTERNATATIVE TO USING ERRORDOCUMENT ###
-> www.htaccesselite.com/d/htaccess-errordo...t-examples-vt11.html
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^.*$ /error.php [L]
## SEO REDIRECTS ###
Redirect 301 /2006/oldfile.html subdomain.domain.tld/newfile.html
RedirectMatch 301 /o/(.*)$ subdomain.domain.tld/s/dl/$1
=============================================================================#
AUTHENTICATION AND SECURITY
=============================================================================#
www.htaccesselite.com/htaccess/basic-aut...on-example-vt17.html
Require (user|group|valid-user) (username|groupname)
##########
## BASIC PASSWORD PROTECTION ###
AuthType basic
AuthName "prompt"
AuthUserFile /.htpasswd
AuthGroupFile /dev/null
Require valid-user
## ALLOW FROM IP OR VALID PASSWORD ###
Require valid-user
Allow from 192.168.1.23
Satisfy Any
## PROTECT FILES ###
<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$">
Order Allow,Deny
Deny from all
</FilesMatch>
## PREVENT HOTLINKING ###
SetEnvIfNoCase Referer "^http://subdomain.domain.tld/" good
SetEnvIfNoCase Referer "^$" good
<FilesMatch "\.(png|jpg|jpeg|gif|bmp|swf|flv)$">
Order Deny,Allow
Deny from all
Allow from env=good
ErrorDocument 403 www.google.com/intl/en_ALL/images/logo.gif
ErrorDocument 403 /images/you_bad_hotlinker.gif
</FilesMatch>
## LIMIT UPLOAD FILE SIZE TO PROTECT AGAINST DOS ATTACK ###
LimitRequestBody 10240000 #bytes, 0-2147483647(2GB)
=============================================================================#
SSL SECURITY
=============================================================================#
-> www.askapache.com/htaccess/ssl-example-usage-in-htaccess.html
##########
## MOST SECURE WAY TO REQUIRE SSL ###
-> www.askapache.com/htaccess/apache-ssl-in-htaccess-examples.html
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "domain.tld"
ErrorDocument 403 domain.tld
=============================================================================#
SITE UNDER CONSTRUCTION
=============================================================================#
Heres some awesome htaccess to use when you are developing a site
##########
## COMBINED DEVELOPER HTACCESS CODE-USE THIS ###
<FilesMatch "\.(flv|gif|jpg|jpeg|png|ico|js|css|pdf|swf|html|htm|txt)$">
Header set Cache-Control "max-age=5"
</FilesMatch>
AuthType basic
AuthName "Ooops! Temporarily Under Construction..."
AuthUserFile /.htpasswd
AuthGroupFile /dev/null
Require valid-user # password prompt for everyone else
Order Deny,Allow
Deny from all
Allow from 192.168.64.5 # Your, the developers IP address
Allow from w3.org # css/xhtml check jigsaw.w3.org/css-validator/
Allow from googlebot.com # Allows google to crawl your pages
Satisfy Any # no password required if host/ip is Allowed
## DONT HAVE TO EMPTY CACHE OR RELOAD TO SEE CHANGES ###
ExpiresDefault A5 #If using mod_expires
<FilesMatch "\.(flv|gif|jpg|jpeg|png|ico|js|css|pdf|swf|html|htm|txt)$">
Header set Cache-Control "max-age=5"
</FilesMatch>
## ALLOW ACCESS WITH PASSWORD OR NO PASSWORD FOR SPECIFIC IP/HOSTS ###
AuthType basic
AuthName "Ooops! Temporarily Under Construction..."
AuthUserFile /.htpasswd
AuthGroupFile /dev/null
Require valid-user # password prompt for everyone else
Order Deny,Allow
Deny from all
Allow from 192.168.64.5 # Your, the developers IP address
Allow from w3.org # css/xhtml check jigsaw.w3.org/css-validator/
Allow from googlebot.com # Allows google to crawl your pages
Satisfy Any # no password required if host/ip is Allowed - Rocket Theme Rokker
Joomla! Roks
I Rokk
U Rokk
-
-
-
- Christos DiCos
- Sr. Rocketeer
- Posts: 120
- Thanks: 2
Re: The Ultimate .htaccess file - ultimate security for your joomla site
Posted 16 years 2 weeks ago-
No, this is just a basic .htaccess file.
When people pm or post more fixes or security tips or blocks to exploits.
I will add them to the file and eventually the .htaccess file will be the ultimate for joomla! and yes it would then make your site more secure from exploits or hacks. - Rocket Theme Rokker
Joomla! Roks
I Rokk
U Rokk
-
-
-
- GollumX
- Elite Rocketeer
- Posts: 2817
- Thanks: 0
Re: The Ultimate .htaccess file - ultimate security for your joomla site
Posted 16 years 2 weeks ago-
That .htaccess file will destroy a site on upload. You should mention that it is an example file from which people should copy out the FEW lines they need, replacing variables such as domain name with their own.
A novice user might have uploaded it and crashed his/her site
.htaccess files are evil. Use as few directives in your .htaccess file as you need. - Say no to Internet Explorer 6.
twitter.com/mark_up
-
-
-
- Christos DiCos
- Sr. Rocketeer
- Posts: 120
- Thanks: 2
Re: The Ultimate .htaccess file - ultimate security for your joomla site
Posted 16 years 2 weeks ago-
I didn't know that.
I thought .htaccess and php.ini were good and they protect your sites from hacks and exploits.
Could you show us what your .htaccess or php.ini file looks like?
Thanks - Rocket Theme Rokker
Joomla! Roks
I Rokk
U Rokk
-
-
-
- GollumX
- Elite Rocketeer
- Posts: 2817
- Thanks: 0
Re: The Ultimate .htaccess file - ultimate security for your joomla site
Posted 16 years 2 weeks ago-
A well configured server will not need much tweaking. As you can see in my htaccess file, it is just the default that comes with Joomla, save for the 2nd and 3rd lines, which basically redirect mydomain.com to
www.mydomain.com
(Visitors will always end up on
www.mydomain.com
regardless of whether or not they type in www)
The second block is for SEF and the last block is the basic security directives that comes default with JoomlaRewriteEngine On RewriteCond %{HTTP_HOST} !^www.mydomain.com$ [NC] RewriteRule (.*) http://www.mydomain.com/$1 [R=301,L] RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR] RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$ [NC] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule (.*) index.php RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR] RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR] RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) RewriteRule ^(.*)$ index.php [F,L]
I have my own server so all the measures suggested by the Joomla security experts are implemented server wide, and not on a site by site basis with htaccess.
In my first experience with Joomla back in 06, I was on a shared server and promptly had four websites hacked. It was a server security issue as along with my four, over 40 other Joomla sites on the same server were were compromised, all within a span of two days. I dropped the host like a hot potato and got my own VPS, which gets between 10 and 400 probes a day from script kiddies but has stood strong for over a year.
Moral of the story... shared hosting sucks. - Say no to Internet Explorer 6.
twitter.com/mark_up
-
-
-
- MariO
- Hero Rocketeer
- Posts: 340
- Thanks: 0
Re: The Ultimate .htaccess file - ultimate security for your joomla site
Posted 15 years 11 months ago-
Hi GollumX
I have the following in my .htaccess file
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www.gozoviews.com$ [NC]
RewriteRule (.*) www.gozoviews.com/$1 [R=301,L]
but site is not directing to www.gozoviews.com if i type gozoviews.com and am facing some problems if site is not accessed in www.gozoviews.com
any help is very much appriciated
Thanks
Mario
-
-
-
- GollumX
- Elite Rocketeer
- Posts: 2817
- Thanks: 0
Re: The Ultimate .htaccess file - ultimate security for your joomla site
Posted 15 years 11 months ago-
i visited the site via gozonews.com and it redirected to
www.gozonews.com
.... no problems at all
- Say no to Internet Explorer 6.
twitter.com/mark_up
-
Time to create page: 0.052 seconds