Suggested Master .htaccess file

Discussion regarding Joomla! 1.5 security issues.
bkeen2010
Joomla! Fledgling
Posts: 2
Joined: Thu Nov 11, 2010 4:08 pm

Re: Suggested Master .htaccess file

Post by bkeen2010 » Thu Nov 11, 2010 4:18 pm

Is there a script that can spider a Joomla site for security issues?
Bkeen2020
WebMaster

SallyR
Joomla! Enthusiast
Posts: 118
Joined: Wed Nov 12, 2008 1:35 am
Location: Florida, USA

Re: Suggested Master .htaccess file

Post by SallyR » Mon Nov 15, 2010 1:12 am

I had two issues when trying this Master .htaccess:
I use Jomsocial Facebook connect and the template blocked importing the facebook avatar. Status and other properties would interface but the avatar would not.

But the bigger problem was that the template did not work correctly in the IE browser. It stripped my ja_purity template. It worked fine in Firefox and all content displayed fine in Firefox, but not the ja_purity template in the IE browser.

Could this be the reason on the IE Browser? (I saw this in the Master .htaccess)
########## Begin - Automatic compression of resources
# Compress text, html, javascript, css, xml, kudos to Komra.de
# May kill access to your site for old versions of Internet Explorer
AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript
########## End - Automatic compression of resources


Any ideas as to what I should uncomment or modify to fix these issues? I would like to use this .htaccess and fortify my website from hackers.

Webfor
Joomla! Fledgling
Posts: 3
Joined: Tue Nov 16, 2010 2:57 am

Re: Suggested Master .htaccess file

Post by Webfor » Tue Nov 16, 2010 3:36 am

I've been using another modified version of the .htaccess that was also developed by Nicholas Dionysopoulos of Akeeba for Rochen. I have had nothing but great experiences with everything Nicholas is a part of.
We don't see the world as it is, We see the world as WE are.
www.Webfor.com

j00mlalife
Joomla! Fledgling
Posts: 2
Joined: Sat Nov 13, 2010 2:53 pm

Re: Suggested Master .htaccess file

Post by j00mlalife » Tue Nov 23, 2010 12:56 pm

Hello Webfor, can we have access to the modified .htaccess file? Kindly share the file for us to try out. Thanks in advance.

Kim_M
Joomla! Enthusiast
Posts: 119
Joined: Sat Nov 01, 2008 4:06 pm

Re: Suggested Master .htaccess file

Post by Kim_M » Tue Nov 23, 2010 1:41 pm

Doesn't work for my site, which probably is caused by using AceSef and also the facebook connect from jomsocial?

SallyR
Joomla! Enthusiast
Posts: 118
Joined: Wed Nov 12, 2008 1:35 am
Location: Florida, USA

Re: Suggested Master .htaccess file

Post by SallyR » Wed Nov 24, 2010 12:08 pm

Kim_M wrote:Doesn't work for my site, which probably is caused by using AceSef and also the facebook connect from jomsocial?
I had the same with my jomsocial using this suggested htaccess. Maybe check in the jomsocial forum.

NielsH
Joomla! Fledgling
Posts: 1
Joined: Mon Nov 29, 2010 9:48 am

Re: Suggested Master .htaccess file

Post by NielsH » Mon Nov 29, 2010 11:51 am

Hello,

I'm a new user to Joomla, and I'm trying to implement the required security-settings.

I have updated the .htaccess file with my domain, and while the site loads with no 500 errors, I am unable to use the administration backend after updating the .htaccess. Everything seems already expanded and the drop-down menus are disabled.

After uploading the backup (default) .htaccess file it worked again.

Does anyone know what's causing this?

Thank you,

Niels

Edit: It seems that the mailto function of articles gives a 500 Internal Server Error, and as far as I can see Akeeba Backup doesn't work anymore either:

WARNING

Akeeba Backup could not determine the permissions of the media/com_akeeba directory.

Please do one of the following:

   1. Activate Joomla!'s FTP mode in Global Configuration
   2. Change the permissions of the media/com_akeeba directory and all of its subdirectories to 0755 and all of its files to 0644 using your FTP client.

Akeeba Backup will most likely not work at all if you do not perform these steps. Do not ask for support if you can see this message. All the information you need is already on this message.
Might say don't ask for support, however the problem lies within that .htaccess file, so I don't see why I should manually change permissions :/

ERROR

jQuery and/or jQuery UI have not been loaded. This usually means that you have to change the permissions of media/com_akeeba and all of its contents to a least 0644. Alternatively, click on "Parameters" and set the source for both of them to "Google AJAX API".

If you do not do that, the component will not work.

vBob
Joomla! Apprentice
Posts: 17
Joined: Wed Dec 01, 2010 9:25 pm
Location: USA

Re: Suggested Master .htaccess file

Post by vBob » Thu Dec 02, 2010 1:31 am

mandville wrote: We (moderators) can't really alter the original post to make amendments as this would cause the chain of posts to become unreadable. You could always use the wiki, e.g. http://docs.joomla.org/Htaccess_examples_%28security%29, that could do evolving htaccess files.
I took a look at the file you suggested, how recent is the file? Patiently awaiting your answer :pop

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Suggested Master .htaccess file

Post by leolam » Thu Dec 02, 2010 4:15 am

SallyR wrote: I had the same with my jomsocial using this suggested htaccess. Maybe check in the jomsocial forum.
Facebook Connect is an issue on Facebook, as explained by Mark in the JomSocial forum. It is caused by Facebook and not by .htaccess or JomSocial.

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Compression active in .htaccess

Post by leolam » Sun Dec 05, 2010 3:25 pm

Regarding some findings related to:

########## Begin - Automatic compression of resources
# Compress text, html, javascript, css, xml, kudos to Komra.de
# May kill access to your site for old versions of Internet Explorer
AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript
########## End - Automatic compression of resources
This code has a serious impact on a dedi or VPS server, as we have tested.

For general information on server load, read some pretty easy to read stuff: http://whreviews.com/server-load.htm This explains some basics.

Here is what we found out with an implementation of this .htaccess part of the 'suggested htaccess masterfile':

Environment of testing server
* Centos CENTOS 5.5 i686 standard
* MySql 5.1.51
* PHP 5.2.14
* Apache 2.2.17
* suPHP/Suhosin
* Quad Core/4Mb/2 x 500Mb SATA (14 cpu's)

To be able to run this compression the server needs to be compiled with mod_deflate. (The mod_deflate module provides the DEFLATE output filter, which allows output from your server to be compressed before being sent to the client over the network, which speeds up your site loading.)

On one of our servers we have some 85 Joomla sites with a total of 200GB disk and 40 GB MySQL (give or take). Here are some facts about the server load results after we compiled that server with mod_deflate and inserted the above mentioned piece of code into the .htaccess (again, this works only if mod_deflate is compiled on the server) of no more than 15 (!) sites. These sites all work with templates of the major template clubs...

Before compiling with the compression module (mod_deflate) we had a load average on said server of appr. 0.78, which is very sweet... After we used the compression we had an enormous hike in resource usage and we got a load average of over 6.5, of which 80% of CPU resources were taken by GZIP (mod_deflate). It visibly reduced the speed of the server and the loading times of sites in general. As soon as we removed the .htaccess directives the load-balance went down below 1.0.

This is not a scientific evaluation just a practical experience.

Our conclusion: yes to mod_deflate (and the .htaccess directive mentioned) on a VPS or dedi with a couple of sites that are not that heavy on SQL queries, which will improve performance, and definitely NO to the directive on a shared hosting account, since it will freak out the resources.

Leo 8)

Extra remark: the above mentioned part of your .htaccess will not work on a shared server. Most hosting companies do not compile with mod_deflate enabled, in which case you cannot even utilize it!
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

digitwebdesign
Joomla! Apprentice
Posts: 11
Joined: Thu Jun 03, 2010 1:13 pm
Location: London

Re: Suggested Master .htaccess file

Post by digitwebdesign » Sun Dec 12, 2010 11:11 pm

Hmmm, shame the forum diverted into a row...

Have we got a slimmed down version that would be good for security but not too complicated, lol...

basic but good enough?

cheers

kurchania
Joomla! Hero
Posts: 2070
Joined: Mon Sep 21, 2009 6:56 am
Location: indore,india

Re: Suggested Master .htaccess file

Post by kurchania » Wed Dec 15, 2010 6:03 pm

Hi guys,
My first attack on the server. I just enabled the log file to trace the URL the attacker hit to crack the server.
mandville suggested it, so I put my code here so that we can prevent these exploits:
# block "../.." in the query string
RewriteCond %{QUERY_STRING} .*[.][.]/[.][.].* [OR]
# block "http://" in the query string
RewriteCond %{QUERY_STRING} .*http://.* [NC,OR]
# block SQL injection keyword 'select' (note: also matches ordinary words such as "selected")
RewriteCond %{QUERY_STRING} .*SELECT.* [NC,OR]
# block SQL injection keyword 'delete'
RewriteCond %{QUERY_STRING} .*DELETE.* [NC,OR]
# block references to the users table; this is the last condition, so no [OR] here
RewriteCond %{QUERY_STRING} .*jos_users.* [NC]
# without a RewriteRule the conditions above do nothing: return 403 Forbidden
RewriteRule ^(.*)$ - [F,L]
Replace jos_users with your database prefix.

Regards
Abhijeet
abhijeet kurchania
The future depends on what you do today
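As an added illustration (not code from the post above), a small Python model of how mod_rewrite chains these conditions ([OR] groups, [NC] case-folding), run over constructed query strings; it also applies the narrower SQLi conditions from the master .htaccess posted later in this thread, to show the difference in false positives on ordinary requests.

```python
import re

# The five conditions from the post, as (pattern, flags) pairs. A flag string
# containing "OR" links the condition to the next one, as [OR] does in
# mod_rewrite; "NC" makes the match case-insensitive.
BROAD_RULES = [
    (r".*[.][.]/[.][.].*", "OR"),   # "../.." in the query string
    (r".*http://.*", "NC,OR"),      # a remote URL in the query string
    (r".*SELECT.*", "NC,OR"),       # SQL keyword, anywhere in the string
    (r".*DELETE.*", "NC,OR"),
    (r".*jos_users.*", "NC"),       # users table with the default db prefix
]

# The narrower SQLi conditions from the master .htaccess later in this thread
# (concat.*\(, union.*select.*\(, union.*all.*select.*), for comparison.
NARROW_RULES = [
    (r"concat.*\(", "NC,OR"),
    (r"union.*select.*\(", "NC,OR"),
    (r"union.*all.*select.*", "NC"),
]


def cond_matches(pattern, flags, query_string):
    """Apply one RewriteCond pattern to the query string exactly as given
    (mod_rewrite matches the raw QUERY_STRING, so no decoding is done here)."""
    re_flags = re.IGNORECASE if "NC" in flags.split(",") else 0
    return re.search(pattern, query_string, re_flags) is not None


def rule_fires(rules, query_string):
    """Return True when the RewriteRule guarded by these conditions would run,
    i.e. the request would get a 403. Conditions chained with [OR] form a
    group that is true if any member matches; consecutive groups are ANDed."""
    groups, current = [], []
    for pattern, flags in rules:
        current.append(cond_matches(pattern, flags, query_string))
        if "OR" not in flags.split(","):
            groups.append(any(current))
            current = []
    if current:  # a trailing [OR] on the last condition still closes the group
        groups.append(any(current))
    return all(groups)


def classify(rules, query_strings):
    """Map each query string to 'blocked' or 'allowed' under the given chain."""
    return {q: ("blocked" if rule_fires(rules, q) else "allowed")
            for q in query_strings}


# Constructed sample query strings: three ordinary Joomla! requests and one
# SQL-shaped string of the kind the post wants to stop.
SAMPLES = [
    "option=com_content&view=article&id=12",
    "option=com_search&searchword=deleted+scenes",             # contains "delete"
    "option=com_content&view=category&title=Selected+works",   # contains "select"
    "id=1+union+all+select+1",
]

if __name__ == "__main__":
    for name, rules in (("broad", BROAD_RULES), ("narrow", NARROW_RULES)):
        for query, verdict in classify(rules, SAMPLES).items():
            print(f"{name:6} {verdict:7} {query}")
```

The broad chain rejects the two ordinary searches because "deleted" and "Selected" contain the keywords; the narrower patterns only fire on the SQL-shaped string.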

C0nw0nk
Joomla! Enthusiast
Posts: 248
Joined: Tue Jun 15, 2010 1:12 am
Location: United Kingdom, London

Re: Suggested Master .htaccess file

Post by C0nw0nk » Thu Dec 16, 2010 5:39 am

Perhaps this will help you all.

If you wish to completely stop XSS attacks with some risk of breaking functionality, use the following filter to block all html and javascript related attacks.

# ModSecurity 1.x syntax (SecFilter); ModSecurity 2.x replaced it with SecRule
SecFilter "<(.|\n)+>"

Modsecurity also works well in providing quick & dirty SQL injection protection.

SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

moonbootman
Joomla! Apprentice
Posts: 16
Joined: Thu Nov 25, 2010 8:48 pm

Re: Suggested Master .htaccess file

Post by moonbootman » Mon Dec 27, 2010 11:38 am

You made so many changes in the different code snippets that it is very hard for me to tell what is absolutely needed and what is just code for special sites.
Now my question:
Is it possible to create another master .htaccess that I can paste?

Would be great, since my site was attacked...............
best regards

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Suggested Master .htaccess file

Post by mandville » Mon Dec 27, 2010 12:12 pm

The original post is worth looking at. Also, if you were hacked then follow the security checklist.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

moonbootman
Joomla! Apprentice
Posts: 16
Joined: Thu Nov 25, 2010 8:48 pm

Re: Suggested Master .htaccess file

Post by moonbootman » Mon Dec 27, 2010 12:21 pm

thx a lot

ilox
Joomla! Explorer
Posts: 444
Joined: Thu Aug 25, 2005 3:29 pm
Location: Adelaide, South Australia

Re: Suggested Master .htaccess file

Post by ilox » Sun Jan 09, 2011 9:51 am

I have tried to follow this thread and come up with a master htaccess file I can use for my sites. All I have achieved is a serious case of confusion ;)

Is the first master htaccess file - as shown in the initial post - the one we should be using? Has it been kept up to date with all the too-ing and fro-ing that has been going on?

If not up to date, can somebody please post an updated htaccess file that is able to keep the latest nasties at bay as well as not killing our servers?
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life

the magus
Joomla! Apprentice
Posts: 15
Joined: Thu Jan 08, 2009 11:46 pm

Re: Suggested Master .htaccess file

Post by the magus » Thu Jan 13, 2011 12:56 pm

It is a wonderful post.

I have a question regarding the site URL in .htaccess.

If my Joomla is installed in public_html/joomla, should I change the .htaccess URLs to: http://www.domain.com/joomla

???

or keep it as it is: http://www.domain.com

enzo24
Joomla! Apprentice
Posts: 18
Joined: Fri Sep 12, 2008 6:34 am

Re: Suggested Master .htaccess file

Post by enzo24 » Tue Jan 18, 2011 9:04 am

I found some extra info on knocking out bad crawlers & bandwidth hogs at the following address :

http://www.buzolich.com/home/2002/inter ... -the-devil

I've tried it out in my .htaccess but couldn't get the rules to work... -->error 500..

I wonder where I went wrong.

Guess I'll have to play around a little with the .htaccess file..

Thanks for all the great info here !

Bye
Enzo

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Suggested Master .htaccess file

Post by mandville » Tue Jan 18, 2011 11:50 am

what does that section of your htaccess look like?
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Suggested Master .htaccess file

Post by leolam » Sun Jan 23, 2011 3:39 am

Latest and improved version of this proposed "master htaccess" (updated by Nicholas on November 18th 2010): http://snipt.net/nikosdion/the-master-htaccess. DO read the intro by Nicholas!

Leo 8)

###############################################################################
## The Master .htaccess
##
## Version 2.2 - November 18th, 2010
##
## ----------
## This file is designed to be the template .htaccess file to put on your new
## sites, increasing your site's security and performance. It is not meant to
## be just dropped in your site, though. You should go through all of its
## sections and modify it to match your site. Most notably, all instances of
## domain.com and domain\.com should be replaced with your real domain name.
##
## Some sections are too picky and may cause problems with legitimate requests.
## You are ultimately responsible for disabling them or writing exception rules
## for your requests. Most notably, the advanced server protection section will
## cause issues with several minifiers, eXtplorer, VirtueMart and other exten-
## sions which use non-standard scripts as their entry points. You must add
## exceptions for them manually.
##
## Some sections - depending on your server configuration - may cause your site
## to throw 500 Internal Server Error. The only way to figure out which one is
## causing it is trial and error.
##
## Big thank you's to Brian Teeman, Ken Crowder, Radek Suski and Fotis
## Evangelou for sharing their .htaccess rules with the world and inspiring
## the creation of this file. Special thanks to Jon Brown for sharing his
## research and helping me improve this file.
##
## ----------------------------------------------------------------------
## Do you want to customize this .htaccess file with a few clicks?
## Admin Tools Professional by AkeebaBackup.com does this and much more.
##
## Learn more: http://www.akeebabackup.com/software/admin-tools.html
## ----------------------------------------------------------------------
##
## Have fun, stay safe.
##
## Nicholas K. Dionysopoulos
## Lead Developer, AkeebaBackup.com
##
## CHANGELOG:
## Version 2.3 (November 18th, 2010)
## - Added .ico to the pass-through rules, for favicons to load
## Version 2.2 (October 25th, 2010)
## - Bug in the tmpl=component rule
## Version 2.1 (October 19th, 2010)
## - index.php to root redirection would kill some AJAX requests
## - Referer filtering was screwed up
## - Simplified and more thorough PHP Easter Egg code (thanks Jon!)
## - The tp/template/tmpl filter was not thorough and killed some components
## - Optimized Joomla! core SEF section
## - Bot filters and GZip optimization would never run for dynamic content
## - Content expiration optimization got more optimized
## - Added ETag rule
##
###############################################################################

########## Begin - RewriteEngine enabled
RewriteEngine On
########## End - RewriteEngine enabled

########## Begin - RewriteBase
#  Uncomment following line if your webserver's URL
#  is not directly related to physical file paths.
#  Update Your Joomla! Directory (just / for root)

# RewriteBase /
########## End - RewriteBase

########## Begin - File execution order, by Komra.de
DirectoryIndex index.php index.html
########## End - File execution order

########## Begin - No directory listings
## Note: +FollowSymlinks may cause problems and you might have to remove it
## Note: Apache documents that mixing +/- prefixed Options with unprefixed
## ones (the original line also had "All" here) is not valid syntax and may
## give unexpected results, so only the prefixed form is used
IndexIgnore *
Options +FollowSymLinks -Indexes
########## End - No directory listings

########## Begin - ETag Optimization
## This rule will create an ETag for files based only on the modification
## timestamp and their size. This works wonders if you are using rsync'ed
## servers, where the inode number of identical files differs.
## Note: It may cause problems on your server and you may need to remove it
FileETag MTime Size
########## End - ETag Optimization

########## Begin - Optimal default expiration time
## Note: this might cause problems and you might have to comment it out by
## placing a hash in front of this section's lines
<IfModule mod_expires.c>
	# Enable expiration control
	ExpiresActive On

	# Default expiration: 1 hour after request
	ExpiresDefault "now plus 1 hour"
	
	# CSS and JS expiration: 1 week after request
	ExpiresByType text/css "now plus 1 week"
	ExpiresByType application/javascript "now plus 1 week"
	ExpiresByType application/x-javascript "now plus 1 week"
	
	# Image files expiration: 1 year after request
	ExpiresByType image/bmp "now plus 1 year"
	ExpiresByType image/gif "now plus 1 year"
	ExpiresByType image/jpeg "now plus 1 year"
	ExpiresByType image/jp2 "now plus 1 year"
	ExpiresByType image/pipeg "now plus 1 year"
	ExpiresByType image/png "now plus 1 year"
	ExpiresByType image/svg+xml "now plus 1 year"
	ExpiresByType image/tiff "now plus 1 year"
	ExpiresByType image/vnd.microsoft.icon "now plus 1 year"
	ExpiresByType image/x-icon "now plus 1 year"
	ExpiresByType image/ico "now plus 1 year"
	ExpiresByType image/icon "now plus 1 year"
	ExpiresByType text/ico "now plus 1 year"
	ExpiresByType application/ico "now plus 1 year"
	ExpiresByType image/vnd.wap.wbmp "now plus 1 year"
	ExpiresByType application/vnd.wap.wbxml "now plus 1 year"
	ExpiresByType application/smil "now plus 1 year"
	
	# Audio files expiration: 1 year after request
	ExpiresByType audio/basic "now plus 1 year"
	ExpiresByType audio/mid "now plus 1 year"
	ExpiresByType audio/midi "now plus 1 year"
	ExpiresByType audio/mpeg "now plus 1 year"
	ExpiresByType audio/x-aiff "now plus 1 year"
	ExpiresByType audio/x-mpegurl "now plus 1 year"
	ExpiresByType audio/x-pn-realaudio "now plus 1 year"
	ExpiresByType audio/x-wav "now plus 1 year"
	
	# Movie files expiration: 1 year after request
	ExpiresByType application/x-shockwave-flash "now plus 1 year"
	ExpiresByType x-world/x-vrml "now plus 1 year"
	ExpiresByType video/x-msvideo "now plus 1 year"
	ExpiresByType video/mpeg "now plus 1 year"
	ExpiresByType video/mp4 "now plus 1 year"
	ExpiresByType video/quicktime "now plus 1 year"
	ExpiresByType video/x-la-asf "now plus 1 year"
	ExpiresByType video/x-ms-asf "now plus 1 year"
</IfModule>
########## End - Optimal expiration time

########## Begin - Common hacking tools and bandwidth hoggers block
## By SigSiu.net and @nikosdion.
## WARNING: This will also block old versions of JoomlaPack Remote
## and will disallow running CRON jobs using wget.
# The following rules are for common hacking tools:
SetEnvIf user-agent "Indy Library" stayout=1
SetEnvIf user-agent "libwww-perl" stayout=1
SetEnvIf user-agent "Wget" stayout=1
# The following rules are for bandwidth-hogging download tools
SetEnvIf user-agent "Download Demon" stayout=1
SetEnvIf user-agent "GetRight" stayout=1
SetEnvIf user-agent "GetWeb!" stayout=1
SetEnvIf user-agent "Go!Zilla" stayout=1
SetEnvIf user-agent "Go-Ahead-Got-It" stayout=1
SetEnvIf user-agent "GrabNet" stayout=1
SetEnvIf user-agent "TurnitinBot" stayout=1
# This line denies access to all of the above tools
deny from env=stayout
########## End - Common hacking tools and bandwidth hoggers block

########## Begin - Automatic compression of resources
# Compress text, html, javascript, css, xml, kudos to Komra.de
# May kill access to your site for old versions of Internet Explorer
AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript
########## End - Automatic compression of resources

########## Begin - Google Apps redirection, by Komra.de
Redirect 301 /mail http://mail.google.com/a/domain.com
########## End - Google Apps redirection

########## Begin - Redirect index.php to /
## Note: Change domain.com to reflect your own domain
RewriteCond %{THE_REQUEST} ^.*/index\.php$
RewriteRule ^index\.php$ http://www.domain.com/ [R,L]
########## End - Redirect index.php to /

########## Begin - Redirect non-www to www
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R,L]
########## End - Redirect non-www to www

########## Begin - Redirect www to non-www
## WARNING: Comment out the non-www to www rule if you choose to use this
#RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
#RewriteRule ^(.*)$ http://%1/$1 [R,L]
########## End - Redirect www to non-www

########## Begin - Redirect olddomain.com to www.domain.com
## Note: olddomain.com is your old domain name, you want to redirect FROM,
## whereas www.domain.com is the new domain name you want to redirect TO.
## Change those names to reflect your current configuration. Remember, this
## file is supposed to be placed in www.domain.com!
RewriteCond %{HTTP_HOST} ^olddomain.com [NC] 
RewriteRule ^(.*)$ http://www.domain.com/$1 [L,R]
########## End - Redirect olddomain.com to www.domain.com

########## Begin - Force HTTPS for certain pages
# Force the page foobar.html to run in HTTPS mode, no matter what Joomla! says.
# This line is required for this rule to work properly
RewriteCond %{HTTPS} ^off$ [NC]
# This is a sample redirection for foobar.html. Do note that you have to change
# www.domain.com to reflect your own domain. Remember to escape the dots using
# \. in the left hand side of each rule.
RewriteRule ^foobar\.html$ https://www.domain.com/foobar.html [L,R]
# Add more rules below this line
########## End - Force HTTPS for certain pages

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# If the request contains /proc/self/environ (by SigSiu.net)
RewriteCond %{QUERY_STRING} proc\/self\/environ [OR]
# Legacy configuration variable injection
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode stuff to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script trying to base64_decode stuff to send via URL
RewriteCond %{QUERY_STRING} base64_decode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return a 403 Forbidden
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits

########## Begin - File injection protection, by SigSiu.net
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]\=http:\/\/(.*)
RewriteRule ^(.*)$ - [F,L]
########## End - File injection protection

########## Begin - Advanced server protection rules exceptions ####
##
## These are sample exceptions to the Advanced Server Protection 2.0
## rule set further down this file.
##
## Allow UddeIM CAPTCHA
RewriteRule ^(components/com_uddeim/captcha15\.php)$ $1 [L]
## Allow Phil Taylor's Turbo Gears
RewriteRule ^(plugins/system/GoogleGears/gears-manifest\.php) $1 [L]
## Allow JoomlaWorks AllVideos
RewriteRule ^(plugins/content/jw_allvideos/includes/jw_allvideos_scripts\.php) $1 [L]
## Allow Admin Tools Joomla! updater to run
RewriteRule ^(administrator/components/com_admintools/restore\.php) $1 [L]
## Allow Akeeba Backup Professional's integrated restoration script to run
RewriteRule ^(administrator/components/com_akeeba/restore\.php) $1 [L]

# Add more rules to single PHP files here

## Allow Agora attachments, but not PHP files in that directory!
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} !(\.php)$
RewriteRule ^(components/com_agora/img/members/.*) $1 [L]

# Add more rules for allowing full access (except PHP files) on more directories here

## Uncomment to allow full access to the cache directory (strongly not recommended!)
#RewriteRule ^(cache/.*)$ $1 [L]
## Uncomment to allow full access to the tmp directory (strongly not recommended!)
#RewriteRule ^(tmp/.*)$ $1 [L]

# Add more full access rules here

########## End - Advanced server protection rules exceptions ####

########## Begin - Advanced server protection
# Advanced server protection, version 2.0 - August 2010
# by Nicholas K. Dionysopoulos

## Referrer filtering for common media files. Replace with your own domain.
## This blocks most common fingerprinting attacks ;)
## Note: Change www\.domain\.com with your own domain name, substituting the dots with
## \., i.e.: www\.example\.com for www.example.com
RewriteRule ^(images/stories/*\.(jpe[g,2]?|jpg|png|gif|bmp|css|js|swf|ico|htm[l]?))$ $1 [L]
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{HTTP_REFERER} !^http://www\.domain\.com [NC]
RewriteRule \.(jpe[g,2]?|jpg|png|gif|bmp|css|js|swf|ico|htm[l]?)$ - [F,L]

## Disallow visual fingerprinting of Joomla! sites (module position dump)
## Initial idea by Brian Teeman and Ken Crowder, see:
## http://www.slideshare.net/brianteeman/hidden-joomla-secrets
## Improved by @nikosdion to work more efficiently and handle template
## and tmpl query parameters
RewriteCond %{QUERY_STRING} (^|&)tmpl=component [NC]
RewriteRule ^(.*)$ $1 [L]
RewriteCond %{QUERY_STRING} (^|&)tp= [NC,OR]
RewriteCond %{QUERY_STRING} (^|&)template= [NC,OR]
RewriteCond %{QUERY_STRING} (^|&)tmpl= [NC]
RewriteRule ^(.*)$ - [F,L]

## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine
## your PHP version). See http://www.0php.com/php_easter_egg.php and
## http://osvdb.org/12184 for more information
RewriteCond %{QUERY_STRING} =PHP[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12} [NC]
RewriteRule ^(.*)$ - [F,L]

## Back-end protection
## This also blocks fingerprinting attacks browsing for XML and INI files
RewriteRule ^(administrator[/]?)$ administrator/index.php [L]
RewriteRule ^(administrator/index.htm[l]?)$ $1 [L]
RewriteRule ^(administrator/index.php)$ $1 [L]
RewriteRule ^(administrator/index[2,3].php)$ $1 [L]
RewriteRule ^(administrator/(components|modules|templates|images|plugins)/.*\.(jpe[g,2]?|jpg|png|gif|bmp|css|js|swf|htm[l]?))$ $1 [L]
RewriteRule ^administrator/(.*)$ - [F,L]

## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ directory
RewriteRule ^(xmlrpc/index\.php)$ $1 [L]
RewriteRule ^xmlrpc/(.*)$ - [F,L]

## Disallow front-end access for certain Joomla! system directories
RewriteRule ^(includes/js/.*)$ $1 [L]
RewriteRule ^(cache|includes|language|libraries|logs|tmp)/.*$ - [F,L]

## Allow limited access for certain Joomla! system directories with client-accessible content
RewriteRule ^((components|modules|plugins|templates)/.*\.(jp[g,2,eg]?|png|gif|bmp|css|js|swf|ico|htm[l]?))$ $1 [L]
RewriteRule ^((components|modules|plugins|templates)/.*index\.php(.*))$ $1 [L]
RewriteRule ^(templates/.*\.php)$ $1 [L]
RewriteRule ^(components|modules|plugins|templates)/.*$ - [F,L]

## Disallow access to htaccess.txt and configuration.php-dist
RewriteRule ^(htaccess\.txt|configuration\.php-dist)$ - [F,L]

## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @
## http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html
## May cause problems on legitimate requests
RewriteCond %{QUERY_STRING} concat.*\( [NC,OR]
RewriteCond %{QUERY_STRING} union.*select.*\( [NC,OR]
RewriteCond %{QUERY_STRING} union.*all.*select.* [NC]
RewriteRule ^(.*)$ - [F,L]

########## End - Advanced server protection

########## Begin - Basic antispam Filter, by SigSiu.net
## I removed some common words, tweak to your liking
RewriteCond %{query_string} \bviagra\b [NC,OR]
RewriteCond %{query_string} \bambien\b [NC,OR]
RewriteCond %{query_string} \bblue\spill\b [NC,OR]
RewriteCond %{query_string} \bcialis\b [NC,OR]
RewriteCond %{query_string} \bcocaine\b [NC,OR]
RewriteCond %{query_string} \bejaculation\b [NC,OR]
RewriteCond %{query_string} \berectile\b [NC,OR]
RewriteCond %{query_string} \berections\b [NC,OR]
RewriteCond %{query_string} \bhoodia\b [NC,OR]
RewriteCond %{query_string} \bhuronriveracres\b [NC,OR]
RewriteCond %{query_string} \bimpotence\b [NC,OR]
RewriteCond %{query_string} \blevitra\b [NC,OR]
RewriteCond %{query_string} \blibido\b [NC,OR]
RewriteCond %{query_string} \blipitor\b [NC,OR]
RewriteCond %{query_string} \bphentermin\b [NC,OR]
RewriteCond %{query_string} \bprosac\b [NC,OR]
RewriteCond %{query_string} \bsandyauer\b [NC,OR]
RewriteCond %{query_string} \btramadol\b [NC,OR]
RewriteCond %{query_string} \btroyhamby\b [NC,OR]
RewriteCond %{query_string} \bultram\b [NC,OR]
RewriteCond %{query_string} \bunicauca\b [NC,OR]
RewriteCond %{query_string} \bvalium\b [NC,OR]
RewriteCond %{query_string} \bviagra\b [NC,OR]
RewriteCond %{query_string} \bvicodin\b [NC,OR]
RewriteCond %{query_string} \bxanax\b [NC,OR]
RewriteCond %{query_string} \bypxaieo\b [NC]
RewriteRule ^(.*)$ - [F,L]
########## End - Basic antispam Filter, by SigSiu.net

########## Begin - Joomla! core SEF Section
#
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteCond %{REQUEST_URI} !^/index.php
RewriteCond %{REQUEST_URI} (/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|\.ini|\.zip|\.json|/[^.]*)$  [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule (.*) index.php [L]
#
########## End - Joomla! core SEF Section
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

e-kinst
Joomla! Fledgling
Posts: 4
Joined: Wed Sep 08, 2010 8:00 pm

Re: Suggested Master .htaccess file

Post by e-kinst » Tue Jan 25, 2011 8:38 am

Hi everybody!

1. It seems there is a bug in the suggested file v.2.2 or 2.3 (different parts of the file state different versions) from 18-Nov-2010. There is:

## Referrer filtering for common media files. Replace with your own domain.
## This blocks most common fingerprinting attacks ;)
## Note: Change www\.domain\.com with your own domain name, substituting the dots with
## \., i.e.: www\.example\.com for http://www.example.com
RewriteRule ^(images/stories/*\.(jpe[g,2]?|jpg|png|gif|bmp|css|js|swf|ico|htm[l]?))$ $1 [L]
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{HTTP_REFERER} !^http://www\.domain\.com [NC]
RewriteRule \.(jpe[g,2]?|jpg|png|gif|bmp|css|js|swf|ico|htm[l]?)$ - [F,L]
This does not work for me, at least. I think there should be a dot before the asterisk in the first rule; this works OK for me:

RewriteRule ^(images/stories/.*\.(jpe[g,2]?|jpg|png|gif|bmp|css|js|swf|ico|htm[l]?))$ $1 [L]
2. It's not a bug but a convenience, I suppose: what about

RewriteCond %{HTTP_REFERER} !^http://[www\.]?domain\.com [NC]
or even

RewriteCond %{HTTP_REFERER} !^http://([a-zA-Z0-9_]+\.)?domain\.com [NC]
instead of

RewriteCond %{HTTP_REFERER} !^http://www\.domain\.com [NC]
?

3. Is it OK to use the NC flag for
RewriteRule ^(images/stories/*\.(jpe[g,2]?|jpg|png|gif|bmp|css|js|swf|ico|htm[l]?))$ $1 [L]
Sometimes there are image files with uppercase extensions, e.g. when FTP is used to upload them.

4. I'm not sure that CSS, JS and HTML files should be here. Is the images folder the right place for them? My Joomla! experience is too little to make a decision.

5. Is there any reason to use a dot (any character) instead of \. (exactly a dot) in the SEF section?

RewriteCond %{REQUEST_URI} !^/index.php
6. A very strange thing. Everything seems OK on my site, but there is this message in my server error log:

mod_rewrite: maximum number of internal redirects reached. Assuming configuration error. Use 'RewriteOptions MaxRedirects' to increase the limit if neccessary.
I detected that the problem is in this line:
RewriteRule ^((components|modules|plugins|templates)/.*\.(jp[g,2,eg]?|png|gif|bmp|css|js|swf|ico|htm[l]?))$ $1 [L]
Moreover, it is the GIF extension in this line: removing 'gif' makes everything fine for me, except that no GIF picture is displayed ;D.
I changed it to this (dash instead of $1):
RewriteRule ^((components|modules|plugins|templates)/.*\.(jp[g,2,eg]?|png|gif|bmp|css|js|swf|ico|htm[l]?))$ - [L]
and there are no rewrite errors now.
Do these changes have any side effects that I don't see yet?

Thanks for any comments.

gokujames
Joomla! Enthusiast
Posts: 198
Joined: Sat Jul 03, 2010 4:10 am

403 access denied because of .htaccess

Post by gokujames » Fri Feb 04, 2011 2:36 pm

Hi, this is my site http://www.deeptechtons.net and below is my .htaccess file. The .htaccess file is a modification of the default Master .htaccess file on the Joomla docs. If you look in Firebug, the CSS and all media have been served with 403 Forbidden; I am sure it is due to some misconfiguration. Please advise about this.

##
# @version $Id: htaccess.txt 14401 2010-01-26 14:10:00Z louis $
# @package Joomla
# @copyright Copyright (C) 2005 - 2010 Open Source Matters. All rights reserved.
# @license http://www.gnu.org/copyleft/gpl.html GNU/GPL
# Joomla! is Free Software
##


#####################################################
#  READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE
#
# The line just below this section: 'Options +FollowSymLinks' may cause problems
# with some server configurations.  It is required for use of mod_rewrite, but may already
# be set by your server administrator in a way that disallows changing it in
# your .htaccess file.  If using it causes your server to error out, comment it out (add # to
# beginning of line), reload your site in your browser and test your sef url's.  If they work,
# it has been set by your server administrator and you do not need it set here.
#
#####################################################

###############################################################################
## The Master .htaccess
##
## Version 2.2 - November 18th, 2010
##
## ----------
## This file is designed to be the template .htaccess file to put on your new
## sites, increasing your site's security and performance. It is not meant to
## be just dropped in your site, though. You should go through all of its
## sections and modify it to match your site. Most notably, all instances of
## domain.com and domain\.com should be replaced with your real domain name.
##
## Some sections are too picky and may cause problems with legitimate requests.
## You are ultimately responsible for disabling them or writing exception rules
## for your requests. Most notably, the advanced server protection section will
## cause issues with several minifiers, eXtplorer, VirtueMart and other exten-
## sions which use non-standard scripts as their entry points. You must add
## exceptions for them manually.
##
## Some sections - depending on your server configuration - may cause your site
## to throw 500 Internal Server Error. The only way to figure out which one is
## causing it is trial and error.
##
## Big thank you's to Brian Teeman, Ken Crowder, Radek Suski and Fotis
## Evangelou for sharing their .htaccess rules with the world and inspiring
## the creation of this file. Special thanks to Jon Brown for sharing his
## research and helping me improve this file.
##
## ----------------------------------------------------------------------
## Do you want to customize this .htaccess file with a few clicks?
## Admin Tools Professional by AkeebaBackup.com does this and much more.
##
## Learn more: http://www.akeebabackup.com/software/admin-tools.html
## ----------------------------------------------------------------------
##
## Have fun, stay safe.
##
## Nicholas K. Dionysopoulos
## Lead Developer, AkeebaBackup.com
##
## CHANGELOG:
## Version 2.3 (November 18th, 2010)
## - Added .ico to the pass-through rules, for favicons to load
## Version 2.2 (October 25th, 2010)
## - Bug in the tmpl=component rule
## Version 2.1 (October 19th, 2010)
## - index.php to root redirection would kill some AJAX requests
## - Referer filtering was screwed up
## - Simplified and more thorough PHP Easter Egg code (thanks Jon!)
## - The tp/template/tmpl filter was not thorough and killed some components
## - Optimized Joomla! core SEF section
## - Bot filters and GZip optimization would never run for dynamic content
## - Content expiration optimization got more optimized
## - Added ETag rule
##
###############################################################################

########## Begin - RewriteEngine enabled
RewriteEngine On
########## End - RewriteEngine enabled

########## Begin - RewriteBase
#  Uncomment following line if your webserver's URL
#  is not directly related to physical file paths.
#  Update Your Joomla! Directory (just / for root)

# RewriteBase /
########## End - RewriteBase

########## Begin - File execution order, by Komra.de
DirectoryIndex index.php index.html
########## End - File execution order

########## Begin - No directory listings
## Note: +FollowSymlinks may cause problems and you might have to remove it
IndexIgnore *
Options +FollowSymLinks All -Indexes
########## End - No directory listings

########## Begin - ETag Optimization
## This rule will create an ETag for files based only on the modification
## timestamp and their size. This works wonders if you are using rsync'ed
## servers, where the inode number of identical files differs.
## Note: It may cause problems on your server and you may need to remove it
FileETag MTime Size
########## End - ETag Optimization

########## Begin - Optimal default expiration time
## Note: this might cause problems and you might have to comment it out by
## placing a hash in front of this section's lines
<IfModule mod_expires.c>
	# Enable expiration control
	ExpiresActive On

	# Default expiration: 1 hour after request
	ExpiresDefault "now plus 1 hour"
	
	# CSS and JS expiration: 1 week after request
	ExpiresByType text/css "now plus 1 week"
	ExpiresByType application/javascript "now plus 1 week"
	ExpiresByType application/x-javascript "now plus 1 week"
	
	# Image files expiration: 1 year after request
	ExpiresByType image/bmp "now plus 1 year"
	ExpiresByType image/gif "now plus 1 year"
	ExpiresByType image/jpeg "now plus 1 year"
	ExpiresByType image/jp2 "now plus 1 year"
	ExpiresByType image/pipeg "now plus 1 year"
	ExpiresByType image/png "now plus 1 year"
	ExpiresByType image/svg+xml "now plus 1 year"
	ExpiresByType image/tiff "now plus 1 year"
	ExpiresByType image/vnd.microsoft.icon "now plus 1 year"
	ExpiresByType image/x-icon "now plus 1 year"
	ExpiresByType image/ico "now plus 1 year"
	ExpiresByType image/icon "now plus 1 year"
	ExpiresByType text/ico "now plus 1 year"
	ExpiresByType application/ico "now plus 1 year"
	ExpiresByType image/vnd.wap.wbmp "now plus 1 year"
	ExpiresByType application/vnd.wap.wbxml "now plus 1 year"
	ExpiresByType application/smil "now plus 1 year"
	
	# Audio files expiration: 1 year after request
	ExpiresByType audio/basic "now plus 1 year"
	ExpiresByType audio/mid "now plus 1 year"
	ExpiresByType audio/midi "now plus 1 year"
	ExpiresByType audio/mpeg "now plus 1 year"
	ExpiresByType audio/x-aiff "now plus 1 year"
	ExpiresByType audio/x-mpegurl "now plus 1 year"
	ExpiresByType audio/x-pn-realaudio "now plus 1 year"
	ExpiresByType audio/x-wav "now plus 1 year"
	
	# Movie files expiration: 1 year after request
	ExpiresByType application/x-shockwave-flash "now plus 1 year"
	ExpiresByType x-world/x-vrml "now plus 1 year"
	ExpiresByType video/x-msvideo "now plus 1 year"
	ExpiresByType video/mpeg "now plus 1 year"
	ExpiresByType video/mp4 "now plus 1 year"
	ExpiresByType video/quicktime "now plus 1 year"
	ExpiresByType video/x-la-asf "now plus 1 year"
	ExpiresByType video/x-ms-asf "now plus 1 year"
</IfModule>
########## End - Optimal expiration time

########## Begin - Common hacking tools and bandwidth hoggers block
## By SigSiu.net and @nikosdion.
## WARNING: This will also block old versions of JoomlaPack Remote
## and will disallow running CRON jobs using wget.
# The following rules are for common hacking tools:
SetEnvIf user-agent "Indy Library" stayout=1
SetEnvIf user-agent "libwww-perl" stayout=1
SetEnvIf user-agent "Wget" stayout=1
# The following rules are for bandwidth-hogging download tools
SetEnvIf user-agent "Download Demon" stayout=1
SetEnvIf user-agent "GetRight" stayout=1
SetEnvIf user-agent "GetWeb!" stayout=1
SetEnvIf user-agent "Go!Zilla" stayout=1
SetEnvIf user-agent "Go-Ahead-Got-It" stayout=1
SetEnvIf user-agent "GrabNet" stayout=1
SetEnvIf user-agent "TurnitinBot" stayout=1
# This line denies access to all of the above tools
deny from env=stayout
########## End - Common hacking tools and bandwidth hoggers block

########## Begin - Automatic compression of resources
# Compress text, html, javascript, css, xml, kudos to Komra.de
# May kill access to your site for old versions of Internet Explorer
# AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript
########## End - Automatic compression of resources

########## Begin - Google Apps redirection, by Komra.de
Redirect 301 /mail http://mail.google.com/a/deeptechtons.net
########## End - Google Apps redirection

########## Begin - Redirect index.php to /
## Note: Change domain.com to reflect your own domain
RewriteCond %{THE_REQUEST} ^.*/index\.php$
RewriteRule ^index\.php$ http://labs.Deeptechtons.net/ [R,L]
########## End - Redirect index.php to /

########## Begin - Redirect non-www to www
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R,L]
########## End - Redirect non-www to www

########## Begin - Redirect www to non-www
## WARNING: Comment out the non-www to www rule if you choose to use this
#RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
#RewriteRule ^(.*)$ http://%1/$1 [R,L]
########## End - Redirect www to non-www

########## Begin - Redirect olddomain.com to www.domain.com
## Note: olddomain.com is your old domain name, you want to redirect FROM,
## whereas www.domain.com is the new domain name you want to redirect TO.
## Change those names to reflect your current configuration. Remember, this
## file is supposed to be placed in www.domain.com!
RewriteCond %{HTTP_HOST} ^donate.deeptechtons.net [NC] 
RewriteRule ^(.*)$ http://labs.deeptechtons.net/$1 [L,R]
########## End - Redirect olddomain.com to www.domain.com

########## Begin - Force HTTPS for certain pages
# Force the page foobar.html to run in HTTPS mode, no matter what Joomla! says.
# This line is required for this rule to work properly
#RewriteCond %{HTTPS} ^off$ [NC]
# This is a sample redirection for foobar.html. Do note that you have to change
# www.domain.com to reflect your own domain. Remember to escape the dots using
# \. in the left hand side of each rule.
#RewriteRule ^foobar\.html$ https://www.domain.com/foobar.html [L,R]
# Add more rules below this line
########## End - Force HTTPS for certain pages

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# If the request contains /proc/self/environ (by SigSiu.net)
RewriteCond %{QUERY_STRING} proc\/self\/environ [OR]
# Legacy configuration variable injection
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode stuff to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script trying to base64_decode stuff to send via URL
RewriteCond %{QUERY_STRING} base64_decode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return a 403 Forbidden
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits

########## Begin - File injection protection, by SigSiu.net
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]\=http:\/\/(.*)
RewriteRule ^(.*)$ - [F,L]
########## End - File injection protection

########## Begin - Advanced server protection rules exceptions ####
##
## These are sample exceptions to the Advanced Server Protection 2.0
## rule set further down this file.
##
## Allow UddeIM CAPTCHA
RewriteRule ^(components/com_uddeim/captcha15\.php)$ $1 [L]
## Allow Phil Taylor's Turbo Gears
RewriteRule ^(plugins/system/GoogleGears/gears-manifest\.php) $1 [L]
## Allow JoomlaWorks AllVideos
RewriteRule ^(plugins/content/jw_allvideos/includes/jw_allvideos_scripts\.php) $1 [L]
## Allow Admin Tools Joomla! updater to run
RewriteRule ^(administrator/components/com_admintools/restore\.php) $1 [L]
## Allow Akeeba Backup Professional's integrated restoration script to run
RewriteRule ^(administrator/components/com_akeeba/restore\.php) $1 [L]

# Add more rules to single PHP files here

## Allow Agora attachments, but not PHP files in that directory!
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} !(\.php)$
RewriteRule ^(components/com_agora/img/members/.*) $1 [L]

# Add more rules for allowing full access (except PHP files) on more directories here

## Uncomment to allow full access to the cache directory (strongly not recommended!)
#RewriteRule ^(cache/.*)$ $1 [L]
## Uncomment to allow full access to the tmp directory (strongly not recommended!)
#RewriteRule ^(tmp/.*)$ $1 [L]

# Add more full access rules here

########## End - Advanced server protection rules exceptions ####

########## Begin - Advanced server protection
# Advanced server protection, version 2.0 - August 2010
# by Nicholas K. Dionysopoulos

## Referrer filtering for common media files. Replace with your own domain.
## This blocks most common fingerprinting attacks ;)
## Note: Change www\.domain\.com with your own domain name, substituting the dots with
## \., i.e.: www\.example\.com for www.example.com
RewriteRule ^(images/stories/*\.(jpe[g,2]?|jpg|png|gif|bmp|css|js|swf|ico|htm[l]?))$ $1 [L]
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{HTTP_REFERER} !^http://\.labs.deeptechtons\.net [NC]
RewriteRule \.(jpe[g,2]?|jpg|png|gif|bmp|css|js|swf|ico|htm[l]?)$ - [F,L]

## Disallow visual fingerprinting of Joomla! sites (module position dump)
## Initial idea by Brian Teeman and Ken Crowder, see:
## http://www.slideshare.net/brianteeman/hidden-joomla-secrets
## Improved by @nikosdion to work more efficiently and handle template
## and tmpl query parameters
RewriteCond %{QUERY_STRING} (^|&)tmpl=component [NC]
RewriteRule ^(.*)$ $1 [L]
RewriteCond %{QUERY_STRING} (^|&)tp= [NC,OR]
RewriteCond %{QUERY_STRING} (^|&)template= [NC,OR]
RewriteCond %{QUERY_STRING} (^|&)tmpl= [NC]
RewriteRule ^(.*)$ - [F,L]

## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine
## your PHP version). See http://www.0php.com/php_easter_egg.php and
## http://osvdb.org/12184 for more information
RewriteCond %{QUERY_STRING} =PHP[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12} [NC]
RewriteRule ^(.*)$ - [F,L]

## Back-end protection
## This also blocks fingerprinting attacks browsing for XML and INI files
##RewriteRule ^(administrator[/]?)$ administrator/index.php [L]
##RewriteRule ^(administrator/index.htm[l]?)$ $1 [L]
##RewriteRule ^(administrator/index.php)$ $1 [L]
##RewriteRule ^(administrator/index[2,3].php)$ $1 [L]
##RewriteRule ^(administrator/(components|modules|templates|images|plugins)/.*\.(jpe[g,2]?|jpg|png|gif|bmp|css|js|swf|htm[l]?))$ $1 [L]
##RewriteRule ^administrator/(.*)$ - [F,L]

## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ directory
RewriteRule ^(xmlrpc/index\.php)$ $1 [L]
RewriteRule ^xmlrpc/(.*)$ - [F,L]

## Disallow front-end access for certain Joomla! system directories
## RewriteRule ^(includes/js/.*)$ $1 [L]
## RewriteRule ^(cache|includes|language|libraries|logs|tmp)/.*$ - [F,L]

## Allow limited access for certain Joomla! system directories with client-accessible content
## RewriteRule ^((components|modules|plugins|templates)/.*\.(jp[g,2,eg]?|png|gif|bmp|css|js|swf|ico|htm[l]?))$ $1 [L]
## RewriteRule ^((components|modules|plugins|templates)/.*index\.php(.*))$ $1 [L]
## RewriteRule ^(templates/.*\.php)$ $1 [L]
## RewriteRule ^(components|modules|plugins|templates)/.*$ - [F,L]

## Disallow access to htaccess.txt and configuration.php-dist
RewriteRule ^(htaccess\.txt|configuration\.php-dist)$ - [F,L]

## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @
## http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html
## May cause problems on legitimate requests
RewriteCond %{QUERY_STRING} concat.*\( [NC,OR]
RewriteCond %{QUERY_STRING} union.*select.*\( [NC,OR]
RewriteCond %{QUERY_STRING} union.*all.*select.* [NC]
RewriteRule ^(.*)$ - [F,L]

########## End - Advanced server protection

########## Begin - Basic antispam Filter, by SigSiu.net
## I removed some common words, tweak to your liking
RewriteCond %{query_string} \bviagra\b [NC,OR]
RewriteCond %{query_string} \bambien\b [NC,OR]
RewriteCond %{query_string} \bblue\spill\b [NC,OR]
RewriteCond %{query_string} \bcialis\b [NC,OR]
RewriteCond %{query_string} \bcocaine\b [NC,OR]
RewriteCond %{query_string} \bejaculation\b [NC,OR]
RewriteCond %{query_string} \berectile\b [NC,OR]
RewriteCond %{query_string} \berections\b [NC,OR]
RewriteCond %{query_string} \bhoodia\b [NC,OR]
RewriteCond %{query_string} \bhuronriveracres\b [NC,OR]
RewriteCond %{query_string} \bimpotence\b [NC,OR]
RewriteCond %{query_string} \blevitra\b [NC,OR]
RewriteCond %{query_string} \blibido\b [NC,OR]
RewriteCond %{query_string} \blipitor\b [NC,OR]
RewriteCond %{query_string} \bphentermin\b [NC,OR]
RewriteCond %{query_string} \bprosac\b [NC,OR]
RewriteCond %{query_string} \bsandyauer\b [NC,OR]
RewriteCond %{query_string} \btramadol\b [NC,OR]
RewriteCond %{query_string} \btroyhamby\b [NC,OR]
RewriteCond %{query_string} \bultram\b [NC,OR]
RewriteCond %{query_string} \bunicauca\b [NC,OR]
RewriteCond %{query_string} \bvalium\b [NC,OR]
RewriteCond %{query_string} \bviagra\b [NC,OR]
RewriteCond %{query_string} \bvicodin\b [NC,OR]
RewriteCond %{query_string} \bxanax\b [NC,OR]
RewriteCond %{query_string} \bypxaieo\b [NC]
RewriteRule ^(.*)$ - [F,L]
########## End - Basic antispam Filter, by SigSiu.net

########## Begin - Optimal default expiration time
## Note: this might cause problems and you might have to comment it out by
## placing a hash in front of this section's lines
## <FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf)(\.gz)?$">
## Header set Expires "Thu, 15 Apr 2012 20:00:00 GMT"
## Header unset ETag
## FileETag None
## </FilesMatch>
########## End - Optimal expiration time

########## Begin - Joomla! core SEF Section
#
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteCond %{REQUEST_URI} !^/index.php
RewriteCond %{REQUEST_URI} (/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|\.ini|\.zip|\.json|/[^.]*)$  [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule (.*) index.php [L]
#
########## End - Joomla! core SEF Section
Last edited by mandville on Fri Feb 04, 2011 2:49 pm, edited 1 time in total.
Reason: merged with Suggested Master .htaccess file topic
Please read forum rules regarding signatures: http://forum.joomla.org/viewtopic.php?t=65

gokujames
Joomla! Enthusiast
Posts: 198
Joined: Sat Jul 03, 2010 4:10 am

Re: Suggested Master .htaccess file

Post by gokujames » Fri Feb 04, 2011 4:45 pm

I will just bump this up, as the configuration is simple but the effect is massive: no styles, site unusable.

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Suggested Master .htaccess file

Post by leolam » Sat Feb 05, 2011 8:47 am

gokujames wrote:no styles, site unusable
Means what? The Master works well on all our sites and on our client sites. What exactly did you add or change?

Leo 8)
Last edited by leolam on Sat Feb 05, 2011 9:55 am, edited 1 time in total.
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

kurchania
Joomla! Hero
Posts: 2070
Joined: Mon Sep 21, 2009 6:56 am
Location: indore,india

Re: Suggested Master .htaccess file

Post by kurchania » Sat Feb 05, 2011 9:08 am

Hi gokujames,
before bumping any one of us, can you first ask your hosting provider about this?

Regards
Abhijeet
abhijeet kurchania
The future depends on what you do today

gokujames
Joomla! Enthusiast
Posts: 198
Joined: Sat Jul 03, 2010 4:10 am

Re: Suggested Master .htaccess file

Post by gokujames » Mon Feb 07, 2011 4:26 am

leolam wrote:
gokujames wrote:no styles, site unusable
Means what? The Master works well on all our sites and on our client sites. What exactly did you add or change?
Leo 8)
Thanks for the reply, Leo. The piece of code below was blocking access to the style sheets, JS and media elements. I commented it out to make my site work:

## Referrer filtering for common media files. Replace with your own domain.
## This blocks most common fingerprinting attacks ;)
## Note: Change www\.domain\.com with your own domain name, substituting the dots with
## \., i.e.: www\.example\.com for www.example.com
RewriteRule ^(images/stories/*\.(jpe[g,2]?|jpg|png|gif|bmp|css|js|swf|ico|htm[l]?))$ $1 [L]
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{HTTP_REFERER} !^http://\.labs.deeptechtons\.net [NC]
RewriteRule \.(jpe[g,2]?|jpg|png|gif|bmp|css|js|swf|ico|htm[l]?)$ - [F,L]
BTW, I am using Joomla 1.5.2 Stable; using

?tp=1

to view the module positions throws a 403 Forbidden error. Is it due to the .htaccess file?
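The regex questions in e-kinst's post above (the missing dot in `images/stories/*\.`, the referer variants, the unescaped dot in `^/index.php`) and the 403s from the referer block and `?tp=1` in gokujames's file can all be checked offline. The following is an added example, not code from the thread or from the Master .htaccess author: it evaluates the thread's own patterns with Python's re module, which handles these particular patterns the same way mod_rewrite's PCRE does; the host names are those quoted in the thread, while the file paths, referers and query strings are constructed samples.

```python
"""Simulate the rewrite patterns discussed in this thread with Python's re.
Added example, not code from the thread or from the Master .htaccess author.
Host names are the ones quoted in the thread; paths, referers and query
strings are constructed samples."""
import re

# Extension alternation used by the referer-filtering block
MEDIA_EXT = r"(jpe[g,2]?|jpg|png|gif|bmp|css|js|swf|ico|htm[l]?)"
# Pass-through rule as shipped in v2.2/2.3 and as corrected by e-kinst
PASS_SHIPPED = r"^(images/stories/*\." + MEDIA_EXT + r")$"
PASS_FIXED = r"^(images/stories/.*\." + MEDIA_EXT + r")$"
# Final RewriteRule of that block: 403 for media files whose referer failed
BLOCK_MEDIA = r"\." + MEDIA_EXT + r"$"

REFERER_ALLOW = {
    "master": r"^http://www\.domain\.com",
    "class": r"^http://[www\.]?domain\.com",      # e-kinst's first variant
    "group": r"^http://(www\.)?domain\.com",      # a group, which is what was meant
    "subdomain": r"^http://([a-zA-Z0-9_]+\.)?domain\.com",  # e-kinst's second variant
    "gokujames": r"^http://\.labs.deeptechtons\.net",  # as posted: stray \. after //
    "gokujames_fixed": r"^http://labs\.deeptechtons\.net",
}

FINGERPRINT_CONDS = [r"(^|&)tp=", r"(^|&)template=", r"(^|&)tmpl="]


def cond(pattern, value, nc=False, negate=False):
    """One RewriteCond: regex search over the variable; [NC] ignores case and
    a leading ! negates the outcome."""
    hit = re.search(pattern, value, re.IGNORECASE if nc else 0) is not None
    return (not hit) if negate else hit


def rule_matches(pattern, path):
    """RewriteRule pattern test against the path relative to the .htaccess dir."""
    return re.search(pattern, path) is not None


def media_forbidden(path, referer, allow_key, pass_pattern=PASS_FIXED):
    """Walk the referer-filtering block for one request to an existing file:
    the pass-through rule ends processing for images/stories; any other
    media file whose referer fails the allow pattern gets 403."""
    if rule_matches(pass_pattern, path):
        return False
    if not rule_matches(BLOCK_MEDIA, path):
        return False
    # RewriteCond %{REQUEST_FILENAME} -f is taken as true for these samples
    return cond(REFERER_ALLOW[allow_key], referer, nc=True, negate=True)


def fingerprint_forbidden(query_string):
    """The module-position dump filter: tmpl=component is let through first,
    anything else carrying tp=, template= or tmpl= gets 403."""
    if cond(r"(^|&)tmpl=component", query_string, nc=True):
        return False
    return any(cond(p, query_string, nc=True) for p in FINGERPRINT_CONDS)


def sef_skip_matches(request_uri, escaped):
    """The SEF section's first condition with and without the escaped dot."""
    pattern = r"^/index\.php" if escaped else r"^/index.php"
    return re.search(pattern, request_uri) is not None


if __name__ == "__main__":
    # 1. "/*\." is zero or more slashes then a dot, so only a name like
    #    images/stories.png matches, never a file inside the directory
    print(rule_matches(PASS_SHIPPED, "images/stories/logo.png"))  # False
    print(rule_matches(PASS_SHIPPED, "images/stories.png"))       # True
    print(rule_matches(PASS_FIXED, "images/stories/logo.png"))    # True
    # 2. [www\.]? is a one-character class, so the www host is rejected
    print(cond(REFERER_ALLOW["class"], "http://www.domain.com/", nc=True))  # False
    print(cond(REFERER_ALLOW["group"], "http://www.domain.com/", nc=True))  # True
    # 3. the posted condition never matches, so every stylesheet gets 403
    css = "templates/ja_purity/css/template.css"
    print(media_forbidden(css, "http://labs.deeptechtons.net/", "gokujames"))        # True
    print(media_forbidden(css, "http://labs.deeptechtons.net/", "gokujames_fixed"))  # False
    # even a correct pattern forbids referer-less requests (direct visits,
    # privacy proxies), which is what makes this block fragile
    print(media_forbidden(css, "", "gokujames_fixed"))  # True
    # 4. ?tp=1 trips the module-position filter regardless of the referer block
    print(fingerprint_forbidden("tp=1"))                              # True
    print(fingerprint_forbidden("option=com_content&tmpl=component"))  # False
    # 5. the unescaped dot also skips /indexXphp, harmless but sloppy
    print(sef_skip_matches("/indexXphp", escaped=False))  # True
    print(sef_skip_matches("/indexXphp", escaped=True))   # False
```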

gokujames
Joomla! Enthusiast
Posts: 198
Joined: Sat Jul 03, 2010 4:10 am

Re: Suggested Master .htaccess file

Post by gokujames » Mon Feb 07, 2011 4:28 am

kurchania wrote:hi gokujames,
before bumping anyone of us can you first ask this thing to your hosting provider?
Regards
Abhijeet
Thanks Abhijeet. Yes, all features in the .htaccess file are supported by the hosting provider, and my hosting provider does not know anything about the .htaccess file codes [bunch of goons, I suppose],
but I managed to solve the problem on a trial-and-error basis.

ilox
Joomla! Explorer
Posts: 444
Joined: Thu Aug 25, 2005 3:29 pm
Location: Adelaide, South Australia

Re: Suggested Master .htaccess file

Post by ilox » Fri Feb 11, 2011 1:24 pm

gokujames wrote:BTW, I am using Joomla 1.5.2 Stable ...

Please confirm the version you are using. Is it 1.5.2 Stable or is it 1.5.22 stable?
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life

sog2012
Joomla! Explorer
Posts: 457
Joined: Fri Feb 11, 2011 1:47 am

Re: Suggested Master .htaccess file

Post by sog2012 » Fri Mar 04, 2011 1:41 am

Seriously, is this really necessary for the average person and average small business? Why would hackers target just your site unless you are a big player?

And should I rename the htaccess.txt file in my root directory to htaccess? At present my Joomla website doesn't have an htaccess file at all, only that file called htaccess.txt. What should I do?
Best wishes and God bless.

