FAQ: How to protect a site using .htaccess and mod_rewrite

This is the archive of all FAQ related threads.

Post by rliskey » Sat Oct 07, 2006 2:56 am

RobS created a set of mod_rewrite conditions (below) that you can tag onto the end of your .htaccess file. These conditions will block a good number of common exploit attempts while interfering as little as possible with legitimate usage.

Each server configuration is unique. If you are forwarded to your home page and receive a 403 Forbidden error, you will know these settings worked incorrectly on your site. If a particular rule breaks some feature of your site, just comment it out by placing a # in front of the offending rule.

Note: As of Joomla! version 1.0.11, these settings are included in the file, htaccess.txt (no dot in filename) which is automatically added to your site during the Joomla! install.

1. Append the following code to the .htaccess file in the same directory as your Joomla! index.php file (often your public_html directory).
2. Test your site.
3. If the site produces errors, comment out all of these lines, and uncomment and test one line at a time until you find the problem directive(s).
4. Try to tweak these directives to work on your server, or leave them commented out.

Code:

########## Begin - Rewrite rules to block out some common exploits
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked requests to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
########## End - Rewrite rules to block out some common exploits

More Information
  • Help finding or creating your .htaccess file is here.
  • Good background information on Apache mod rewrite is on Wikipedia.
    Discuss this FAQ here.

Keywords: security, htaccess, .htaccess, rewrite, mod rewrite, modrewrite
Last edited by rliskey on Mon Feb 26, 2007 8:08 am, edited 1 time in total.
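
For steps 2 and 3 above, the five conditions can be checked offline before touching the live .htaccess. The following is an added example, not part of the original post or of the Joomla! distribution: it copies the patterns from the RewriteCond lines into Python's `re` module and reports which condition fires for each query string, so a rule that would break a site feature can be identified by name. The sample query strings and the labels are constructed for illustration.

```python
import re

# Patterns copied from the RewriteCond lines in the post.
# The [NC] flag on the <script> rule maps to re.IGNORECASE; the others are case-sensitive.
RULES = [
    ("mosConfig",     r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)", 0),
    ("base64_encode", r"base64_encode.*\(.*\)",             0),
    ("script tag",    r"(\<|%3C).*script.*(\>|%3E)",        re.IGNORECASE),
    ("GLOBALS",       r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})",     0),
    ("_REQUEST",      r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})",    0),
]

def matching_rules(query_string):
    """Return the label of every condition that matches.

    mod_rewrite tests %{QUERY_STRING} exactly as sent (not URL-decoded)
    and unanchored, so re.search on the raw string mirrors it.
    """
    return [label for label, pattern, flags in RULES
            if re.search(pattern, query_string, flags)]

def is_blocked(query_string):
    """The conditions are chained with [OR]: one match is enough for the 403."""
    return bool(matching_rules(query_string))

# Constructed sample query strings: ordinary traffic, requests the rules
# are meant to stop, and legitimate requests that trip a rule anyway.
SAMPLES = [
    "option=com_content&task=view&id=5&Itemid=2",
    "mosConfig_absolute_path=http://example.invalid/x.txt",
    "name=%3CScRiPt%3E",
    "_REQUEST[option]=x",
    "searchword=GLOBALS%20in%20PHP",    # site search for the word GLOBALS
    "text=base64_encode(data)",         # visitor quoting PHP in a GET form
]

def report(samples):
    """Return (query_string, matched_labels) pairs for a list of samples."""
    return [(qs, matching_rules(qs)) for qs in samples]

if __name__ == "__main__":
    for qs, labels in report(SAMPLES):
        verdict = "403 via " + ", ".join(labels) if labels else "allowed"
        print(f"{verdict:<28} {qs}")
```

The last two samples are the kind of false positive the post warns about: the label shown is the directive to comment out or tweak.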