Joomla! Web Security

You're reading from Joomla! Web Security: Secure your Joomla! website from common security threats with this easy-to-use guide

Paperback, published in Oct 2008, ISBN-13 9781847194886, 264 pages

.htaccess


.htaccess is a wonderful and powerful tool on which we'll spend a lot of time later, but for now, make sure you include the following code in yours. If you are not familiar with .htaccess, or if you have a default setup of Joomla!, you will see in the root directory a file called htaccess.txt. This file lets you set Apache configuration directives on a per-directory basis. Here is the portion you should be running. It has been included in the base htaccess.txt file since Joomla! 1.0.11; check yours to ensure that you are running this highly valuable security measure.

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
#IF the URI contains a "http:" or "ftp:" or "https"
RewriteCond %{QUERY_STRING} http\: [OR]
RewriteCond %{QUERY_STRING} ftp\: [OR]
RewriteCond %{QUERY_STRING} https\: [OR]
#OR if the URI contains a "["
RewriteCond %{QUERY_STRING} \[ [OR]
#OR if the URI contains a "]"
RewriteCond %{QUERY_STRING} \] [OR]
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Answer every request matching one of the conditions above with a 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits

You will need to append the previous code segment to the end of your .htaccess file. If you haven't done so, please change the name from htaccess.txt to .htaccess.

This .htaccess patch from the Joomla.org core team has proven its worth against a slew of common attacks. As you read through it, you can see that each RewriteCond filters one pattern that could prove harmful to your site, and because every condition carries the [OR] flag, a single match is enough to trigger the rule. The last line in the file:

RewriteRule ^(.*)$ index.php [F,L]

tells Apache to refuse any request that matched one of those conditions with a 403 Forbidden error. The [F] flag forces the 403 response (so the index.php target is never actually served) and [L] stops further rewriting.
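To see which query strings the chain above rejects without touching a live server, here is an added Python harness (not from the book) that applies the same ten RewriteCond patterns in order, honouring the [OR] chaining and the [NC] flag on the <script> condition; the rule labels and the sample query strings are constructed for this example.

```python
import re

# The ten RewriteCond patterns from the Joomla! block above, in order, as
# (label, pattern, flags). Labels are assumptions used for reporting only.
# mod_rewrite uses PCRE; these patterns behave the same under Python's re.
RULES = [
    ("scheme in query string", r"http\:", 0),
    ("scheme in query string", r"ftp\:", 0),
    ("scheme in query string", r"https\:", 0),
    ("literal [", r"\[", 0),
    ("literal ]", r"\]", 0),
    ("mosConfig_ override", r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)", 0),
    ("base64_encode call", r"base64_encode.*\(.*\)", 0),
    # The only condition carrying [NC], so it alone is case-insensitive.
    ("<script> tag", r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE),
    ("GLOBALS override", r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", 0),
    ("_REQUEST override", r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", 0),
]
COMPILED = [(label, re.compile(pat, flags)) for label, pat, flags in RULES]


def matching_rule(query_string):
    """Return the label of the first condition that matches, or None.

    Every condition in the block ends with [OR], so one match is enough for
    the RewriteRule [F,L] to fire.  mod_rewrite tests %{QUERY_STRING} as the
    client sent it, still percent-encoded, so pass the raw string here.
    """
    for label, regex in COMPILED:
        if regex.search(query_string):
            return label
    return None


def is_blocked(query_string):
    """True if the Joomla! rule set would answer this request with 403."""
    return matching_rule(query_string) is not None


# Constructed sample query strings with the outcome expected from Apache.
SAMPLES = [
    ("option=com_content&view=article&id=5", None),
    ("mosConfig_absolute_path=%2Ftmp%2Fx", "mosConfig_ override"),
    ("q=%3CSCRIPT%3Ealert(1)%3C/script%3E", "<script> tag"),
    ("GLOBALS[x]=1", "literal ["),  # the "[" condition is tested first
    ("page=1&v=base64_encode(x)", "base64_encode call"),
]

if __name__ == "__main__":
    for qs, expected in SAMPLES:
        got = matching_rule(qs)
        print(f"{'403' if got else '200':>3}  {qs:<40} {got}")
        assert got == expected
```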

Another useful addition to your .htaccess file is a set of directives that stops a specific robot, in our case "EvilRobot", from digging into the sensitive areas of your site:

# Deny "EvilRobot" (by user agent) coming from 123.45.67.8 or 123.45.67.9
# access to the protected directory. Both conditions must hold (no [OR]).
RewriteCond %{HTTP_USER_AGENT} ^EvilRobot.*
RewriteCond %{REMOTE_ADDR} ^123\.45\.67\.[8-9]$
# In a per-directory .htaccess file Apache strips the leading slash from the
# path before matching, so the pattern must not begin with "^/".
RewriteRule ^kljiwlslci/secret/data/.+ - [F]

Note

To learn more about the RewriteCond and the RewriteRule, visit the following links available from apache.org:

http://httpd.apache.org/docs/2.2/rewrite/

http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewriterule
