{"id":12,"date":"2007-10-02T14:58:45","date_gmt":"2007-10-02T07:58:45","guid":{"rendered":"http:\/\/blog.whplus.com\/2007\/09\/28\/how-do-i-protect-joomla-site-using-htaccess-and-mod_rewrite.html"},"modified":"2008-03-10T09:52:04","modified_gmt":"2008-03-10T02:52:04","slug":"how-do-i-protect-joomla-site-using-htaccess-and-mod_rewrite","status":"publish","type":"post","link":"https:\/\/www.whplus.com\/blog\/2007\/10\/02\/how-do-i-protect-joomla-site-using-htaccess-and-mod_rewrite.html","title":{"rendered":"How do I protect a Joomla site using .htaccess and mod_rewrite?"},"content":{"rendered":"<p align=\"justify\"> <strong>Introduction<\/strong><br \/>\nSomeone has created a set of mod_rewrite conditions (below) that you can tag onto the end of your .htaccess file. These conditions will block a good number of common exploit attempts while interfering as little as possible with legitimate usage.<\/p>\n<p>Each server configuration is unique. If you are forwarded to your home page and receive a 403 Forbidden error, you will know these settings worked incorrectly on your site. If a particular rule breaks some feature of your site, just comment it out by placing a # in front of the offending rule.<\/p>\n<p><strong>Note: <\/strong>As of Joomla! version 1.0.11, these settings are included in the file <em>htaccess.txt<\/em> (no dot in the filename), which is automatically added to your site during the Joomla! install.<\/p>\n<p><strong>Directions<\/strong><br \/>\n1. Append the following code to the <em>.htaccess<\/em> file in the same directory as your Joomla! <em>index.php<\/em> file (often your <em>public_html<\/em> directory).<br \/>\n2. Test your site.<br \/>\n3. If the site produces errors, comment out all of these lines, and uncomment and test one line at a time until you find the problem directive(s).<br \/>\n4. Try to tweak these directives to work on your server, or leave them commented out.<\/p>\n<p>########## Begin &#8211; Rewrite rules to block out some common exploits<br \/>\n#<br \/>\n# Block out any script trying to set a mosConfig value through the URL<br \/>\nRewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\\%3D) [OR]<br \/>\n# Block out any script trying to base64_encode crap to send via URL<br \/>\nRewriteCond %{QUERY_STRING} base64_encode.*\\(.*\\) [OR]<br \/>\n# Block out any script that includes a &lt;script&gt; tag in URL<br \/>\nRewriteCond %{QUERY_STRING} (\\&lt;|%3C).*script.*(\\&gt;|%3E) [NC,OR]<br \/>\n# Block out any script trying to set a PHP GLOBALS variable via URL<br \/>\nRewriteCond %{QUERY_STRING} GLOBALS(=|\\[|\\%[0-9A-Z]{0,2}) [OR]<br \/>\n# Block out any script trying to modify a _REQUEST variable via URL<br \/>\nRewriteCond %{QUERY_STRING} _REQUEST(=|\\[|\\%[0-9A-Z]{0,2})<br \/>\n# Send all blocked requests to homepage with 403 Forbidden error!<br \/>\nRewriteRule ^(.*)$ index.php [F,L]<br \/>\n#<br \/>\n########## End &#8211; Rewrite rules to block out some common exploits<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction Someone has created a set of mod_rewrite conditions (below) that you can tag onto the end of your .htaccess file. These conditions will block a good number of common exploit attempts while interfering as little as possible with legitimate usage. Each server configuration is unique. If you are forwarded to your home page and\u2026 <span class=\"read-more\"><a href=\"https:\/\/www.whplus.com\/blog\/2007\/10\/02\/how-do-i-protect-joomla-site-using-htaccess-and-mod_rewrite.html\">Read More &raquo;<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-12","post","type-post","status-publish","format-standard","hentry","category-tutorial"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/posts\/12","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/comments?post=12"}],"version-history":[{"count":0,"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/posts\/12\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/media?parent=12"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/categories?post=12"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whplus.com\/blog\/wp-json\/wp\/v2\/tags?post=12"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}