One of the ways to protect your Joomla! site from attacks is to use the latest .htaccess file supplied with the Joomla! installation, from Joomla! v1.0.12 onwards.
This .htaccess file contains a section at the end that protects you against most of the major attacks that are normally launched against a Joomla! site.
But let us take a step back. What exactly is the .htaccess file, and how and where is it used?
The .htaccess file is used on Apache servers to control many configuration settings, often on a directory-by-directory basis.
The file does not actually have a name as such; it has only an extension, .htaccess (notice the '.' in front of htaccess?).
With Joomla! sites in particular, the .htaccess file is used when you switch on Search Engine Friendly URLs in Joomla! itself, or when you use a third-party add-on to provide search-engine- and human-friendly URLs. It is used in combination with the mod_rewrite module in Apache to rewrite 'unfriendly' links such as:
http://www.internet-web-hosting.co.za/joomla-security//index.php?option=com_content&task=section&id=1&Itemid=2
as 'friendly' links, such as http://www.internet-web-hosting.co.za/joomla-security/
Since Joomla! v1.0.12 the .htaccess file has also contained this part:
########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
## Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
########### End - Rewrite rules to block out some common exploits
This part of the .htaccess file will prevent a number of the common exploits.
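To see which query strings these five conditions actually catch, here is an added Python checker (my own code, not part of the Joomla! file) that applies the same patterns with the [OR] chaining and the [NC] flag on the <script> rule to constructed sample URLs; the host name, sample URLs and function names are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# The five RewriteCond patterns from the Joomla 1.0.12 block above, as regexes.
# Apache matches QUERY_STRING as received (not URL-decoded); only the <script>
# condition carries [NC], so only that one is case-insensitive here.
BLOCK_RULES = [
    ("mosConfig override", r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)", 0),
    ("base64_encode call", r"base64_encode.*\(.*\)", 0),
    ("script tag", r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE),
    ("GLOBALS override", r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", 0),
    ("_REQUEST override", r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", 0),
]

def matching_rules(query_string):
    """Names of the conditions matching the raw query string. They are chained
    with [OR], so one hit is enough for the RewriteRule's [F] flag to answer 403."""
    return [name for name, pattern, flags in BLOCK_RULES
            if re.search(pattern, query_string, flags)]

def is_blocked(url):
    """True if the block above would reject this URL with 403 Forbidden."""
    return bool(matching_rules(urlsplit(url).query))

# Constructed sample requests against a hypothetical host, with expected verdicts.
SAMPLES = [
    # the ordinary Joomla URL shape from the article passes untouched
    ("http://www.example.com/index.php?option=com_content&task=section&id=1&Itemid=2", False),
    ("http://www.example.com/index.php?mosConfig_live_site=x", True),
    ("http://www.example.com/index.php?GLOBALS[x]=1", True),
    ("http://www.example.com/index.php?_REQUEST%5Bx%5D=1", True),
    ("http://www.example.com/index.php?data=base64_encode(x)", True),
    # [NC] makes the <script> rule case-insensitive, lowercase %3c/%3e included
    ("http://www.example.com/index.php?q=%3cSCRIPT%3e", True),
    # the other four rules are case-sensitive: lowercase 'globals' is not caught
    ("http://www.example.com/index.php?globals=1", False),
    # false positive: a benign search for "javascript" between <b> tags is
    # blocked too, the kind of "problem on your site" the file's comment warns of
    ("http://www.example.com/index.php?search=%3Cb%3Ejavascript%3C%2Fb%3E", True),
]

def check_samples():
    """True when every sample receives the verdict listed beside it."""
    return all(is_blocked(url) == expected for url, expected in SAMPLES)

if __name__ == "__main__":
    for url, _ in SAMPLES:
        hits = matching_rules(urlsplit(url).query)
        print("403" if hits else "200", url, hits)
```

Run it against your own site's legitimate URLs before enabling the block, so that a false positive like the last sample is found by you rather than by your visitors.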
Please note the following points:
1. If you are not using either the Joomla! Search Engine Friendly URLs (found in the Global Configuration) or a third-party SEF product, the chances are good that you have not activated the .htaccess file and you will not benefit from its protection. It is our recommendation that you rename the htaccess.txt file that comes with your Joomla! 1.0.12 installation to .htaccess, regardless of whether you are using SEF URLs.
2. If you upgraded your Joomla! installation from a previous version, you might not have upgraded your .htaccess file, and this part might still be missing from it. We recommend that you replace your .htaccess file with the latest version (uncommenting all the right portions so that your site does not break!). It is a good idea to make a backup of your .htaccess file before you do this.