AddHandler php72-cgi .php

php_value memory_limit 256M
php_value max_input_vars 10000
php_value max_execution_time 300
php_value max_input_time 300

#############################################################################
###                                                                       ###
### HTACCESS from www.joomla-security.de                                  ###
###                                                                       ###
### Version: 3.3 Standard (2019-02-18)   					              ###
###                                                                       ###
#############################################################################
### This file is free software: you can redistribute it and/or modify     ###
### it under the terms of the GNU General Public License as published by  ###
### the Free Software Foundation, either version 3 of the License, or     ###
### any later version.                                                    ###
###                                                                       ###
### This file is distributed in the hope that it will be useful,          ###
### but WITHOUT ANY WARRANTY; without even the implied warranty of        ###
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the          ###
### GNU General Public License for more details.                          ###
###                                                                       ###
### You should have received a copy of the GNU General Public License     ###
### along with this file. If not, see <http://www.gnu.org/licenses/>.     ###
#############################################################################

#############################################################################
###                                                                       ###
### !!!ATTENTION!!!                                  					  ###
### Change www.example.com with your own domain name.                     ###
###                                                                       ###
### It is supported only Joomla Core, 3rd party extensions.               ###
###                                                                       ###
#############################################################################

#############################################################################
###                                                                       ###
### FUNCTION		                                  					  ###
### 1. DEFAULT FUNCTIONS												  ###
### 2. FILTERS										                      ###
### 3. BLOCK BAD USER AGENTS											  ###
### 4. SEO																  ###
### 5. SPAM FILTER														  ###
### 6. JOOMLA DEFAULT FUNCTIONS								              ###
###                                                                       ###
#############################################################################	


#################################################
##### 1. DEFAULT FUNCTIONS				    #####
#################################################

RewriteEngine On
ServerSignature Off
Options All -Indexes
IndexIgnore *
DirectoryIndex index.php index.html


########## Begin - RewriteBase
## Uncomment following line if your webserver's URL
## is not directly related to physical file paths.
## Update Your Joomla! Directory (just / for root)
# RewriteBase /
########## End - RewriteBase

########## Begin - Deny access to some files
RewriteRule ^(htaccess\.txt|configuration\.php(-dist)?|php\.ini)$ - [R=404,L]
########## End - Deny access to some files

########## Begin - Disallow front-end access for certain Joomla! system directories
RewriteRule ^(includes|language|libraries|logs|tmp)/ - [F]
########## End - Disallow front-end access for certain Joomla! system directories

#################################################
##### 2. FILTERS						    #####
#################################################

########## FILTER REQUEST METHODS AND OTHER STUFF
RewriteCond %{REQUEST_METHOD} ^(connect|debug|delete|move|put|trace|track) [NC,OR]
RewriteCond %{THE_REQUEST} (\\r|\\n|%0A|%0D) [NC,OR]
RewriteCond %{HTTP_REFERER} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_COOKIE} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|”>|”<|/|\\\.\.\\).{0,9999} [NC,OR]

########## Block mySQL injects
RewriteCond %{QUERY_STRING} (;|<|>|’|”|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]

########## QUERY STRING EXPLOITS
RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\:  [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|'|"|\?|\*|%%|&%%|&"|").* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} \.\./\.\. [NC]
RewriteRule ^(.*)$ - [R=404,L]

########## CHARACTER STRINGS
<IfModule mod_alias.c>
	### BASIC CHARACTERS
	RedirectMatch 404 \:
	RedirectMatch 404 \@
	RedirectMatch 404 \[
	RedirectMatch 404 \]
	RedirectMatch 404 \^
	RedirectMatch 404 \`
	RedirectMatch 404 \{
	RedirectMatch 404 \}
	RedirectMatch 404 \~
	RedirectMatch 404 \"
	RedirectMatch 404 \$
	RedirectMatch 404 \<
	RedirectMatch 404 \>
	RedirectMatch 404 \|
	RedirectMatch 404 \.\.
	RedirectMatch 404 \/\/
	RedirectMatch 404 \%0
	RedirectMatch 404 \%22
	RedirectMatch 404 \%27
	RedirectMatch 404 \%28
	RedirectMatch 404 \%29
	RedirectMatch 404 \%3C
	RedirectMatch 404 \%3E
	RedirectMatch 404 \%3F
	RedirectMatch 404 \%5B
	RedirectMatch 404 \%5C
	RedirectMatch 404 \%5D
	RedirectMatch 404 \%7B
	RedirectMatch 404 \%7C
	RedirectMatch 404 \%7D

	### COMMON PATTERNS
	RedirectMatch 404 \_vpi
	RedirectMatch 404 \.inc
	RedirectMatch 404 xAou6
	RedirectMatch 404 db\_name
	RedirectMatch 404 select\(
	RedirectMatch 404 convert\(
	RedirectMatch 404 \/query\/
	RedirectMatch 404 ImpEvData
	RedirectMatch 404 \.XMLHTTP
	RedirectMatch 404 proxydeny
	RedirectMatch 404 function\.
	RedirectMatch 404 remoteFile
	RedirectMatch 404 servername
	RedirectMatch 404 \&rptmode\=
	RedirectMatch 404 sys\_cpanel
	RedirectMatch 404 db\_connect
	RedirectMatch 404 doeditconfig
	RedirectMatch 404 check\_proxy
	RedirectMatch 404 system\_user
	RedirectMatch 404 \/\(null\)\/
	RedirectMatch 404 clientrequest
	RedirectMatch 404 option\_value
	RedirectMatch 404 ref\.outcontrol

	### SPECIFIC EXPLOITS
	RedirectMatch 404 errors\.
	RedirectMatch 404 include\.
	RedirectMatch 404 display\.
	RedirectMatch 404 password\.
	RedirectMatch 404 maincore\.
	RedirectMatch 404 authorize\.
	RedirectMatch 404 macromates\.
	RedirectMatch 404 head\_auth\.
	RedirectMatch 404 submit\_links\.
	RedirectMatch 404 change\_action\.
	RedirectMatch 404 com\_facileforms\/
	RedirectMatch 404 admin\_db\_utilities\.
	RedirectMatch 404 admin\.webring\.docs\.
	RedirectMatch 404 Table\/Latest\/index\.
</IfModule>

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
## Deny access to extension xml files (uncomment out to activate)
#<Files ~ "\.xml$">
#Order allow,deny
#Deny from all
#Satisfy all
#</Files>
## End of deny access to extension xml files

# Block out any script trying to base64_encode data within the URL.
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
# Block out any script that includes a <script> tag in URL.
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL.
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL.
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show the content of the root homepage
RewriteRule .* index.php [F]
#
########## End - Rewrite rules to block out some common exploits

########## Begin - ETag Optimization
FileETag MTime Size
########## End - ETag Optimization 

########## Begin - Disallow PHP Easter Eggs by Nicholas K. Dionysopoulos
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
RewriteRule ^(.*)$ - [R=404,L]
########## End - Disallow PHP Easter Eggs

########## Begin - File injection protection by SigSiu.net
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=https:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule ^(.*)$ - [R=404,L]
########## End - File injection protection

########## Begin - Rewrite rules to block out some common exploits
# If the request query string contains /proc/self/environ (by SigSiu.net)
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode or base64_decode data within the URL
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [OR]
## IMPORTANT: If the above line throws an HTTP 500 error, replace it with these 2 lines:
# RewriteCond %{QUERY_STRING} base64_encode\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show the content of the root homepage
RewriteRule .* index.php [F]
#
########## End - Rewrite rules to block out some common exploits

########## Begin - SQLi first line of defense, thanks to Radek Suski (SigSiu.net)
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC]
RewriteRule .* - [F]
########## End - SQLi first line of defense, thanks to Radek Suski (SigSiu.net)

########## Begin - Akeeba
## Allow Admin Tools Joomla! updater to run
RewriteRule ^administrator/components/com_admintools/restore\.php$ - [L]
## Allow Akeeba Backup Professional's integrated restoration script to run
RewriteRule ^administrator/components/com_akeeba/restore\.php$ - [L]
## Allow Akeeba Kickstart
RewriteRule ^kickstart\.php$ - [L]
########## End - Akeeba

########## Begin - Allow Joomla Update
RewriteRule ^administrator/components/com_joomlaupdate/joomlaupdate\.php$ - [L]
RewriteRule ^administrator\/components\/com_joomlaupdate\/restore\.php$ - [L]
########## End - Allow Joomla Update




########## Begin - Disallow visual fingerprinting
## Disallow visual fingerprinting of Joomla! sites (module position dump)Initial idea by Brian Teeman and Ken Crowder, see:
## http://www.slideshare.net/brianteeman/hidden-joomla-secrets
## Improved by @nikosdion to work more efficiently and handle template
## and tmpl query parameters
RewriteCond %{QUERY_STRING} (^|&)tmpl=(component|system) [NC]
RewriteRule .* - [L]
RewriteCond %{QUERY_STRING} (^|&)t(p|emplate|mpl)= [NC]
RewriteRule .* - [F]
########## End - Disallow visual fingerprinting

#################################################
##### 3. BLOCK BAD USER AGENTS			    #####
#################################################

RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (clshttp|archiver|loader|email|extract|grab|miner) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (curl|python|nikto|scan) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteRule ^(.*)$ - [R=404,L]

#################################################
##### 4. SEO								#####
#################################################

########## Begin - Redirect index.php to /
## Note: Change example.com to reflect your own domain name
RewriteCond %{THE_REQUEST} !^POST
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteCond %{SERVER_PORT}>s ^(443>(s)|[0-9]+>s)$
RewriteRule ^index\.php$ http%2://www.example.com/$1 [R=301,L]
## If the above line throws a 500 error, change [R=301,L] to [R,L]
########## End - Redirect index.php to /

########## Begin - Redirect from "non-www" to "www"
#RewriteCond %{HTTP_HOST} ^([0-9a-z-]+)\.de$ [NC]
#RewriteRule ^(.*)$ http://www.%1.de/$1 [R=301,L]
########## End - Redirect from "non-www" to "www"



#################################################
##### 5. SPAM Filter					    #####
#################################################

########## Begin - Basic antispam Filter, by SigSiu.net
RewriteCond %{QUERY_STRING} \b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b [NC,OR]
RewriteCond %{QUERY_STRING} \b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b [NC,OR]
RewriteCond %{QUERY_STRING} \b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b [NC,OR]
RewriteCond %{QUERY_STRING} \b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b [NC]
RewriteRule .* - [F]
########## End - Basic antispam Filter, by SigSiu.net

## SITE REFERRER BANNING
RewriteCond %{HTTP_REFERER} semalt.com [NC,OR]
RewriteCond %{HTTP_REFERER} buttons-for-website.com [NC,OR]
RewriteCond %{HTTP_REFERER} seoanalyses.com [NC]
RewriteRule .* - [F]

#################################################
##### 6. JOOMLA DEFAULT FUNCTIONS		    #####
#################################################

<IfModule mod_headers.c>
	Header always set X-Content-Type-Options "nosniff"
</IfModule>

########## Begin - Joomla! core SEF Section
#
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
#
# If the requested path and file is not /index.php and the request
# has not already been internally rewritten to the index.php script
RewriteCond %{REQUEST_URI} !^/index\.php
# and the request is for something within the component folder,
# or for the site root, or for an extensionless URL, or the
# requested URL ends with one of the listed extensions
RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw))$ [NC]
# and the requested path and file doesn't directly match a physical file
RewriteCond %{REQUEST_FILENAME} !-f
# and the requested path and file doesn't directly match a physical folder
RewriteCond %{REQUEST_FILENAME} !-d
# internally rewrite the request to the index.php script
RewriteRule .* index.php [L]
#
########## End - Joomla! core SEF Section

########## Begin - Error documents
#
ErrorDocument 401 "404 Not Found!
ErrorDocument 403 "404 Not Found!
ErrorDocument 404 "404 Not Found!
ErrorDocument 500 "Internal Server Error!
#
########## End - Error documents