# Hand every .php file to the handler this host registered as "php72-cgi".
# NOTE(review): the handler name is host-specific; it presumably selects PHP 7.2
# run through CGI - confirm with the hosting provider. If it really is PHP 7.2,
# that branch no longer receives security fixes and should be upgraded.
AddHandler php72-cgi .php
# Raise PHP resource limits for this directory tree.
# NOTE(review): php_value is a mod_php directive. When PHP runs as CGI/FastCGI,
# Apache typically rejects it with a 500 error and the limits have to be set in
# php.ini / .user.ini instead - verify on the target host.
# The values are generous (256M per request, 10000 input variables, 300 s of
# execution and input time). Higher limits give a single request more room to
# exhaust server resources, so keep them only as high as the site needs.
php_value memory_limit 256M
php_value max_input_vars 10000
php_value max_execution_time 300
php_value max_input_time 300
#############################################################################
### ###
### HTACCESS from www.joomla-security.de ###
### ###
### Version: 3.3 Standard (2019-02-18) ###
### ###
#############################################################################
### This file is free software: you can redistribute it and/or modify ###
### it under the terms of the GNU General Public License as published by ###
### the Free Software Foundation, either version 3 of the License, or ###
### any later version. ###
### ###
### This file is distributed in the hope that it will be useful, ###
### but WITHOUT ANY WARRANTY; without even the implied warranty of ###
### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ###
### GNU General Public License for more details. ###
### ###
### You should have received a copy of the GNU General Public License ###
### along with this file. If not, see <http://www.gnu.org/licenses/>. ###
#############################################################################
#############################################################################
### ###
### !!!ATTENTION!!! ###
### Replace www.example.com with your own domain name. ###
### ###
### It is supported only Joomla Core, 3rd party extensions. ###
### ###
#############################################################################
#############################################################################
### ###
### FUNCTION ###
### 1. DEFAULT FUNCTIONS ###
### 2. FILTERS ###
### 3. BLOCK BAD USER AGENTS ###
### 4. SEO ###
### 5. SPAM FILTER ###
### 6. JOOMLA DEFAULT FUNCTIONS ###
### ###
#############################################################################
#################################################
##### 1. DEFAULT FUNCTIONS #####
#################################################
# Enable mod_rewrite so the RewriteCond/RewriteRule lines in this file are evaluated.
RewriteEngine On
# Do not append the server version/host footer to server-generated pages
# (error documents, directory listings).
ServerSignature Off
# "All" switches on every option except MultiViews; "-Indexes" then turns
# automatic directory listings off again.
# NOTE(review): "All" also enables ExecCGI, Includes and FollowSymLinks. A
# narrower option set is the least-privilege choice; check what the PHP CGI
# handler on this host requires before tightening it.
Options All -Indexes
# Second line of defence: if a listing is ever generated, hide every entry in it.
IndexIgnore *
# Files served when a request names a directory, tried in this order.
DirectoryIndex index.php index.html
########## Begin - RewriteBase
## Uncomment following line if your webserver's URL
## is not directly related to physical file paths.
## Update Your Joomla! Directory (just / for root)
# RewriteBase /
########## End - RewriteBase
########## Begin - Deny access to some files
# Answer 404 for direct HTTP requests to the sample htaccess file, the Joomla!
# configuration file (and its -dist variant) and php.ini. With a non-3xx status
# in R= the substitution is dropped and rule processing stops.
# The pattern is fully anchored and, in .htaccess context, is matched against the
# path relative to this directory, so only files located directly beside this
# .htaccess are covered - copies in subdirectories are not.
RewriteRule ^(htaccess\.txt|configuration\.php(-dist)?|php\.ini)$ - [R=404,L]
########## End - Deny access to some files
########## Begin - Disallow front-end access for certain Joomla! system directories
# Return 403 Forbidden for any URL beneath these top-level directories.
# [F] implies [L], so no further rewrite rules run for such a request.
RewriteRule ^(includes|language|libraries|logs|tmp)/ - [F]
########## End - Disallow front-end access for certain Joomla! system directories
#################################################
##### 2. FILTERS #####
#################################################
########## FILTER REQUEST METHODS AND OTHER STUFF
# One OR-chain: every RewriteCond below carries [OR] except the last one, so a
# match on any single condition triggers the RewriteRule at the end (404).
# This is a pattern denylist. It is an extra layer, not a replacement for
# keeping Joomla! and its extensions patched. Several patterns are broad, so
# test against real site traffic before rollout and watch the access log for
# unexpected 404s afterwards.
#
# Reject request methods listed here. The pattern is case-insensitive and
# anchored at the start only.
# NOTE(review): blocking PUT/DELETE breaks REST-style APIs, if the site exposes any.
RewriteCond %{REQUEST_METHOD} ^(connect|debug|delete|move|put|trace|track) [NC,OR]
# CR/LF in the raw request line, either percent-encoded or written as a literal
# "\r" / "\n" (the regex \\r is a backslash followed by "r").
RewriteCond %{THE_REQUEST} (\\r|\\n|%0A|%0D) [NC,OR]
# Markup characters, quotes, CR/LF and NUL in the Referer and Cookie headers.
# NOTE(review): the quote characters written as ’ and ” in the next three
# conditions and in the "mySQL injects" condition are typographic quotes, most
# likely ASCII ' and " that were altered when the file was published. As written
# they match only the curly characters; %27 / %22 still cover the encoded ASCII
# forms. Compare with the upstream file before changing them.
RewriteCond %{HTTP_REFERER} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_COOKIE} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
# Request paths whose first character after the leading "/" is punctuation, a
# second slash, or the start of a "\..\" sequence.
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|”>|”<|/|\\\.\.\\).{0,9999} [NC,OR]
########## Block mySQL injects
# A quote, bracket, semicolon or control character followed later in the query
# string by an SQL keyword or a "/*" comment opener.
RewriteCond %{QUERY_STRING} (;|<|>|’|”|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark) [NC,OR]
# Query strings that name the local host.
# NOTE(review): presumably aimed at parameters that would make the server
# connect back to itself - intent is not stated in the file.
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
########## QUERY STRING EXPLOITS
# Substring matches on the raw (not percent-decoded) query string.
RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
# Matches any parameter whose name ends in "tag", not only one called "tag".
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
# Any query string carrying an unencoded ftp:/http:/https: URL.
# NOTE(review): this also rejects legitimate parameters that pass a full URL
# unencoded (return or redirect targets, callback URLs).
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
# <iframe ...> / <script ...> with raw or percent-encoded angle brackets.
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# "%0" matches every percent-escape that starts with 0 (%00 to %0F, which
# includes NUL, tab, LF and CR); "127.0" overlaps with the loopback check above.
RewriteCond %{QUERY_STRING} ^.*(%0|127\.0).* [NC,OR]
# Very broad: any parenthesis, angle bracket, ASCII quote, "?", "*" or "%%" in
# the query string. Some alternatives are redundant because they contain an
# earlier alternative (for example &" and the second ").
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|'|"|\?|\*|%%|&%%|&"|").* [NC,OR]
# Substring match: "encode" also hits words such as "urlencode".
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
# Directory traversal sequence "../..". Last condition: no [OR], chain ends here.
RewriteCond %{QUERY_STRING} \.\./\.\. [NC]
# Any request that satisfied one of the conditions above gets a 404; with a
# non-3xx status in R= the substitution is dropped and rule processing stops.
RewriteRule ^(.*)$ - [R=404,L]
########## CHARACTER STRINGS
### BASIC CHARACTERS
# mod_alias rules: each one answers 404 when its regex matches anywhere in the
# URL path (none of the patterns is anchored). RedirectMatch does not examine
# the query string, and matching is case-sensitive.
# NOTE(review): the URL path is presumably already percent-decoded when these
# rules are evaluated, in which case the \%xx patterns only fire on a literal
# "%xx" that remains after decoding - confirm on the target Apache version.
# False-positive check: characters such as ":", "@", "~", "$", "[" and "]" occur
# in legitimate URLs of some applications; review the access log after enabling.
RedirectMatch 404 \:
RedirectMatch 404 \@
RedirectMatch 404 \[
RedirectMatch 404 \]
RedirectMatch 404 \^
RedirectMatch 404 \`
RedirectMatch 404 \{
RedirectMatch 404 \}
RedirectMatch 404 \~
RedirectMatch 404 \"
RedirectMatch 404 \$
RedirectMatch 404 \<
RedirectMatch 404 \>
RedirectMatch 404 \|
# Two consecutive dots anywhere in the path, not only a "../" segment.
RedirectMatch 404 \.\.
# Two consecutive slashes anywhere in the path.
RedirectMatch 404 \/\/
# Literal percent sequences: "%0" (any escape starting with 0), quotes,
# parentheses, angle brackets, "?", square brackets, backslash, braces and pipe.
RedirectMatch 404 \%0
RedirectMatch 404 \%22
RedirectMatch 404 \%27
RedirectMatch 404 \%28
RedirectMatch 404 \%29
RedirectMatch 404 \%3C
RedirectMatch 404 \%3E
RedirectMatch 404 \%3F
RedirectMatch 404 \%5B
RedirectMatch 404 \%5C
RedirectMatch 404 \%5D
RedirectMatch 404 \%7B
RedirectMatch 404 \%7C
RedirectMatch 404 \%7D
### COMMON PATTERNS
# Signature strings: a request is answered with 404 when its URL path contains
# one of these substrings (unanchored, case-sensitive, query string not examined).
# NOTE(review): the file does not document where the individual signatures
# (xAou6, ImpEvData, proxydeny, ...) come from or which software they target.
# Generic ones such as "\.inc", "function\." and "servername" also match
# harmless paths that merely contain the text, so check for false positives.
RedirectMatch 404 \_vpi
RedirectMatch 404 \.inc
RedirectMatch 404 xAou6
RedirectMatch 404 db\_name
RedirectMatch 404 select\(
RedirectMatch 404 convert\(
RedirectMatch 404 \/query\/
RedirectMatch 404 ImpEvData
RedirectMatch 404 \.XMLHTTP
RedirectMatch 404 proxydeny
RedirectMatch 404 function\.
RedirectMatch 404 remoteFile
RedirectMatch 404 servername
RedirectMatch 404 \&rptmode\=
RedirectMatch 404 sys\_cpanel
RedirectMatch 404 db\_connect
RedirectMatch 404 doeditconfig
RedirectMatch 404 check\_proxy
RedirectMatch 404 system\_user
RedirectMatch 404 \/\(null\)\/
RedirectMatch 404 clientrequest
RedirectMatch 404 option\_value
RedirectMatch 404 ref\.outcontrol
### SPECIFIC EXPLOITS
# File- and path-name fragments answered with 404 when they appear anywhere in
# the URL path (unanchored, case-sensitive, query string not examined).
# NOTE(review): the file does not name the exploits these fragments relate to.
# Several are ordinary words followed by a dot ("errors.", "include.",
# "display.", "password."), so any extension or asset with such a file name
# (for example display.php or password.png) becomes unreachable - verify
# against the installed extensions before deploying.
RedirectMatch 404 errors\.
RedirectMatch 404 include\.
RedirectMatch 404 display\.
RedirectMatch 404 password\.
RedirectMatch 404 maincore\.
RedirectMatch 404 authorize\.
RedirectMatch 404 macromates\.
RedirectMatch 404 head\_auth\.
RedirectMatch 404 submit\_links\.
RedirectMatch 404 change\_action\.
# Blocks every URL that passes through a "com_facileforms/" directory.
RedirectMatch 404 com\_facileforms\/
RedirectMatch 404 admin\_db\_utilities\.
RedirectMatch 404 admin\.webring\.docs\.
RedirectMatch 404 Table\/Latest\/index\.
########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site, comment out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
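## Deny access to extension xml files (uncomment to activate)
## NOTE: the opening and closing <Files> lines were empty in this copy (most
## likely stripped as HTML tags); they are restored here as in the stock Joomla!
## htaccess.txt. Without the wrapper, uncommenting the three directives would
## deny access to the whole site instead of only *.xml files.
## Order/Deny/Satisfy are Apache 2.2 syntax; on Apache 2.4 they need
## mod_access_compat ("Require all denied" is the native equivalent).
#<Files ~ "\.xml$">
#Order allow,deny
#Deny from all
#Satisfy all
#</Files>
## End of deny access to extension xml files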
# Block out any script trying to base64_encode data within the URL.
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
# Block out any script that includes a