- Joomla! Web Security
- Tom Canavan
- 461 characters
- 2021-07-02 11:37:51
.htaccess
.htaccess is a wonderful and powerful tool on which we'll spend a lot of time later, but for now, make sure you include the following code in yours. If you are not familiar with .htaccess, or if you have a default setup of Joomla!, you will see in the root directory a file called htaccess.txt. This file gives you the power to modify several things on a per-directory basis, notably the Apache directives. Here is the portion you should be running. It has been included in the base htaccess.txt file since Joomla! 1.0.11. Check yours to ensure that you are running this highly valuable security measure.
```apache
########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
#IF the URI contains a "http:" or "ftp:" or "https"
RewriteCond %{QUERY_STRING} http\: [OR]
RewriteCond %{QUERY_STRING} ftp\: [OR]
RewriteCond %{QUERY_STRING} https\: [OR]
#OR if the URI contains a "["
RewriteCond %{QUERY_STRING} \[ [OR]
#OR if the URI contains a "]"
RewriteCond %{QUERY_STRING} \] [OR]
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits
```
You will need to append the previous code segment to the end of your .htaccess file. If you haven't done so already, rename htaccess.txt to .htaccess.
This .htaccess patch from the Joomla.org core team has proven its worth against a slew of common attacks. As you read through it, each RewriteCond filters one pattern that could prove harmful to your site, and the conditions are chained with [OR], so a single match is enough. The last line of the block:
RewriteRule ^(.*)$ index.php [F,L]
directs the server to answer any request that matched one of those conditions with a 403 Forbidden response instead of serving the page; the [F] flag returns the error immediately, so the index.php substitution is never performed. Note that these directives only take effect where mod_rewrite is loaded and RewriteEngine On appears earlier in the file, as it does in the htaccess.txt that Joomla! ships.
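To see which requests the rule set above actually stops before you deploy it, here is an added Python simulation (not from the book or from Joomla!) that applies the same RewriteCond patterns to constructed query strings. It assumes, as Apache does, that QUERY_STRING is matched raw and still percent-encoded, and that the [OR] chaining means any single hit produces the 403.

```python
import re

# The RewriteCond patterns from the Joomla! htaccess.txt block above, as Python
# regexes. Each tuple: (Apache pattern, case-insensitive [NC]?, description).
# Apache matches them against the raw, still-percent-encoded QUERY_STRING.
RULES = [
    (r"http\:", False, "http: in query"),
    (r"ftp\:", False, "ftp: in query"),
    (r"https\:", False, "https: in query"),
    (r"\[", False, "'[' in query"),
    (r"\]", False, "']' in query"),
    (r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)", False, "mosConfig_* assignment"),
    (r"base64_encode.*\(.*\)", False, "base64_encode(...) call"),
    (r"(\<|%3C).*script.*(\>|%3E)", True, "<script> tag"),
    (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", False, "GLOBALS manipulation"),
    (r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", False, "_REQUEST manipulation"),
]

COMPILED = [(re.compile(p, re.IGNORECASE if nc else 0), d) for p, nc, d in RULES]

def blocked_by(query_string):
    """Return the descriptions of every condition the raw query string trips.
    An empty list means the request passes (no 403)."""
    # The conditions are chained with [OR], so any single hit triggers
    # "RewriteRule ^(.*)$ index.php [F,L]" and the server answers 403.
    return [desc for rx, desc in COMPILED if rx.search(query_string)]

def is_blocked(query_string):
    return bool(blocked_by(query_string))

if __name__ == "__main__":
    # Constructed sample query strings (not taken from any real log).
    samples = [
        "option=com_content&view=article&id=42",
        "mosConfig_absolute_path=http://example.invalid/x.txt",
        "q=%3Cscript%3Ealert(1)%3C/script%3E",
        "GLOBALS[foo]=bar",
        "return=https%3A%2F%2Fexample.invalid%2F",   # encoded colon: not matched
        "return=https://example.invalid/",           # legitimate redirect: refused
    ]
    for qs in samples:
        hits = blocked_by(qs)
        print(("403 " if hits else "200 ") + qs + ("  <- " + ", ".join(hits) if hits else ""))
```

The last two samples show the two sides of a coarse filter: a legitimate redirect parameter containing https: is refused (the "problems on your site" the file's own comment warns about), while a percent-encoded form is not matched at all, so these rules supplement patching rather than replace it.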
Another interesting command you could add to your .htaccess file is a set of directives to stop a specific robot, in our case "EvilRobot", from digging into the sensitive areas of your site.
```apache
# Both conditions must hold (no [OR]): User-Agent begins with EvilRobot AND the client is 123.45.67.8 or .9
RewriteCond %{HTTP_USER_AGENT} ^EvilRobot.*
RewriteCond %{REMOTE_ADDR} ^123\.45\.67\.[8-9]$
# ^/? because per-directory (.htaccess) matching strips the leading slash from the path
RewriteRule ^/?kljiwlslci/secret/data/.+ - [F]
```
Note
To learn more about RewriteCond and RewriteRule, visit the following pages on apache.org:
- http://httpd.apache.org/docs/2.2/rewrite/
- http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewriterule