This documentation page does not apply to our software versions for Joomla! 4.0 and later versions. If you are not using Joomla 3 please consult the documentation index to find and read the correct version of the documentation.
Note | |
---|---|
This feature is only available in the Professional release |
Warning | |
---|---|
This feature is only available on servers running the Apache web server. If your server is using IIS or NginX the button to launch this feature will not be shown. If you are using Lighttpd, Litespeed or any other server software you will see a button to launch this feature but this feature may not have any effect. If unsure please consult with your host about their server's support of .htaccess files. |
One of the most important aspects of managing a web site hosted on an Apache server is being able to fine-tune your .htaccess file. This file is responsible for many web server level tweaks, such as enabling the use of search engine friendly (SEF) URLs, blocking access to system files which should not be accessible from the web, redirecting between pages based on custom criteria and even optimising the performance of your site. On the downside, learning how to tweak all those settings is akin to learning a foreign language. The
tool of Admin Tools is designed to help you create such a file by utilizing a point-and-click interface.Important | |
---|---|
Some prepackaged server bundles, such as Zend Server CE, and
some live hosts do not allow using .htaccess files to override server
settings. If it is a local server, edit your
If you are on a live host, please consult your host about the possibility of them allowing you to use this feature on your site. |
Tip | |
---|---|
If you ever want to revert to a "safe default", just set all of
the options on this page to "Off" and click on "Save and create
.htaccess". This will create a |
The top part of the .htaccess maker page contains the standard toolbar buttons you'd expect:
The .htaccess Maker's toolbar
.htaccess
file. This
should be used when you have not decided on some options yet, or if
you want to preview the generated .htaccess
file before writing it to disk.
.htaccess
file to the disk. If you already had
a .htaccess
file on your site, it will be
renamed to .htaccess.admintools
before the new
file is written to disk.
.htaccess
file will look
like without writing it to disk. This dialog shows the saved
configuration. If you have modified any settings they will not be
reflected in there until you click either of the previous two
buttons.
The
button takes you back to the Control Panel page.Below the toolbar there are five panes with different options, described below. Before you do that, please read and understand the following warning. Support requests which indicate that you have not read it will be replied with a link back to this page.
Some things cannot be added as features to the .htaccess Maker because the interface would become truly unwieldy. However, there are tools which can generate rather compact .htaccess rules which you can add to .htaccess Maker, in the Custom .htaccess rules at the top of the file section. Here we'd like to point you to some of them.
Content security policy (CSP)
It mitigates the risk of cross-site scripting and other content-injection attacks. You can read more about it on the dedicated site for this feature. There is a simple tool which allows you to generate the required .htaccess code for the CSP feature according to your preferences. Keep in mind that when you restrict the scripts' origin you should keep in mind that several extensions (including many templates) will load their scripts off a third party CDN which must be explicitly allowed or your site will no longer work!
Custom error documents
Most hosting control panels allow you to specify custom HTML pages for common server error pages. The most important ones are for errors 403 (Access Forbidden), 404 (Not Found) and 500 (Internal Server Error). It's always a good idea showing a nicely designed page instead of the default, text-only, ugly page of Apache for these error messages!
Basic security
When disabled, your web server might list the files and subdirectories of any directory on your site if there is no index.html file inside it. This can pose a security risk, so you should always enable this option to avoid this from happening.
Many attackers try to exploit vulnerable extensions on your site by tricking them into including malicious code hosted on the attacker's server. Enabling this option will protect your server against this kind of attacks. This works by preventing any URL which references an http:// or https:// URL in the query string. Sometimes these are legitimate requests. For example, some gallery components use them. In this case you are recommended to use the RFIShield (Remote File Inclusion protection) in the Web Application Firewall and turn this .htaccess Maker option OFF.
PHP has a fun and annoying feature known as "Easter Eggs". By passing a special URL parameter, PHP will display a picture instead of the actual page requested. Whereas this is considered fun, it is also widely exploited by attackers to figure out the version of your PHP installation (these images change between different versions of PHP) and launch hacking attacks targeting your specific PHP version. By enabling this option you completely disable access to those Easter Eggs and make it even more difficult for attackers to figure out the details of your server.
Note: You are advised to also set
expose_php
to Off
in
your php.ini
file to prevent accidental
leaks of your PHP version.
These two files are left behind after any Joomla! installation or upgrade and can be directly accessed from the web. They are used by attackers to tell the Joomla! version you are using, so that they can tailor an attack targeting your specific Joomla! version. Enabling this option will "hide" those files when accessed from the web (a 404 Not Found page is returned), tricking attackers into believing that these files do not exist and making it slightly more difficult for them to deduce information about your site. This option also hides the web.config.txt file included in Joomla! 3 and later for use with the IIS server.
Turning on this option will protect you against clickjacking. It does so by preventing your site's pages to be loaded in a, Frame, IFrame or Object tag unless this comes from a page inside your own site. Please note that if your site relies on its pages being accessible through frames / iframes displayed on other sites (NOT on your site displaying content from other sites, that's irrelevant!) then you should not enable this option. If unsure, enable it.
Internet Explorer 9 and later, as well as Google Chrome, will try by default to guess the content type of downloaded documents regardless of what the MIME header sent by the server. Let's say a malicious user to upload an executable file, e.g. a .EXE file or a Chrome Extension, under an innocent file extension as .jpg (image file). When a victim tries downloading this file, IE and Chrome will try to guess the file type, identify it as an executable file and under certain circumstances executing it. This means that your site could be unwittingly used to serve malware. Such an event could result in your site being added to a list of known bad sites by browser makers and cause their browsers to display a warning to users when visiting your site. By enabling this feature you instruct IE and Chrome to respect the file type sent by your server, eliminating this issue. See the relevant MSDN article for more information.
When enabled the browser will be instructed to prevent reflected XSS attacks. Reflected XSS attacks occur when the victim is manipulated into visiting a specially crafted URL which contains Javascript code in it. This URL leads to a vulnerable page which outputs this Javascript code verbatim in the page output ("reflects" the malicious code sent in the URL).
This is a commonly used method used by attackers to compromise web sites, especially when a zero-day XSS vulnerability is discovered in popular Joomla! extensions or Joomla! itself. The attacker will try to trick the administrators of websites into visiting a maliciously crafted link. If the victims are logged in to their site at that time the malicious Javascript will execute, typically giving the attacker privileged information or opening a back door to compromising the site.
Enabling this option in .htaccess Maker will instruct the browser to try preventing this issue. Please note that this only works on compatible browsers (IE8; Chrome; Safari and other WebKit browsers) and only applies to reflected XSS attacks. Stored XSS attacks, where the malicious Javscript is stored in the database, is NOT prevented. You should consider this protection a safety belt. Not wearing a safety belt in the event of an accident pretty much guarantees serious injury or death. Wearing a safety belt minimises the possibility of injury or death but does not always prevent it. This option is your safety belt against the most common type of XSS attacks. You should use it but don't expect it to stop everything thrown your way. Always keep your software up-to-date, especially when a security release is published!
For more information please consult the relevant MSDN article.
Send a custom Content Security Policy HTTP header for SVG files which prevents scripts inside them from executing. Doing so will also disable most SVG animations and remove all interactive features from all SVG files.
This option only needs to be enabled if your site is configured in such a way that it allows untrusted users to upload unsanitized SVG files to your site. By default, Joomla does NOT permit this. You'd have to configure it to do so yourself, using the Media Manager's options page and / or a third party extension.
We do not recommend using this option as it can cause unexpected issues when your content, your template or a third party extension on your site relies on SVG animations or SVG interactivity. This can be anything from custom animation, to fancy graphics-heavy forms, to interactive charts and graphs.
Instead, we recommend using sanitized SVG file uploads. This allows untrusted sources to submit SVG files and have their scripts removed. It also allows trusted sources (Super Users) to use FTP or SFTP to upload SVGs with JavaScript which can function correctly on your site. Our lead developer has already written a plugin for Joomla 3.9 and later which does that and has already submitted a code path to Joomla since June 2020 which is still pending approval from the Joomla Production Leadership. Unfortunately, due to the Terms of Service of the Joomla Extensions Directory we cannot include this code in Admin Tools itself. The reasoning is explained in the plugin's page (see link above).
By default Apache and PHP will output HTTP headers advertising their existence and their version numbers. If you are always using the latest and greatest versions this may not be a problem, but the chances are that your host is using an older version of both software. Giving away the version numbers of the server software in every request makes it trivial for an attacker to obtain information about your site which will help them to launch a tailored attack, targeting known security issues in the versions of Apache and PHP you're using. Enabling this option will mitigate this issue. Please note that this is SECURITY THROUGH OBSCURITY which is NEVER, EVER an adequate means of protection. It's just a speed bump in the way of an attacker, not a roadblock.
You are strongly advised to keep your server software up-to-date. If you're not managing your own server, e.g. you're using a shared host, we very strongly recommend choosing a hosting service which follows this rule. As a simple test, if your server is not currently using one of the PHP versions published in the top right corner of http://php.net (or at most one version earlier, i.e. the third number of the version on your server is one less than the one listed on php.net) the chances are that your server is using outdated, vulnerable server software. Remember that outdated versions of PHP and Apache, even with some security patches backported, CAN NOT be secure. There's a good reason new software versions are published regularly. For example a popular but tragically ancient version of PHP is PHP 5.3.3. It has a MAJOR issue regarding bcrypt encryption, fixed in 5.3.10 and NOT backported by any vendor to an earlier version of PHP. As a result using PHP 5.3.3 makes your site's passwords insecure.
Enabling this feature instructs proxy servers and caches to not convert your content. For example, certain proxy servers (typically found in mobile networks, businesses and ISPs in congested areas) will attempt to scale and aggressively compress images, CSS and Javascript to save bandwidth. This can lead to several issues, from displayed images being a bit off to your site breaking down because the compressed CSS/JS introduced errors preventing the browser from parsing it correctly. With this feature enabled the cache and proxy servers will be instructed to not do that by setting an HTTP header. If they respect the HTTP header (they should, it's a web standard) such issues are prevented.
For more information please consult the formal web standard document RFC 2616, section 14.9.5
When enabled, it will block any site access attempt if the remote program sends one of the user agent strings in the User agents to block, one per line option. This feature is designed to protect your site against common bandwidth-hogging download bots and otherwise legitimate tools which are more usually used for hacking sites than their benign intended functionality.
The user agent strings to block from accessing your site. You don't have to enter the whole UA string, just a part of it. The default setting includes several usual suspects. Separate multiple entries by a single newline character (that is a single press of the ENTER key). Do note that some server with mod_security or mod_evasive installed will throw an "Access forbidden" message if you try to save the configuration settings when this field contains the word "WGet". If you come across this issue it is not a bug with Admin Tools or Joomla!, it is a server-level protection feature kicking in. Just avoid including the word Wget and you should be out of harm's way.
The following is the default list of user agents to block, as of Admin Tools 3. It is very thorough and seems to be reducing the number of attacks enormously. If you are upgrading from an earlier version you might want to try it out. Just copy it and paste it in the User agents to block, one per line are in the .htaccess Maker configuration. Remember to enable the Block access from specific user agents to enable the feature and then click on to generate the .htaccess file which applies this setting on your site.
WebBandit webbandit Acunetix binlar BlackWidow Bolt 0 Bot mailto:[email protected] BOT for JCE casper checkprivacy ChinaClaw clshttp cmsworldmap comodo Custo Default Browser 0 diavol DIIbot DISCo dotbot Download Demon eCatch EirGrabber EmailCollector EmailSiphon EmailWolf Express WebPictures extract ExtractorPro EyeNetIE feedfinder FHscan FlashGet flicky GetRight GetWeb! Go-Ahead-Got-It Go!Zilla grab GrabNet Grafula harvest HMView ia_archiver Image Stripper Image Sucker InterGET Internet Ninja InternetSeer.com jakarta Java JetCar JOC Web Spider kmccrew larbin LeechFTP libwww Mass Downloader Maxthon$ microsoft.url MIDown tool miner Mister PiX NEWT MSFrontPage Navroad NearSite Net Vampire NetAnts NetSpider NetZIP nutch Octopus Offline Explorer Offline Navigator PageGrabber Papa Foto pavuk pcBrowser PeoplePal planetwork psbot purebot pycurl RealDownload ReGet Rippers 0 SeaMonkey$ sitecheck.internetseer.com SiteSnagger skygrid SmartDownload sucker SuperBot SuperHTTP Surfbot tAkeOut Teleport Pro Toata dragostea mea pentru diavola turnit vikspider VoidEYE Web Image Collector Web Sucker WebAuto WebCopier WebFetch WebGo IS WebLeacher WebReaper WebSauger Website eXtractor Website Quester WebStripper WebWhacker WebZIP Wget Widow WWW-Mechanize WWWOFFLE Xaldon WebSpider Zeus zmeu CazoodleBot discobot ecxi GT::WWW heritrix HTTP::Lite HTTrack ia_archiver id-search id-search.org IDBot Indy Library IRLbot ISC Systems iRc Search 2.1 LinksManager.com_bot linkwalker lwp-trivial MFC_Tear_Sample Microsoft URL Control Missigua Locator panscient.com PECL::HTTP PHPCrawl PleaseCrawl SBIder Snoopy Steeler URI::Fetch urllib Web Sucker webalta WebCollage Wells Search II WEP Search zermelo ZyBorg Indy Library libwww-perl Go!Zilla TurnitinBot sqlmap