When a default setting is added to fix an issue which would affect a significant number of sites, that default is forcibly added to your configuration during the update. We have done that, for example, to add Joomla's copy of restore.php which is used by Joomla Update. However, a new .htaccess file is NOT created because there is no way to tell a. if you are using the .htaccess Maker; b. if you have customized the .htaccess file (e.g. you changed the PHP version from your hosting control panel); and c. if you have modified the settings since you last created a .htaccess file, meaning that generating a new file could break your site. Therefore, applying the .htaccess changes automatically would have a high chance of breaking your site and that's why we don't do it. As a result, these defaults do not need to be documented.
The same happens with defaults which would prevent your site from being hacked, e.g. the WAF Exceptions we added to catch two zero-day attacks on old versions of Joomla. As soon as you update, these are added to your configuration and enabled. Nothing for you to do. As a result, these defaults do not need to be documented.
There are other defaults, for example which features are enabled by default in the setup wizard, which is the default state of various WAF options etc. These defaults only make sense on new sites. As a result, these defaults do not need to be documented.
Now, regarding the default list of blocked user agents. This IS NOT meant to be a definitive list! If it was, we wouldn't give you the option to modify it. The default value is there to serve as an example. You MUST customize it. If you don't understand what you're doing there, you will block search engines, payment processors, certain classes of proxied users and other traffic you might actually be interested in. DO NOT USE THE DEFAULT VALUES IN THAT LIST. The only "safe default" is an empty list. So, nothing to document here either.
Finally, anything else which is a default exclusion, i.e. extensions, does not need to be documented by its very nature. If you have a site which works fine, then by definition you DO NOT need to add more file extension exclusions. The additionally excluded extensions would therefore benefit only new sites, making their configuration a bit easier for you. Existing sites would NOT benefit from modifying the excluded extensions, therefore there is nothing to document.
So, we are left with nothing to document. Anything which would make sense to be documented is applied automatically. Anything which is not documented only makes sense on new sites. Default values, especially in security software, are a starting point. They are NOT the single source of truth.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!