htaccess file – your first line of defence

An important first line of defence for your website is the handling of HTTP Requests by the web server. A number of common attacks such as Cross-Site Scripting, Local File Inclusion and SQL Injection all start with the transmission of hostile commands via the HTTP Request. The challenge is separating legitimate requests from the hostile or malicious ones.

For a website hosted on an Apache server, there is a powerful mechanism available to help – the Apache htaccess file. Use of an appropriately configured htaccess file on a server with mod_rewrite can provide a robust defence against many HTTP Request attacks. This posting examines the types of rules that can be implemented and their role in protecting your website.

So what is an .htaccess file?

An .htaccess file is a plain text file containing a list of configuration directives (rules) that are processed by the Apache web server. A site can have more than one htaccess file; on more complex sites this allows for distributed configuration, i.e. specific instructions can be applied at the level of an individual directory. The htaccess file is read on every HTTP Request submitted to the web server, which is very helpful because changes to the file take immediate effect.

Will my hosting provider let me use an htaccess file?

If your website is hosted on an Apache server your hosting company should allow the use of htaccess files. These files provide a number of important mechanisms to support websites.

If your host does not allow the use of htaccess files and you plan to run a Joomla website, change your hosting provider to one that does.

What types of rules can the file contain?

The common security related processing directives (rules) the file may contain include:

  • Authorisation or authentication – username/password control at directory level;
  • Blocking – use of allow/deny rules to block users by IP address or domain;
  • Customised error responses – defining the response to a server side error, e.g. page not found (404);
  • Directory listing – rules on what to do if a directory rather than a page is requested (and there is no index.html in the directory);
  • URL Rewriting – evaluating and processing the submitted HTTP Request; this can be used for a number of purposes including search engine optimisation (SEO), redirection of moved content, and security processing of the Request.
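To make the first four directive types concrete for a Joomla! site, here is an added example (Apache 2.4 syntax, not taken from the Joomla! project) that protects the administrator directory with a second password, refuses HTTP access to configuration.php, turns off directory listings and defines custom error pages. The htpasswd path and the 192.0.2.0/24 office range are placeholders.

```apache
# --- /.htaccess (site root) ---

# Directory listing: never show a file list when a directory has no index page
Options -Indexes

# Customised error responses: serve your own pages instead of Apache's defaults
ErrorDocument 403 /403.html
ErrorDocument 404 /404.html

# Blocking: Joomla's configuration.php must never be fetched over HTTP
<Files "configuration.php">
    Require all denied
</Files>

# --- /administrator/.htaccess ---

# Authentication: a username/password challenge before the Joomla login page.
# Create the password file outside the web root, e.g.
#   htpasswd -c /path/outside/webroot/.htpasswd admin
AuthType Basic
AuthName "Restricted administration area"
AuthUserFile /path/outside/webroot/.htpasswd

# Blocking by IP address combined with authentication: a client must come
# from the placeholder office range AND present valid credentials
<RequireAll>
    Require ip 192.0.2.0/24
    Require valid-user
</RequireAll>
```

These directives only take effect if the host's AllowOverride setting permits them, so confirm with a deliberately wrong password and a request for /configuration.php that both are refused before relying on them.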

How can I protect my Joomla! website?

The standard Joomla! installation includes an .htaccess file. It is in the root directory of the site and following installation will be named htaccess.txt rather than .htaccess so that it is not automatically activated. Before using the file you need to check whether your host allows the use of htaccess files and has enabled the Apache mod_rewrite module. Instructions on how to perform this check can be found here. If mod_rewrite is enabled on your server then you can use the pre-configured file simply by renaming it from htaccess.txt to .htaccess.

From a site protection perspective what does this file do?

For HTTP Requests that match the security processing directives, the htaccess file will block the requests and redirect them to your site’s homepage with a 403 (Forbidden) error. The preconfigured directives are designed to block out any script trying to:

  • set a mosConfig value through the URL – mosConfig variables are global variables in Joomla! 1.0; they are not used in Joomla! 1.5 core code, although a number of extensions that originated under Joomla! 1.0 still use them;
  • submit base64_encode data via the URL – this technique is used by hackers to inject or conceal code which they hope to execute on your server;
  • include a <script> tag in the URL – used, for example, to try to inject Javascript into a page;
  • set a PHP GLOBALS variable via the URL – on a properly configured server the PHP directive register_globals should be turned off; if it is not, this directive prevents access to GLOBALS variables via the URL;
  • modify a _REQUEST variable via the URL – _REQUEST variables are the variables associated with the HTTP Request; this directive prevents access to them via the URL.
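The five checks above written out as mod_rewrite directives. This is an added example in the style of Joomla's htaccess.txt, not a copy of that file: the regular expressions are my own rendering of the conditions described and should be compared with the file shipped in your installation.

```apache
RewriteEngine On

# Apache matches each RewriteCond against the raw, still percent-encoded
# query string, so every pattern also accepts the encoded form of its
# delimiters (%3D for '=', %3C for '<', %3E for '>', %5B for '[').

# Attempt to set a mosConfig_* value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
# base64_encode(...) in the query string
RewriteCond %{QUERY_STRING} base64_encode[^(]*\(.*\) [NC,OR]
# A <script> tag, literal or percent-encoded
RewriteCond %{QUERY_STRING} (<|%3C)[^>]*script[^>]*(>|%3E) [NC,OR]
# Attempt to set a PHP GLOBALS variable (GLOBALS=, GLOBALS[ or GLOBALS%5B)
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
# Attempt to set or change a _REQUEST variable (last condition has no [OR])
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
# Any condition matched: refuse the request with 403 Forbidden and stop
RewriteRule .* - [F,L]
```

Before deploying, exercise the site's own forms and search pages: the conditions look at the whole query string, so a legitimate search term containing one of these patterns would also receive a 403.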

Can this protection be improved on?

Yes, the Joomla! documentation website includes a page on htaccess examples. Under the heading “Other useful settings” there are a number of additional directives which may be used to enhance your site’s security. The Joomla! website does not currently explain these directives, but we have analysed them and posted an article explaining the enhanced htaccess directives.

Conclusion

If you want to significantly improve the security of your website, a properly configured .htaccess file provides a powerful mechanism to prevent many common exploits using HTTP Requests. At a minimum it is worth implementing the pre-configured version available as part of the core Joomla installation. But you should consider using an enhanced htaccess file to further reduce the risks.

Posted in Internet Technology, Joomla! website security

An Overview of a Web Server

In our previous post we looked at how an Internet connection works, and saw that the content the user wanted to view was stored on a web server. If you are building or running your own website it helps if you understand the basic components of a typical web server. This is particularly important if you want to understand the security advice offered on many websites about securing your own website.

Posted in Internet Technology

An Overview of Internet Connections

To understand the factors and risks which affect the security of your website, it is helpful to have a basic understanding of how the Internet works. This post sets the scene, introducing some of the basic concepts which we will explore in more detail in later posts.

Posted in Internet Technology

Introduction to Internet security

A Google search on internet security reveals that there are about 192 million search results. A similar search for Joomla security reveals about 11.8 million results. Whilst there are plenty of checklists, security tips and advice, it is often difficult for newcomers to website design and hosting to understand the relevance of the available advice.

Starting tomorrow we will be publishing a series of articles with the aim of explaining the issues associated with operating a Joomla! website and the rationale for the published advice.

Posted in Joomla! website security

Site security – creating and using strong passwords

No matter how good the technical security of your Joomla! website is, often the weakest link is the choice and use of passwords. One of the root causes of problems with passwords is that users forget them. So in an effort to remember them, users choose simple things like their pet’s name, or their child’s first name and birthday, etc. – in fact anything that will give them a hint to remember what their password is. And of course if they have a lot of accounts, they will often reuse the passwords they have chosen. Unfortunately this makes it much easier for a would-be hacker to attack their accounts: some simple social engineering or the use of list-based password attacks will often compromise systems.

Posted in Joomla! website security

Update on the hacked Joomla! website

In a previous post we looked at a business website which had been hacked. Before making the post we had contacted the site owner and advised them that their site had been compromised. The response we received was:

We know about it, it is due to old version of Joomla it is not our component problem, we plan to set up latest Joomla CMS, ok, we have fixed this problem, what you think about our component?

Posted in Joomla! website security

Securing Directories and Files on a Joomla! website

In our first post we referred to the Joomla Administrator’s Security Checklist, and in subsequent posts we have described some simple steps you can take to improve the configuration of your website. Tom Canavan, the author of Joomla! Web Security, wrote an interesting blog article about this issue.

Posted in Joomla! website security

So why does your Joomla! website security matter?

Because failing to take steps to protect your website can allow hackers to damage, deface or take down your website.

The screen-shot below is from a live website run by a commercial organisation selling Joomla! extensions and PHP scripts. The site has been anonymised and the site owner informed about the problem.

Posted in Joomla! website security

Next Steps to Securing your Joomla! website

In the last post we explained some simple steps that you can take to improve your Joomla! website’s security. These steps addressed simple changes to your site’s core configuration to reduce the risk from some known exploits. Another area which should be addressed is the potential weakness created by the known fixed address of your website’s administrator interface.

Posted in Joomla! website security

First Steps to Securing your Joomla! website

In yesterday’s post we highlighted a number of steps you can take to improve the security of your Joomla!™ website. In this post we are going to address two steps you should take when building a new Joomla website. If you did not take these steps when you built your Joomla website and it is already live, don’t worry: we will explain how to address the issues retrospectively. Both the actions we recommend below are featured on the Joomla! Administrator’s Security Checklist.

Posted in Joomla! website security