Tips for .htaccess

danielpmc · Nov 4, 2016

Hello Everybody,

This .htaccess tutorial is for anybody that has access to a cPanel. With an .htaccess file you can secure your site from a lot of negative traffic from Bots, Scanners, Scrapers, Hackers and otherwise nefarious actions against your site. By using the examples shown below you can prevent an incredible amount of your bandwidth from being wasted by negative traffic. It certainly is NOT the definitive all in one solution. There are two ways you can setup a .htaccess to monitor your traffic, Whitelist or Blacklist. You decide which is the appropriate method for your individual needs. Anything you see here is something i personally use and have tested myself on my domainS. Hope this helps you out.

When a person has a VPS or Dedicated server they use a firewall and .htaccess for the security of their domains. But what about Shared Hosting? This is where the .htaccess file comes into play. Think of it as your own firewall for your site. Without .htaccess, you leave yourself open to really bad people/bots hacking or hijacking your site. With .htaccess, you place a digital deadbolt on your site and can keep out hackers and bad bots. Think of your website as your house. You lock your door to keep out the criminals. It is the same way online, you have to protect your site to keep the criminals or unwanted bots from causing damage to your site.

Your domain (your website) .htaccess file is found or created by you AFTER clicking on the public_html directory (folder) in your cPanel File Manager. If .htaccess does not show once you click on public_html it may not exist or is hidden.

Solution:
1a In the upper right corner inside your cPanel File Manager look for Settings. Click it and checkmark the box Show Hidden Files, now your .htaccess file will show.

1b If you still do not see an .htaccess file you need to create one. AFTER clicking on your public_html directory (folder) look in the upper part of page for something like, add OR create OR + file. Click on it and a popup will show. Type .htaccess ,check your spelling, for the name. REMEMBER .htaccess must always start with a dot (period).

First i want to explain a few Golden Rules that are VITAL to setting up your .htaccess and ensuring it works.

ANY/ALL .htaccess file permission/chmod must be set to 644 NOTHING ELSE. DO NOT let anybody tell you different, not even your support at your Host.

1 ANY/ALL .htaccess files MUST start with a dot (period) AND spelled only with lowercase letters.
1a .htaccess (will work)
1b .Htaccess (will not work)
1c .HTACCESS (will not work)
1d htaccess (will not work)
1e Htaccess (will not work)
1f HTACCESS (will not work)

2 Do you see the .*example.* part of any rule shown below? With .htaccess a wildcard IS NOT * by itself. It MUST BE .* (a dot first and then the * symbol)
2a .*example.* (will work)
2b *example* (will not work)

3 SetEnvIfNoCase User-Agent .*example.* good_bot (Notice the spacing and symbols, this is important.)
3a Set Env If No Case UserAgent .*example.* good_bot (Will not work)

4 SetEnvIfNoCase means that whatever you add as the rule (.*example.*) will work regardless of whether letters are CAPITALIZED, MiXed or all lowercase.
4a .*example.* (all lowercase letters will work)
4b .*ExaMple.* (mixed letters will work)
4c .*EXAMPLE.* (all capital letters will work)

Code:

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Whitelist .htaccess below
    DO NOT use on sites with: Payment Gateways, AntiSpam/Website/Forum/Blog/CMS Feeds, Pings, Pingomatic, Trackbacks, APIs, RSS/Atom, Posting By Email
    Basically if your site requires a constant/periodic connection to any other site to function, use the Blacklist .htaccess instead

    Paste and copy all below starting with RewriteEngine
    You may add additional ALLOW rules to a whitelist .htaccess
    Uncomment any rules you need/dont need by adding/removing the hashtag. NEVER UNCOMMENT the #COMMENT LINE
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    RewriteEngine on

    #COMMENT | Please read this comment carefully BEFORE uncommenting Rewritebase
    #COMMENT | if your site domain homepage looks like this http://www.example.com/index.php do not uncomment
    #COMMENT | if your site domain url looks like this http://www.example.com/something/index.php uncomment
    #RewriteBase /add somethings name here/

    Options -Indexes

    IndexIgnore *

    Options +FollowSymLinks

    DirectoryIndex index.php index.html

    #COMMENT | This denys other sites from IFraming your site. It prevents clickjacking.
    Header always append X-Frame-Options DENY

    #COMMENT | This will enforce SSL on all pages. You must have a SSL certificate installed first.
    #RewriteCond %{SERVER_PORT} 80
    #RewriteRule ^(.*)$ https://example.com/$1 [R,L]

    #COMMENT | REMOVE PATCH and PUT before uploading/updating/upgrading your site
    RewriteCond %{REQUEST_METHOD} ^(DELETE|HEAD|OPTIONS|PATCH|PROPFIND|PUT|TRACE|TRACK)
    RewriteRule .* - [F]

    #COMMENT | Block most proxies
    #RewriteCond %{HTTP:VIA} !^$ [OR]
    #RewriteCond %{HTTP:FORWARDED} !^$ [OR]
    #RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
    #RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
    #RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
    #RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
    #RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
    #RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
    #RewriteRule ^(.*)$ - [F]

    Order Deny,Allow
    Deny from all

    #COMMENT | Allows only browsers updated within the last couple years
    SetEnvIfNoCase User-Agent .*ozilla/5.* good_bot

    #COMMENT | Allows cPanel and cPanel Autossl
    SetEnvIfNoCase User-Agent .*hec.* good_bot
    SetEnvIfNoCase User-Agent .*omod.* good_bot
    SetEnvIfNoCase User-Agent .*pane.* good_bot
    SetEnvIfNoCase User-Agent .*utoss.* good_bot

    #COMMENT | Allows Softaculous
    SetEnvIfNoCase User-Agent .*oftaculou.* good_bot

    #COMMENT | Allows youtube
    SetEnvIfNoCase User-Agent .*outub.* good_bot
    SetEnvIfNoCase User-Agent .*ou-tub.* good_bot

    #COMMENT | Allows google/adsense/analytics bot
    SetEnvIfNoCase User-Agent .*oogle.* good_bot
    SetEnvIfNoCase User-Agent .*ens.* good_bot
    SetEnvIfNoCase User-Agent .*nalytic.* good_bot

    #COMMENT | Allows bing bot
    SetEnvIfNoCase User-Agent bing good_bot
    SetEnvIfNoCase User-Agent bing.* good_bot
    SetEnvIfNoCase User-Agent .*bing.* good_bot

    #COMMENT | Allows yahoo and slurp bots
    SetEnvIfNoCase User-Agent .*aho.* good_bot
    SetEnvIfNoCase User-Agent slur.* good_bot
    SetEnvIfNoCase User-Agent .*slur.* good_bot

    #COMMENT | Allows facebook bot
    SetEnvIfNoCase User-Agent .*aceboo.* good_bot

    #COMMENT | Allows pinterest bot
    SetEnvIfNoCase User-Agent .*interes.* good_bot

    #COMMENT | Allows linkedin bot
    SetEnvIfNoCase User-Agent .*inkedi.* good_bot
    SetEnvIfNoCase User-Agent .*inked-i.* good_bot

    #COMMENT | Allows myspace bot
    SetEnvIfNoCase User-Agent .*yspac.* good_bot

    #COMMENT | Allows snapchat bot
    SetEnvIfNoCase User-Agent .*nap.* good_bot

    #COMMENT | Allows instragram bot
    SetEnvIfNoCase User-Agent .*nsta.* good_bot

    Allow from env=good_bot


    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Blacklist .htaccess below
    Use on sites with: Payment Gateways, AntiSpam/Website/Forum/Blog/CMS Feeds, Pings, Pingomatic, Trackbacks, APIs, RSS/Atom, Posting By Email
    Basically if your site requires a constant/periodic connection to any other site to function, use a Blacklist .htaccess
    With a Blacklist .htaccess you can deny both IPs and Bots.

    Paste and copy all below starting with RewriteEngine
    You may add additional Deny rules and IPs to a Blacklist .htaccess
    Uncomment any rules you need/dont need by adding/removing the hashtag. NEVER UNCOMMENT the #COMMENT LINE
    Look at your cPanel Visitor and Error logs and add any additional rules as needed.
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


    RewriteEngine on

    #COMMENT | Please read this comment carefully BEFORE uncommenting Rewritebase
    #COMMENT | if your site domain homepage looks like this http://www.example.com/index.php do not uncomment
    #COMMENT | if your site domain url looks like this http://www.example.com/something/index.php uncomment
    #RewriteBase /add somethings name here/

    Options -Indexes

    IndexIgnore *

    Options +FollowSymLinks

    DirectoryIndex index.php index.html

    #COMMENT | This denys other sites from IFraming your site. It prevents clickjacking.
    Header always append X-Frame-Options DENY

    #COMMENT | This will enforce SSL on all pages. You must have a SSL certificate installed first.
    #RewriteCond %{SERVER_PORT} 80
    #RewriteRule ^(.*)$ https://example.com/$1 [R,L]

    #COMMENT | REMOVE PATCH and PUT before uploading/updating/upgrading your site
    RewriteCond %{REQUEST_METHOD} ^(DELETE|HEAD|OPTIONS|PATCH|PROPFIND|PUT|TRACE|TRACK)
    RewriteRule .* - [F]

    #COMMENT | Block most proxies
    #RewriteCond %{HTTP:VIA} !^$ [OR]
    #RewriteCond %{HTTP:FORWARDED} !^$ [OR]
    #RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
    #RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
    #RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
    #RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
    #RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
    #RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
    #RewriteRule ^(.*)$ - [F]

    Order Deny,Allow

    #COMMENT | This blocks visitors with no identification
    #COMMENT | Trust me you want this, as only a human hacker uses this particular rule versus a bot
    SetEnvIfNoCase User-Agent ^$ bad_bot

    #COMMENT | This blocks a notorious hacking trick, very dangerous.
    #COMMENT | Trust me you want this, as only a human hacker uses this particular rule versus a bot
    SetEnvIfNoCase User-Agent ^Mozilla/5.0$ bad_bot
    SetEnvIfNoCase User-Agent ^-$ bad_bot

    #COMMENT | This blocks a notorious hacking trick, very dangerous.
    #COMMENT | Trust me you want this, as only a human hacker uses this particular rule versus a bot
    SetEnvIfNoCase User-Agent ^Mozilla$ bad_bot

    #COMMENT | This blocks very old and dangerous browsers
    SetEnvIfNoCase User-Agent .*ozilla/1.* bad_bot
    SetEnvIfNoCase User-Agent .*ozilla/2.* bad_bot
    SetEnvIfNoCase User-Agent .*ozilla/3.* bad_bot
    SetEnvIfNoCase User-Agent .*ozilla/4.* bad_bot

    #COMMENT | This blocks Baidu
    SetEnvIfNoCase User-Agent .*ai.* bad_bot

    #COMMENT | This blocks Yandex
    SetEnvIfNoCase User-Agent .*ande.* bad_bot

    #COMMENT | This blocks most Scanners
    SetEnvIfNoCase User-Agent .*can.* bad_bot

    #COMMENT | This blocks most cgi hackers. delete if you use cgi
    SetEnvIfNoCase User-Agent cg.* bad_bot
    SetEnvIfNoCase User-Agent .*cg.* bad_bot

    #COMMENT | This blocks hackers looking for config.php
    SetEnvIfNoCase User-Agent conf.* bad_bot
    SetEnvIfNoCase User-Agent .*conf.* bad_bot

    #COMMENT | This blocks hackers some script bots
    SetEnvIfNoCase User-Agent .*crip.* bad_bot

    #COMMENT | This blocks curl code hackers.
    #COMMENT | IMPORTANT delete it if you are using a ecommerce payment gateway with your site
    SetEnvIfNoCase User-Agent cur.* bad_bot
    SetEnvIfNoCase User-Agent .*cur.* bad_bot

    #COMMENT | This blocks .exe code injection attempts
    SetEnvIfNoCase User-Agent ex.* bad_bot
    SetEnvIfNoCase User-Agent .*ex.* bad_bot

    #COMMENT | This blocks some blackhat hackers
    SetEnvIfNoCase User-Agent .*hat.* bad_bot
    SetEnvIfNoCase User-Agent .*hat bad_bot

    #COMMENT | This blocks Indybot a notorious bandwidth hog
    SetEnvIfNoCase User-Agent indybot bad_bot
    SetEnvIfNoCase User-Agent indy.* bad_bot
    SetEnvIfNoCase User-Agent .*indy.* bad_bot

    #COMMENT | This blocks remote javascript code injection attempts
    SetEnvIfNoCase User-Agent jav.* bad_bot
    SetEnvIfNoCase User-Agent .*jav.* bad_bot

    #COMMENT | This blocks hackers and bots looking for your logs
    SetEnvIfNoCase User-Agent log bad_bot
    SetEnvIfNoCase User-Agent log.* bad_bot
    SetEnvIfNoCase User-Agent .*log.* bad_bot
    SetEnvIfNoCase User-Agent .*log bad_bot

    #COMMENT | This blocks Morfeus which attempts to exploit your SOAP file
    #COMMENT | This is extremely dangerous
    SetEnvIfNoCase User-Agent .*orfeu.* bad_bot

    #COMMENT | This blocks remote php file exploits
    SetEnvIfNoCase User-Agent .*php.* bad_bot
    SetEnvIfNoCase User-Agent .*php bad_bot

    #COMMENT | This blocks some portscanners
    SetEnvIfNoCase User-Agent port bad_bot
    SetEnvIfNoCase User-Agent port.* bad_bot
    SetEnvIfNoCase User-Agent .*port.* bad_bot
    SetEnvIfNoCase User-Agent .*port bad_bot

    #COMMENT | This blocks query and hotel.qunar exploits
    SetEnvIfNoCase User-Agent .*qu.* bad_bot
    SetEnvIfNoCase User-Agent qu.* bad_bot

    #COMMENT | This blocks some proxys IMPORTANT delete this if you have visitors from Africa since many connections are made with Africa/Proxy
    SetEnvIfNoCase User-Agent .*rox.* bad_bot

    #COMMENT | This blocks mysql or sql exploits
    SetEnvIfNoCase User-Agent sq.* bad_bot
    SetEnvIfNoCase User-Agent .*sq.* bad_bot

    #COMMENT | This blocks a URL scraper code
    SetEnvIfNoCase User-Agent .*url.* bad_bot

    #COMMENT | This blocks pythonrequests
    SetEnvIfNoCase User-Agent .*yth.* bad_bot

    #COMMENT | This blocks zeus (a dangerous hack code)
    SetEnvIfNoCase User-Agent zeu.* bad_bot
    SetEnvIfNoCase User-Agent .*zeu.* bad_bot

    #COMMENT | This blocks ZmEu (a dangerous hack code)
    SetEnvIfNoCase User-Agent zme.* bad_bot
    SetEnvIfNoCase User-Agent .*zme.* bad_bot

    #COMMENT | This blocks zgrab (a dangerous hack code)
    SetEnvIfNoCase User-Agent zgra.* bad_bot
    SetEnvIfNoCase User-Agent .*zgra.* bad_bot

    #COMMENT | This denys an IP use as many as you like.
    #COMMENT | IMPORTANT keep this at 150 IPs or less or your bandwidth and site loading speed will suffer. Uncomment each deny ip to take effect
    #Deny from xxx.xxx.xxx.xxx
    #Deny from xxx.xxx.xxx.xxx
    Deny from env=bad_bot

cPanelMichael · Nov 7, 2016

Hello @danielpmc,

Thank you for taking the time to submit a post with .htaccess tips for end-users. Feel free to respond to this post if you'd like to make any changes or updates to the rule suggestions in the future.

Thanks!

danielpmc · Nov 8, 2016

Hello Everybody,

The tips and tricks i posted above are intended to be used as building blocks for your own personal .htaccess. Everybody has different needs according to their server and site. Please make a backup before editing .htaccess and run several tests afterward. Never assume that all .htaccess codes will work on every server configuration. I will post more codes as time goes on. If you have a question i will try and offer a solution. Disclaimer: I am not cPanel Staff or Moderator Staff. Any .htaccess codes i post are codes i personally have or currently am using in a live enviroment.

1. If you already have an .htaccess file in your cPanel public_html DO NOT delete it, instead add extra snippets of code as needed.

2. If you do not have an .htaccess file in your cPanel public_html then you may paste and copy either the Whitelist or Blacklist and make adjustments as needed. Go ahead and throw in a couple of code snippets if applicable.

Thanks for stopping by and hope i was able to help you out.

danielpmc · Nov 8, 2016

Request Server Variables
This public_html/.htaccess code is great for those of you that need to set a Cron in cPanel. By using the code you will see exactly what the current server time and other info is. This helps so you do not add a heavy resource cron during a server high load time. But it also helps those of you that have onsite automatic optimization plugins/extensions/auto task/etc, so you also can avoid scheduling crons/tasks during peak server times.

Reference Link:
Code:
http://www.askapache.com/htaccess/time_hour-rewritecond-time/
How to:
Use code in your .htaccess file to find out what your servers current variables are.
Simply uncomment (remove hashtag) whichever line, one at a time, you want to see the value for, and request any file from your site.

Sample:
Code:
example would be your domain name
So http://example.com/index.html would redirect you to http://example.com/index.html?time=2007 if you had uncommented the TIME_YEAR line.
Code:(Place in cPanel/File Manager/public_html/.htaccess)
Code:
#IMPORTANT: Make sure to comment out ,add hashtag, to EACH code line after using TO DISABLE.
#Look in your current public_html .htaccess and see if RewriteEngine On is present, if not uncomment.

#RewriteEngine On

#Please read these comments carefully BEFORE uncommenting Rewritebase
#If your site domain homepage looks similar to http://www.example.com/index.php (do not uncomment)
#If your site domain url looks similar to http://www.example.com/some name here/index.php (uncomment)

#RewriteBase /some name here/

#RewriteCond %{QUERY_STRING} !time [NC]
#RewriteCond %{TIME} ^(.*)
#RewriteCond %{TIME_YEAR} ^(.*)
#RewriteCond %{TIME_MON} ^(.*)
#RewriteCond %{TIME_WDAY} ^(.*)
#RewriteCond %{TIME_DAY} ^(.*)
#RewriteCond %{TIME_HOUR} ^(.*)
#RewriteCond %{TIME_MIN} ^(.*)
#RewriteCond %{TIME_SEC} ^(.*)
#RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI}?time=%1 [R,L]
Hope this helps you thanks for stopping by.

danielpmc · Nov 22, 2016

Force SSL (https) with or without WWW
This cPanel public_html/.htaccess code will force all pages (urls) to use SSL (https) encryption and urls.
I personally use these in my .htaccess file.

Prerequsite:
You must have a valid SSL Certificate installed on your domain or subdomain BEFORE using these codes.

How to:
1. These codes are to be placed in your cPanel public_html/.htaccess file.
2. Replace example.com with your domain or subdomain name.

Note:
Do not uncomment (remove hashtag) of any #Comment in code.
Read the #Comment of each code to make a choice.
Code:
#Comment | Uncomment ''RewriteEngine on'' below if it is not in your public_html .htaccess file
#You only need to have this once in the public_html .htaccess as it covers all other Rewrites
#RewriteEngine on

#Comment | Force all URLs to https WITHOUT www
#RewriteCond %{SERVER_PORT} 80
#RewriteRule ^(.*)$ https://example.com/$1 [R,L]

#Comment | Force all URLs to https WITH www
#RewriteCond %{SERVER_PORT} 80
#RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]
Hope this helps you out,
danielpm

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

Tips for .htaccess

danielpmc Well-Known Member

cPanelMichael Forums Analyst
Staff Member

danielpmc Well-Known Member

danielpmc Well-Known Member

danielpmc Well-Known Member

MariaDB Optimization Tips

htaccess not working correctly

htaccess redirect assistance

chown .htaccess files in public_html?

cPanel .htaccess entries for autoSSL

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

Tips for .htaccess

danielpmc Well-Known Member

cPanelMichael Forums Analyst Staff Member

danielpmc Well-Known Member

danielpmc Well-Known Member

danielpmc Well-Known Member

MariaDB Optimization Tips

htaccess not working correctly

htaccess redirect assistance

chown .htaccess files in public_html?

cPanel .htaccess entries for autoSSL

Share This Page

cPanelMichael Forums Analyst
Staff Member