Tips for .htaccess

Discussion in 'Security' started by danielpmc, Nov 4, 2016.

  1. danielpmc

    danielpmc Well-Known Member

    Joined:
    Nov 3, 2016
    Messages:
    59
    Likes Received:
    27
    Trophy Points:
    18
    Location:
    Gainesville, Florida
    cPanel Access Level:
    Root Administrator
    Hello Everybody,

    This .htaccess tutorial is for anybody that has access to a cPanel. With an .htaccess file you can secure your site from a lot of negative traffic from Bots, Scanners, Scrapers, Hackers and otherwise nefarious actions against your site. By using the examples shown below you can prevent an incredible amount of your bandwidth from being wasted by negative traffic. It certainly is NOT the definitive all-in-one solution. There are two ways you can set up a .htaccess to monitor your traffic, Whitelist or Blacklist. You decide which is the appropriate method for your individual needs. Anything you see here is something I personally use and have tested myself on my domains. Hope this helps you out.

    When a person has a VPS or Dedicated server they use a firewall and .htaccess for the security of their domains. But what about Shared Hosting? This is where the .htaccess file comes into play. Think of it as your own firewall for your site. Without .htaccess, you leave yourself open to really bad people/bots hacking or hijacking your site. With .htaccess, you place a digital deadbolt on your site and can keep out hackers and bad bots. Think of your website as your house. You lock your door to keep out the criminals. It is the same way online, you have to protect your site to keep the criminals or unwanted bots from causing damage to your site.

    Your domain (your website) .htaccess file is found or created by you AFTER clicking on the public_html directory (folder) in your cPanel File Manager. If .htaccess does not show once you click on public_html it may not exist or is hidden.

    Solution:
    1a In the upper right corner inside your cPanel File Manager look for Settings. Click it and check the box "Show Hidden Files"; now your .htaccess file will show.

    1b If you still do not see an .htaccess file you need to create one. AFTER clicking on your public_html directory (folder) look in the upper part of the page for something like "add" OR "create" OR "+ file". Click on it and a popup will show. Type .htaccess (check your spelling) for the name. REMEMBER .htaccess must always start with a dot (period).

    First I want to explain a few Golden Rules that are VITAL to setting up your .htaccess and ensuring it works.

    ANY/ALL .htaccess file permission/chmod must be set to 644 NOTHING ELSE. DO NOT let anybody tell you different, not even your support at your Host.

    1 ANY/ALL .htaccess files MUST start with a dot (period) AND be spelled only with lowercase letters.
    1a .htaccess (will work)
    1b .Htaccess (will not work)
    1c .HTACCESS (will not work)
    1d htaccess (will not work)
    1e Htaccess (will not work)
    1f HTACCESS (will not work)

    2 Do you see the .*example.* part of any rule shown below? With .htaccess a wildcard IS NOT * by itself. It MUST BE .* (a dot first and then the * symbol)
    2a .*example.* (will work)
    2b *example* (will not work)

    3 SetEnvIfNoCase User-Agent .*example.* good_bot (Notice the spacing and symbols, this is important.)
    3a Set Env If No Case UserAgent .*example.* good_bot (Will not work)

    4 SetEnvIfNoCase means that whatever you add as the rule (.*example.*) will work regardless of whether letters are CAPITALIZED, MiXed or all lowercase.
    4a .*example.* (all lowercase letters will work)
    4b .*ExaMple.* (mixed letters will work)
    4c .*EXAMPLE.* (all capital letters will work)

    Code:
        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        Whitelist .htaccess below
        DO NOT use on sites with: Payment Gateways, AntiSpam/Website/Forum/Blog/CMS Feeds, Pings, Pingomatic, Trackbacks, APIs, RSS/Atom, Posting By Email
        Basically if your site requires a constant/periodic connection to any other site to function, use the Blacklist .htaccess instead
    
        Paste and copy all below starting with RewriteEngine
        You may add additional ALLOW rules to a whitelist .htaccess
        Uncomment any rules you need/don't need by adding/removing the hashtag. NEVER UNCOMMENT the #COMMENT LINE
        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    
        RewriteEngine on
    
        #COMMENT | Please read this comment carefully BEFORE uncommenting Rewritebase
        #COMMENT | if your site domain homepage looks like this http://www.example.com/index.php do not uncomment
        #COMMENT | if your site domain url looks like this http://www.example.com/something/index.php uncomment
        #RewriteBase /add somethings name here/
    
        Options -Indexes
    
        IndexIgnore *
    
        Options +FollowSymLinks
    
        DirectoryIndex index.php index.html
    
        #COMMENT | This denies other sites from iframing your site. It prevents clickjacking.
        Header always append X-Frame-Options DENY
    
        #COMMENT | This will enforce SSL on all pages. You must have a SSL certificate installed first.
        #RewriteCond %{SERVER_PORT} 80
        #RewriteRule ^(.*)$ https://example.com/$1 [R,L]
    
        #COMMENT | REMOVE PATCH and PUT before uploading/updating/upgrading your site
        RewriteCond %{REQUEST_METHOD} ^(DELETE|HEAD|OPTIONS|PATCH|PROPFIND|PUT|TRACE|TRACK)
        RewriteRule .* - [F]
    
        #COMMENT | Block most proxies
        #RewriteCond %{HTTP:VIA} !^$ [OR]
        #RewriteCond %{HTTP:FORWARDED} !^$ [OR]
        #RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
        #RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
        #RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
        #RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
        #RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
        #RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
        #RewriteRule ^(.*)$ - [F]
    
        Order Deny,Allow
        Deny from all
    
        #COMMENT | Allows only browsers updated within the last couple years
        SetEnvIfNoCase User-Agent .*ozilla/5.* good_bot
    
        #COMMENT | Allows cPanel and cPanel Autossl
        SetEnvIfNoCase User-Agent .*hec.* good_bot
        SetEnvIfNoCase User-Agent .*omod.* good_bot
        SetEnvIfNoCase User-Agent .*pane.* good_bot
        SetEnvIfNoCase User-Agent .*utoss.* good_bot
    
        #COMMENT | Allows Softaculous
        SetEnvIfNoCase User-Agent .*oftaculou.* good_bot
    
        #COMMENT | Allows youtube
        SetEnvIfNoCase User-Agent .*outub.* good_bot
        SetEnvIfNoCase User-Agent .*ou-tub.* good_bot
    
        #COMMENT | Allows google/adsense/analytics bot
        SetEnvIfNoCase User-Agent .*oogle.* good_bot
        SetEnvIfNoCase User-Agent .*ens.* good_bot
        SetEnvIfNoCase User-Agent .*nalytic.* good_bot
    
        #COMMENT | Allows bing bot
        SetEnvIfNoCase User-Agent bing good_bot
        SetEnvIfNoCase User-Agent bing.* good_bot
        SetEnvIfNoCase User-Agent .*bing.* good_bot
    
        #COMMENT | Allows yahoo and slurp bots
        SetEnvIfNoCase User-Agent .*aho.* good_bot
        SetEnvIfNoCase User-Agent slur.* good_bot
        SetEnvIfNoCase User-Agent .*slur.* good_bot
    
        #COMMENT | Allows facebook bot
        SetEnvIfNoCase User-Agent .*aceboo.* good_bot
    
        #COMMENT | Allows pinterest bot
        SetEnvIfNoCase User-Agent .*interes.* good_bot
    
        #COMMENT | Allows linkedin bot
        SetEnvIfNoCase User-Agent .*inkedi.* good_bot
        SetEnvIfNoCase User-Agent .*inked-i.* good_bot
    
        #COMMENT | Allows myspace bot
        SetEnvIfNoCase User-Agent .*yspac.* good_bot
    
        #COMMENT | Allows snapchat bot
        SetEnvIfNoCase User-Agent .*nap.* good_bot
    
        #COMMENT | Allows instagram bot
        SetEnvIfNoCase User-Agent .*nsta.* good_bot
    
        Allow from env=good_bot
    
    
        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        Blacklist .htaccess below
        Use on sites with: Payment Gateways, AntiSpam/Website/Forum/Blog/CMS Feeds, Pings, Pingomatic, Trackbacks, APIs, RSS/Atom, Posting By Email
        Basically if your site requires a constant/periodic connection to any other site to function, use a Blacklist .htaccess
        With a Blacklist .htaccess you can deny both IPs and Bots.
    
        Paste and copy all below starting with RewriteEngine
        You may add additional Deny rules and IPs to a Blacklist .htaccess
        Uncomment any rules you need/don't need by adding/removing the hashtag. NEVER UNCOMMENT the #COMMENT LINE
        Look at your cPanel Visitor and Error logs and add any additional rules as needed.
        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    
    
        RewriteEngine on
    
        #COMMENT | Please read this comment carefully BEFORE uncommenting Rewritebase
        #COMMENT | if your site domain homepage looks like this http://www.example.com/index.php do not uncomment
        #COMMENT | if your site domain url looks like this http://www.example.com/something/index.php uncomment
        #RewriteBase /add somethings name here/
    
        Options -Indexes
    
        IndexIgnore *
    
        Options +FollowSymLinks
    
        DirectoryIndex index.php index.html
    
        #COMMENT | This denies other sites from iframing your site. It prevents clickjacking.
        Header always append X-Frame-Options DENY
    
        #COMMENT | This will enforce SSL on all pages. You must have a SSL certificate installed first.
        #RewriteCond %{SERVER_PORT} 80
        #RewriteRule ^(.*)$ https://example.com/$1 [R,L]
    
        #COMMENT | REMOVE PATCH and PUT before uploading/updating/upgrading your site
        RewriteCond %{REQUEST_METHOD} ^(DELETE|HEAD|OPTIONS|PATCH|PROPFIND|PUT|TRACE|TRACK)
        RewriteRule .* - [F]
    
        #COMMENT | Block most proxies
        #RewriteCond %{HTTP:VIA} !^$ [OR]
        #RewriteCond %{HTTP:FORWARDED} !^$ [OR]
        #RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
        #RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
        #RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
        #RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
        #RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
        #RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
        #RewriteRule ^(.*)$ - [F]
    
        Order Deny,Allow
    
        #COMMENT | This blocks visitors with no identification
        #COMMENT | Trust me you want this, as only a human hacker uses this particular rule versus a bot
        SetEnvIfNoCase User-Agent ^$ bad_bot
    
        #COMMENT | This blocks a notorious hacking trick, very dangerous.
        #COMMENT | Trust me you want this, as only a human hacker uses this particular rule versus a bot
        SetEnvIfNoCase User-Agent ^Mozilla/5.0$ bad_bot
        SetEnvIfNoCase User-Agent ^-$ bad_bot
    
        #COMMENT | This blocks a notorious hacking trick, very dangerous.
        #COMMENT | Trust me you want this, as only a human hacker uses this particular rule versus a bot
        SetEnvIfNoCase User-Agent ^Mozilla$ bad_bot
    
        #COMMENT | This blocks very old and dangerous browsers
        SetEnvIfNoCase User-Agent .*ozilla/1.* bad_bot
        SetEnvIfNoCase User-Agent .*ozilla/2.* bad_bot
        SetEnvIfNoCase User-Agent .*ozilla/3.* bad_bot
        SetEnvIfNoCase User-Agent .*ozilla/4.* bad_bot
    
        #COMMENT | This blocks Baidu
        SetEnvIfNoCase User-Agent .*ai.* bad_bot
    
        #COMMENT | This blocks Yandex
        SetEnvIfNoCase User-Agent .*ande.* bad_bot
    
        #COMMENT | This blocks most Scanners
        SetEnvIfNoCase User-Agent .*can.* bad_bot
    
        #COMMENT | This blocks most cgi hackers. delete if you use cgi
        SetEnvIfNoCase User-Agent cg.* bad_bot
        SetEnvIfNoCase User-Agent .*cg.* bad_bot
    
        #COMMENT | This blocks hackers looking for config.php
        SetEnvIfNoCase User-Agent conf.* bad_bot
        SetEnvIfNoCase User-Agent .*conf.* bad_bot
    
        #COMMENT | This blocks some hacker script bots
        SetEnvIfNoCase User-Agent .*crip.* bad_bot
    
        #COMMENT | This blocks curl code hackers.
        #COMMENT | IMPORTANT delete it if you are using a ecommerce payment gateway with your site
        SetEnvIfNoCase User-Agent cur.* bad_bot
        SetEnvIfNoCase User-Agent .*cur.* bad_bot
    
        #COMMENT | This blocks .exe code injection attempts
        SetEnvIfNoCase User-Agent ex.* bad_bot
        SetEnvIfNoCase User-Agent .*ex.* bad_bot
    
        #COMMENT | This blocks some blackhat hackers
        SetEnvIfNoCase User-Agent .*hat.* bad_bot
        SetEnvIfNoCase User-Agent .*hat bad_bot
    
        #COMMENT | This blocks Indybot a notorious bandwidth hog
        SetEnvIfNoCase User-Agent indybot bad_bot
        SetEnvIfNoCase User-Agent indy.* bad_bot
        SetEnvIfNoCase User-Agent .*indy.* bad_bot
    
        #COMMENT | This blocks remote javascript code injection attempts
        SetEnvIfNoCase User-Agent jav.* bad_bot
        SetEnvIfNoCase User-Agent .*jav.* bad_bot
    
        #COMMENT | This blocks hackers and bots looking for your logs
        SetEnvIfNoCase User-Agent log bad_bot
        SetEnvIfNoCase User-Agent log.* bad_bot
        SetEnvIfNoCase User-Agent .*log.* bad_bot
        SetEnvIfNoCase User-Agent .*log bad_bot
    
        #COMMENT | This blocks Morfeus which attempts to exploit your SOAP file
        #COMMENT | This is extremely dangerous
        SetEnvIfNoCase User-Agent .*orfeu.* bad_bot
    
        #COMMENT | This blocks remote php file exploits
        SetEnvIfNoCase User-Agent .*php.* bad_bot
        SetEnvIfNoCase User-Agent .*php bad_bot
    
        #COMMENT | This blocks some portscanners
        SetEnvIfNoCase User-Agent port bad_bot
        SetEnvIfNoCase User-Agent port.* bad_bot
        SetEnvIfNoCase User-Agent .*port.* bad_bot
        SetEnvIfNoCase User-Agent .*port bad_bot
    
        #COMMENT | This blocks query and hotel.qunar exploits
        SetEnvIfNoCase User-Agent .*qu.* bad_bot
        SetEnvIfNoCase User-Agent qu.* bad_bot
    
        #COMMENT | This blocks some proxies. IMPORTANT delete this if you have visitors from Africa since many connections are made with Africa/Proxy
        SetEnvIfNoCase User-Agent .*rox.* bad_bot
    
        #COMMENT | This blocks mysql or sql exploits
        SetEnvIfNoCase User-Agent sq.* bad_bot
        SetEnvIfNoCase User-Agent .*sq.* bad_bot
    
        #COMMENT | This blocks a URL scraper code
        SetEnvIfNoCase User-Agent .*url.* bad_bot
    
        #COMMENT | This blocks pythonrequests
        SetEnvIfNoCase User-Agent .*yth.* bad_bot
    
        #COMMENT | This blocks zeus (a dangerous hack code)
        SetEnvIfNoCase User-Agent zeu.* bad_bot
        SetEnvIfNoCase User-Agent .*zeu.* bad_bot
    
        #COMMENT | This blocks ZmEu (a dangerous hack code)
        SetEnvIfNoCase User-Agent zme.* bad_bot
        SetEnvIfNoCase User-Agent .*zme.* bad_bot
    
        #COMMENT | This blocks zgrab (a dangerous hack code)
        SetEnvIfNoCase User-Agent zgra.* bad_bot
        SetEnvIfNoCase User-Agent .*zgra.* bad_bot
    
        #COMMENT | This denies an IP, use as many as you like.
        #COMMENT | IMPORTANT keep this at 150 IPs or less or your bandwidth and site loading speed will suffer. Uncomment each deny ip to take effect
        #Deny from xxx.xxx.xxx.xxx
        #Deny from xxx.xxx.xxx.xxx
        Deny from env=bad_bot
         
    
     
    #1 danielpmc, Nov 4, 2016
    Last edited by a moderator: Nov 4, 2016
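The following is an added example, not code from the thread or from cPanel: a small Python model of how Apache evaluates the SetEnvIfNoCase lines above together with the Order Deny,Allow / Deny / Allow directives, so the Whitelist and Blacklist can be checked against sample User-Agent strings before they go live. It covers Golden Rule 2 (Apache applies these patterns as an unanchored regex search, so .*example.* is the same as the substring "example") and the two rule lists. The rule lists are a hand-picked subset of the post's own lines and the User-Agent strings are constructed (the Googlebot and Facebook ones follow the formats those crawlers publicly document). A missing User-Agent header is not modelled, only an empty one.

```python
import re

# Constructed subset of the thread's whitelist and blacklist rules, copied as
# Apache SetEnvIfNoCase lines; the full lists in the post work the same way.
WHITELIST_RULES = """
SetEnvIfNoCase User-Agent .*ozilla/5.* good_bot
SetEnvIfNoCase User-Agent .*oogle.* good_bot
SetEnvIfNoCase User-Agent .*bing.* good_bot
SetEnvIfNoCase User-Agent .*aceboo.* good_bot
"""

BLACKLIST_RULES = """
SetEnvIfNoCase User-Agent ^$ bad_bot
SetEnvIfNoCase User-Agent ^Mozilla/5.0$ bad_bot
SetEnvIfNoCase User-Agent .*ozilla/4.* bad_bot
SetEnvIfNoCase User-Agent .*can.* bad_bot
SetEnvIfNoCase User-Agent .*cur.* bad_bot
SetEnvIfNoCase User-Agent .*ex.* bad_bot
SetEnvIfNoCase User-Agent .*yth.* bad_bot
SetEnvIfNoCase User-Agent .*zgra.* bad_bot
"""

# Constructed sample User-Agent strings; none were captured from a live server.
SAMPLE_AGENTS = {
    "firefox": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0",
    "curl": "curl/8.4.0",
    "python_requests": "python-requests/2.31.0",
    "googlebot_mobile": ("Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) "
                         "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/W.X.Y.Z Mobile Safari/537.36 "
                         "(compatible; Googlebot/2.1; +http://www.google.com/bot.html)"),
    "facebook": "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)",
    "bare_mozilla": "Mozilla/5.0",
    "empty": "",
}

RULE_RE = re.compile(r"^SetEnvIf(NoCase)?\s+User-Agent\s+(\S+)\s+(\w+)\s*$")


def parse_rules(text):
    """Turn SetEnvIf[NoCase] User-Agent lines into (pattern, compiled regex, env var)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported directive: " + line)
        nocase, pattern, var = m.groups()
        flags = re.IGNORECASE if nocase else 0
        rules.append((pattern, re.compile(pattern, flags), var))
    return rules


def matching_patterns(rules, user_agent):
    """Patterns that fire for this User-Agent. Apache applies SetEnvIf regexes
    unanchored (a search, not a full match), so '.*ex.*' is just the substring
    'ex' and '^...$' is needed to pin down a whole value."""
    return [pattern for pattern, regex, _ in rules if regex.search(user_agent)]


def env_vars(rules, user_agent):
    """Environment variables set once every rule has been applied."""
    return {var for _, regex, var in rules if regex.search(user_agent)}


def whitelist_decision(user_agent, rules=None):
    """Order Deny,Allow / Deny from all / Allow from env=good_bot:
    every request is denied unless some rule set good_bot."""
    rules = WHITELIST if rules is None else rules
    return "allow" if "good_bot" in env_vars(rules, user_agent) else "deny"


def blacklist_decision(user_agent, rules=None):
    """Order Deny,Allow / Deny from env=bad_bot with no Allow line:
    a request is denied exactly when some rule set bad_bot."""
    rules = BLACKLIST if rules is None else rules
    return "deny" if "bad_bot" in env_vars(rules, user_agent) else "allow"


WHITELIST = parse_rules(WHITELIST_RULES)
BLACKLIST = parse_rules(BLACKLIST_RULES)


def audit(agents=SAMPLE_AGENTS):
    """Decision of each .htaccess variant per sample agent, plus the blacklist
    patterns that caused a deny, so over-broad substring rules stand out."""
    report = {}
    for name, ua in agents.items():
        report[name] = {
            "whitelist": whitelist_decision(ua),
            "blacklist": blacklist_decision(ua),
            "blacklist_hits": matching_patterns(BLACKLIST, ua),
        }
    return report


if __name__ == "__main__":
    for name, row in audit().items():
        print(f"{name:17} whitelist={row['whitelist']:5} blacklist={row['blacklist']:5} "
              f"hits={row['blacklist_hits']}")
```

Running it shows why the substring rules deserve a look in the logs before they are enabled: `.*ex.*` denies the constructed Googlebot smartphone agent (the word "Nexus") and the Facebook crawler ("externalhit"), both of which the Whitelist would admit, while the Whitelist's `.*ozilla/5.*` admits the bare "Mozilla/5.0" agent that the Blacklist singles out. Two further points on Apache itself: the `Order`, `Deny` and `Allow` directives are the 2.2 access-control syntax and only work on Apache 2.4 when mod_access_compat is loaded (cPanel's EasyApache builds normally include it), and the patterns are matched against the raw header, so `SetEnvIfNoCase User-Agent ^$ bad_bot` is only guaranteed to catch an empty User-Agent, not every request that lacks the header.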
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,185
    Likes Received:
    1,295
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @danielpmc,

    Thank you for taking the time to submit a post with .htaccess tips for end-users. Feel free to respond to this post if you'd like to make any changes or updates to the rule suggestions in the future.

    Thanks!
     
  3. danielpmc

    Hello Everybody,

    The tips and tricks I posted above are intended to be used as building blocks for your own personal .htaccess. Everybody has different needs according to their server and site. Please make a backup before editing .htaccess and run several tests afterward. Never assume that all .htaccess codes will work on every server configuration. I will post more codes as time goes on. If you have a question I will try and offer a solution. Disclaimer: I am not cPanel Staff or Moderator Staff. Any .htaccess codes I post are codes I personally have or currently am using in a live environment.

    1. If you already have an .htaccess file in your cPanel public_html DO NOT delete it, instead add extra snippets of code as needed.

    2. If you do not have an .htaccess file in your cPanel public_html then you may paste and copy either the Whitelist or Blacklist and make adjustments as needed. Go ahead and throw in a couple of code snippets if applicable.

    Thanks for stopping by and hope I was able to help you out.
     
  4. danielpmc

    Request Server Variables
    This public_html/.htaccess code is great for those of you that need to set a Cron in cPanel. By using the code you will see exactly what the current server time and other info is. This helps so you do not add a heavy resource cron during a server high load time. But it also helps those of you that have onsite automatic optimization plugins/extensions/auto task/etc, so you also can avoid scheduling crons/tasks during peak server times.

    Reference Link:
    Code:
    http://www.askapache.com/htaccess/time_hour-rewritecond-time/
    How to:
    Use code in your .htaccess file to find out what your server's current variables are.
    Simply uncomment (remove hashtag) whichever line, one at a time, you want to see the value for, and request any file from your site.

    Sample: (example would be your domain name)
    So http://example.com/index.html would redirect you to http://example.com/index.html?time=2007 if you had uncommented the TIME_YEAR line.

    Code: (Place in cPanel/File Manager/public_html/.htaccess)
    #IMPORTANT: Make sure to comment out (add a hashtag to) EACH code line after using, TO DISABLE.
    #Look in your current public_html .htaccess and see if RewriteEngine On is present, if not uncomment.
    
    #RewriteEngine On
    
    #Please read these comments carefully BEFORE uncommenting Rewritebase
    #If your site domain homepage looks similar to http://www.example.com/index.php (do not uncomment)
    #If your site domain url looks similar to http://www.example.com/some name here/index.php (uncomment)
    
    #RewriteBase /some name here/
    
    #RewriteCond %{QUERY_STRING} !time [NC]
    #RewriteCond %{TIME} ^(.*)
    #RewriteCond %{TIME_YEAR} ^(.*)
    #RewriteCond %{TIME_MON} ^(.*)
    #RewriteCond %{TIME_WDAY} ^(.*)
    #RewriteCond %{TIME_DAY} ^(.*)
    #RewriteCond %{TIME_HOUR} ^(.*)
    #RewriteCond %{TIME_MIN} ^(.*)
    #RewriteCond %{TIME_SEC} ^(.*)
    #RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI}?time=%1 [R,L]
    Hope this helps you thanks for stopping by.
     
  5. danielpmc

    Force SSL (https) with or without WWW
    This cPanel public_html/.htaccess code will force all pages (urls) to use SSL (https) encryption and urls.
    I personally use these in my .htaccess file.

    Prerequisite:

    You must have a valid SSL Certificate installed on your domain or subdomain BEFORE using these codes.

    How to:
    1. These codes are to be placed in your cPanel public_html/.htaccess file.
    2. Replace example.com with your domain or subdomain name.

    Note:
    Do not uncomment (remove hashtag) of any #Comment in code.
    Read the #Comment of each code to make a choice.

    Code:
    #Comment | Uncomment ''RewriteEngine on'' below if it is not in your public_html .htaccess file
    #You only need to have this once in the public_html .htaccess as it covers all other Rewrites
    #RewriteEngine on
    
    #Comment | Force all URLs to https WITHOUT www
    #RewriteCond %{SERVER_PORT} 80
    #RewriteRule ^(.*)$ https://example.com/$1 [R,L]
    
    #Comment | Force all URLs to https WITH www
    #RewriteCond %{SERVER_PORT} 80
    #RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]
    Hope this helps you out,
    danielpm
     