Hello Everybody,
This .htaccess tutorial is for anybody who has access to a cPanel. With an .htaccess file you can secure your site from a lot of negative traffic from bots, scanners, scrapers, hackers and otherwise nefarious actions against your site. By using the examples shown below you can prevent an incredible amount of your bandwidth from being wasted by negative traffic. It certainly is NOT the definitive all-in-one solution. There are two ways you can set up an .htaccess to monitor your traffic, Whitelist or Blacklist. You decide which is the appropriate method for your individual needs. Anything you see here is something I personally use and have tested myself on my domains. Hope this helps you out.
When a person has a VPS or Dedicated server they use a firewall and .htaccess for the security of their domains. But what about Shared Hosting? This is where the .htaccess file comes into play. Think of it as your own firewall for your site. Without .htaccess, you leave yourself open to really bad people/bots hacking or hijacking your site. With .htaccess, you place a digital deadbolt on your site and can keep out hackers and bad bots. Think of your website as your house. You lock your door to keep out the criminals. It is the same way online: you have to protect your site to keep criminals or unwanted bots from causing damage to it.
Your domain's (your website's) .htaccess file is found, or created by you, AFTER clicking on the public_html directory (folder) in your cPanel File Manager. If .htaccess does not show once you click on public_html, it either does not exist yet or is hidden.
Solution:
1a In the upper right corner inside your cPanel File Manager look for Settings. Click it and tick the box Show Hidden Files; your .htaccess file will now show.
1b If you still do not see an .htaccess file you need to create one. AFTER clicking on your public_html directory (folder), look in the upper part of the page for something like Add, Create or + File. Click on it and a popup will show. Type .htaccess as the name (check your spelling). REMEMBER .htaccess must always start with a dot (period).
First I want to explain a few Golden Rules that are VITAL to setting up your .htaccess and ensuring it works.
ANY/ALL .htaccess file permissions (chmod) must be set to 644, NOTHING ELSE. DO NOT let anybody tell you different, not even the support at your Host.
1 ANY/ALL .htaccess files MUST start with a dot (period) AND be spelled only in lowercase letters.
1a .htaccess (will work)
1b .Htaccess (will not work)
1c .HTACCESS (will not work)
1d htaccess (will not work)
1e Htaccess (will not work)
1f HTACCESS (will not work)
2 Do you see the .*example.* part of any rule shown below? With .htaccess a wildcard IS NOT * by itself. It MUST BE .* (a dot first and then the * symbol). The pattern is a regular expression: the dot matches any single character and the * repeats it, so .* stands for "anything", while a bare * has nothing to repeat.
2a .*example.* (will work)
2b *example* (will not work)
3 SetEnvIfNoCase User-Agent .*example.* good_bot (Notice the spacing and symbols, this is important.)
3a Set Env If No Case UserAgent .*example.* good_bot (Will not work)
4 SetEnvIfNoCase means that whatever you add as the rule (.*example.*) will work regardless of whether letters are CAPITALIZED, MiXed or all lowercase.
4a .*example.* (all lowercase letters will work)
4b .*ExaMple.* (mixed letters will work)
4c .*EXAMPLE.* (all capital letters will work)
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Whitelist .htaccess below
DO NOT use on sites with: Payment Gateways, AntiSpam/Website/Forum/Blog/CMS Feeds, Pings, Pingomatic, Trackbacks, APIs, RSS/Atom, Posting By Email
Basically, if your site requires a constant/periodic connection to any other site to function, use the Blacklist .htaccess instead
Copy and paste everything below, starting with RewriteEngine
You may add additional Allow rules to a whitelist .htaccess
Enable a rule you need by removing the hash sign (#) in front of it, and disable a rule you don't need by adding one. NEVER UNCOMMENT a #COMMENT line
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
RewriteEngine on
#COMMENT | Please read this comment carefully BEFORE uncommenting RewriteBase
#COMMENT | if your site homepage looks like this http://www.example.com/index.php do not uncomment
#COMMENT | if your site url looks like this http://www.example.com/something/index.php uncomment and put that folder name in place of "add somethings name here"
#RewriteBase /add somethings name here/
Options -Indexes
IndexIgnore *
Options +FollowSymLinks
DirectoryIndex index.php index.html
#COMMENT | This denies other sites from iframing your site. It prevents clickjacking.
#COMMENT | "set" replaces any X-Frame-Options header your scripts already send; "append" would merge the two values into one invalid header
Header always set X-Frame-Options DENY
#COMMENT | This will enforce SSL on all pages. You must have an SSL certificate installed first, and replace example.com with your own domain.
#RewriteCond %{SERVER_PORT} 80
#RewriteRule ^(.*)$ https://example.com/$1 [R,L]
#COMMENT | REMOVE PATCH and PUT before uploading/updating/upgrading your site
#COMMENT | HEAD is also used by some uptime monitors and link checkers; remove it from the list if those start failing
RewriteCond %{REQUEST_METHOD} ^(DELETE|HEAD|OPTIONS|PATCH|PROPFIND|PUT|TRACE|TRACK)$
RewriteRule .* - [F]
#COMMENT | Block most proxies
#RewriteCond %{HTTP:VIA} !^$ [OR]
#RewriteCond %{HTTP:FORWARDED} !^$ [OR]
#RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
#RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
#RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
#RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
#RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
#RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
#RewriteRule ^(.*)$ - [F]
#COMMENT | Order/Deny/Allow are Apache 2.2 directives; Apache 2.4 still accepts them through mod_access_compat, which cPanel servers normally load
Order Deny,Allow
Deny from all
#COMMENT | Allows only browsers updated within the last couple years
SetEnvIfNoCase User-Agent .*ozilla/5.* good_bot
#COMMENT | Allows cPanel and cPanel Autossl
SetEnvIfNoCase User-Agent .*hec.* good_bot
SetEnvIfNoCase User-Agent .*omod.* good_bot
SetEnvIfNoCase User-Agent .*pane.* good_bot
SetEnvIfNoCase User-Agent .*utoss.* good_bot
#COMMENT | Allows Softaculous
SetEnvIfNoCase User-Agent .*oftaculou.* good_bot
#COMMENT | Allows youtube
SetEnvIfNoCase User-Agent .*outub.* good_bot
SetEnvIfNoCase User-Agent .*ou-tub.* good_bot
#COMMENT | Allows google/adsense/analytics bot
SetEnvIfNoCase User-Agent .*oogle.* good_bot
SetEnvIfNoCase User-Agent .*ens.* good_bot
SetEnvIfNoCase User-Agent .*nalytic.* good_bot
#COMMENT | Allows bing bot
SetEnvIfNoCase User-Agent bing good_bot
SetEnvIfNoCase User-Agent bing.* good_bot
SetEnvIfNoCase User-Agent .*bing.* good_bot
#COMMENT | Allows yahoo and slurp bots
SetEnvIfNoCase User-Agent .*aho.* good_bot
SetEnvIfNoCase User-Agent slur.* good_bot
SetEnvIfNoCase User-Agent .*slur.* good_bot
#COMMENT | Allows facebook bot
SetEnvIfNoCase User-Agent .*aceboo.* good_bot
#COMMENT | Allows pinterest bot
SetEnvIfNoCase User-Agent .*interes.* good_bot
#COMMENT | Allows linkedin bot
SetEnvIfNoCase User-Agent .*inkedi.* good_bot
SetEnvIfNoCase User-Agent .*inked-i.* good_bot
#COMMENT | Allows myspace bot
SetEnvIfNoCase User-Agent .*yspac.* good_bot
#COMMENT | Allows snapchat bot
SetEnvIfNoCase User-Agent .*nap.* good_bot
#COMMENT | Allows instagram bot
SetEnvIfNoCase User-Agent .*nsta.* good_bot
Allow from env=good_bot
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Blacklist .htaccess below
Use on sites with: Payment Gateways, AntiSpam/Website/Forum/Blog/CMS Feeds, Pings, Pingomatic, Trackbacks, APIs, RSS/Atom, Posting By Email
Basically, if your site requires a constant/periodic connection to any other site to function, use a Blacklist .htaccess
With a Blacklist .htaccess you can deny both IPs and Bots.
Copy and paste everything below, starting with RewriteEngine
You may add additional Deny rules and IPs to a Blacklist .htaccess
Enable a rule you need by removing the hash sign (#) in front of it, and disable a rule you don't need by adding one. NEVER UNCOMMENT a #COMMENT line
Look at your cPanel Visitor and Error logs and add any additional rules as needed.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
RewriteEngine on
#COMMENT | Please read this comment carefully BEFORE uncommenting RewriteBase
#COMMENT | if your site homepage looks like this http://www.example.com/index.php do not uncomment
#COMMENT | if your site url looks like this http://www.example.com/something/index.php uncomment and put that folder name in place of "add somethings name here"
#RewriteBase /add somethings name here/
Options -Indexes
IndexIgnore *
Options +FollowSymLinks
DirectoryIndex index.php index.html
#COMMENT | This denies other sites from iframing your site. It prevents clickjacking.
#COMMENT | "set" replaces any X-Frame-Options header your scripts already send; "append" would merge the two values into one invalid header
Header always set X-Frame-Options DENY
#COMMENT | This will enforce SSL on all pages. You must have an SSL certificate installed first, and replace example.com with your own domain.
#RewriteCond %{SERVER_PORT} 80
#RewriteRule ^(.*)$ https://example.com/$1 [R,L]
#COMMENT | REMOVE PATCH and PUT before uploading/updating/upgrading your site
#COMMENT | HEAD is also used by some uptime monitors and link checkers; remove it from the list if those start failing
RewriteCond %{REQUEST_METHOD} ^(DELETE|HEAD|OPTIONS|PATCH|PROPFIND|PUT|TRACE|TRACK)$
RewriteRule .* - [F]
#COMMENT | Block most proxies
#RewriteCond %{HTTP:VIA} !^$ [OR]
#RewriteCond %{HTTP:FORWARDED} !^$ [OR]
#RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
#RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
#RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
#RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
#RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
#RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
#RewriteRule ^(.*)$ - [F]
#COMMENT | Order/Deny/Allow are Apache 2.2 directives; Apache 2.4 still accepts them through mod_access_compat, which cPanel servers normally load
Order Deny,Allow
#COMMENT | This blocks visitors with no identification
#COMMENT | Trust me you want this, as only a human hacker uses this particular rule versus a bot
SetEnvIfNoCase User-Agent ^$ bad_bot
#COMMENT | This blocks a notorious hacking trick, very dangerous.
#COMMENT | Trust me you want this, as only a human hacker uses this particular rule versus a bot
SetEnvIfNoCase User-Agent ^Mozilla/5.0$ bad_bot
SetEnvIfNoCase User-Agent ^-$ bad_bot
#COMMENT | This blocks a notorious hacking trick, very dangerous.
#COMMENT | Trust me you want this, as only a human hacker uses this particular rule versus a bot
SetEnvIfNoCase User-Agent ^Mozilla$ bad_bot
#COMMENT | This blocks very old and dangerous browsers
SetEnvIfNoCase User-Agent .*ozilla/1.* bad_bot
SetEnvIfNoCase User-Agent .*ozilla/2.* bad_bot
SetEnvIfNoCase User-Agent .*ozilla/3.* bad_bot
SetEnvIfNoCase User-Agent .*ozilla/4.* bad_bot
#COMMENT | This blocks Baidu
SetEnvIfNoCase User-Agent .*ai.* bad_bot
#COMMENT | This blocks Yandex
SetEnvIfNoCase User-Agent .*ande.* bad_bot
#COMMENT | This blocks most Scanners
SetEnvIfNoCase User-Agent .*can.* bad_bot
#COMMENT | This blocks most cgi hackers. delete if you use cgi
SetEnvIfNoCase User-Agent cg.* bad_bot
SetEnvIfNoCase User-Agent .*cg.* bad_bot
#COMMENT | This blocks hackers looking for config.php
SetEnvIfNoCase User-Agent conf.* bad_bot
SetEnvIfNoCase User-Agent .*conf.* bad_bot
#COMMENT | This blocks some script bots
SetEnvIfNoCase User-Agent .*crip.* bad_bot
#COMMENT | This blocks curl code hackers.
#COMMENT | IMPORTANT delete it if you are using an ecommerce payment gateway with your site
SetEnvIfNoCase User-Agent cur.* bad_bot
SetEnvIfNoCase User-Agent .*cur.* bad_bot
#COMMENT | This blocks .exe code injection attempts
#COMMENT | Note: Facebook's link-preview crawler identifies as facebookexternalhit, which also contains "ex"; drop this rule if you want Facebook previews of your pages
SetEnvIfNoCase User-Agent ex.* bad_bot
SetEnvIfNoCase User-Agent .*ex.* bad_bot
#COMMENT | This blocks some blackhat hackers
#COMMENT | Note: "hat" also appears in WhatsApp's link-preview fetcher (User-Agent WhatsApp/...), so this rule blocks those previews too
SetEnvIfNoCase User-Agent .*hat.* bad_bot
SetEnvIfNoCase User-Agent .*hat bad_bot
#COMMENT | This blocks Indybot a notorious bandwidth hog
SetEnvIfNoCase User-Agent indybot bad_bot
SetEnvIfNoCase User-Agent indy.* bad_bot
SetEnvIfNoCase User-Agent .*indy.* bad_bot
#COMMENT | This blocks remote javascript code injection attempts
SetEnvIfNoCase User-Agent jav.* bad_bot
SetEnvIfNoCase User-Agent .*jav.* bad_bot
#COMMENT | This blocks hackers and bots looking for your logs
SetEnvIfNoCase User-Agent log bad_bot
SetEnvIfNoCase User-Agent log.* bad_bot
SetEnvIfNoCase User-Agent .*log.* bad_bot
SetEnvIfNoCase User-Agent .*log bad_bot
#COMMENT | This blocks Morfeus which attempts to exploit your SOAP file
#COMMENT | This is extremely dangerous
SetEnvIfNoCase User-Agent .*orfeu.* bad_bot
#COMMENT | This blocks remote php file exploits
SetEnvIfNoCase User-Agent .*php.* bad_bot
SetEnvIfNoCase User-Agent .*php bad_bot
#COMMENT | This blocks some portscanners
SetEnvIfNoCase User-Agent port bad_bot
SetEnvIfNoCase User-Agent port.* bad_bot
SetEnvIfNoCase User-Agent .*port.* bad_bot
SetEnvIfNoCase User-Agent .*port bad_bot
#COMMENT | This blocks query and hotel.qunar exploits
SetEnvIfNoCase User-Agent .*qu.* bad_bot
SetEnvIfNoCase User-Agent qu.* bad_bot
#COMMENT | This blocks some proxies. IMPORTANT delete this if you have visitors from Africa, since many connections from Africa are made through proxies
SetEnvIfNoCase User-Agent .*rox.* bad_bot
#COMMENT | This blocks mysql or sql exploits
SetEnvIfNoCase User-Agent sq.* bad_bot
SetEnvIfNoCase User-Agent .*sq.* bad_bot
#COMMENT | This blocks a URL scraper code
SetEnvIfNoCase User-Agent .*url.* bad_bot
#COMMENT | This blocks python-requests
SetEnvIfNoCase User-Agent .*yth.* bad_bot
#COMMENT | This blocks zeus (a dangerous hack code)
SetEnvIfNoCase User-Agent zeu.* bad_bot
SetEnvIfNoCase User-Agent .*zeu.* bad_bot
#COMMENT | This blocks ZmEu (a dangerous hack code)
SetEnvIfNoCase User-Agent zme.* bad_bot
SetEnvIfNoCase User-Agent .*zme.* bad_bot
#COMMENT | This blocks zgrab (a dangerous hack code)
SetEnvIfNoCase User-Agent zgra.* bad_bot
SetEnvIfNoCase User-Agent .*zgra.* bad_bot
#COMMENT | This denies an IP; add as many Deny lines as you like.
#COMMENT | IMPORTANT keep this at 150 IPs or less or your bandwidth and site loading speed will suffer. Uncomment each Deny line for it to take effect
#Deny from xxx.xxx.xxx.xxx
#Deny from xxx.xxx.xxx.xxx
Deny from env=bad_bot
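As an added example (not code from the original post), here is a small Python checker that applies Apache's SetEnvIfNoCase semantics, a case-insensitive regex search, which is what Golden Rules 2 and 4 above describe, to sample User-Agents and reports which whitelist or blacklist patterns fire. The rule subsets and the User-Agent strings are constructed for the demonstration; run matching_patterns over User-Agents copied from your cPanel visitor log before enabling a rule.

```python
import re
# Constructed sample rules in the page's SetEnvIfNoCase syntax (a few entries, not the full lists).
WHITELIST_RULES = """
SetEnvIfNoCase User-Agent .*ozilla/5.* good_bot
SetEnvIfNoCase User-Agent .*oogle.* good_bot
"""
BLACKLIST_RULES = """
SetEnvIfNoCase User-Agent ^$ bad_bot
SetEnvIfNoCase User-Agent ^Mozilla/5.0$ bad_bot
SetEnvIfNoCase User-Agent .*cur.* bad_bot
SetEnvIfNoCase User-Agent .*hat.* bad_bot
"""

def parse_rules(text):
    """Turn 'SetEnvIfNoCase User-Agent <regex> <env>' lines into (regex, env) pairs.
    Apache runs the pattern as a case-insensitive regex search, which is why the
    wildcard is '.*' (Golden Rule 2) and '.*ExaMple.*' matches 'example' (Rule 4)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        directive, header, pattern, env = line.split(None, 3)
        if directive.lower() == "setenvifnocase" and header.lower() == "user-agent":
            rules.append((re.compile(pattern, re.IGNORECASE), env))
    return rules

def env_for(ua, rules):
    """Environment variables a request carrying this User-Agent would receive."""
    return {env for rx, env in rules if rx.search(ua)}

def whitelist_allows(ua):
    """Order Deny,Allow + Deny from all + Allow from env=good_bot."""
    return "good_bot" in env_for(ua, parse_rules(WHITELIST_RULES))

def blacklist_allows(ua):
    """Order Deny,Allow + Deny from env=bad_bot (everything else is allowed)."""
    return "bad_bot" not in env_for(ua, parse_rules(BLACKLIST_RULES))

def matching_patterns(ua, text):
    """Which patterns fired. Run this over User-Agents from your cPanel visitor
    log to spot a short substring that also hits a client you want to keep."""
    return [rx.pattern for rx, _ in parse_rules(text) if rx.search(ua)]

# Constructed User-Agents modelled on desktop Chrome, curl and WhatsApp's
# link-preview fetcher; note that "WhatsApp" contains the blacklist's "hat".
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
CURL_UA = "curl/8.4.0"
WHATSAPP_UA = "WhatsApp/2.23.20.0 A"
```

Every check here, like every rule in the lists above, keys on the client-supplied User-Agent header, so it only filters clients that identify themselves honestly, which is why the advice to keep reading your visitor and error logs matters.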