It is true that there are dozens (thousands) of .htaccess guides. Most of them are not universal: they vary between Apache versions and depending on whether or not you are running LiteSpeed.
These have been tested on both Apache and LiteSpeed and should work for everyone (provided you have not done an extremely custom setup).
At the very top of your .htaccess, add this (but below the allow and deny part):
Recommended
Code:
# The top of your .htaccess file
ServerSignature Off
# ServerTokens is only allowed in the main server configuration (httpd.conf),
# not in .htaccess: Apache returns a 500 error for every request under that
# directory if it finds it here. Set "ServerTokens Prod" server-wide instead.
RewriteEngine On
# Hide every file from auto-generated directory listings (where the host allows
# it, "Options -Indexes" switches listings off entirely).
IndexIgnore *
This hides the Apache version and module list from server-generated error pages and, with ServerTokens set server-wide, from the Server response header. It does not hide the PHP version, which PHP advertises on its own in the X-Powered-By header unless expose_php is off in php.ini. RewriteEngine On also supports any "loose" rewrite scripts you may have (if you don't want that, simply remove or comment out RewriteEngine On). Finally, IndexIgnore * prevents people from browsing your directory structure where no index file exists.
Recommended - IMPORTANT - Strongly advised (I'd call this a requirement)
Code:
######################################################################
# Protect your .htaccess file
<Files .htaccess>
    # Apache 2.2 and LiteSpeed syntax (on Apache 2.4 it needs mod_access_compat):
    order allow,deny
    deny from all
    # Apache 2.4 without mod_access_compat uses instead:
    # Require all denied
</Files>
This should be somewhere at the top or very bottom (I add mine at the bottom). This prevents people from viewing your .htaccess directly. Apache's stock httpd.conf already denies access to files whose names begin with .ht; keeping this block guards against hosts that have changed that default.
Optional (though I suggest it)
Code:
# Forward non-www to www (change the domain to YOUR domain; if your site is
# served over TLS, redirect to https:// instead of http://)
RewriteCond %{HTTP_HOST} !^www\.sociallyuncensored\.eu [NC]
RewriteCond %{HTTP_HOST} !^([^.]+)\.sociallyuncensored\.eu [NC]
RewriteRule (.*) http://www.sociallyuncensored.eu/$1 [R=301,L]
This automatically makes everyone use www, even if they typed your domain name without it. This helps with compatibility and can also help with log-in issues (cookie issues), because a cookie set for the www host is not sent to the bare domain. Remember to change the domain name to YOUR domain name. This should be the FIRST rewrite rule, above everything else.
Optional
Code:
# Hot link protection
# Requests without a Referer header (direct visits, privacy settings) pass through.
RewriteCond %{HTTP_REFERER} !^$
# Never redirect the placeholder image itself, or hot-linked requests loop forever.
RewriteCond %{REQUEST_URI} !/hotlink\.jpg$
# Allowlist. Dots are escaped and each host is terminated with (/|$) so that
# referers such as www.google.com.evil.example or google-com.example do not match.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?sociallyuncensored\.eu(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?sociallyuncensored\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?google\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?duckduckgo\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?bing\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yahoo\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?xenforo\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?twitter\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?netdna-cdn\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?maxcdn\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?cloudflare\.com(/|$) [NC]
RewriteRule \.(jpg|jpeg|png|gif|svg|css|js|pdf|zip)$ http://www.sociallyuncensored.eu/hotlink.jpg [NC,R,L]
This limits hot linking, that is, other sites embedding your images and files and consuming your bandwidth. YOUR domain name should be the FIRST in the list. If you have another domain name for static content it should be the SECOND domain in the list. Everything else you see are the domain names you wish to allow (a white list); for example, xenforo.com if you have a signature pic hosted on your server and shown there. Because the first condition lets requests without any Referer through, treat this as a bandwidth measure rather than access control: the files are still reachable directly or with a spoofed Referer.
This should be the 2nd rewrite if you use the www rewrite above, or the 1st rewrite if you do not. It's important that this stays close to the top.
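Referer allowlists written as regular expressions are easy to get slightly wrong: an unescaped dot matches any character, and a pattern with nothing after the host name also matches any host that merely begins with it. The following Python script (an added example, not part of the original post) evaluates the hot-link condition chain against constructed Referer values, once with the allowlist written loosely and once with each host escaped and terminated, so the difference is visible. evil.example stands in for an attacker's domain; the path and referers are constructed for the demonstration.

```python
"""Offline check of a hot-link referer allowlist.

Added example, not part of the original post. It follows the RewriteCond chain
of the hot-link block (all conditions ANDed, each allowlist line negated) and
runs it against constructed Referer values with a loose and a tightened allowlist.
"""
import re

NC = re.IGNORECASE
ALLOWED_HOSTS = (
    "sociallyuncensored.eu", "sociallyuncensored.com", "google.com", "duckduckgo.com",
    "bing.com", "yahoo.com", "xenforo.com", "twitter.com", "netdna-cdn.com",
    "maxcdn.com", "cloudflare.com",
)
# Loose form: "." is a regex wildcard and nothing terminates the host name.
LOOSE = [re.compile(r"^http(s)?://(www\.)?" + host, NC) for host in ALLOWED_HOSTS]
# Tightened form: literal dots, and the host must be followed by "/", ":port" or end of string.
STRICT = [re.compile(r"^https?://(www\.)?" + re.escape(host) + r"(:\d+)?(/|$)", NC)
          for host in ALLOWED_HOSTS]
PROTECTED = re.compile(r"\.(jpg|jpeg|png|gif|svg|css|js|pdf|zip)$", NC)


def verdict(referer, path, allowlist):
    """Return 'serve' or 'redirect' for one request.

    The RewriteRule only fires when the path has a protected extension, the
    Referer is non-empty (RewriteCond !^$) and no allowlist pattern matches it.
    RewriteCond patterns are searched, not anchored, hence re.search.
    """
    if not PROTECTED.search(path):
        return "serve"
    if referer == "":                      # %{HTTP_REFERER} !^$ fails -> rule skipped
        return "serve"
    if any(p.search(referer) for p in allowlist):
        return "serve"
    return "redirect"


# Constructed referers; evil.example is a placeholder attacker domain.
CASES = [
    ("https://www.sociallyuncensored.eu/threads/1/", "own site"),
    ("https://www.google.com/", "search engine"),
    ("", "no Referer sent"),
    ("https://evil.example/gallery.html", "plain hot-linker"),
    ("http://www.google.com.evil.example/", "allowed name used as a subdomain prefix"),
    ("http://google-com.evil.example/", "unescaped dot matches '-'"),
]


def compare(path="/images/banner.png"):
    """Return {referer: (loose_verdict, strict_verdict)} for every case."""
    return {ref: (verdict(ref, path, LOOSE), verdict(ref, path, STRICT)) for ref, _ in CASES}


if __name__ == "__main__":
    for (ref, why), (loose, strict) in zip(CASES, compare().values()):
        shown = ref or "<none>"
        print(f"{shown:48} loose={loose:8} strict={strict:8} ({why})")
```

The two bypass cases serve the image with the loose patterns and are redirected with the tightened ones; the empty-Referer case is served by both, which is the limitation noted above.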
Optional
Code:
# No proxies
# Header names in %{HTTP:...} are written with dashes, exactly as they appear on the wire.
RewriteCond %{HTTP:Via} !^$ [OR]
RewriteCond %{HTTP:Forwarded} !^$ [OR]
RewriteCond %{HTTP:X-Forwarded-For} !^$ [OR]
RewriteCond %{HTTP:Proxy-Connection} !^$ [OR]
RewriteCond %{HTTP:Client-IP} !^$
RewriteRule .* - [F]
This will keep (most) proxies from even reaching your site. There are some pros and cons to this. Use your own judgement. One thing to check first: if your site sits behind Cloudflare, a CDN, or any reverse proxy or load balancer, every request reaches the web server with X-Forwarded-For (and often Via) set, and this block will lock out all of your visitors. Many corporate and mobile networks also route traffic through transparent proxies that add these headers.
Recommended
Code:
# Block unusual request methods and requests carrying control characters or
# HTML/quote characters where they never legitimately appear.
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
RewriteCond %{THE_REQUEST} (\\r|\\n|%0A|%0D) [NC,OR]
RewriteCond %{HTTP_REFERER} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_COOKIE} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999} [NC,OR]
# User-agent blocklist: empty UA, command-line tools, known scrapers and scanners
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|curl|wget|python|nikto|scan) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
# Block MySQL injection attempts: a quote or metacharacter followed later by an SQL keyword
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark) [NC,OR]
RewriteCond %{QUERY_STRING} \.\./\.\. [OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} \.[a-z0-9] [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC]
# Note: The final RewriteCond must NOT use the [OR] flag.
# Return 403 Forbidden. With [F] the substitution is ignored, so "-" is used.
RewriteRule .* - [F]
This adds a little extra wall between a secure server and those script kiddies who'd like to hack your site. Be aware of what it blocks as well: HEAD requests (used by uptime monitors and link checkers), any client with an empty or curl/wget/python/java User-Agent (scripts, feed readers and API clients included), and any query string containing a dot followed by a letter or digit, which covers versioned assets such as ?_v=1.5 and XenForo's own URLs such as index.php?threads/title.123/ when friendly URLs are turned off. The SQL keyword condition also fires on ordinary phrases, for example a search for bob's update (an apostrophe followed by the word update). After adding it, watch your access log for 403 responses to requests that should have succeeded.
The above should be added to both the .htaccess in your XenForo root directory (add it as the last rewrite, after the rules already there) and the .htaccess found in /library/. This MUST always be the last rewrite.
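To see what this block actually catches before deploying it, the following Python script (an added example, not part of the original post) re-creates the method, user-agent and query-string conditions with Python's re module and runs them over a handful of constructed requests: the attack probes they are meant to stop, and the legitimate XenForo requests they stop as well. The sample URIs and User-Agent strings are constructed for the demonstration.

```python
"""Offline dry run of the filter block's RewriteCond patterns.

Added example, not part of the original post. Each RewriteCond pattern is
re-created with Python's re module ([NC] -> re.IGNORECASE; Apache's PCRE and
Python's re agree on these simple patterns) and evaluated the way mod_rewrite
does: the conditions are chained with [OR], so the first one that matches
decides, and the RewriteRule then answers 403.
"""
import re
from urllib.parse import urlsplit

NC = re.IGNORECASE

# (label, pattern, request field), in the order the RewriteCond lines appear.
CONDITIONS = [
    ("method",       re.compile(r"^(HEAD|TRACE|DELETE|TRACK)", NC), "method"),
    ("ua-empty",     re.compile(r"^$"), "ua"),
    ("ua-tools",     re.compile(r"^(java|curl|wget)", NC), "ua"),
    ("ua-scraper",   re.compile(r"(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner)", NC), "ua"),
    ("ua-scanner",   re.compile(r"(libwww-perl|curl|wget|python|nikto|scan)", NC), "ua"),
    ("ua-meta",      re.compile(r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", NC), "ua"),
    ("qs-sqli",      re.compile(r"(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark)", NC), "query"),
    ("qs-traversal", re.compile(r"\.\./\.\."), "query"),
    ("qs-localhost", re.compile(r"(localhost|loopback|127\.0\.0\.1)", NC), "query"),
    ("qs-dot",       re.compile(r"\.[a-z0-9]", NC), "query"),
    ("qs-meta",      re.compile(r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", NC), "query"),
]


def blocked_by(method, uri, user_agent):
    """Return the label of the first RewriteCond that fires, or None if the
    request passes. %{QUERY_STRING} is the raw, still URL-encoded query, so the
    patterns see %27 rather than a decoded quote. RewriteCond is a search,
    not a full match, hence re.search."""
    fields = {"method": method, "ua": user_agent, "query": urlsplit(uri).query}
    for label, pattern, field in CONDITIONS:
        if pattern.search(fields[field]):
            return label
    return None


# Constructed browser User-Agent that contains none of the blocklisted words.
BROWSER = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"

# Constructed sample requests: (method, URI, User-Agent, description).
SAMPLES = [
    ("GET",  "/index.php?q=%27%20union%20select%20password", BROWSER, "SQLi probe"),
    ("GET",  "/index.php?file=../../etc/passwd", BROWSER, "traversal probe"),
    ("GET",  "/", "", "scanner sending no User-Agent"),
    ("GET",  "/index.php?threads/welcome-aboard.123/", BROWSER, "XenForo URL, friendly URLs off"),
    ("GET",  "/js/xenforo/xenforo.js?_v=1.5", BROWSER, "versioned static asset"),
    ("HEAD", "/", BROWSER, "uptime monitor"),
    ("GET",  "/forums/-/index.rss", "curl/8.4.0", "feed fetched by a script"),
    ("GET",  "/threads/welcome-aboard.123/", BROWSER, "normal browser visit"),
]


def dry_run(samples=SAMPLES):
    """Evaluate every sample; returns [(uri, label_or_None)]."""
    return [(uri, blocked_by(m, uri, ua)) for m, uri, ua, _ in samples]


if __name__ == "__main__":
    for (m, uri, ua, why), (_, label) in zip(SAMPLES, dry_run()):
        status = f"403 {label}" if label else "pass"
        print(f"{status:18} {m:4} {uri:46} ({why})")
```

The first three samples are the probes the block is for; the next four are legitimate traffic that receives the same 403, which is what to look for in the access log after enabling the block.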
Feedback welcomed
Was this helpful?