Last active
January 23, 2024 02:20
-
-
Save ShiponKarmakar/9edb83aacb5e2d5e33e969cb4658c778 to your computer and use it in GitHub Desktop.
Most Useful and Helpful .htaccess Code
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#stop directory browsing | |
Options All -Indexes | |
# SSL Https active Force non-www | |
<IfModule mod_rewrite.c> | |
RewriteEngine on | |
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC] | |
RewriteRule ^(.*)$ https://%1/$1 [R=301,L] | |
RewriteCond %{HTTPS} !=on | |
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L] | |
</IfModule> | |
# SSL Https Active Force www in a Generic Way | |
<IfModule mod_rewrite.c> | |
RewriteEngine on | |
RewriteCond %{HTTP_HOST} !^$ | |
RewriteCond %{HTTP_HOST} !^www\. [NC] | |
RewriteCond %{HTTPS}s ^on(s)| | |
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L] | |
</IfModule> | |
# Remove .php, .html, .htm extensions with .htaccess | |
<IfModule mod_rewrite.c> | |
# domain.com/page | |
RewriteEngine On | |
RewriteCond %{REQUEST_FILENAME} !-f | |
RewriteRule ^([^\.]+)$ $1.php [NC,L] | |
# domain.com/page/ | |
RewriteEngine On | |
RewriteCond %{REQUEST_FILENAME} !-f | |
RewriteRule ^([^/]+)/$ $1.php | |
RewriteRule ^([^/]+)/([^/]+)/$ /$1/$2.php | |
RewriteCond %{REQUEST_FILENAME} !-f | |
RewriteCond %{REQUEST_FILENAME} !-d | |
RewriteCond %{REQUEST_URI} !(\.[a-zA-Z0-9]{1,5}|/)$ | |
RewriteRule (.*)$ /$1/ [R=301,L] | |
</IfModule> | |
#AIOWPS_PREVENT_IMAGE_HOTLINKS_START | |
<IfModule mod_rewrite.c> | |
RewriteEngine On | |
RewriteCond %{HTTP_REFERER} !^$ | |
RewriteCond %{REQUEST_FILENAME} -f | |
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC] | |
RewriteCond %{HTTP_REFERER} !^http(s)?://univahost\.com [NC] | |
RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L] | |
</IfModule> | |
#AIOWPS_PREVENT_IMAGE_HOTLINKS_END | |
# Text FIle access | |
<files file.txt> | |
order allow,deny | |
deny from all | |
</files> | |
# Block double extensions from being uploaded or accessed, including htshells | |
<FilesMatch ".*\.([^.]+)\.([^.]+)$"> | |
Order Deny,Allow | |
Deny from all | |
</FilesMatch> | |
# secure uploads directory | |
<FilesMatch "\.(jpg|jpeg|jpe|gif|png|tif|tiff)$"> | |
Order Deny,Allow | |
Allow from all | |
</FilesMatch> | |
# Block shell uploaders, htshells, and other baddies | |
RewriteCond %{REQUEST_URI} ((php|my|bypass)?shell|remview.*|phpremoteview.*|sshphp.*|pcom|nstview.*|c99|c100|r57|webadmin.*|phpget.*|phpwriter.*|fileditor.*|locus7.*|storm7.*)\.(p?s?x?htm?l?|txt|aspx?|cfml?|cgi|pl|php[3-9]{0,1}|jsp?|sql|xml) [NC,OR] | |
RewriteCond %{REQUEST_URI} (\.exe|\.php\?act=|\.tar|_vti|afilter=|algeria\.php|chbd|chmod|cmd|command|db_query|download_file|echo|edit_file|eval|evil_root|exploit|find_text|fopen|fsbuff|fwrite|friends_links\.|ftp|gofile|grab|grep|htshell|\ -dump|logname|lynx|mail_file|md5|mkdir|mkfile|mkmode|MSOffice|muieblackcat|mysql|owssvr\.dll|passthru|popen|proc_open|processes|pwd|rmdir|root|safe0ver|search_text|selfremove|setup\.php|shell|ShellAdresi\.TXT|spicon|sql|ssh|system|telnet|trojan|typo3|uname|unzip|w00tw00t|whoami|xampp) [NC,OR] | |
RewriteCond %{QUERY_STRING} (\.exe|\.tar|act=|afilter=|alter|benchmark|chbd|chmod|cmd|command|cast|char|concat|convert|create|db_query|declare|delete|download_file|drop|edit_file|encode|environ|eval|exec|exploit|find_text|fsbuff|ftp|friends_links\.|globals|gofile|grab|insert|localhost|logname|loopback|mail_file|md5|meta|mkdir|mkfile|mkmode|mosconfig|muieblackcat|mysql|order|passthru|popen|proc_open|processes|pwd|request|rmdir|root|scanner|script|search_text|select|selfremove|set|shell|sql|sp_executesql|spicon|ssh|system|telnet|trojan|truncate|uname|union|unzip|whoami) [NC] | |
RewriteRule .* - [F] | |
# Follow symbolic links in this directory. | |
Options +FollowSymLinks | |
# Set the default handler. | |
DirectoryIndex index.php index.html index.htm | |
# Set the default handler. | |
DirectoryIndex index.php index.html index.htm | |
# Override PHP settings that cannot be changed at runtime. See | |
# sites/default/default.settings.php and drupal_environment_initialize() in | |
# includes/bootstrap.inc for settings that can be changed at runtime. | |
# PHP 5, Apache 1 and 2. | |
<IfModule mod_php5.c> | |
php_flag magic_quotes_gpc off | |
php_flag magic_quotes_sybase off | |
php_flag register_globals off | |
php_flag session.auto_start off | |
php_value mbstring.http_input pass | |
php_value mbstring.http_output pass | |
php_flag mbstring.encoding_translation off | |
</IfModule> | |
# Default Carset | |
AddDefaultCharset utf-8 | |
DirectoryIndex index.html index.htm index.php | |
# File Control | |
<FilesMatch ".(flv|gif|jpg|jpeg|png|ico|swf|js|css|pdf)$"> | |
Header set Cache-Control "max-age=2592000" | |
</FilesMatch> | |
# Htaccess File Security | |
<Files .htaccess> | |
order allow,deny | |
deny from all | |
</Files> | |
# Adding this to your .htaccess will prevent hotlinking from happening: | |
RewriteEngine on | |
RewriteCond %{HTTP_REFERER} !^$ | |
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?YourDomain [NC] | |
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L] | |
# Protect the .htaccess Itself | |
<files ~ "^.*\.([Hh][Tt][Aa])"> | |
order allow,deny | |
deny from all | |
satisfy all | |
</files> | |
# Leverage Browser Caching | |
<IfModule mod_expires.c> | |
ExpiresActive On | |
ExpiresByType image/jpg "access 1 year" | |
ExpiresByType image/jpeg "access 1 year" | |
ExpiresByType image/gif "access 1 year" | |
ExpiresByType image/png "access 1 year" | |
ExpiresByType text/css "access 1 month" | |
ExpiresByType text/html "access 1 month" | |
ExpiresByType application/pdf "access 1 month" | |
ExpiresByType text/x-javascript "access 1 month" | |
ExpiresByType application/x-shockwave-flash "access 1 month" | |
ExpiresByType image/x-icon "access 1 year" | |
ExpiresDefault "access 1 month" | |
</IfModule> | |
<IfModule mod_headers.c> | |
<filesmatch "\.(ico|flv|jpg|jpeg|png|gif|css|swf)$"> | |
Header set Cache-Control "max-age=2678400, public" | |
</filesmatch> | |
<filesmatch "\.(html|htm)$"> | |
Header set Cache-Control "max-age=7200, private, must-revalidate" | |
</filesmatch> | |
<filesmatch "\.(pdf)$"> | |
Header set Cache-Control "max-age=86400, public" | |
</filesmatch> | |
<filesmatch "\.(js)$"> | |
Header set Cache-Control "max-age=2678400, private" | |
</filesmatch> | |
</IfModule> | |
# Enable Compression | |
<IfModule mod_deflate.c> | |
AddOutputFilterByType DEFLATE application/javascript | |
AddOutputFilterByType DEFLATE application/rss+xml | |
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject | |
AddOutputFilterByType DEFLATE application/x-font | |
AddOutputFilterByType DEFLATE application/x-font-opentype | |
AddOutputFilterByType DEFLATE application/x-font-otf | |
AddOutputFilterByType DEFLATE application/x-font-truetype | |
AddOutputFilterByType DEFLATE application/x-font-ttf | |
AddOutputFilterByType DEFLATE application/x-javascript | |
AddOutputFilterByType DEFLATE application/xhtml+xml | |
AddOutputFilterByType DEFLATE application/xml | |
AddOutputFilterByType DEFLATE font/opentype | |
AddOutputFilterByType DEFLATE font/otf | |
AddOutputFilterByType DEFLATE font/ttf | |
AddOutputFilterByType DEFLATE image/svg+xml | |
AddOutputFilterByType DEFLATE image/x-icon | |
AddOutputFilterByType DEFLATE text/css | |
AddOutputFilterByType DEFLATE text/html | |
AddOutputFilterByType DEFLATE text/javascript | |
AddOutputFilterByType DEFLATE text/plain | |
</IfModule> | |
<IfModule mod_gzip.c> | |
mod_gzip_on Yes | |
mod_gzip_dechunk Yes | |
mod_gzip_item_include file .(html?|txt|css|js|php|pl)$ | |
mod_gzip_item_include handler ^cgi-script$ | |
mod_gzip_item_include mime ^text/.* | |
mod_gzip_item_include mime ^application/x-javascript.* | |
mod_gzip_item_exclude mime ^image/.* | |
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.* | |
</IfModule> | |
# Block Bad Bots | |
# Block one or more IP address. | |
# Replace IP_ADDRESS_* with the IP you want to block | |
<Limit GET POST> | |
order allow,deny | |
deny from IP_ADDRESS_1 | |
deny from IP_ADDRESS_2 | |
allow from all | |
</Limit> | |
# Restrict All Access to wp-includes | |
# Block wp-includes folder and files | |
<IfModule mod_rewrite.c> | |
RewriteEngine On | |
RewriteBase / | |
RewriteRule ^wp-admin/includes/ - [F,L] | |
RewriteRule !^wp-includes/ - [S=3] | |
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] | |
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L] | |
RewriteRule ^wp-includes/theme-compat/ - [F,L] | |
</IfModule> | |
# Allow only Selected IP Addresses to Access wp-admin | |
# Limit logins and admin by IP | |
<Limit GET POST PUT> | |
order deny,allow | |
deny from all | |
allow from 302.143.54.102 | |
allow from IP_ADDRESS_2 | |
</Limit> | |
# Protect wp-config.php and .htaccess from everyone | |
# Deny access to wp-config.php file | |
<files wp-config.php> | |
order allow,deny | |
deny from all | |
</files> | |
# Deny access to all .htaccess files | |
<files ~ "^.*\.([Hh][Tt][Aa])"> | |
order allow,deny | |
deny from all | |
satisfy all | |
</files> | |
# Redirect to a Maintenance page | |
# Redirect all traffic to maintenance.html file | |
RewriteEngine on | |
RewriteCond %{REQUEST_URI} !/maintenance.html$ | |
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123 | |
RewriteRule $ /maintenance.html [R=302,L] | |
# Custom Error Pages | |
# Custom error page for error 403, 404 and 500 | |
ErrorDocument 404 /error.html | |
ErrorDocument 403 /error.html | |
ErrorDocument 500 /error.html | |
# Hide extension like .html or .php from the URL path show only file name in normal HTML or PHP sites | |
<IfModule mod_rewrite.c> | |
RewriteEngine On | |
RewriteCond %{REQUEST_FILENAME} !-f | |
RewriteRule ^([^\.]+)$ $1.php [NC,L] | |
</IfModule> | |
# Protect .htaccess From Unauthorized Access | |
<files ~ "^.*\.([Hh][Tt][Aa])"> | |
order allow,deny | |
deny from all | |
satisfy all | |
</files> | |
# Increase File Upload Size | |
php_value upload_max_filesize 64M | |
php_value post_max_size 64M | |
php_value max_execution_time 300 | |
php_value max_input_time 300 | |
# Blocking Author Scans in WordPress | |
RewriteEngine On | |
RewriteBase / | |
RewriteCond %{QUERY_STRING} (author=\d+) [NC] | |
RewriteRule .* - [F] | |
# Password Protect your Applection Admin Login DIR | |
AuthName "Admins Only" | |
AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd | |
AuthGroupFile /dev/null | |
AuthType basic | |
require user putyourusernamehere | |
<Files admin-ajax.php> | |
Order allow,deny | |
Allow from all | |
Satisfy any | |
</Files> |
Can we use it for any site without change?
You can use as per your need
This is awesome, i want to learn web development and programming , Please someone should help me. Whatsapp/Telegram +855964618767
Please , anything that can help to study let me know.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Just a FYI, you can never actually block my htshells project with a .htaccess file :) You really should disable .htaccess globally and use apache config instead.