Secure Joomla site using htaccess

.htaccess is a very ancient and one of the most powerful configuration files that controls the Web Server settings which runs your website. The powerful .htaccess file has the ability to control access of the WWW’s Hypertext Transfer Protocol(HTTP) using Password Protection, Error Page Redirects, 301 Redirects, URL rewrites etc.

Now we will see how we can create a .htaccess file and put some directives into it to configure the security.

Create .htaccess file and put it under root directory of your project. If you are using windows operating system then you will not be able to create a file which starts with ‘.’. So you have to create the file from command(cmd) prompt using the command ‘mkdir .htaccess’. Then you can copy this created .htaccess file put it under root directory of your project.
Now below onwards we will write everything inside the .htaccess file

1. We need to initialize the mod_rewrite engine so that whatever configurations or directives we put inside .htaccess file webserver understand what to do with these directives.

RewriteEngine On


2. Prevent .htaccess file itself from external access using the following directive

<Files .htaccess>
 order allow,deny
 deny from all


3. Let webserver know your base URL

# If your URL is, use /
# If your URL is, use /site_folder/
RewriteBase /


4. Prevent directory browsing. The following directive will not allow anyone to browse the directory in the browser. Suppose you have a project directory structure like application/config and a user wants to see what are the files inside the directory config. SO user will type a URL in the browser something like and user will be able to see all the files inside the config directory. To prevent such kind of thing we need the following directive

Options All -Indexes


5. These rewrite conditions check if the requested URL does not match a folder or a file on the server then redirect to index.php.

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond $1 !^(index\.php|resources|robots\.txt)
RewriteRule ^(.*)$ index.php/$1 [L,QSA]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,}\s(.*)/index\.php [NC]
RewriteRule ^ /%1 [R=301,L]


6. Do not display server signature when an error occurrs in the requested URL.

ServerSignature Off


7. Hotlinking refers to linking directly to non-html objects on other servers, such as images, movie, css, zip, pdf files etc. This can greatly impact bandwidth usage. Hotlink protection can save you lots of bandwidth by preventing other sites from displaying your non-html.

#RewriteCond %{HTTP_REFERER} !^$
#RewriteCond %{HTTP_REFERER} !^http://(www\.)*$ [NC]
#RewriteRule \.(gif|jpg|jpeg|jpe|png|bmp|zip|rar|mp3|flv|swf|xml|php|png|css|pdf)$ - [F]


8. You can restrict the access to the /administrator directory only to your IP address or from certain IP addresses. If there is no .htaccess file in the /administrator directory, create one and upload it to the /administrator directory and add the below line to it.

If you want to restrict from only one IP address

Deny from ALL
Allow from x.x.x.x


If you want to restrict from multiple IP addresses

Deny from ALL
Allow from x.x.x.x
Allow from y.y.y.y
Allow from z.z.z.z


where x.x.x.x, y.y.y.y or z.z.z.z should be replaced by actual IP addresses.

9. Cache Certain file types, saving bandwidth and decreasing load times

# 1 YEAR
#<FilesMatch "\.(ico)$">
#Header set Cache-Control "max-age=29030400, public"

#<FilesMatch "\.(jpg|jpeg|png|gif|swf|css|js)$">
#Header set Cache-Control "max-age=2689743, public"

# 2 DAYS
#<FilesMatch "\.(xml|txt|html|php)$">
#Header set Cache-Control "max-age=172800, proxy-revalidate"


10. Removes trailing slash from URL. It prevents SEO duplicate content issue.

RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)/$ $1 [L,R=301]


That’s all. If you have more ideas then you can leave it in comment section. Thank you for reading.

Leave a Reply

Your email address will not be published. Required fields are marked *