Modify .htaccess With Extra Safety After Malicious Code - Question | JoomShaper

Seppe

General 10 hours ago

In the main thread, I saw a couple of answers with people offering extra code to add to the .htaccess in the root folder. When I add it, my front- and backend of the website give me a "500 internal error code". Am I missing something? I tried with 2 different blocks of code:

    <IfModule mod_authz_core.c>
        <FilesMatch ".(php|phtml|php[0-9]|phps)$">
            Require all denied
        </FilesMatch>
    ></IfModule>
    <IfModule !mod_authz_core.c>
        <FilesMatch ".(php|phtml|php[0-9]|phps)$">
            Order allow,deny
            Deny from all
        </FilesMatch>
    </IfModule>

or

    <DirectoryMatch "/(media|images|uploads|tmp|cache|administrator/cache|assets|icons|fonts)(/|$)">
        AllowOverride None
        <FilesMatch "(?i).(php|phtml|phar|php[0-9]?|php..*|shtml)$">
            Require all denied
        </FilesMatch>
    </DirectoryMatch>

0
12 Answers
Pascal - HTProtect.org
Accepted Answer
10 hours ago #227560

The 500 Internal Server Error is expected with those snippets.

The second one cannot be used in a .htaccess file because DirectoryMatch and AllowOverride are only valid in the Apache server or VirtualHost configuration. Apache will therefore return a 500 error.

The first snippet also shouldn't be added to Joomla's root .htaccess, as it would block the execution of all PHP files, including index.php, effectively breaking both the frontend and backend.

If your goal is to prevent PHP execution in writable directories (images, media, tmp, cache, etc.), the rules must be applied only to those directories, or configured centrally in the Apache configuration.

For an easier setup, you could use Admin Tools Pro's .htaccess Maker or my free HTProtect extension. Both deploy the appropriate protection rules with just one or two clicks, eliminating the need to edit .htaccess files manually or risk breaking your site.

0
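An added example, not code from the thread or from the extensions it mentions: a shell script that flags server-config-only directives in a .htaccess file (the cause of the 500) and writes a PHP-blocking .htaccess into each writable directory instead of the Joomla root. The function names and the directory list (taken from the snippets quoted in the thread) are assumptions, as is an Apache 2.4 server with mod_authz_core and .htaccess overrides enabled.

```sh
#!/bin/sh
# Added example: per-directory PHP blocking for a Joomla site.
# Assumptions: Apache 2.4 with mod_authz_core, .htaccess overrides enabled,
# and the directory list below (from the snippets quoted in the thread).
WRITABLE_DIRS="images media tmp cache administrator/cache"

# Print rules that are valid in .htaccess context: FilesMatch + Require only.
deny_php_rules() {
    cat <<'EOF'
# Block direct requests for PHP files in this directory tree
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar|phps)$">
    Require all denied
</FilesMatch>
EOF
}

# Print directives that Apache rejects inside a .htaccess file.
# Returns 0 when the file is clean, 1 when a server-config-only
# directive is present.
check_htaccess_context() {
    file=$1
    [ -f "$file" ] || return 0
    if grep -nEi '^[[:space:]]*(<Directory|<Location|<VirtualHost|AllowOverride)' "$file"; then
        return 1
    fi
    return 0
}

# Write the rules into each writable directory under the Joomla root and
# print how many files were created. The root .htaccess is never touched,
# and an existing .htaccess is reported instead of being overwritten.
harden_writable_dirs() {
    root=$1
    written=0
    for d in $WRITABLE_DIRS; do
        dir="$root/$d"
        [ -d "$dir" ] || continue
        if [ -e "$dir/.htaccess" ]; then
            echo "skip: $dir/.htaccess exists, merge by hand" >&2
            continue
        fi
        deny_php_rules > "$dir/.htaccess"
        written=$((written + 1))
    done
    echo "$written"
}
```

Run `check_htaccess_context /path/to/joomla/.htaccess` before reloading a hand-edited file, and `harden_writable_dirs /path/to/joomla` to create the per-directory files.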
Seppe
10 hours ago #227561

I tried to install your extension, but I always get a red banner, without any explanation why it won't install....

0
Seppe
10 hours ago #227563

Debug mode is ON, and error reporting is set to MAX.

Still no changes. Only the red block, without any text.

0
Pascal - HTProtect.org
10 hours ago #227562

That's definitely not expected. What does the red banner say? Could you please enable Joomla System Debug, try the installation again, and let me know the exact error message?

System → Global Configuration → System → Debug System = Yes

0
Seppe
9 hours ago #227565

Now I get a "403 error" that I don't have permission to access this resource...

0
Pascal - HTProtect.org
9 hours ago #227566

Delete all .htaccess files.

Install should look like this: https://youtube.com/shorts/zzGJ-HS787A?is=oXu8JX0Mvw4gT186

0
Seppe
9 hours ago #227567

Doesn't make any difference. It stays like this:

https://prnt.sc/xI9uOazejC_p

0
Pascal - HTProtect.org
9 hours ago #227568

It looks like there's a more general issue with your Joomla installation. I've never seen that empty red bar before.

0
Seppe
9 hours ago #227570

I tried a 3rd website.

It's always the same. At the first try, I get the "403 forbidden" screen: you don't have permission to access this resource.

Starting with the 2nd attempt, I get this red bar, like in the screenshot.

0
Seppe
9 hours ago #227564

Even the "https://github.com/zkrana/joomla-security-scanner" says:

Hardening

The most effective server-level fix is blocking PHP execution in directories that should only ever hold static assets. Add this to your site's .htaccess:

    <DirectoryMatch "/(media|images|uploads|tmp|cache|assets|icons|fonts)(/|$)">
        AllowOverride None
        <FilesMatch "(?i).(php|phtml|phar|php[0-9]?|php..*|shtml)$">
            Require all denied
        </FilesMatch>
    </DirectoryMatch>

Also this gives me the 500 error code.

0
Seppe
9 hours ago #227569

I will try a different website... and it is exactly the same.

0
Pascal - HTProtect.org
9 hours ago #227571

If you'd like, I could help you sort that out: Live-Chat. It's already running on a few hundred sites, and I've never encountered an install issue like that before.

Who's your hosting provider? Is this different website hosted on the same webspace?

0