Protection shield⬢ 6.1.2
👤 User menu
Interactive demo – click around. Nothing is saved, sent or executed.Interactive demo – nothing is saved or executed.↗ Get HTProtectDEEN
v2.4.13 · htprotect.org · Docs
v2.4.13 · htprotect.org · Docs

Protection shield – main .htaccess

💾 To the .htaccess backups

Most important settings

Show advanced settings

The recommended settings are already active (via „Secure now“ on the overview). Here you can fine-tune everything in detail – if unsure, just leave it.

Basics & server

Automatically detected from Joomla's base URL and kept in sync – no need (or option) to set it manually. If the site runs in a subdirectory, the detected path is shown here.

The /api interface (Joomla 4+) is configured in the Exploit shield section (route / block).

Canonical address

Force HTTPS and www mode are above under „Most important settings“.

Response headers

Apply server-wide (static files too) and replace duplicates – they complement Joomla’s ‘HTTP Headers’ plugin (CSP/nginx), without conflict.

Request filters

Exploit shield

Wards off known Joomla attacks (JCE, Novarain/Tassos, Astroid, com_ajax LFI ...) and generic attack classes – in two layers from one signature list: the .htaccess blocks GET attacks before PHP, the real-time firewall additionally catches POST attacks and uses new signatures instantly. This switch controls both.

On/off is above under „Most important settings“. Here are the details:

A complete /api block would have prevented the Joomla core leak CVE-2023-23752 (reading the configuration including database credentials) from the outset. Only block if no extension uses the Joomla web services.

Manage signatures individually (17)

The real-time WAF blocks „everyone“ patterns for logged-in/newly registered users too (no legitimate call exists); „guests only“ patterns could be used legitimately and therefore only affect non-logged-in visitors. Super users are never blocked. Query-string signatures cannot be simulated in the path test, path-based ones can.

Upload folder hardening

Additionally places its own mini .htaccess in upload/system folders (images, media, tmp, cache ...) that blocks PHP execution there. This works even if an attacker deletes the main .htaccess – and against unknown future upload holes.

On/off is above under „Most important settings“. Applied automatically on writing.

Folders under a PHP exception are skipped automatically. Current status below after saving.

File shield

The Joomla update endpoints (extract.php/restore.php of com_joomlaupdate) are permanently allowed and need not be listed here – core updates always work.

Stronger than the access rules above: for these paths it also lifts directory locks and exploit signatures (but not the query-string injection filters). Use only for provably harmless paths you have checked yourself. The Akeeba Panopticon connector is included out of the box.

Delivery & caching

Custom rules

These rules belong permanently to the configuration and are re-embedded into the file on every write – manual changes directly in the .htaccess, on the other hand, are lost on the next write.

Manage .htaccess externally

Protection works on Apache and LiteSpeed servers (mod_rewrite). Before every write a backup is made automatically; a self-test with auto rollback catches server incompatibilities. Donate