.htaccess - General Improvments as of 2018-01-01

Do something cool with CMS? Show us ...
This board is for 'Answers', and the discussion of answers... Not for questions.
Forum Members
Forum Members
Posts: 16
Joined: Fri Dec 25, 2015 4:03 pm

.htaccess - General Improvments as of 2018-01-01

Post by Hupi »

Hi all,

in the last 2 week, I spent literally days with SEO improving, speed testing, cache optimization and security settings on my various CMSMS installations.

Finally I am happy with the settings and I get "A" ratings on most topics when testing on GTMetrics (https://gtmetrix.com/) and WebPageTest (https://www.webpagetest.org/).

Since it was quiet some tidious work and a lot of time have bee invested into that, I would like to share my settings here. It hopefully may help to save some time when you try to improve your setup.

It is based on the original template (included in the actual cmsms setup), adds lots of security measures including the G6 firewall and properly working cache/gzip settings.

These settings I run now - so far without any issue - on 3 different hostings (1&1, webland.ch, hoststar.ch) for cmsms version

BR Hupi

PS: please also post some further improvements or ideas in case you have some.

Code: Select all

# This file is specific to Apache configurations
# It attempts to optimize traffic and configuration for your CMS Made Simple website
# Many options are disabled by default, as some providers do not allow you to override some of these settings in the .htaccess file
# Please read carefully each section comment and enable/disable parts as required
# Updated 2018-01-01 by Hupi (hupi@hupi.ch) / v3-with-cache-and-G6-firewall

# START - Attempt to override some PHP settings
# These settings may be helpful on some hosts if your default configuration does not meet CMSMS's minimum requirements,
# and your host has given your account appropriate permissions.
	#php_value upload_max_filesize "10M"
	#php_value session_save_path "tmp/cache"
	#php_value session.cookie_httponly true
	#php_flag magic_quotes_gpc Off
	#php_flag register_globals Off
	#php_flag session.use_trans_sid Off
# To prevent E_STRICT problems with PHP 5.3+ you can uncomment the following lines
# Note: These settings should only be enabled for production sites!
	#php_flag display_startup_errors 0
	#php_flag display_errors 0
	#php_flag html_errors 0
	#php_value docref_root 0
	#php_value docref_ext 0
# END - Attempt to override some PHP settings

# START - Misc settings
# Disallow directory indexes. This can be an important security enhancement
	#Options -Indexes

# Don't allow the browser to know the type of signature
ServerSignature Off

# Allow the Apache server to follow symbolic links.  This is usually not necessary
	#Options +FollowSymLinks

# Define / add missing mime-types (used on some hosts due to mod-sec settings). If admin panel does not works properly, try this
	#AddType application/javascript .js
# END - Misc settings

# START - Enable pretty URLS and related stuff (only applicable if url_rewriting is set to 'mod_rewrite' in the config.php)
# This is for good SEO results basically mandatory
<IfModule mod_rewrite.c>
RewriteEngine on

# If your CMSMS installation is in a subdirectory of your domain, you may need to specify the relative path (from the root of the domain) here
# i.e: RewriteBase /cmsms
RewriteBase /

# IMPORTANT: Activate ONLY 1 of the next two sections (HTTP or HTTPS). DO NOT activate both
# Both section removes www from any URLs that have them. This is mainly for SEO improvements.
# Example: request "http(s)://www.example.com/test/" will look like "http(s)://example.com/test/"

# START - HTTP hosting (Activate this section for HTTP hosting only)
	RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
	RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
# END - HTTP hosting

# START - HTTPS hosting (Activate this section for HTTPS hosting only)
	#RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
	#RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

	# Force all URLs to https instead of http (HTTPS hosting only)
	#RewriteCond %{HTTPS} off
	#RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# END - HTTPS hosting

# Rewrites urls in the form of /parent/child/grandchild but only rewrites if the requested URL is not a file or directory.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php?page=$1 [QSA]
# END - Enable pretty URLS

# START - Security settings

# Blocking Libwww-perl access to improve website security
<IfModule mod_rewrite.c>
	RewriteCond %{HTTP_USER_AGENT} libwww-perl.* 
	RewriteRule .* ? [F,L]

# The following are highly recommended security settings for files in your CMSMS install that should not be browsed directly.
RedirectMatch 403 ^/.*\.htaccess$
RedirectMatch 403 ^/.*\.ini$
RedirectMatch 403 ^/.*config\.php$
RedirectMatch 403 ^.*/assets/.*\.php$
RedirectMatch 403 ^.*/assets/.*\.tpl$
RedirectMatch 403 ^.*/doc/.*$
RedirectMatch 403 ^.*/lib/.*\.php$
RedirectMatch 403 ^.*/log/.*$
RedirectMatch 403 ^.*/modules/.*\.php$
RedirectMatch 403 ^.*/tmp/.*\.php$
RedirectMatch 403 ^.*/uploads/.*\.php$

# Disallow cross-certification
<IfModule mod_headers.c>
	Header set X-Frame-Options "SAMEORIGIN"
	Header set X-XSS-Protection "1; mode=block"
	Header set X-Content-Type-Options "nosniff"
# END - Security settings

# START - Cache settings (source: "WP FastestCache" adapted for CMS Made Simple by Hupi)

# BEGIN FastestCache
<FilesMatch "index\.(html|htm)$">
	AddDefaultCharset UTF-8
	<ifModule mod_headers.c>
		FileETag None
		Header unset ETag
		Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
		Header set Pragma "no-cache"
		Header set Expires "Mon, 29 Oct 1923 20:30:00 GMT"
# END FastestCache

# BEGIN Gzip FastestCache
<IfModule mod_deflate.c>
	AddType x-font/woff .woff
	AddType x-font/ttf .ttf
	AddOutputFilterByType DEFLATE image/svg+xml
	AddOutputFilterByType DEFLATE text/plain
	AddOutputFilterByType DEFLATE text/html
	AddOutputFilterByType DEFLATE text/xml
	AddOutputFilterByType DEFLATE text/css
	AddOutputFilterByType DEFLATE text/ecmascript
	AddOutputFilterByType DEFLATE application/x-pointplus
	AddOutputFilterByType DEFLATE application/ecmascript
	AddOutputFilterByType DEFLATE text/javascript
	AddOutputFilterByType DEFLATE application/xml
	AddOutputFilterByType DEFLATE application/xhtml+xml
	AddOutputFilterByType DEFLATE application/rss+xml
	AddOutputFilterByType DEFLATE application/javascript
	AddOutputFilterByType DEFLATE application/x-javascript
	AddOutputFilterByType DEFLATE application/x-font-ttf
	AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
	AddOutputFilterByType DEFLATE font/opentype font/ttf font/eot font/otf
	# Exceptions for old browsers
	BrowserMatch ^Mozilla/4 gzip-only-text/html
	BrowserMatch ^Mozilla/4\.0[678] no-gzip
	BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# END Gzip FastestCache

# BEGIN LBC FastestCache
# Values in seconds ( 1 day=86400, 1 week=604800, 1 month=2592000, 1 year=31104000 )
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|webp|js|css|swf|x-html|css|xml|js|woff|woff2|ttf|svg|eot)(\.gz)?$">
	<IfModule mod_expires.c>
		AddType application/font-woff2 .woff2
		ExpiresActive On
		ExpiresDefault A2592000
		ExpiresByType image/webp A2592000
		ExpiresByType image/gif A2592000
		ExpiresByType image/png A2592000
		ExpiresByType image/jpg A2592000
		ExpiresByType image/jpeg A2592000
		ExpiresByType image/ico A2592000
		ExpiresByType image/svg+xml A2592000
		ExpiresByType text/css A2592000
		ExpiresByType text/javascript A2592000
		ExpiresByType application/javascript A2592000
		ExpiresByType application/x-javascript A2592000
		ExpiresByType application/font-woff2 A2592000
	<IfModule mod_headers.c>
		Header set Expires "max-age=2592000, public"
		Header append Vary Accept-Encoding
		Header set Connection keep-alive
		Header unset ETag
		FileETag None
# END LBC FastestCache

# END - Cache settings

# START - G6 Firewall. This should stop most hacking attemps rightaway
# Original settings from the autor "https://perishablepress.com/6g/".
# I did not apply changes. Complete section can be removed too (up to you)
# @ https://perishablepress.com/6g/

<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
	RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
	RewriteCond %{QUERY_STRING} ([a-z0-9]{2000,}) [NC,OR]
	RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
	RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
	RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
	RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
	RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
	RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
	RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
	RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC]
	RewriteRule .* - [F]

<IfModule mod_rewrite.c>
	RewriteCond %{REQUEST_METHOD} ^(connect|debug|move|put|trace|track) [NC]
	RewriteRule .* - [F]

<IfModule mod_rewrite.c>
	RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000,}) [NC,OR]
	RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC]
	RewriteRule .* - [F]

<IfModule mod_alias.c>
	RedirectMatch 403 (?i)([a-z0-9]{2000,})
	RedirectMatch 403 (?i)(https?|ftp|php):/
	RedirectMatch 403 (?i)(base64_encode)(.*)(\()
	RedirectMatch 403 (?i)(=\\\'|=\\%27|/\\\'/?)\.
	RedirectMatch 403 (?i)/(\$(\&)?|\*|\"|\.|,|&|&?)/?$
	RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")
	RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\\|\s|\{|\}|\[|\]|\|)
	RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|etc/passwd|muieblack)
	RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)
	RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
	RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php

<IfModule mod_setenvif.c>
	SetEnvIfNoCase User-Agent ([a-z0-9]{2000,}) bad_bot
	SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot
	# Apache < 2.3
	<IfModule !mod_authz_core.c>
		Order Allow,Deny
		Allow from all
		Deny from env=bad_bot

	# Apache >= 2.3
	<IfModule mod_authz_core.c>
			Require all Granted
			Require not env bad_bot

# 6G:[BAD IPS]
	Order Allow,Deny
	Allow from All
	# uncomment/edit/repeat next line to block IPs
	# Deny from 123.456.789

# END - G6 Firewall

[The extension txt has been deactivated and can no longer be displayed.]

User avatar
Dev Team Member
Dev Team Member
Posts: 7759
Joined: Wed Apr 23, 2008 7:53 am
Location: The Netherlands

Re: .htaccess - General Improvments as of 2018-01-01

Post by Rolf »

Thank you for sharing this!!

Grtz. Rolf
- + - + - + - + - + -
Latest CMSMS tutorial: FormBuilder WatchGuard
- + - + - + - + - + -
Did my post help you solving a problem at your (customers) website and it saved you many hours of work?
Great!! Buy me a cup of coffee in return as a small token of appreciation!
User avatar
Dev Team Member
Dev Team Member
Posts: 248
Joined: Tue Jun 12, 2007 1:29 pm
Location: France

Re: .htaccess - General Improvments as of 2018-01-01

Post by Franck »

Yeah, thank you for this, much appreciated!

Return to “Tips and Tricks”