Magento Forum

.htaccess codes to help against getting hacked
 
John34
Member
 
Total Posts:  33
Joined:  2009-05-31
 

Nothing is foolproof and this is just a start. I found a really nice set of .htaccess rules to help guard against things like SQL injection and bad bots.

http://perishablepress.com/press/2009/03/16/the-perishable-press-4g-blacklist/

However, simply copying and pasting this list into your Magento root .htaccess file will probably return you an error 500 or something (the list on this site is really designed to work well with WordPress). So I went through the code and commented out a couple of lines which caused problems in Magento. As a result, my store works fine now and all I did was comment out a couple of lines.

Notes about my site:
I’m using Magento version 1.3.2
My payment processor is PayPal Standard (anyone know how to get the quantity to show out of stock after someone purchases?)

Before I paste the code below, I’d just like to know if you have anything to add. What have you done to protect your Magento install? Let’s work together on this and make our Magento installs more secure by working together.

UPDATE: I’ve noticed with these codes in my .htaccess file that I’m unable to add related products, cross sells, and upsells in my Manage Products area (other than when I initially create a new product). To add related products, etc., just cut this out of your .htaccess file for a few moments while you update your products and then paste it back in. The protection this provides is well worth that tiny inconvenience. Take it from someone who knows, getting hacked sucks big time!

##### Begin Perishable #######
# Hide the Apache version string from error pages and disable directory listings
ServerSignature Off
Options All -Indexes

# FILTER REQUEST METHODS
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>

# BLACKLIST CANDIDATES
# The Deny list only applies to the methods named in <Limit>; Apache treats a
# GET limit as covering HEAD too, but any other method bypasses the list.
# Comments are kept on their own lines: anything after the address on a
# "Deny from" line is parsed as another host entry, not as a comment, and a
# hostname entry makes Apache do a reverse DNS lookup on every request.
<Limit GET POST PUT>
Order Allow,Deny
Allow from all
# blacklist candidate 2008-01-02 = admin-ajax.php attack
Deny from 75.126.85.215
# blacklist candidate 2008-02-10 = cryptic character strings
Deny from 128.111.48.138
# blacklist candidate 2008-03-09 = block administrative attacks
Deny from 87.248.163.54
# blacklist candidate 2008-04-27 = block clam store loser
Deny from 84.122.143.99
# blacklist candidate 2008-05-31 = block _vpi.xml attacks
Deny from 210.210.119.145
# blacklist candidate 2008-10-19 = block mindless spider running
Deny from 66.74.199.125
# 1048 attacks in 60 minutes
Deny from 203.55.231.100
# 1629 attacks in 90 minutes
Deny from 24.19.202.10
</Limit>

# QUERY STRING EXPLOITS
# These conditions test the raw query string (case-insensitive). The RewriteRule
# that acts on them is commented out below, so as posted this block denies nothing.
<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
RewriteCond %{QUERY_STRING} http\:  [NC,OR]
RewriteCond %{QUERY_STRING} https\:  [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|'|"|;|\?|\*).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(&#x22;|&#x27;|&#x3C;|&#x3E;|&#x5C;|&#x7B;|&#x7C;).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
# RewriteRule ^(.*)$ - [F,L]
</IfModule>

# CHARACTER STRINGS
# RedirectMatch tests the request path only (never the query string), after
# Apache has percent-decoded it, and the patterns are case-sensitive.
<IfModule mod_alias.c>
# BASIC CHARACTERS
# RedirectMatch 403 \,
RedirectMatch 403 \:
RedirectMatch 403 \;
RedirectMatch 403 \=
RedirectMatch 403 \@
RedirectMatch 403 \[
RedirectMatch 403 \]
RedirectMatch 403 \^
RedirectMatch 403 \`
RedirectMatch 403 \{
RedirectMatch 403 \}
RedirectMatch 403 \~
RedirectMatch 403 \"
RedirectMatch 403 \$
RedirectMatch 403 \<
RedirectMatch 403 \>
RedirectMatch 403 \|
RedirectMatch 403 \.\.
RedirectMatch 403 \/\/
RedirectMatch 403 \%0
RedirectMatch 403 \%A
RedirectMatch 403 \%B
RedirectMatch 403 \%C
RedirectMatch 403 \%D
RedirectMatch 403 \%E
RedirectMatch 403 \%F
RedirectMatch 403 \&#x22;
RedirectMatch 403 \&#x27;
RedirectMatch 403 \&#x28;
RedirectMatch 403 \&#x29;
RedirectMatch 403 \&#x3C;
RedirectMatch 403 \&#x3E;
RedirectMatch 403 \&#x3F;
RedirectMatch 403 \&#x5B;
RedirectMatch 403 \&#x5C;
RedirectMatch 403 \&#x5D;
RedirectMatch 403 \&#x7B;
RedirectMatch 403 \&#x7C;
RedirectMatch 403 \&#x7D;
# COMMON PATTERNS
RedirectMatch 403 \_vpi
RedirectMatch 403 \.inc
RedirectMatch 403 xAou6
RedirectMatch 403 db\_name
RedirectMatch 403 select\(
RedirectMatch 403 convert\(
RedirectMatch 403 \/query\/
RedirectMatch 403 ImpEvData
RedirectMatch 403 \.XMLHTTP
RedirectMatch 403 proxydeny
RedirectMatch 403 function\.
RedirectMatch 403 remoteFile
RedirectMatch 403 servername
RedirectMatch 403 \&rptmode;\=
RedirectMatch 403 sys\_cpanel
RedirectMatch 403 db\_connect
RedirectMatch 403 doeditconfig
RedirectMatch 403 check\_proxy
RedirectMatch 403 system\_user
RedirectMatch 403 \/\(null\)\/
RedirectMatch 403 clientrequest
RedirectMatch 403 option\_value
RedirectMatch 403 ref\.outcontrol
# SPECIFIC EXPLOITS
RedirectMatch 403 errors\.
RedirectMatch 403 config\.
RedirectMatch 403 include\.
RedirectMatch 403 display\.
RedirectMatch 403 register\.
RedirectMatch 403 password\.
RedirectMatch 403 maincore\.
RedirectMatch 403 authorize\.
RedirectMatch 403 macromates\.
RedirectMatch 403 head\_auth\.
RedirectMatch 403 submit\_links\.
RedirectMatch 403 change\_action\.
RedirectMatch 403 com\_facileforms\/
RedirectMatch 403 admin\_db\_utilities\.
RedirectMatch 403 admin\.webring\.docs\.
RedirectMatch 403 Table\/Latest\/index\.
</IfModule>

##### End Perishable ######

 
Dannyz1984
Sr. Member
 
Total Posts:  153
Joined:  2009-04-12
 

excellent post

 
John34
Member
 
Total Posts:  33
Joined:  2009-05-31
 

Thanks pharmokan. If there’s one thing I hate, it’s malicious hackers.

 
PeterCl
Jr. Member
 
Total Posts:  5
Joined:  2009-06-19
 

Try commenting out:

RedirectMatch 403 \/\/
to get the ajax stuff for the related products to work
 
John34
Member
 
Total Posts:  33
Joined:  2009-05-31
 
PeterCl - 19 June 2009 08:05 AM

Try commenting out:

RedirectMatch 403 \/\/
to get the ajax stuff for the related products to work

Hmm… I tried commenting that out instead of my other lines and my problems came back so I uncommented this line and commented out the other two again. Thanks though.

I’m still curious what anyone else has done to help secure their Magento install. Surely this isn’t the only thing we can do?

 
stevegrant1
Jr. Member
 
Total Posts:  7
Joined:  2009-05-26
 

John,

Great post! I think everyone should give their top tips for security in these forums, to help make everyone's systems more secure.

Quick question - which .htaccess file do I change? Just the one in the /magento/ index or them all?

Cheers

 
John34
Member
 
Total Posts:  33
Joined:  2009-05-31
 

Just the one in the root install of your Magento program.

So if it’s in your root (i.e. www.my-store.com), then put it in your root .htaccess file.

If your store is located in the /magento directory, then put it in the .htaccess file in the /magento directory.

You don't need to put it in multiple .htaccess files. Just the top-level one.

 
Jack Chow
Jr. Member
 
Total Posts:  6
Joined:  2009-04-25
 

Very useful

 
CT Schubert
Sr. Member
 
Total Posts:  197
Joined:  2008-10-08
Southern California
 

Excellent post. Added this to the bottom of my .htaccess, thanks!

 
CT Schubert
Sr. Member
 
Total Posts:  197
Joined:  2008-10-08
Southern California
 

OK, I don't know if this is because of some conflict with my existing .htaccess, but when I appended this list to the end of mine it caused some major malfunctions in the admin panel.

Basically, when you go into the manage products and do searches under the name field or status, or try to associate products in a configurable and do a name search, etc, it would kick you back out to the dashboard. Using the enhanced product grid module, a lot of the search filters would just give you bad 404 pages.

I haven't investigated this much; just thought I would share.

Edit: this may be related to the RedirectMatch 403 \/\/ comment above but I am not sure as I had that commented out and it did not make a difference

 
clorne
Sr. Member
 
Total Posts:  236
Joined:  2008-01-10
London
 

Good post, thank you.

I have found that

RedirectMatch 403 \=
has to be commented out as well as the already mentioned

RedirectMatch 403 \/\/

So far all admin functions are working normally!

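An added example, not code from any post in this thread: a small Python checker that mirrors how Apache applies the rules in the block posted above, so you can try them against your own URLs before they go into a live store. It also illustrates the breakages reported in this thread, where admin URLs trip the `\=` and `\/\/` RedirectMatch rules. The patterns are copied from the posted block (the RedirectMatch set is a subset); the Magento-style sample URLs and IP addresses are constructed, and the admin URL assumes that a Magento 1 grid filter travels base64-encoded in the request path, where it can end in "=" padding.

```python
"""Offline checker for the .htaccess rules posted in this thread.

It reimplements the matching Apache performs so the rules can be tried
against sample requests before they reach a live store.  The patterns are
copied from the posted block; the Magento-style URLs are constructed.
"""
import re

# FILTER REQUEST METHODS: RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
METHOD_FILTER = re.compile(r"^(TRACE|DELETE|TRACK)", re.IGNORECASE)

# BLACKLIST CANDIDATES: the Deny list sits inside <Limit GET POST PUT>, so Apache
# consults it only for those methods (a GET limit also covers HEAD).  Any other
# method, OPTIONS for instance, is never checked against the list.
LIMITED_METHODS = {"GET", "HEAD", "POST", "PUT"}
DENIED_IPS = {
    "75.126.85.215", "128.111.48.138", "87.248.163.54", "84.122.143.99",
    "210.210.119.145", "66.74.199.125", "203.55.231.100", "24.19.202.10",
}

# QUERY STRING EXPLOITS: RewriteCond %{QUERY_STRING} ... [NC], case-insensitive,
# tested against the raw (still percent-encoded) query string.  In the posted
# block the RewriteRule that would act on these conditions is commented out, so
# as posted they deny nothing; query_rule_enabled=True models uncommenting it.
QUERY_CONDITIONS = [re.compile(p, re.IGNORECASE) for p in (
    r"\.\.\/", r"boot\.ini", r"tag\=", r"ftp\:", r"http\:", r"https\:", r"mosConfig",
    r"^.*(\[|\]|\(|\)|<|>|'|\"|;|\?|\*).*",
    r"^.*(&#x22;|&#x27;|&#x3C;|&#x3E;|&#x5C;|&#x7B;|&#x7C;).*",
    r"^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).*",
    r"^.*(globals|encode|localhost|loopback).*",
    r"^.*(request|select|insert|union|declare|drop).*",
)]

# CHARACTER STRINGS: RedirectMatch 403 <regex>, case-sensitive, tested against the
# request path only (never the query string) after Apache has percent-decoded it.
# This is the BASIC CHARACTERS block plus a few of the COMMON PATTERNS; the
# "\," rule is left out because it is commented out in the posted block too.
PATH_RULES = [(p, re.compile(p)) for p in (
    r"\:", r"\;", r"\=", r"\@", r"\[", r"\]", r"\^", r"\`", r"\{", r"\}", r"\~",
    r"\"", r"\$", r"\<", r"\>", r"\|", r"\.\.", r"\/\/",
    r"\.inc", r"db\_name", r"select\(", r"convert\(", r"\/query\/",
)]


def check_request(method, path, query="", client_ip="198.51.100.7",
                  query_rule_enabled=False):
    """Return the labels of every rule that would 403 this request; [] means it passes."""
    hits = []
    m = method.upper()
    if METHOD_FILTER.search(m):
        hits.append("REQUEST_METHOD filter")
    if m in LIMITED_METHODS and client_ip in DENIED_IPS:
        hits.append("Deny from " + client_ip)
    if query_rule_enabled and any(c.search(query) for c in QUERY_CONDITIONS):
        hits.append("QUERY_STRING filter")
    hits.extend("RedirectMatch 403 " + p for p, rx in PATH_RULES if rx.search(path))
    return hits


def matching_query_conditions(query):
    """List the QUERY STRING EXPLOITS conditions a raw query string satisfies."""
    return [c.pattern for c in QUERY_CONDITIONS if c.search(query)]


# Constructed sample requests.  198.51.100.7 is an RFC 5737 documentation address.
# The admin URL assumes a Magento 1 grid filter travels base64-encoded in the
# path, where it can end in "=" padding (bmFtZT1zaGlydA== decodes to "name=shirt").
SAMPLES = [
    ("GET", "/electronics/cell-phones.html", "", "198.51.100.7"),
    ("GET", "/index.php/admin/catalog_product/grid/filter/bmFtZT1zaGlydA==/", "", "198.51.100.7"),
    ("GET", "/skin/frontend//default/default/css/styles.css", "", "198.51.100.7"),
    ("GET", "/index.php", "file=../../etc/passwd", "198.51.100.7"),
    ("TRACE", "/", "", "198.51.100.7"),
    ("GET", "/", "", "203.55.231.100"),
    ("OPTIONS", "/", "", "203.55.231.100"),
]

if __name__ == "__main__":
    for method, path, query, ip in SAMPLES:
        target = path + ("?" + query if query else "")
        verdict = ", ".join(check_request(method, path, query, ip)) or "pass"
        print(f"{method:7} {target} from {ip}: {verdict}")
        inert = matching_query_conditions(query)
        if inert and "QUERY_STRING filter" not in verdict:
            print(f"        (would also trip {inert} if the QUERY STRING RewriteRule were enabled)")
```

Running it shows the plain catalogue URL passing, the admin grid URL stopped by `RedirectMatch 403 \=` and the double-slash path stopped by `RedirectMatch 403 \/\/`, which is the pattern of admin breakage described in this thread. It also shows two things worth knowing before relying on the block: the traversal attempt in the query string passes because the QUERY STRING RewriteRule is commented out, and an OPTIONS request from a blacklisted address passes because the Deny list lives inside `<Limit GET POST PUT>`.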
 
robzero
Jr. Member
 
Total Posts:  15
Joined:  2008-07-20
 

We've been testing it this afternoon as a result of our PCI penetration test coming up with some high risk issues, such as XSS, SQL injection and parameter manipulation to name the top 3 (out of over a dozen actual identified vulnerabilities of varying degrees of high, medium and low risk levels - nice one PCI Compliant Magento... not so sure that is such a valid claim right now Varien...)

Right anyway, the issue we’ve found with these htaccess alterations so far is that the REMOVE button on the basket page no longer works. Anyone got any ideas?

Thanks

 
loeffel
Guru
 
Total Posts:  427
Joined:  2009-02-03
 

This would be really useful, but my site is too slow on the first load with these options.

 
WebhostUK LTD
Sr. Member
 
Total Posts:  163
Joined:  2009-08-27
UK
 
MagentoMagik - 17 July 2011 11:57 PM

I have written a post Stop Bad Bots (SpamBots) On your Magento Site to stop bad bots (SpamBots) from accessing your site.

I hope this will help someone.

Thank you for sharing that, really a good article.

 
loeffel
Guru
 
Total Posts:  427
Joined:  2009-02-03
 

I have to correct my previous post: it was actually my hoster's fault, the site's speed won't be affected by these entries.

 
electromech
Jr. Member
 
Total Posts:  1
Joined:  2011-12-23
St. Louis, MO
 

On the blacklist section, make sure your text editor doesn't change the quotation marks to some similar character. I used Notepad++ and for some reason it pasted them incorrectly. Just an FYI.
