Secure Joomla .htaccess in the root directory - HTProtect Server Shield

The central .htaccess in the Joomla root directory helps decide which requests get through at all, which makes it one of the most effective places to harden a site. HTProtect Server-Schild is a free Joomla component (com_htprotect) that automatically generates this main .htaccess: configured for maximum security and compatible with Joomla 2.5 to 6 on PHP 7.4 to 8.5. Instead of piecing individual rules together by hand, the component generates a coordinated rule set and checks it itself immediately after writing.

Recent Joomla vulnerabilities in widely used extensions show how real the threat is: the JCE vulnerability, the vulnerability in the Astroid framework, and the vulnerability in the Tassos or Novarain framework. Such flaws are often exploited automatically within hours, typically in two steps: the attacker uploads a PHP file disguised as something harmless and then calls it directly. That second step is exactly where a strictly configured main .htaccess comes in: it blocks direct access to such files, so a site that is vulnerable but well protected can still prevent the real damage, the execution of the uploaded backdoor. The .htaccess does not replace updates, but it drastically reduces the impact if a vulnerability is not closed in time.

Download: HTProtect Server-Schild

Free Joomla component (com_htprotect), version 2.0.9. Compatible with Joomla 2.5 to 6.x on Apache and LiteSpeed, PHP 7.4 to 8.5. License: GNU GPL v2 or later.

Download htprotect-shield-joomla.zip

Installation in Joomla via Extensions > Manage > Install > Upload Package File. Questions and support are available in the comments under this post.

PHP shield: direct script calls are blocked

The PHP shield prevents direct access to PHP files wherever there should be no entry point. Only the defined entry points such as index.php remain allowed; any other direct PHP call - for example a file uploaded to images/ or media/ - is rejected. In addition, the shield blocks dangerous extensions such as .phar, .phtml, .php3 and similar ones, which can otherwise be used to disguise executable code. This eliminates the most common route by which a file upload becomes a web shell or backdoor. Even a backdoor already placed in the web directory can no longer be accessed directly through the browser.
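The following rule set is an added example in .htaccess syntax and is not the component's generated output; it shows one way to build the PHP shield described above on Apache 2.4 with mod_rewrite. The list of entry points (index.php in the root, in /administrator and, for Joomla 4 and later, in /api) is an assumption; a site whose extensions must be called directly needs those paths added, which is exactly what the crawler described further down is for.

```apache
# Added example: PHP shield for the Joomla root .htaccess (not the component's output).
# Assumes Apache 2.4 (Require syntax), mod_rewrite, Joomla installed in the document
# root, and that the three entry points below are the only PHP scripts that must be
# reachable directly from a browser. Place this block before Joomla's own SEF rules.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Allowed entry points. "(/|$)" also covers PATH_INFO style URLs such as
    # /index.php/some/route, which Joomla uses when SEF rewriting is switched off.
    # After Joomla's SEF rule has rewritten a pretty URL to index.php, REQUEST_URI
    # holds /index.php in the next pass, so SEF pages are never caught here.
    RewriteCond %{REQUEST_URI} !^/index\.php(/|$) [NC]
    RewriteCond %{REQUEST_URI} !^/administrator/index\.php(/|$) [NC]
    RewriteCond %{REQUEST_URI} !^/api/index\.php(/|$) [NC]

    # Any other URL that names a PHP-like script, including one with a trailing
    # path (/images/x.php/fake.jpg), is refused with 403 before PHP ever runs.
    RewriteRule \.(php|phar|phtml|phps|pht|php[3-8])(/|$) - [F,L,NC]
</IfModule>

# The alternate extensions are additionally refused by file name, so that check
# holds even for a request mod_rewrite did not judge (for example one that another
# rule rewrote into such a file).
<FilesMatch "\.(phar|phtml|phps|pht|php[3-8])$">
    Require all denied
</FilesMatch>
```

A quick check after deploying: a request for an existing file such as `/images/test.php` (a harmless test file you placed yourself) must answer 403, while `/index.php` and the site's SEF pages still answer 200. If Joomla lives in a subdirectory, the three REQUEST_URI patterns need that prefix.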

File type shield: only permitted extensions get through

While the PHP shield specifically blocks scripts, the file type shield works on a whitelist principle: only explicitly approved extensions are delivered, everything else is kept out. This prevents accidentally accessible log, backup, or source code files from being retrieved through the browser in the first place.
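An added example of the whitelist principle in .htaccess form (again not the component's output). The extension list is an assumption and must be extended for asset types a particular site actually serves; anything not on it answers 403. Only requests that resolve to an existing regular file are judged, so Joomla's SEF routing for directories and virtual paths is untouched.

```apache
# Added example: file-type whitelist (not the component's output). Assumes Apache 2.4
# with mod_rewrite in the Joomla root .htaccess.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Judge only requests that map to an existing regular file. Directories and
    # non-existent paths fall through to Joomla's SEF rule, which rewrites them
    # to index.php.
    RewriteCond %{REQUEST_FILENAME} -f

    # Deliverable extensions (assumed list). .php is on it because the PHP shield
    # decides separately which scripts may run; everything else that exists on disk
    # (.log, .sql, .bak, .sh, .zip, files without an extension, ...) is refused.
    RewriteCond %{REQUEST_FILENAME} !\.(php|html?|xml|json|txt|css|js|mjs|map|ico|svg|png|jpe?g|gif|webp|avif|woff2?|ttf|otf|eot|mp3|mp4|webm|pdf|webmanifest)$ [NC]
    RewriteRule .* - [F,L]
</IfModule>
```

Because this is a positive list, a missing entry shows up as a broken asset (a 403 in the browser's network tab) rather than as a silent hole, which is the trade-off the section describes and the reason a self-test and crawler are useful alongside it.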

Security headers and query string filter

HTProtect sets common security headers such as X-Content-Type-Options, X-Frame-Options and a Referrer-Policy, which instruct the visitor's browser to behave more securely. An additional query string attack filter detects typical patterns of injection and manipulation attempts in the request string and blocks them before they reach Joomla.
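The block below is an added illustration of both mechanisms and is not the component's generated rule set; the header values and the filter patterns are assumptions chosen to show the technique. The query-string filter is a blocklist, so it is a tripwire in front of Joomla, not a replacement for input validation in the extensions themselves.

```apache
# Added example: security headers and a query-string filter (not the component's
# output). Assumes Apache 2.4 with mod_headers and mod_rewrite.
<IfModule mod_headers.c>
    # "always" also applies the headers to error responses such as 403 and 404.
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

<IfModule mod_rewrite.c>
    RewriteEngine On
    # %{QUERY_STRING} is matched as sent, not URL-decoded, so both the plain and
    # the percent-encoded spelling of a pattern have to be listed. The conditions
    # are ORed; one match answers 403 before the request reaches Joomla.
    # 1) directory traversal in a parameter value
    RewriteCond %{QUERY_STRING} (\.\./|\.\.%2f|%2e%2e%2f) [NC,OR]
    # 2) a script tag smuggled into a parameter
    RewriteCond %{QUERY_STRING} (<|%3C)(\s|%20)*script [NC,OR]
    # 3) UNION ... SELECT, the classic shape of a SQL injection probe
    RewriteCond %{QUERY_STRING} union(\s|%20|\+)+(all(\s|%20|\+)+)?select [NC,OR]
    # 4) PHP stream wrappers passed as a file parameter
    RewriteCond %{QUERY_STRING} (php|data|file|glob|expect|phar):// [NC,OR]
    # 5) attempts to address PHP superglobals through request parameters
    RewriteCond %{QUERY_STRING} (GLOBALS|_REQUEST|_SERVER|_SESSION|_COOKIE)(=|\[|%5B) [NC]
    RewriteRule .* - [F,L]
</IfModule>
```

Watch the 403s in the access log after enabling such a filter: a site search for a phrase that happens to contain "union select", or a legitimate parameter holding a URL with "file://", is a false positive that needs a narrower pattern rather than a removed one.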

HTTPS and canonical in one step

Redirects to HTTPS and to the canonical domain (with or without www) are handled by the component as a single-step redirect. Instead of a chain of multiple 301 hops, there is exactly one redirect to the destination - that is faster and avoids the SEO and performance disadvantages of redirect chains.
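The single-hop redirect described above, written out as an added .htaccess example (not the component's output). `example.com` stands in for the canonical host and is a placeholder.

```apache
# Added example: HTTPS and canonical host in one 301 (not the component's output).
# Assumes Apache 2.4 with mod_rewrite and "example.com" (placeholder) as the
# canonical host without www.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Either condition alone triggers the redirect, and the target already carries
    # the final scheme and host, so a visitor arriving at http://www.example.com/page
    # receives exactly one 301 to https://example.com/page instead of two.
    RewriteCond %{HTTPS} !=on [OR]
    RewriteCond %{HTTP_HOST} !^example\.com$ [NC]
    RewriteRule ^(.*)$ https://example.com/$1 [R=301,L,NE]

    # Behind a TLS-terminating proxy or CDN, %{HTTPS} reads "off" on every request
    # and the rule above would loop. There, test the forwarded scheme instead:
    #   RewriteCond %{HTTP:X-Forwarded-Proto} !=https [OR]
    # and keep only whichever of the two HTTPS conditions fits the hosting setup.
</IfModule>
```

The query string is carried over automatically, and [NE] keeps already-encoded characters in the path from being encoded a second time. Verify with a HEAD request to the http://www variant: the answer should be one 301 whose Location is the final https URL, with no second hop.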

Block sensitive files

Files that should never end up in the browser are consistently blocked: .env, .git, .sql, configuration.php and other typical candidates. This keeps credentials, version control directories and database dumps inaccessible even if they are accidentally located in the web directory.
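An added example for this section, not the component's rule set. It makes a point that is easy to miss when writing such blocks by hand: `<FilesMatch>` only ever sees the name of the file being served, so a request for `/.git/config` (basename `config`) passes a FilesMatch for `.git` untouched; directories have to be blocked on the URL path. The file names .env, .git, .sql and configuration.php come from the text; the further extensions are assumed "typical candidates".

```apache
# Added example: block sensitive files (not the component's output). Assumes Apache 2.4
# with mod_alias. .env, .git, .sql and configuration.php are named in the text; the
# other patterns are assumed typical candidates and can be trimmed.

# By file name. Also covers editor and backup copies such as configuration.php.bak
# or configuration.php~ that a hurried edit can leave behind.
<FilesMatch "^(\.env(\..+)?|\.ht.+|configuration\.php(\.[^/]+|~)?|php\.ini|.+\.(sql|sql\.gz|log|bak|old|orig|swp|dist))$">
    Require all denied
</FilesMatch>

# By URL path. Anything under a version-control directory is answered with 404
# (mod_alias accepts a status code here), so the directory's existence is not
# confirmed to the caller the way a 403 would.
<IfModule mod_alias.c>
    RedirectMatch 404 /\.(git|svn|hg|bzr)(/|$)
</IfModule>
```

configuration.php is still read by Joomla itself, since PHP includes it from the file system; the rule only removes it from what the web server will hand out over HTTP.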

Your own rules are preserved

Existing customizations are not lost. On the first run, HTProtect imports the existing .htaccess, and each time it is regenerated your own rules are embedded again. This means you can recreate the rule set at any time without having to manually add your individual customizations again.

Auto-backup, self-test and auto-rollback

Before each write, the component creates a backup and keeps the last 15 versions. A self-test follows immediately after writing: if the site no longer responds as expected, HTProtect automatically restores the previous version (auto-rollback). This means an overly strict rule cannot permanently disable the site.

Site crawler detects required exceptions

Some extensions or entry points require targeted exceptions to the protection rules. An integrated site crawler scans the site, automatically detects such cases and suggests the appropriate exceptions - you do not have to guess which paths need to be allowed first.

/administrator password protection can be set up directly

Right after installation, password protection for /administrator can be set up. This protects the Joomla backend with an additional .htaccess prompt, so login attempts are intercepted before they reach Joomla.
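As an added example of what such a prompt consists of (not the file the component writes): an `administrator/.htaccess` with HTTP Basic authentication. The password file path is a placeholder and must lie outside the document root; the `htpasswd -B` command shown in the comment creates it with bcrypt hashes.

```apache
# Added example: administrator/.htaccess with HTTP Basic authentication in front of
# the Joomla backend (not the component's output). Assumes Apache 2.4 (Require
# syntax) and a password file outside the web root, created once with
#   htpasswd -B -c /home/example/.htpasswd-admin adminuser
# where /home/example/.htpasswd-admin and adminuser are placeholders.
AuthType Basic
AuthName "Restricted area"
AuthUserFile "/home/example/.htpasswd-admin"
Require valid-user
```

Two points follow from how Basic auth works. The browser resends the credentials with every request to /administrator, so this only belongs behind the HTTPS redirect from the earlier section. And because the Joomla login still follows once the prompt is passed, the Basic auth account should use a password of its own rather than the Joomla administrator's; an automated login attempt then has to get past two unrelated secrets, and the first one is answered by Apache with a 401 before Joomla spends any resources on it.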

Customers about us

„The conversion of our Joomla website from PHP 5.3 to PHP 7 was super fast, affordable, and with impeccable results. Very good and friendly communication.“
– H. Bergmann

„Within one day, everything was done extremely professionally and extremely quickly. Very trustworthy. Excellent. 5 stars“
– Fernando V.

„I was unable to help myself, but here I found the expertise needed to get everything cleaned up again. Necessary updates and backups were carried out, everything was extremely affordable, fast, and good!“
– Klaus-Peter

„The site looks great – everything as before – and on PHP 7.2 – I am impressed - many heartfelt thanks!“
– Dr. Ingo Wuddel

„Since we run an online shop, it was very important to us that our site was quickly available again with full functionality for our customers. All work is carried out extremely quickly to our complete satisfaction.“
– Loewen Handels GmbH

„Very fast, reliable, and effective handling of the problem. In addition, I was given tips and Strato-specific information to reduce the risk of the problem recurring.“
– Heino B.

„The contact was exceptionally friendly, and some cosmetic additional work was taken care of on its own - as if it were completely natural. I am relieved and very grateful.“
– R. Mayer

„Great. In an absolute emergency, after 2 domains were blocked by Strato due to a hacker attack, both domains were initially temporarily back online the same day.“
– I. Radchenko

„Excellent service. Problem solved within 18 hours. We are delighted. Thank you very much 🙏“
– Tien Sy Vuong
