.htaccess is a very powerful tool for anyone who takes Joomla website security seriously. The file lets you change a number of Apache settings, per directory, that harden your site.
According to the Apache site:
.htaccess files provide a way to make configuration changes on a per-directory basis. A file containing one or more configuration directives is placed in a particular document directory, and the directives are applied to that directory and all sub-directories thereof.
Below is a list of the most important rules you can add to your .htaccess file to reduce your site's exposure to common attacks. Two things to check first: the directives only take effect if the server's AllowOverride setting for your directory permits them (ask your host if you are unsure), and a single syntax error in .htaccess makes Apache answer every request for the site with a 500 error, so reload the site after each change you make.
First of all, rename the htaccess.txt file that ships in the Joomla root to .htaccess.
1. Disable the Server Signature
This removes the version line that Apache appends to its default error pages and directory listings. The related ServerTokens directive, which trims the Server response header, can only be set in the main server configuration, not in .htaccess.
# Disable the server signature
ServerSignature Off
2. No Access to .htaccess
This blocks HTTP access to the .htaccess file itself, so its contents (and the rules it reveals) are never served. Apache's default configuration already denies files whose names begin with .ht, but keeping the rule makes the protection explicit. Note that the Order keywords must be separated by a comma only; writing "allow, deny" with a space is a syntax error.
# Prevent access to .htaccess
<Files .htaccess>
    Order allow,deny
    Deny from all
</Files>
On Apache 2.4 the Order/Deny pair is replaced by the single line "Require all denied" (the old syntax works there only if mod_access_compat is loaded); the same substitution applies to every Order/Deny block below.
3. Bandwidth Preservation
This enables PHP's zlib output compression, which reduces the bandwidth a PHP page consumes; it is a performance setting rather than a security one. The value is the output buffer size in bytes. The module name follows the PHP version, so on PHP 7 the wrapper is <IfModule mod_php7.c>. One caveat: compressing pages that echo attacker-controlled input alongside a secret such as a CSRF token is what BREACH-style attacks rely on, so consider leaving compression off for authenticated pages.
# Limit bandwidth consumption
<IfModule mod_php5.c>
    php_value zlib.output_compression 16386
</IfModule>
4. Disable Directory Browsing
This stops Apache from listing the contents of any directory that has no index file. Apache rejects a mix of absolute and relative Options (such as "Options All -Indexes") as a syntax error, so use the relative form on its own:
# Disable unauthorized directory browsing
Options -Indexes
5. No Access to Files
This blocks access to a specific file:
# Block access to a specific file
<Files myfile.doc>
    Order allow,deny
    Deny from all
</Files>
This blocks access to every file whose extension matches the list. The pattern covers .htaccess and .htpasswd as well as configuration, log, shell and design files that should never be downloadable:
# Block access to multiple file types
<FilesMatch "\.(htaccess|htpasswd|ini|psd|log|sh)$">
    Order allow,deny
    Deny from all
</FilesMatch>
6. No Access to IP's or Domains
This denies access from specific IP addresses or domains while allowing everyone else (swap the Allow and Deny lines, and the Order keywords, to get a whitelist instead). Two corrections to the commonly copied version of this rule. First, Deny from does not take regular expressions: it accepts a full or partial domain name ("deny from domain.com" matches every client whose reverse-DNS name ends in domain.com, which costs Apache a DNS lookup per request and is only as trustworthy as the client's reverse DNS), an IP address, or a network in CIDR form. Second, do not wrap the rule in <Limit GET POST PUT>: that restricts only the listed methods and leaves HEAD, OPTIONS and every other method open, so apply the rule without a wrapper and it covers all methods. On Apache 2.4 the equivalent is "Require not ip" or "Require not host" inside a <RequireAll> block.
# Restrict access from specific IP addresses & domains (replace x with numbers)
Order allow,deny
Allow from all
Deny from xx.xxx.xx.xxx
Deny from domain.com
7. Disguise File Extensions
This runs files with a different extension through the PHP interpreter, so you can serve PHP pages under a .html name and give away a little less about the platform. The direction of the rule matters: the widely copied form "AddType application/x-httpd-html .php" maps .php files to a type that no handler recognises, and with mod_php such files are then served as static text, exposing their source. The correct rule tells Apache to treat .html files as PHP; rename the files to match the extension you choose. Bear in mind that this is obscurity only, since Joomla's URLs, cookies and markup still identify it.
# Run .html files through PHP
AddType application/x-httpd-php .html
8. Protect Files & Directories with Passwords
HTTP Basic authentication puts a password prompt in front of individual files (to protect a whole directory, place the same directives at the top level of the .htaccess, outside any <Files> block). Keep the .htpasswd file outside the web root, create it with "htpasswd -B" so the hashes use bcrypt, and serve protected pages only over HTTPS, because Basic credentials travel base64-encoded, not encrypted, on every request.
# Protect a single file
<Files myfile.php>
    AuthType Basic
    AuthName "Mypassword"
    AuthUserFile /home/path/.htpasswd
    Require valid-user
</Files>
The pattern for multiple files must include the extension. A pattern such as "^(execute|index)*$" matches only a bare name with no extension (and the empty string), so it would never protect index.php.
# Protect multiple files
<FilesMatch "^(execute|index|myfile|anotherfile)\.php$">
    AuthType Basic
    AuthName "Mypassword"
    AuthUserFile /home/path/.htpasswd
    Require valid-user
</FilesMatch>
9. Display Custom Error Pages
With this rule you serve your own error pages instead of Apache's defaults. Use a path local to the site, as below: giving a full URL makes Apache redirect, so the client receives a 302 and the real status code is lost. Create the files under /errors/ and make sure the error pages themselves exist, otherwise a missing page produces a second 404. Rules for 401 and 403 are written the same way.
# Display custom error pages
ErrorDocument 400 /errors/400.html
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html
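To catch the pitfalls discussed above before Apache does (a bad .htaccess takes the whole site down with a 500), here is a small static audit script. It is an added example from the editor, not code from this article or from the Joomla project. It inspects the text only, both sample .htaccess files inside it are constructed for the demonstration, and the corrected sample assumes an Apache 2.4 server whose AllowOverride permits these directives.

```python
# Static audit of an .htaccess file for the pitfalls discussed on this page.
# Editor's example, not from the article or Joomla; both samples are constructed.
import re
from dataclasses import dataclass

# Constructed sample: the page's rules as commonly copied, mistakes included.
BAD_HTACCESS = """\
<Files .htaccess>
Order allow, deny
Deny from all
</Files>
Options All -Indexes
<Limit GET POST PUT>
Order allow,deny
allow from all
deny from xx.xxx.xx.xxx
deny from .*domain\\.com.*
</Limit>
AddType application/x-httpd-html .php
<FilesMatch "^(execute|index|myfile|anotherfile)*$">
</FilesMatch>
ErrorDocument 404 http://example.com/errors/404.html
"""

# Constructed sample: the same intent in Apache 2.4 syntax (assumes a 2.4
# server whose AllowOverride permits these directives; 203.0.113.0/24 is a doc net).
GOOD_HTACCESS = """\
Options -Indexes
<FilesMatch "\\.(htaccess|htpasswd|ini|psd|log|sh)$">
    Require all denied
</FilesMatch>
<RequireAll>
    Require all granted
    Require not ip 203.0.113.0/24
</RequireAll>
<FilesMatch "^(execute|index|myfile|anotherfile)\\.php$">
    AuthType Basic
    AuthUserFile /home/example/private/.htpasswd
    Require valid-user
</FilesMatch>
ErrorDocument 404 /errors/404.html
"""

@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    message: str

_ARG_RE = re.compile(r'"([^"]*)"|(\S+)')      # one quoted or bare argument
_REGEX_META = re.compile(r'[*\\^$|()\[\]]')  # never valid in a host argument

def _tokens(line: str) -> list[str]:
    """Split a directive line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in _ARG_RE.findall(line)]

def audit_htaccess(text: str) -> list[Finding]:
    """Return one Finding per problem found; an empty list means nothing was flagged."""
    findings: list[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", "</")):
            continue
        section = line.startswith("<") and line.endswith(">")   # <Files ...> style opener
        toks = _tokens(line[1:-1] if section else line)
        if not toks:
            continue
        name, args = toks[0].lower(), toks[1:]
        lower = [a.lower() for a in args]
        def flag(rule, msg):
            findings.append(Finding(lineno, rule, msg))
        if name == "order" and len(args) != 1:
            flag("order-spacing", "Order keywords are joined by a comma only; a space after it is a syntax error")
        elif name == "options":
            relative = [a.startswith(("+", "-")) for a in args]
            if any(relative) and not all(relative):
                flag("options-mixed", "mixing absolute and +/- Options is rejected at startup; write 'Options -Indexes'")
        elif name == "limit" and section:
            flag("limit-methods", "<Limit> guards only the listed methods; HEAD, OPTIONS, DELETE and others stay open")
        elif name in ("allow", "deny", "require"):
            if name != "require":
                flag("legacy-access", "Order/Allow/Deny is 2.2 syntax; 2.4 needs mod_access_compat, prefer Require")
            for a in args:
                if _REGEX_META.search(a):
                    flag("host-regex", f"{a!r} is not a regex; use a domain suffix, an IP or a CIDR block")
        elif name == "addtype" and args and ".php" in lower[1:] and lower[0] != "application/x-httpd-php":
            flag("addtype-php", "under mod_php a .php file mapped to another type is served as static text (source disclosure)")
        elif name == "filesmatch" and section and args:
            if re.search(r"\)\*\$?$", args[0]):
                flag("filesmatch-empty", "a quantified group before $ matches empty and bare names; anchor the extension, e.g. \\.php$")
        elif name == "errordocument" and len(args) == 2 and re.match(r"https?://", args[1], re.I):
            flag("errordocument-url", "a full URL makes Apache redirect (302) and the real status is lost; use a local path")
    return findings

if __name__ == "__main__":
    for f in audit_htaccess(BAD_HTACCESS):
        print(f"line {f.line:2d} [{f.rule}] {f.message}")
    print("corrected sample:", audit_htaccess(GOOD_HTACCESS) or "no findings")
```

Run it as a script to see the findings for the flawed sample, or pass the contents of your own file to audit_htaccess() before uploading it. The checks are purely textual, so they cannot know which directives your host's AllowOverride permits; Apache only parses .htaccess when a request arrives, so the definitive check is still to request a page after uploading and look for a 500.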