Webmasters running Joomla CMS need to use a customized .htaccess file to secure their Joomla installations on any hosting environment. Joomla htaccess security works especially well on shared hosting from Bluehost. As I understand it, we have two strategies to source our own custom, tweaked implementation. If you don’t get this right, your Joomla install will likely get hacked. Let’s take a look. I currently use the Boilerplate file, with some minor adjustments.

HTML5 Boilerplate htaccess

https://github.com/h5bp/html5-boilerplate/blob/master/dist/.htaccess

Nikosdion Master htaccess

https://github.com/nikosdion/master-htaccess/blob/master/htaccess.txt

Installation Notes

First, rename the currently working .htaccess file as htaccess.bak. If you can’t get the new file working, you’ll need to revert to the old file.

Both of these will probably work, but you can’t just copy and paste (Ctrl+C, Ctrl+V) them into a fresh Joomla htaccess security file in your root ‘public_html/’ folder. You often need to tweak them, and as I found out yesterday, the boilerplate htaccess can go in with only a few small tweaks. I commented out the 404 error redirection on Line 91,

# Customize what Apache returns to the client in case of an error.
# https://httpd.apache.org/docs/current/mod/core.html#errordocument

# ErrorDocument 404 /404.html

and then added the following Joomla! core SEF section, to get my permalinks working correctly.

## Begin - Joomla! core SEF Section.
#
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
#
# If the requested path and file is not /index.php and the request
# has not already been internally rewritten to the index.php script
RewriteCond %{REQUEST_URI} !^/index\.php
# and the requested path and file doesn't directly match a physical file
RewriteCond %{REQUEST_FILENAME} !-f
# and the requested path and file doesn't directly match a physical folder
RewriteCond %{REQUEST_FILENAME} !-d
# internally rewrite the request to the index.php script
RewriteRule .* index.php [L]
#
## End - Joomla! core SEF Section.

That represents the entirety of the process as of now. I'm sure to have more to write about this as time moves on.
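The steps above (keep the working file as htaccess.bak, comment out the ErrorDocument 404 line, append the SEF section) as a shell script. This is an added example, not part of the original post or of either linked project; the function names, the `.htaccess.new` temporary file and the argument layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Directives of the Joomla! core SEF section as quoted above, comments omitted.
sef_section() {
cat <<'EOF'
## Begin - Joomla! core SEF Section.
#
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
#
RewriteCond %{REQUEST_URI} !^/index\.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php [L]
#
## End - Joomla! core SEF Section.
EOF
}

# apply_joomla_htaccess WEBROOT TEMPLATE: build the new .htaccess from TEMPLATE.
apply_joomla_htaccess() {
    webroot=$1 template=$2
    live="$webroot/.htaccess" backup="$webroot/htaccess.bak" tmp="$webroot/.htaccess.new"
    [ -f "$template" ] || { echo "template not found: $template" >&2; return 1; }
    # Keep the working file for a revert; never overwrite an older backup.
    if [ -f "$live" ]; then
        [ -e "$backup" ] && { echo "$backup already exists" >&2; return 1; }
        cp -p "$live" "$backup" || return 1
    fi
    # Comment out any active "ErrorDocument 404" directive.
    sed 's/^\([[:space:]]*\)\(ErrorDocument[[:space:]][[:space:]]*404[[:space:]]\)/\1# \2/' \
        "$template" > "$tmp" || return 1
    # Append the SEF section once, so re-running on an edited template is safe.
    if ! grep -q '^## Begin - Joomla! core SEF Section' "$tmp"; then
        { echo; sef_section; } >> "$tmp" || return 1
    fi
    # Swap the finished file in with one rename so the site never lacks a .htaccess.
    mv "$tmp" "$live"
}

# revert_joomla_htaccess WEBROOT: put the backed-up file back in place.
revert_joomla_htaccess() {
    [ -f "$1/htaccess.bak" ] || { echo "no backup in $1" >&2; return 1; }
    mv "$1/htaccess.bak" "$1/.htaccess"
}
```

The script copies the old file to htaccess.bak instead of renaming it, so the existing rules stay live until the new file is complete.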

[Edit 2/23/17] Well, what do you know? So far, so good with this latest .htaccess file. Still, never turn your back on the ocean.