V1rus Private
User / IP: 216.73.216.191
Host / Server: 185.77.97.48 / skeotcranes.com
System: Linux uk-fast-web1735.main-hosting.eu 5.14.0-611.34.1.el9_7.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Feb 18 05:51:10 EST 2026 x86_64
/home/u415165975/domains/krishanaengineering.com/public_html/
Viewing: .htaccess
# ====================================================
# krishanaengineering.com - Security + Admin protection
# Place this file in the site root (public_html / www)
# Backup existing .htaccess first
# ====================================================

# ---------------------------
# 1) Force HTTPS + canonical host (www -> non-www)
# Change to your preferred canonical if needed
# ---------------------------
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    # Redirect www to non-www and force HTTPS
    RewriteCond %{HTTP_HOST} ^www\.krishanaengineering\.com$ [NC,OR]
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://krishanaengineering.com%{REQUEST_URI} [L,R=301]
</IfModule>

# ---------------------------
# 2) Protect /Admin backend
# Option A: IP restriction (recommended for static IPs)
# Replace YOUR.IP.ADD.ESS with your public IP. Add multiple Require ip lines for multiple admins.
# Note: <LocationMatch> is only valid in server or virtual-host config, not in .htaccess.
# On shared hosting, put the Require ip lines in an .htaccess inside /Admin/ instead.
# ---------------------------
<IfModule mod_authz_core.c>
    <LocationMatch "^/Admin/">
        Require ip YOUR.IP.ADD.ESS
        # Require ip 203.0.113.22
    </LocationMatch>
</IfModule>

# Option B: HTTP Basic Auth (uncomment & configure if IPs are dynamic)
# 1) create .htpasswd outside webroot (e.g. /home/username/.htpasswd)
# 2) uncomment block below and comment out the IP block above
# Note: <Directory> is likewise not valid in .htaccess; the Auth* lines
# belong in an .htaccess inside /Admin/ without the wrapper.
# <Directory "/home/username/public_html/Admin">
#     AuthType Basic
#     AuthName "Restricted Admin Area"
#     AuthUserFile /home/username/.htpasswd
#     Require valid-user
# </Directory>

# Allow admin-ajax for front-end AJAX (if used)
<IfModule mod_rewrite.c>
    RewriteCond %{REQUEST_URI} ^/wp-admin/admin-ajax\.php [NC]
    RewriteRule ^ - [L]
</IfModule>

# ---------------------------
# 3) Basic hardening
# ---------------------------
Options -Indexes
ServerSignature Off

# Protect dotfiles including .htaccess and .env
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Deny access to common sensitive files
<FilesMatch "^(wp-config\.php|readme\.html|license\.txt|composer\.json|package\.json|\.env|error_log|php\.ini)$">
    Require all denied
</FilesMatch>

# Remove X-Powered-By header to hide PHP version
<IfModule mod_headers.c>
    Header unset X-Powered-By
</IfModule>

# ---------------------------
# 4) Block dangerous HTTP methods & common injection patterns
# ---------------------------
<IfModule mod_rewrite.c>
    # Block TRACE/TRACK/DELETE/PUT/OPTIONS if not needed
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|DELETE|PUT|OPTIONS) [NC]
    RewriteRule .* - [F]

    # Block simple SQLi / XSS patterns in query strings
    RewriteCond %{QUERY_STRING} (union|select|concat|benchmark|base64_encode|<script|%3Cscript) [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|\.\.\\) [NC]
    RewriteRule .* - [F,L]
</IfModule>

# Limit allowed HTTP methods
<LimitExcept GET POST HEAD>
    Deny from all
</LimitExcept>

# ---------------------------
# 5) Prevent PHP execution in upload / writable directories (shared-host safe)
# Place a copy of the small FilesMatch block inside uploads folder for extra safety.
# ---------------------------
<IfModule mod_rewrite.c>
    RewriteRule ^(wp-content|uploads|files|media)/.*\.(php|phtml|php5|phps)$ - [F,L,NC]
</IfModule>

# Alternative small .htaccess to place INSIDE the uploads folder:
# <FilesMatch "\.(php|phtml|php5|phps)$">
#     Require all denied
# </FilesMatch>

# ---------------------------
# 6) Block access to common include/core paths (WordPress-style, harmless otherwise)
# ---------------------------
<IfModule mod_rewrite.c>
    RewriteRule ^wp-admin/includes/ - [F,L,NC]
    RewriteRule ^wp-includes/.*\.php$ - [F,L,NC]
</IfModule>

# ---------------------------
# 7) Lightweight bad bot / UA blocking
# ---------------------------
<IfModule mod_setenvif.c>
    SetEnvIfNoCase User-Agent "wget" bad_bot
    SetEnvIfNoCase User-Agent "curl" bad_bot
    SetEnvIfNoCase User-Agent "libwww-perl" bad_bot
    SetEnvIfNoCase User-Agent "MJ12bot" bad_bot
    Deny from env=bad_bot
</IfModule>

# ---------------------------
# 8) Security headers (Apache 2.4+)
# Adjust CSP to include any external CDNs/scripts you use
# ---------------------------
<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "no-referrer-when-downgrade"
    Header always set Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline'; object-src 'none'"
</IfModule>

# ---------------------------
# 9) Performance: Compression & Caching (optional but recommended)
# ---------------------------
# Brotli (if available)
<IfModule mod_brotli.c>
    AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript application/json image/svg+xml
</IfModule>

# Deflate/Gzip
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/json application/xml application/xhtml+xml image/svg+xml
    Header append Vary Accept-Encoding
</IfModule>

# Expires headers for static resources
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresDefault "access plus 1 month"
    ExpiresByType image/jpg "access plus 1 year"
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType image/x-icon "access plus 1 year"
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType text/javascript "access plus 1 month"
</IfModule>

<IfModule mod_headers.c>
    <FilesMatch "\.(js|css|jpg|jpeg|png|gif|webp|svg|ico|woff|woff2|ttf|otf)$">
        Header set Cache-Control "public, max-age=31536000, immutable"
    </FilesMatch>
    <FilesMatch "\.(html|htm|php)$">
        Header set Cache-Control "no-cache, must-revalidate"
    </FilesMatch>
</IfModule>

# Remove ETags
FileETag None
<IfModule mod_headers.c>
    Header unset ETag
</IfModule>

# ---------------------------
# 10) Optional: Disable xmlrpc.php if not used (uncomment to block)
# ---------------------------
# <IfModule mod_rewrite.c>
#     RewriteCond %{REQUEST_URI} xmlrpc\.php [NC]
#     RewriteRule .* - [F,L]
# </IfModule>

# ---------------------------
# 11) Custom error pages (optional — create these)
# ---------------------------
ErrorDocument 403 /403.html
ErrorDocument 404 /404.html
ErrorDocument 500 /500.html

# ====================================================
# Deployment checklist:
# 1) Backup current .htaccess to .htaccess.bak
# 2) Replace YOUR.IP.ADD.ESS and /home/username/... paths where used
# 3) If using Basic Auth: create .htpasswd outside webroot and update AuthUserFile path
# 4) Upload and test from allowed IP and other networks
# 5) If locked out: restore .htaccess.bak via hosting file manager or SFTP
# 6) Keep CMS/plugins/themes up-to-date, use strong admin passwords and enable 2FA
# ====================================================
Coded With 💗 by HanzOFC