Blocking direct access to your PHP scripts in Joomla

I was scratching my head for a few days, trying to protect my standalone PHP scripts from being accessed directly by URL in a Joomla CMS system.

Googling here and there always referred me to the same htaccess code, which didn’t work in my case for some reason. So if you came here from a search engine, you may want to try a slight modification to the htaccess code that you have seen over and over again.

Let’s say:

  • Your website domain is http://www.YOURDOMAIN.COM (and it’s in Joomla – I was using Joomla 1.5)
  • You have some individual PHP scripts under a folder called myscripts/
  • You are using the Joomla wrapper and wrap your PHP scripts nicely through the admin interface and only registered members can access the scripts.
  • However, if you type http://www.YOURDOMAIN.COM/myscripts/myPHPscript.php in the browser, you find out that anyone can execute the script without registering or logging in to your Joomla system!

So the easy solution is to put a .htaccess file inside your myscripts folder to block direct access to the folder and its scripts.

Your htaccess file should contain:

RewriteEngine On

# Blocking direct access: all three conditions must hold for the rule to fire
RewriteCond %{HTTP_REFERER} !^http://www.YOURDOMAIN.COM/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://YOURDOMAIN.COM/.*$ [NC]
RewriteCond %{REQUEST_URI} myscripts [NC]
# "-" means no substitution; [F] returns 403 Forbidden
RewriteRule .* - [F]

This blocks any request whose URL contains myscripts unless the Referer header shows that it came from your own site. It works because the URL of Joomla’s wrapper page doesn’t contain the directory name; it uses the wrapper title that you specified in the administration interface. So as long as you don’t give the wrapper the same name as the script folder, this will work.

Instructions:

  1. Replace YOURDOMAIN.COM with your real site’s URL.
  2. Replace myscripts with your own folder name.
  3. Upload the .htaccess file to the folder that you want to protect.
  4. Test that going to the script using the Joomla wrapper’s URL works.
  5. Test that typing the PHP script’s URL straight into your browser gives you the Forbidden error message.
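
To see in advance which requests the tests in steps 4 and 5 should accept or reject, here is an added example (not part of the original post) that models the three RewriteCond lines in Python and evaluates them over constructed requests. The function names and the sample URLs are assumptions made for illustration.

```python
import re

# The three RewriteCond lines from the .htaccess above, as (variable, pattern).
# A leading "!" negates the match; every condition carries [NC] (ignore case).
CONDITIONS = [
    ("HTTP_REFERER", r"!^http://www.YOURDOMAIN.COM/.*$"),
    ("HTTP_REFERER", r"!^http://YOURDOMAIN.COM/.*$"),
    ("REQUEST_URI", r"myscripts"),
]

def is_forbidden(request_uri, referer=""):
    """True when every condition holds, i.e. 'RewriteRule .* - [F]' answers 403.

    A request without a Referer header is modelled as an empty string,
    which is what %{HTTP_REFERER} expands to in that case.
    """
    values = {"HTTP_REFERER": referer, "REQUEST_URI": request_uri}
    for variable, pattern in CONDITIONS:
        negate = pattern.startswith("!")
        regex = pattern[1:] if negate else pattern
        matched = re.search(regex, values[variable], re.IGNORECASE) is not None
        if matched == negate:   # this condition is false: the rule does not fire
            return False
    return True

# Constructed sample requests: (description, request URI, Referer header)
SAMPLES = [
    ("typed straight into the browser", "/myscripts/myPHPscript.php", ""),
    ("loaded inside the Joomla wrapper", "/myscripts/myPHPscript.php",
     "http://www.YOURDOMAIN.COM/index.php?option=com_wrapper"),
    ("linked from another site", "/myscripts/myPHPscript.php",
     "http://other.example/page.html"),
    ("wrapper page served over https", "/myscripts/myPHPscript.php",
     "https://www.YOURDOMAIN.COM/index.php?option=com_wrapper"),
]

def evaluate_samples():
    """Return (description, HTTP status) for each constructed request."""
    return [(desc, 403 if is_forbidden(uri, ref) else 200)
            for desc, uri, ref in SAMPLES]

if __name__ == "__main__":
    for description, status in evaluate_samples():
        print(f"{status}  {description}")
```

The fourth sample shows that a site served over https:// needs the two Referer patterns changed to match. Because the decision rests only on the Referer header sent by the client, the rule is not a check of the Joomla login.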

Hope this helps.
