Web hosting is not an easy task. Not at all.
Just perfectly knowing Apache/nginx configuration, MySQL tuning and whatsoever is not enough. Most of the people will develop their website using the most popular CMS, like Joomla or WordPress, and daily you will have to deal with cracking attempt against them. And while the core CMS are usually actively developed and updated, security issues are promptly fixed and distributed, you may often say the opposite for extensions.
The main violation vectors in CMSes are extensions. Some people may use rare and deprecated extensions which are still working, but may contain security holes which will never be known and corrected.
I often have to deal with broken or spamming Joomla websites. And while some times upgrading Joomla itself and its extension fixes the vulnerabilities, in some case it doesn’t.
So while you investigate, how to block access to spamming php scripts or other vulnerabilities?
A little background: usually crackers get into website accessing vulnerable PHP files directly from outside. Buy Joomla uses just index.php to serve all (or 99%) of the requests. So it comes the idea:
why not blocking access to all php files, except index.php?
This would also close out all spammer, in case your site has been already infected.
This quick solution is easily achievable via .htaccess configuration. The following example blocks all requests to .php files except the ones to /index.php and /administrator/index.php. You can optionally add whitelisted IP addresses that can run any file anyway with the Allow from directive.
<Files *.php>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from 1.2.3.4
</Files>
<Files index.php>
Order Allow,Deny
Allow from all
</Files>
<Files administrator/index.php>
Order Allow,Deny
Allow from all
</Files>
That’s it. This is not a solution, but at least can keep you away from some spammers!
For a more comprehensive and extended blocking see htaccess examples (security) on Joomla Docs.
