
Block requests with query strings using htaccess

"How do I protect my website from DDoS attacks and malicious requests?" is a question many website owners grapple with as attacks become more frequent and more sophisticated. One cheap and effective measure against application-layer floods is a set of .htaccess rules in Apache or LiteSpeed.

In this article we show how to block every request of the form domain.com/?query-string using .htaccess rules, so that junk requests aimed at the homepage are rejected before they reach PHP or the database and the site stays reachable.

Rejecting these requests in Apache/LiteSpeed builds a first barrier against request floods and other unwanted traffic. Let's look at how to deploy the rules and keep the site running normally.

The image below shows an example from one of my clients whose website was attacked with random domain/?query-string requests. There were hundreds of thousands of such requests; they exhausted server resources and made the website inaccessible.

Block requests with query strings using htaccess

Identifying the common pattern: every attacking request has the same shape, /?query-string (the homepage followed by an arbitrary query string), so that is the shape we block. Open your .htaccess file and add the following code snippet. If the file doesn't exist, create a new one in the document root.


Code htaccess #1

RewriteEngine On
RewriteCond %{QUERY_STRING} .
RewriteRule ^$ - [F]

Explanation of the Code

The code snippet uses the RewriteCond and RewriteRule directives of Apache's mod_rewrite to block all requests with the format domain.com/?query-string.

  • RewriteEngine On: Enables the mod_rewrite engine for this directory, allowing the use of RewriteCond and RewriteRule directives.
  • RewriteCond %{QUERY_STRING} .: Sets a condition for the rule that follows. RewriteCond patterns are unanchored regex searches, and the dot (.) matches any single character, so the condition holds whenever the query string is non-empty.
  • RewriteRule ^$ - [F]: Defines the rule itself. In a .htaccess file the pattern is matched against the path relative to that directory, so for a .htaccess in the document root ^$ (an empty path) matches only the homepage. The dash (-) means "do not rewrite the URL", and the [F] flag returns 403 Forbidden.

Apache tests the RewriteRule pattern first and then the conditions: if the request is for the homepage and carries a query string, the rule fires and a 403 is returned. This blocks requests with the format domain.com/?query-string while leaving query strings on other paths (for example /blog/?page=2) untouched.

Note: The configuration above also blocks legitimate query strings on the homepage, such as the click identifiers Facebook and Google append in the form /?fbclid=... and /?gad_source=.... If your website receives traffic from Facebook, Google Ads, or WooCommerce products, use the following configuration instead, which exempts query strings that begin with those parameters.

Code htaccess #2

# Blocks QUERY_STRING
RewriteEngine On
RewriteCond %{QUERY_STRING} .+
RewriteCond %{REQUEST_URI} ^/$
RewriteCond %{QUERY_STRING} !^(fbclid=.*|)$ [NC]
RewriteCond %{QUERY_STRING} !^(gad_source=.*|)$ [NC]
RewriteCond %{QUERY_STRING} !^(wc-ajax=.*|)$ [NC]
RewriteCond %{QUERY_STRING} !^(zarsrc=.*|)$ [NC]
RewriteRule ^ - [F]

Explanation of the Code with Additional Conditions

  • RewriteCond %{QUERY_STRING} .+: Checks that the query string contains at least one character.
  • RewriteCond %{REQUEST_URI} ^/$: Checks that the requested path is exactly the homepage (/). Because the path is tested here, the RewriteRule can use the always-matching pattern ^.
  • RewriteCond %{QUERY_STRING} !^(fbclid=.*|)$ [NC]: The pattern ^(fbclid=.*|)$ matches a query string that begins with fbclid= (or an empty one); the leading ! negates it, so this condition holds only when the query string does not begin with fbclid=. The [NC] flag makes the comparison case-insensitive, so FBCLID= is exempted too. The three following lines do the same for gad_source=, wc-ajax= and zarsrc=.

Note that each exemption only matches when the parameter is the first one in the query string: /?utm_source=newsletter&fbclid=... does not begin with fbclid= and is still blocked. If you need an exemption anywhere in the query string, drop the ^ anchor and trailing .*$ from that line (for example !fbclid= [NC]).

If all these conditions are met, the RewriteRule is applied, returning a 403 error and blocking access to /?query-string.

Testing the Configuration

After implementing the rules, revisit the website and test. Normal URLs, including the plain homepage and query strings on other paths, should load as before. Requesting the /?query-string format should immediately return a 403 error, which shows the rule is active. Also confirm that any legitimate homepage query strings your site depends on still work; WordPress, for instance, serves site search as /?s=term and default permalinks as /?p=ID, and both are blocked by the snippets above unless you add them to the exemption list. Keep in mind that a 403 from mod_rewrite is far cheaper than running PHP for every request, but the server still has to accept the connection and parse the request, so this reduces the cost of a flood rather than stopping a volumetric attack outright.
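Before touching the live server you can check what the two snippets (#1 and #2) will do to a given request. The script below is an added example, not part of the original article: it re-implements the matching semantics of the RewriteRule pattern and the RewriteCond lines in Python's re module, under the assumption that the .htaccess sits in the document root (DirectoryIndex subrequests are ignored), and runs both rulesets over a constructed list of sample requests.

```python
import re

# Offline model of the two .htaccess snippets in the article. The regexes
# are copied verbatim from those snippets; Python's re is close enough to
# PCRE for patterns this simple. Assumption: the .htaccess is in the
# document root, so the per-directory prefix stripped by mod_rewrite is "/".

# A RewriteCond is (variable, regex, re flags, negated?). Consecutive
# RewriteCond lines are ANDed by default, so every one must hold.
RULESET_1 = {
    "rule": r"^$",                          # RewriteRule ^$ - [F]
    "conds": [("QUERY_STRING", r".", 0, False)],
}

RULESET_2 = {
    "rule": r"^",                           # RewriteRule ^ - [F]
    "conds": [
        ("QUERY_STRING", r".+", 0, False),
        ("REQUEST_URI", r"^/$", 0, False),
        ("QUERY_STRING", r"^(fbclid=.*|)$", re.IGNORECASE, True),     # [NC]
        ("QUERY_STRING", r"^(gad_source=.*|)$", re.IGNORECASE, True),
        ("QUERY_STRING", r"^(wc-ajax=.*|)$", re.IGNORECASE, True),
        ("QUERY_STRING", r"^(zarsrc=.*|)$", re.IGNORECASE, True),
    ],
}


def per_directory_path(request_uri):
    """Path as a document-root .htaccess RewriteRule sees it: the directory
    prefix "/" is stripped, so the homepage becomes the empty string."""
    return request_uri[1:] if request_uri.startswith("/") else request_uri


def cond_holds(cond, variables):
    var, pattern, flags, negated = cond
    # RewriteCond patterns are unanchored searches unless they use ^ and $.
    matched = re.search(pattern, variables[var], flags) is not None
    return matched != negated


def is_forbidden(ruleset, request_uri, query_string):
    """True if mod_rewrite would answer this request with 403 under ruleset."""
    # Apache tests the RewriteRule pattern first, then the RewriteCond lines.
    if re.search(ruleset["rule"], per_directory_path(request_uri)) is None:
        return False
    variables = {"REQUEST_URI": request_uri, "QUERY_STRING": query_string}
    return all(cond_holds(c, variables) for c in ruleset["conds"])


# Constructed sample requests (not real traffic): (path, query string).
SAMPLE_REQUESTS = [
    ("/", ""),                                       # plain homepage
    ("/", "a8f3k2q"),                                # random flood string
    ("/", "fbclid=IwAR0abc"),                        # Facebook click id
    ("/", "FBCLID=IwAR0abc"),                        # same, different case
    ("/", "utm_source=newsletter&fbclid=IwAR0abc"),  # fbclid not first
    ("/", "wc-ajax=get_refreshed_fragments"),        # WooCommerce fragments
    ("/", "s=shoes"),                                # WordPress site search
    ("/", "p=123"),                                  # WordPress default permalink
    ("/blog/", "page=2"),                            # query string off the homepage
]


def classify(requests=SAMPLE_REQUESTS):
    """Map each sample request to its verdict under both snippets."""
    return {
        (path, qs): {
            "rule1": is_forbidden(RULESET_1, path, qs),
            "rule2": is_forbidden(RULESET_2, path, qs),
        }
        for path, qs in requests
    }


if __name__ == "__main__":
    print(f"{'request':<48} {'#1':>5} {'#2':>5}")
    for (path, qs), verdict in classify().items():
        url = path + ("?" + qs if qs else "")
        v1 = "403" if verdict["rule1"] else "pass"
        v2 = "403" if verdict["rule2"] else "pass"
        print(f"{url:<48} {v1:>5} {v2:>5}")
```

The table the script prints makes the edge cases visible: snippet #2 lets /?fbclid=... and /?FBCLID=... through but still blocks /?utm_source=newsletter&fbclid=..., and both snippets block WordPress's /?s=shoes and /?p=123. On the live server the same check is a request per row, for example curl -s -o /dev/null -w '%{http_code}\n' 'https://example.com/?a8f3k2q' (example.com stands for your own domain), which should print 403 while the plain homepage and /?fbclid=test print the normal status code.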


I wish you all success in implementing this!