- Redirect Movable Type RSS Feeds to FeedBurner
- Encourage Browser Caching For a Faster Load Time
- Use Apache's mod_deflate To Gzip Compress Static Data
- Combat/Block Trackback Spam
- Redirect Visitors to a Maintenance Page
- Prevent Hot-Linking of Your Images on Other Sites
- Control Access to mt*.cgi Movable Type Core Scripts
- Deny Access to Your Blog by IP Address
- Deny Access to Rogue Bots and Other Invalid User-Agents
- Combat HTTP Referrer Spam
Continue reading for the details ...
PREFACE/WARNING:
Before tweaking any Apache configuration files (including your .htaccess files), be sure you know what you're doing. Also, it's always a good idea to make backup copies of any configuration files you plan to modify.
- Redirect Movable Type RSS Feeds to FeedBurner
My Movable Type platform publishes my RSS feed to /atom.xml (this is the default). If you want to force your feed subscribers to use your FeedBurner cached feed instead of retrieving the RSS XML directly from your server, you can use Apache's mod_rewrite to gracefully redirect them. This .htaccess hack redirects all non-FeedBurner User-Agents to your FeedBurner cached feed:

# Redirect subscribers to your FeedBurner feed
<IfModule mod_rewrite.c>
RewriteEngine on
# Let FeedBurner itself and the feed validator still fetch the original file
RewriteCond %{HTTP_USER_AGENT} !FeedBurner [NC]
RewriteCond %{HTTP_USER_AGENT} !FeedValidator [NC]
# In a .htaccess file the pattern is matched without the leading slash,
# so the slash is made optional here
RewriteRule ^/?atom\.xml$ http://feeds2.feedburner.com/yourfeed [R=301,NC,L]
</IfModule>

Be sure to change http://feeds2.feedburner.com/yourfeed above to your correct FeedBurner address.

- Encourage Browser Caching For a Faster Load Time
Many images, CSS files, and JavaScript resources are fairly static. They don't change that often, so asking the browser to cache these resources can help improve the loading time of your blog. Note that this hack asks the browser to cache static content; it's not a guarantee that the browser will actually cache it. Nevertheless, you can use Apache's mod_expires module, together with the FileETag directive, to tweak e-tagging and expiry:

# Build the ETag from modification time and size only (not the inode)
FileETag MTime Size
<IfModule mod_expires.c>
<FilesMatch "\.(jpg|jpeg|gif|png|css|js|zip)$">
ExpiresActive on
# Tell the browser these files are good for a year after it fetched them
ExpiresDefault "access plus 1 year"
</FilesMatch>
</IfModule>

- Use Apache's mod_deflate To Gzip Compress Static Content
Somewhat similar to e-tagging, you can use Apache's mod_deflate module to Gzip compress content on the server before it's sent to the browser. I discussed Apache's mod_deflate module in nice detail in another post. In a nutshell, this technique can save precious bandwidth and greatly improve the loading time of your blog. However, keep in mind that not all browsers support compression. The good news is that the mod_deflate module is smart enough to look for the "Accept-Encoding" HTTP header. If the browser doesn't send this header (meaning the browser doesn't support compression), then mod_deflate will NOT compress the content. Here's how you can turn on compression; note that I'm using the highest compression level possible (9):

<IfModule mod_deflate.c>
# DeflateCompressionLevel is only valid in httpd.conf or a virtual host, not in .htaccess
DeflateCompressionLevel 9
SetOutputFilter DEFLATE
# Netscape 4.x has problems with anything but text/html
BrowserMatch ^Mozilla/4 gzip-only-text/html
# MSIE masquerades as Netscape but handles gzip fine, so undo the above for it
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# Don't recompress formats that are already compressed
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|ico)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:pdf|avi|mov|mp3)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:zip|bz2|gz|sit|rar)$ no-gzip dont-vary
# Tell caches the response differs by User-Agent (because of BrowserMatch)
Header append Vary User-Agent env=!dont-vary
</IfModule>

# THIS GOES IN YOUR HTTPD.CONF FILE, NOT .HTACCESS
# Use a special deflate/compress log so you know what's compressed
DeflateFilterNote ratio
LogFormat '"%r" %b (%{ratio}n%%) "%{User-agent}i"' deflate
CustomLog logs/your.server.log-deflate_log deflate

- Combat/Block Trackback Spam
If you're like me, you hate Trackback spam. I enjoy receiving incoming Trackbacks from other bloggers, but I simply don't have time to sort through all of the spam. So, I used a fairly large hammer and decided to block all incoming Trackbacks. I did so using Apache's FilesMatch directive. I discussed my battle with Trackback spam in another post. Here's a quick config tweak that will reject incoming Trackbacks from all clients except those on your local network:

<FilesMatch "mt\-tb\.cgi">
# Set TB_OK only for clients on the local 192.168.1.* network
SetEnvIf Remote_Addr "^192\.168\.1\." TB_OK=1
# Deny everyone; an Allow match (TB_OK set) overrides the Deny
Order deny,allow
Deny from all
Allow from env=TB_OK
</FilesMatch>

- Redirect Visitors to a Maintenance Page
If you happen to be making some changes to your blog, you might want to temporarily redirect a user to a "Sorry, I'm temporarily down for maintenance" page. Again, this is easily doable using Apache's mod_rewrite module:

<IfModule mod_rewrite.c>
RewriteEngine on
# Don't redirect the maintenance page itself (avoids a redirect loop)
RewriteCond %{REQUEST_URI} !/maintenance\.html$
# Let your own local network keep using the live site
RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.
# Temporary (302) redirect, so the new location isn't cached as permanent
RewriteRule .* /maintenance.html [R=302,L]
</IfModule>

- Prevent Hot-Linking of Your Images on Other Sites
As described on 10 awesome .htaccess hacks for WordPress, hot-linking occurs when a resource hosted on your server is embedded in another page or blog. This most commonly occurs with images. Wikipedia has a nice description of hot-linking. Here's a quick .htaccess hack to prevent hot-linking by verifying that the requested resource was requested by a browser at your blog:

<IfModule mod_rewrite.c>
RewriteEngine On
# Replace ?mysite\.com/ with your blog url
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.com/ [NC]
# Requests without any Referer header (direct visits, some proxies) are let through
RewriteCond %{HTTP_REFERER} !^$
# Replace /images/nohotlink.jpg with your "don't hotlink" image url
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]
</IfModule>

- Control Access to mt*.cgi Movable Type Core Scripts
Movable Type's core scripts start with "mt". These scripts include the publishing channel, the MT upgrade tool, and other interesting utilities. You can find my core mt.cgi script here (if you click this, you'll get a 403 Forbidden error because of this hack). Generally speaking, you don't want to give the public access to these core scripts. So, here's a quick hack that denies access to all browsers except those on your local network. Note that this blocks access to every core MT script with the exception of mt-search.cgi, which is used for tagging (thanks to @marcus for the heads up):

# The negative lookahead (?!-search) matches mt*.cgi but skips mt-search.cgi
<FilesMatch "mt(?!-search).*?\.cgi">
SetEnvIf Remote_Addr "^192\.168\.1\." MT_OK=1
Order deny,allow
Deny from all
Allow from env=MT_OK
</FilesMatch>

- Deny Access to Your Blog by IP Address
If you know the IP address of a rogue user or bot that is pounding on your server, you can use Apache's Limit directive to block them from your blog. If you have root access to your blogging server, you may also enjoy using iptables to deny access by IP address. Note that if you want to block more than one IP, you'll need to add another "deny from ..." line to your .htaccess file; you need one "deny from ..." line per IP address. If you want to deny access to a block of IPs, you can specify a partial IP address as shown below (200.49.177 blocks everyone that has an IP starting with 200.49.177):

# <Limit> only restricts the listed methods (HEAD is treated as GET);
# requests using other methods are not covered by this block
<Limit GET POST>
order allow,deny
# a single host
deny from 200.49.176.139
# a partial address: every host in 200.49.177.*
deny from 200.49.177
allow from all
</Limit>

- Deny Access to Rogue Bots and Other Invalid User-Agents
I hate invalid User-Agents: empty agents, bogus bots, etc. I decided to get tough and blocked clients issuing requests to my blog with bogus User-Agent strings. Here you'll find a quick .htaccess hack that blocks empty User-Agents, bogus User-Agents, and agents from web-caching proxies:

# A User-Agent of just "-" or nothing at all
SetEnvIf User-Agent ^-$ block=1
SetEnvIf User-Agent ^$ block=1
# The bare "Mozilla/4.0 (compatible;)" string with nothing after it
SetEnvIf User-Agent "^Mozilla\/4\.0 \(compatible\;\)$" block=1
# Known bogus bots, matched case-insensitively anywhere in the string
SetEnvIfNoCase User-Agent "(morfeus|gigabot|emailsearch|radian)" block=1
SetEnvIfNoCase User-Agent "(MiniRedir|SurveyBot|PMAFind|java)" block=1
# Allow everyone, then refuse any request that set block=1
Order allow,deny
Allow from all
Deny from env=block

- Combat HTTP Referrer Spam
Referrer spam is also very irritating. Rogue bots might pound on your server by issuing bogus requests with ads in the HTTP referrer header. Usually the ads are links to porn sites and other nonsense. To combat this problem, I tweaked my .htaccess file to block the incoming request if the referrer contains any of the given keywords (note the profanities, and other lovely words):

# Case-insensitive keyword match anywhere in the Referer header
SetEnvIfNoCase Referer "(hold-?em|poker|casino|hotel|loan|stockleaf)" block=1
SetEnvIfNoCase Referer "(viagra|cialis|penis|porn|fuck|mortgage)" block=1
SetEnvIfNoCase Referer "(payday|pingdom|diet)" block=1
Order allow,deny
Allow from all
Deny from env=block
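The referrer rules above, the bogus User-Agent rules before them, and the mt-tb.cgi and hot-linking sections earlier all come down to a few regexes plus Apache 2.2's Order semantics. The following Python script is an added example, not the post's code: it re-implements that evaluation with the post's own patterns over constructed requests, so you can check what each rule set serves or refuses before touching the live .htaccess. It assumes an absent header behaves like an empty one and that the blog is mysite.com, as in the post's placeholder.

```python
import re

# Added example, not the post's code: models how Apache 2.2 evaluates four of
# the post's rule sets with the post's own patterns. An absent header is
# modelled as "" (what %{HTTP_REFERER} and SetEnvIf see for a missing header).
UA_BLOCK = [re.compile(r"^-$"), re.compile(r"^$"),
            re.compile(r"^Mozilla/4\.0 \(compatible;\)$"),
            re.compile(r"(morfeus|gigabot|emailsearch|radian)", re.I),   # NoCase
            re.compile(r"(MiniRedir|SurveyBot|PMAFind|java)", re.I)]
REFERER_BLOCK = [re.compile(r"(hold-?em|poker|casino|hotel|loan|stockleaf)", re.I),
                 re.compile(r"(viagra|cialis|penis|porn|fuck|mortgage)", re.I),
                 re.compile(r"(payday|pingdom|diet)", re.I)]
LOCAL_NET = re.compile(r"^192\.168\.1\.")                      # SetEnvIf Remote_Addr
OWN_SITE = re.compile(r"^http://(.+\.)?mysite\.com/", re.I)   # hot-link RewriteCond [NC]
IMAGE = re.compile(r".*\.(jpe?g|gif|bmp|png)$")               # hot-link RewriteRule, no [NC]

def order_decision(order: str, allow_matched: bool, deny_matched: bool) -> bool:
    """Apache 2.2 Order semantics; True means the request is served."""
    if order == "allow,deny":   # default deny: must match an Allow and no Deny
        return allow_matched and not deny_matched
    if order == "deny,allow":   # default allow: an Allow match overrides a Deny match
        return allow_matched or not deny_matched
    raise ValueError(order)

def ua_referer_allowed(user_agent: str, referer: str) -> bool:
    """Bogus User-Agent / referrer-spam sections: Allow from all; Deny from env=block."""
    block = any(p.search(user_agent) for p in UA_BLOCK) or \
        any(p.search(referer) for p in REFERER_BLOCK)
    return order_decision("allow,deny", True, block)

def trackback_allowed(remote_addr: str) -> bool:
    """mt-tb.cgi section: Deny from all; Allow from env=TB_OK (local network only)."""
    return order_decision("deny,allow", LOCAL_NET.search(remote_addr) is not None, True)

def hotlink_target(path: str, referer: str) -> str:
    """Hot-link section: both negated RewriteConds must hold before the rule fires."""
    foreign = not OWN_SITE.search(referer)
    present = referer != ""          # an empty Referer is let through by the second cond
    return "/images/nohotlink.jpg" if foreign and present and IMAGE.match(path) else path

if __name__ == "__main__":   # constructed requests, one per rule set
    print("java UA served:", ua_referer_allowed("Java/1.6.0_14", ""))
    print("holdem referer served:",
          ua_referer_allowed("Mozilla/5.0 Firefox/3.5", "http://spam.example/holdem/"))
    print("trackback LAN/WAN:", trackback_allowed("192.168.1.22"), trackback_allowed("203.0.113.9"))
    print("foreign referer:", hotlink_target("/images/photo.jpg", "http://forum.example.org/t/42"))
    print("own site over https:", hotlink_target("/images/photo.jpg", "https://mysite.com/"))
```

The last sample shows that the Referer pattern as written only matches http://, so on an https blog your own pages would be treated as foreign; likewise the image RewriteRule carries no [NC], so an upper-case extension such as .PNG is not covered.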

