AWAFAWAF

Joomla

Prefer .htaccess auto_prepend_file when Apache/PHP supports it. It gives broader coverage than including AWAF in only one entry point.

Preferred method

On Apache with mod_php and allowed php_value, place the directive in the Joomla root .htaccess and use the absolute AWAF path.

php_value auto_prepend_file "<path_to_directory>/antibot/index.php"

Coverage

AWAF starts before PHP files in scope: public index.php, administrator/index.php, ajax/component endpoints, legacy scripts, and service handlers. This helps cover requests that do not pass through one public index.php.

Fallback

For PHP-FPM, CGI, Nginx-only setups, or locked .htaccess, use .user.ini, vhost/pool config, or an early project entry point, usually index.php. This fallback is less universal than auto_prepend_file, so verify administrator, AJAX/component endpoints, API/feeds, and direct PHP endpoints.

Verify

  • Test home, articles, categories, search, and 404 pages.
  • Test /administrator/, login, AJAX/component endpoints, API/feeds, and sitemap/XML.
  • Check forms, payments, extension callbacks, and cron/webcron.
  • Add narrow whitelist_url/captcha_uri rules for endpoints where captcha is not acceptable.