Joomla
Prefer .htaccess auto_prepend_file when Apache/PHP supports it. It gives broader coverage than including AWAF in only one entry point.
Preferred method
On Apache with mod_php and allowed php_value, place the directive in the Joomla root .htaccess and use the absolute AWAF path.
php_value auto_prepend_file "<path_to_directory>/antibot/index.php"Coverage
AWAF starts before PHP files in scope: public index.php, administrator/index.php, ajax/component endpoints, legacy scripts, and service handlers. This helps cover requests that do not pass through one public index.php.
Fallback
For PHP-FPM, CGI, Nginx-only setups, or locked .htaccess, use .user.ini, vhost/pool config, or an early project entry point, usually index.php. This fallback is less universal than auto_prepend_file, so verify administrator, AJAX/component endpoints, API/feeds, and direct PHP endpoints.
Verify
- Test home, articles, categories, search, and 404 pages.
- Test /administrator/, login, AJAX/component endpoints, API/feeds, and sitemap/XML.
- Check forms, payments, extension callbacks, and cron/webcron.
- Add narrow whitelist_url/captcha_uri rules for endpoints where captcha is not acceptable.