6G Firewall 2016

After three years of development, testing, and feedback, I’m pleased to announce the official launch version of the 6G Firewall (aka the 6G Blacklist). This version of the nG Firewall is greatly refined, heavily tested, and better than ever. Fine-tuned to minimize false positives, the 6G Firewall protects your site against a wide variety of malicious URI requests, bad bots, spam referrers, and other attacks. Blocking bad traffic improves site security, reduces server load, and conserves precious resources. The 6G Firewall is entirely plug-n-play with no configuration required. It’s also open source, easy to use, and completely free, providing strong protection for any Apache-powered website.



About 6G

Over the past few years, malicious server scans and bad requests have increased dramatically. If you have yet to implement strong security measures for your site, now is the time to beef up security and lock things down. There are many great security solutions available for your site, but none provide the simplicity, flexibility, and performance of 6G.

The 6G Firewall is a powerful, well-optimized blacklist that checks all URI requests against a set of carefully constructed .htaccess directives. This happens quietly behind the scenes at the server level, which is optimal for performance and resource conservation. Most WordPress security plugins require both PHP and MySQL, which can be overkill and even wasteful depending on the scenario and your overall security strategy. With an .htaccess solution such as the 6G Firewall, the rules are evaluated by Apache itself, without invoking the memory and resources required for PHP, MySQL, etc. That gives you better performance while saving server resources for legitimate traffic.

The 6G Firewall integrates the best features of the following resources:

Bottom line: 6G is an easy-to-use, cost-effective way to secure your site against malicious HTTP activity. It helps to protect against evil exploits, ill requests, and other nefarious garbage, such as XSS attacks, SQL/PHP injections, cache poisoning, response splitting, dual-header exploits, and more.

How it works

Like other Apache firewalls and blacklists, the 6G operates at the server level. Basically you add the 6G code to your site’s root .htaccess file and then sit back and relax while 6G works its magic. That’s the beauty of it: there is no configuration required. Just add the code and you’re done.

Once implemented, 6G scans every HTTP request made to your site. It compares key aspects of each request (query string, request method, referrer, request string, and user agent) against a carefully formulated set of patterns and expressions. If someone or something triggers a match, they are immediately blocked, silently behind the scenes, via a 403 Forbidden response. So legitimate visitors can continue to surf your site with total confidence, while the bad guys are busy getting kicked to the curb by 6G.

Learn more about 6G and how it works »


Before installing 6G, please make sure that your setup meets the requirements:

  • Apache version 2 or better
  • .htaccess files enabled on your server

If you are unsure about either of these requirements, ask your web host. If you are new to Apache and/or .htaccess, and want to learn more about it, I wrote an entire book on using .htaccess to secure and optimize your site. Also, here is a tutorial that explains how to create an .htaccess file on your local machine.


Always make a backup copy of your .htaccess before making any changes. That way if something goes awry, you can restore original functionality immediately. I realize that this may be obvious to some, but it’s important for everyone to know.

Reporting bugs

If you encounter any issue with 6G, please refer to the Troubleshooting and Reporting Bugs sections below for important information.

WordPress alternative for 6G

If your site does not meet the requirements, I develop the following WordPress plugins:

Both of these plugins are blazing fast and integrate 5G/6G technology, providing strong firewall protection for your WordPress-powered site.

6G Firewall

The 6G Firewall/Blacklist consists of the following sections:

  • # 6G:[QUERY STRINGS]
  • # 6G:[REQUEST METHOD]
  • # 6G:[REFERRERS]
  • # 6G:[REQUEST STRINGS]
  • # 6G:[USER AGENTS]
  • # 6G:[BAD IPS]

Each of these sections works independently of the others, such that you could, say, omit the entire query-string and IP-address blocks and the remaining sections would continue to work just fine. Mix ’n match ’em to suit your needs. This code is formatted for deployment in your site’s root .htaccess file. Remember: always make a backup of your .htaccess before making any changes.

# 6G FIREWALL/BLACKLIST
# @ https://perishablepress.com/6g/

# 6G:[QUERY STRINGS]
# Any query string matching one of these patterns gets a 403 Forbidden.
<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
	RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
	RewriteCond %{QUERY_STRING} ([a-z0-9]{2000}) [NC,OR]
	RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
	RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
	RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
	RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
	RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
	RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
	RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
	RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC]
	RewriteRule .* - [F]
</IfModule>

# 6G:[REQUEST METHOD]
# Blocks HTTP methods that a normal website never needs to serve.
<IfModule mod_rewrite.c>
	RewriteCond %{REQUEST_METHOD} ^(connect|debug|delete|move|put|trace|track) [NC]
	RewriteRule .* - [F]
</IfModule>

# 6G:[REFERRERS]
<IfModule mod_rewrite.c>
	RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000}) [NC,OR]
	RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC]
	RewriteRule .* - [F]
</IfModule>

# 6G:[REQUEST STRINGS]
# These patterns are matched against the (decoded) URL path, not the query string.
<IfModule mod_alias.c>
	RedirectMatch 403 (?i)([a-z0-9]{2000})
	RedirectMatch 403 (?i)(https?|ftp|php):/
	RedirectMatch 403 (?i)(base64_encode)(.*)(\()
	RedirectMatch 403 (?i)(=\\\'|=\\%27|/\\\'/?)\.
	RedirectMatch 403 (?i)/(\$(\&)?|\*|\"|\.|,|&|&amp;?)/?$
	RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")
	RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\\|\s|\{|\}|\[|\]|\|)
	RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|etc/passwd|muieblack)
	RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)
	RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
	RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
</IfModule>

# 6G:[USER AGENTS]
# Matching user agents are tagged with the bad_bot variable and then denied.
<IfModule mod_setenvif.c>
	SetEnvIfNoCase User-Agent ([a-z0-9]{2000}) bad_bot
	SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot
	# Apache < 2.3
	<IfModule !mod_authz_core.c>
		Order Allow,Deny
		Allow from all
		Deny from env=bad_bot
	</IfModule>
	# Apache >= 2.3
	<IfModule mod_authz_core.c>
		<RequireAll>
			Require all Granted
			Require not env bad_bot
		</RequireAll>
	</IfModule>
</IfModule>

# 6G:[BAD IPS]
<Limit GET HEAD OPTIONS POST PUT>
	Order Allow,Deny
	Allow from All
	# uncomment/edit/repeat next line to block IPs
	# Deny from 123.456.789
</Limit>

To implement: include the entire 6G Blacklist in the root .htaccess file of your site. Remember to back up your original .htaccess file before making any changes. Then test your pages thoroughly while enjoying a delicious beverage. If you encounter any issues, please read the troubleshooting tips and the section on reporting bugs. As always, feel free to share feedback and ask any questions in the comment section :)


Some notes about the 6G:

Code placement

If you are running WordPress and it is installed in its own directory, you may need to move the QUERY STRING rules to the .htaccess file found in the root of that directory. So for example, if WordPress is installed in a subdirectory named “blackmothsuperrainbow”, 6G would be included as follows:

  • The .htaccess file contained in the /blackmothsuperrainbow/ directory includes the QUERY STRING rules
  • The .htaccess file contained in the site’s root directory contains everything else

Also, in some cases it may be necessary to place the QUERY STRING rules before any WordPress Permalink rules. The best way to determine if this is necessary is to make the following request (note: replace example.com with your own domain name):


After making that request, if you get a 403 Forbidden response, then you’re fine. If you receive a 404 error or something else, make sure that the QUERY STRING rules are included as prescribed above.

Blocking IPs

Apache-based firewalls and blacklists can block on just about any part of a URI request: IP address, user agent, request string, query string, referrer, and everything in between. But IP addresses change constantly, and user agents and referrers are easily spoofed. As discussed, blocking via request string yields the best results: greater protection with fewer false positives.

With that in mind, the 6G Firewall includes a section for blocking IP addresses. This is meant to provide a convenient way for admins to block unwanted visitors/bots. But keep in mind that denying access based on IP is a temporary strategy, best suited for quickly blocking specific threats.


6G blocks requests for the TimThumb script/plugin with the following rules:

RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php

So if you are running TimThumb on your site, comment out or remove those two rules, for example:

# RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
# RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php

By adding a hash symbol (pound sign, whatever) # to the beginning of any line in your .htaccess file, you effectively turn the line into a comment that is ignored by Apache. Alternately, for the RedirectMatch line, you could remove all “thumb” related strings while keeping the others enabled.

WordPress Add-on

For those of you using the WordPress Add-on for 5G, it’s no longer necessary if you’re upgrading to 6G. The WP 5G Add-on is integrated into 6G.

File types

To help secure your site against threats, the 6G blocks requests for specific types of files. These file types are specified in the Request Strings section of the 6G, on the RedirectMatch line whose list begins with aspx?|bash|bak?|cfg. 99% of the time, these file types are not requested over HTTP, and are totally safe to block. Even so, you may want to examine the list and make sure that it’s not blocking any file types that are required by your site.


If you’re doing anything with CGI, such as scripts served from /cgi-bin/, remove the cgi- alternative from this line:

RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|etc/passwd|muieblack)


Changelog for 6G Firewall:


  • User Agent rules now support mod_authz_core (Apache >= 2.3)


  • Appended php to (wp-)?config\. (Thanks Franceska)


  • Removed % from QUERY STRINGS (Thanks Adam)


  • Initial release!

For more information about development, check out the 6G Beta.


A list of frequently asked questions.

Do I need both 5G and 6G?

Nope, 6G is designed to replace 5G, based on the evolving landscape of malicious threats and exploits. If you want to run both firewalls, that’s fine too. There will be some redundant rules, but otherwise the firewalls are 100% compatible.

Does 6G work with WordPress?

The 6G works beautifully with WordPress, and should help any Apache-powered site conserve bandwidth and server resources while protecting against malicious activity. That said, WordPress is the big player these days, so most of the testing is tuned to that particular platform. If you’re installing 6G on any other CMS, please be mindful and take the time to test all of your pages.

Can I add 6G to a live site?

While it’s always recommended to test all code in a test/development environment, it’s totally fine to add 6G directly to a live/production site. As long as your site meets the above requirements, you should be good to go. Just to be safe, make a backup copy of your .htaccess file, as advised in the next section.


If you encounter any errors or non-loading resources after installing 6G, remove the entire block of code and restore your original .htaccess file. Then continue as follows:

Resource not loading

If some page or resource is not loading after adding 6G, determine its URI. Make note of any non-alphanumeric characters or anything else that looks unusual. Then compare against the rules defined in 6G. If you can spot the offending pattern, you can remove it, comment it out, or report it (see Reporting Bugs).

If you are unable to determine which pattern is at issue, further investigation is required. There are numerous ways of going about it. Here is a good walkthrough of my halving method of isolating problematic code, which I recommend unless you have your own favorite way of troubleshooting ;)
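To speed up the comparison described above (and the TimThumb and file-type notes earlier), here is an added Python helper that is not part of 6G itself: it mirrors the QUERY STRINGS and REQUEST STRINGS patterns from the listing and reports which of them would return 403 for a given URI, so you know exactly which line to edit. It assumes Apache's behaviour that RewriteCond tests the raw, still-encoded query string while RedirectMatch tests the percent-decoded URL path; the sample URIs are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# QUERY STRINGS patterns, copied from the 6G listing. Apache's RewriteCond
# with [NC] tests the raw (still percent-encoded) query string, ignoring case.
QUERY_RULES = [
    r"(eval\()", r"(127\.0\.0\.1)", r"([a-z0-9]{2000})",
    r"(javascript:)(.*)(;)", r"(base64_encode)(.*)(\()",
    r"(GLOBALS|REQUEST)(=|\[|%)", r"(<|%3C)(.*)script(.*)(>|%3)",
    r"(\\|\.\.\.|\.\./|~|`|<|>|\|)", r"(boot\.ini|etc/passwd|self/environ)",
    r"(thumbs?(_editor|open)?|tim(thumb)?)\.php",
    r"(\'|\")(.*)(drop|insert|md5|select|union)",
]
# REQUEST STRINGS patterns, copied from the 6G listing. RedirectMatch with
# (?i) tests the percent-decoded URL path, never the query string.
REQUEST_RULES = [
    r"([a-z0-9]{2000})", r"(https?|ftp|php):/", r"(base64_encode)(.*)(\()",
    r"(=\\\'|=\\%27|/\\\'/?)\.", r"/(\$(\&)?|\*|\"|\.|,|&|&amp;?)/?$",
    r"(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")",
    r"(~|`|<|>|:|;|,|%|\\|\s|\{|\}|\[|\]|\|)",
    r"/(=|\$&|_mm|cgi-|etc/passwd|muieblack)",
    r"(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)",
    r"\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$",
    r"/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php",
]


def matching_rules(uri):
    """Return (section, pattern) pairs whose pattern would 403 this URI.
    Empty list: these two sections allow it; several pairs: edit all of them."""
    parts = urlsplit(uri)
    hits = [("QUERY STRINGS", p) for p in QUERY_RULES
            if re.search(p, parts.query, re.IGNORECASE)]
    path = unquote(parts.path)  # RedirectMatch sees "%3C" in the path as "<"
    hits += [("REQUEST STRINGS", p) for p in REQUEST_RULES
             if re.search(p, path, re.IGNORECASE)]
    return hits


if __name__ == "__main__":
    # Constructed sample URIs: a normal page, a backup file, TimThumb, and
    # the deployment check of sending "eval(" in the query string.
    for uri in ("/index.php?p=1", "/wp-content/uploads/site.bak",
                "/wp-content/themes/x/timthumb.php?src=a.jpg", "/?eval("):
        print(uri, "->", [sec for sec, _ in matching_rules(uri)] or "allowed")
```

The helper covers only the two sections that the troubleshooting text compares URIs against; referrer, user-agent, method and IP rules are not modelled.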

Server error

If you get a server error after installing 6G, double-check that your site meets the requirements. If you are sure that the requirements are met, you can either troubleshoot to determine the offending rule(s), and/or you can report the issue as explained below.

Reporting bugs

If you discover any bugs, issues, or errors, report them directly via my contact form. Please do not report bugs in the comment area, thanks.

Show support

I spend countless hours researching and developing the 6G Firewall. I share it freely and openly with the hope that it will help make the Web a safer place for everyone.

If you benefit from my work with the 6G and would like to show support, consider buying one of my books, such as .htaccess made easy. You’ll get a complete guide to .htaccess, exclusive forum access, and a ton of awesome techniques for configuring, optimizing, and securing your site.

Of course, tweets, likes, links, and shares are super helpful and very much appreciated.

Your generous support allows me to continue developing the 6G Firewall and other awesome resources for the community. Thank you kindly :)


As mentioned previously, the 6G Firewall is entirely open source and free for all to use. The only requirement is that the following credit lines are included wherever 6G is used:

# 6G FIREWALL/BLACKLIST
# @ https://perishablepress.com/6g/

Other than that, it’s all yours!


The 6G Firewall is provided “as-is”, with the intention of helping people protect their sites against bad requests and other malicious activity. The code is open and free to use and modify as long as the first two credit lines remain intact. By using this code you assume all risk & responsibility for anything that happens, whether good or bad. In short, use wisely, test thoroughly, don’t sue me.

Learn More..

To learn more about the theory and development of the 6G Firewall, check out my articles on building the 3G, 4G and 5G Blacklist. The 6G beta article also contains some good information. And if all that’s not enough, a quick search for “blacklist” should also yield many results (search bar is available under the “Archives” menu).

Coming soon..

Like 5G/6G? Keep an eye out for the 7G Firewall Beta, which currently is in the initial development phase. Stay tuned!

Thank You

Thanks to everyone who helped test the beta and provide feedback on 6G. Also thank you to everyone who supports Perishable Press — I couldn’t do it without you!