Joomla comes with a bunch of exploits filters (see below), but I need to add one more. I want to block the use of a plus sign (+) in the querystring. I want to block qs like this: http://www.website.org/index.php?tmpl=component+and+1=1 This is what I added to .htaccess, after RewriteEngine On, but it does nothing: # Send request using a plus sign in querystring to homepage without error! RewriteCond %{QUERY_STRING} (.*\+.*) [NC] RewriteRule ^(.*)$ index.php [L] Any suggestions? These are the out of the box exploits filters: ## Can be commented out if causes errors, see notes above. Options +FollowSymLinks # mod_rewrite in use RewriteEngine On ########## Begin - Rewrite rules to block out some common exploits ## If you experience problems on your site block out the operations listed below ## This attempts to block the most common type of exploit `attempts` to Joomla! # Block out any script trying to set a mosConfig value through the URL RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR] # Block out any script trying to base64_encode crap to send via URL RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR] # Block out any script that includes a <script> tag in URL RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR] # Block out any script trying to set a PHP GLOBALS variable via URL RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] # Block out any script trying to modify a _REQUEST variable via URL RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) # Send all blocked request to homepage with 403 Forbidden error! RewriteRule ^(.*)$ index.php [L] # ########## End - Rewrite rules to block out some common exploits