Ah, the generic recommended .htaccess file that comes with Moodle is moodle/lib/htaccess, and the contents are here:
http://xref.moodle.org/nav.html?lib/htaccess.source.html
And it is explained here
http://docs.moodle.org/en/Installing_Moodle#Using_a_.htaccess_file_for_webserver_and_PHP_settings
It includes the following, which are already set on my server except for the last two, of which I can find no mention:
php_flag magic_quotes_gpc 1
php_flag magic_quotes_runtime 0
php_flag register_globals 0
php_flag file_uploads 1
php_flag short_open_tag 1
php_flag session.auto_start 0
php_flag session.bug_compat_warn 0
There is no mention of
php_flag allow_url_fopen 0
so perhaps it is not needed.
Elsewhere Oliver Kuy recommends the following .htaccess for 1&1 servers:
upload_max_filesize = 20M;
browscap = /usr/local/lib/browscap.ini;
error_reporting = (E_ALL & ~E_NOTICE & ~E_WARNING);
url_rewriter.tags = "a=href,area=href,frame=src,form=fakeentry,fieldset=";
register_globals = off;
allow_url_fopen = off;
max_execution_time = 50000;
safe_mode = off;
file_uploads = on;
magic_quotes_gpc = on;
memory_limit = 41943040;
short_open_tag = on;
post_max_size = 26214400;
This page has all sorts of information about using .htaccess to increase security.
For example, I thought that the following might be a good idea to remove the threat of malware in the following languages.
RemoveHandler .pl .py .cgi
AddType text/plain .pl .py .cgi
Limiting IP addresses to one's country (Japan in my case) is almost impossible, as IP addresses are all over the place and some are international. But some Japanese do it with a very long .htaccess file, which one can base on this, but I will not be doing it.
Conversely, we are warned against using htaccess for the reasons explained here
http://httpd.apache.org/docs/1.3/howto/htaccess.html#when
but since AllowOverride does seem to be set on my server, meaning that Apache is looking for .htaccess files, the only drawback seems to be the need to download the file, which is very short at the moment. But perhaps even a short .htaccess is better avoided.
I am just trying to think of ways to improve security on an old Moodle version, since upgrading is not easily possible and I don't know what to patch.
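A small audit of the PHP settings quoted in the post, added here as an example (not part of the original post and not Moodle's own code): it reads both the "php_flag name value" form and the "name = value;" form shown above and reports where a file differs from the values the post lists. The function names and the sample input are constructed for illustration.

```python
import re

# Boolean values the post wants enforced, taken from the settings quoted above.
EXPECTED = {"register_globals": False, "allow_url_fopen": False,
            "magic_quotes_runtime": False, "session.auto_start": False,
            "magic_quotes_gpc": True}
TRUE, FALSE = {"1", "on", "true", "yes"}, {"0", "off", "false", "no"}
# .htaccess form: "php_flag name value" or "php_value name value"
HTACCESS_RE = re.compile(r"^php_(?:flag|value)\s+(\S+)\s+(.+)$", re.I)
# php.ini form: "name = value" (anything after ";" is a comment in php.ini)
INI_RE = re.compile(r"^([\w.]+)\s*=\s*([^;]*)")

def parse_settings(text):
    """Return {directive: raw value} from either syntax; last occurrence wins."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = HTACCESS_RE.match(line) or INI_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip().strip('"')
    return settings

def audit(text):
    """Return sorted (directive, problem) pairs where text differs from EXPECTED."""
    found, problems = parse_settings(text), []
    for name, want in EXPECTED.items():
        raw = found.get(name)
        if raw is None:
            problems.append((name, "not set here"))
        elif raw.lower() not in TRUE | FALSE:
            problems.append((name, "unrecognised value %r" % raw))
        elif (raw.lower() in TRUE) != want:
            problems.append((name, "is %s, expected %s" % (raw, "on" if want else "off")))
    return sorted(problems)

# Constructed sample mixing both syntaxes, for demonstration only.
SAMPLE = ("php_flag register_globals 1\nphp_flag magic_quotes_gpc 1\n"
          "allow_url_fopen = off;\nsession.auto_start = On\n")

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print("%-22s %s" % (name, problem))
```

A directive reported as "not set here" may still be set in the server-wide php.ini, so the effective value is best confirmed from phpinfo() output.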