Skip to content

Instantly share code, notes, and snippets.

@RichardTMiles
Last active March 23, 2024 17:36
Show Gist options
  • Save RichardTMiles/940b533683422b684c6d0aac2fb6ead7 to your computer and use it in GitHub Desktop.
Save RichardTMiles/940b533683422b684c6d0aac2fb6ead7 to your computer and use it in GitHub Desktop.
better wordpress .htaccess
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|swf|xml|txt|css|js|svg|html|htm|hbs|json|map|woff|ttf|webp)$">
RewriteBase /
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
</FilesMatch>
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteRule ^xmlrpc\.php$ / [R=302,L]
RewriteRule ^wp-admin.*$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_FILENAME} !-d [OR]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d [OR]
RewriteRule . /index.php [L]
@RichardTMiles
Copy link
Author

Disable XMLRPC entirely. Limit access to what WordPress PHP files can be called.

I will turn this into a script to analyze the actual wp-admin directory from LTS

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment