Instantly share code, notes, and snippets.

Embed
What would you like to do?
Safer WordPress with these .htaccess additions
# Don't show errors which contain full path diclosure (FPD)
# Use that line only if PHP is installed as a module and not per CGI
# try using a php.ini in that case.
# Change mod_php5.c to mod_php7.c if you are running PHP7
<IfModule mod_php5.c>
php_flag display_errors Off
</IfModule>
# Don't list directories
<IfModule mod_autoindex.c>
Options -Indexes
</IfModule>
# Protect XMLRPC (needed for Apps, Offline-Blogging-Tools, Pingback, etc.)
# If you use that, these tools will not work anymore
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
# If you don't use the Database Optimizing and Post-by-Email features, turn off the access too:
<FilesMatch "(repair|wp-mail)\.php">
Order Deny,Allow
Deny from all
</FilesMatch>
# Prevent browser and search engines to request .log (e.g. WP DEBUG LOG) and .txt (e.g. plugins readme) files.
# Must be placed in /wp-content/.htaccess
<FilesMatch "\.(log|txt)$">
Order Allow,Deny
Deny from all
</FilesMatch>
# Hide WordPress, system & sensitive files
<FilesMatch "(^\.|wp-config(-sample)*\.php)">
Order Deny,Allow
Deny from all
</FilesMatch>
# Protect some other files
<FilesMatch "(liesmich.html|readme.html|(.*)\.ttf|(.*)\.bak)">
Order Deny,Allow
Deny from all
</FilesMatch>
# Block the include-only files.
# Do not use in Multisite without reading the note in Codex!
# See: https://codex.wordpress.org/Hardening_WordPress#WP-Includes
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
# If you run multisite, comment the next line (see note above)
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# Set some security related headers
# See: http://de.slideshare.net/walterebert/die-htaccessrichtignutzenwchh2014 (GERMAN)
<IfModule mod_headers.c>
Header set X-Content-Type-Options nosniff
Header set X-XSS-Protection "1; mode=block"
# The line below is an advanced method for a more secure configuration, please see documentation before usage!
# Introduction: https://scotthelme.co.uk/content-security-policy-an-introduction/
# http://www.heise.de/security/artikel/XSS-Bremse-Content-Security-Policy-1888522.html (German)
# Documentation: https://content-security-policy.com/
# Analysis: https://securityheaders.io/
# Header set Content-Security-Policy "default-src 'self'; img-src 'self' http: https: *.gravatar.com;"
</IfModule>
# Allow WordPress Embed
# https://gist.github.com/sergejmueller/3c4351ec29576fb441fe
<IfModule mod_setenvif.c>
SetEnvIf Request_URI "/embed/$" IS_embed
<IfModule mod_headers.c>
Header set X-Frame-Options SAMEORIGIN env=!REDIRECT_IS_embed
</IfModule>
</IfModule>
#Force secure cookies (uncomment for HTTPS)
<IfModule mod_headers.c>
#Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</IfModule>
#Unset headers revealing versions strings
<IfModule mod_headers.c>
Header unset X-Powered-By
Header unset X-Pingback
Header unset SERVER
</IfModule>
# Filter Request Methods
# See: https://perishablepress.com/disable-trace-and-track-for-better-security/
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>
@jorgemolongua

This comment has been minimized.

jorgemolongua commented Aug 2, 2017

Thank you for this. It does help a lot.
However, is there a way to place the HTTP Security Headers in "wp-config.php" instead of in ".htacess" or "functions.php"? That would really simplify what I'm working on. Each time I try it it stops WordPress from loading.

Thank you in advance.

@fdenis83

This comment has been minimized.

fdenis83 commented Nov 29, 2018

Curious, Is this meant to be in a second .htaccess file within the wp-content? I notice if you use this in the root htaccess it blocks robots.txt, which could effect website ranking.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment