# Don't show errors which contain full path disclosure (FPD)
# Use that line only if PHP is installed as a module and not as CGI
# try using a php.ini in that case.
# Change mod_php5.c to mod_php7.c if you are running PHP7
<IfModule mod_php5.c>
php_flag display_errors Off
</IfModule>
# Don't list directories
<IfModule mod_autoindex.c>
Options -Indexes
</IfModule>
# PROTECT install.php
# Uncomment or change to 'Allow from all' for install of WordPress
<Files install.php>
Order Allow,Deny
Deny from all
Satisfy all
</Files>
# Protect XMLRPC (needed for Apps, Offline-Blogging-Tools, Pingback, etc.)
# If you use this, those tools will not work anymore
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
# If you don't use the Database Optimizing and Post-by-Email features, turn off the access too:
<FilesMatch "(repair|wp-mail)\.php">
Order Deny,Allow
Deny from all
</FilesMatch>
# Prevent browsers and search engines from requesting .log (e.g. WP DEBUG LOG) and .txt (e.g. plugin readme) files.
# Must be placed in /wp-content/.htaccess
<FilesMatch "\.(log|txt)$">
Order Allow,Deny
Deny from all
</FilesMatch>
# Hide WordPress, system & sensitive files
<FilesMatch "(^\.|wp-config(-sample)*\.php)">
Order Deny,Allow
Deny from all
</FilesMatch>
# Protect some other files
<FilesMatch "(liesmich.html|readme.html|license.txt|(.*)\.bak)">
Order Deny,Allow
Deny from all
</FilesMatch>
# Block the include-only files.
# Do not use in Multisite without reading the note in the Codex!
# See: https://wordpress.org/support/article/hardening-wordpress/#securing-wp-includes
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
# If you run multisite, comment the next line out (see note above)
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# Set some security related headers
# See: http://de.slideshare.net/walterebert/die-htaccessrichtignutzenwchh2014 (GERMAN)
<IfModule mod_headers.c>
Header set X-Content-Type-Options nosniff
Header set X-XSS-Protection "1; mode=block"
# The line below is an advanced method for a more secure configuration, please see the documentation before usage!
# Introduction: https://scotthelme.co.uk/content-security-policy-an-introduction/
# http://www.heise.de/security/artikel/XSS-Bremse-Content-Security-Policy-1888522.html (German)
# Documentation: https://content-security-policy.com/
# Analysis: https://securityheaders.io/
# Header set Content-Security-Policy "default-src 'self'; img-src 'self' http: https: *.gravatar.com;"
</IfModule>
# Allow WordPress Embed
# https://gist.github.com/sergejmueller/3c4351ec29576fb441fe
<IfModule mod_setenvif.c>
SetEnvIf Request_URI "/embed/$" IS_embed
<IfModule mod_headers.c>
Header set X-Frame-Options SAMEORIGIN env=!REDIRECT_IS_embed
</IfModule>
</IfModule>
# Force secure cookies (uncomment for HTTPS)
<IfModule mod_headers.c>
#Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</IfModule>
# Unset headers revealing version strings
<IfModule mod_headers.c>
Header unset X-Powered-By
Header unset X-Pingback
Header unset SERVER
</IfModule>
# Filter Request Methods
# See: https://perishablepress.com/disable-trace-and-track-for-better-security/
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>
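The following Python script is an added example, not part of the gist: it replays the gist's `<Files>`, `<FilesMatch>`, mod_rewrite and request-method rules against sample request paths, and audits a constructed response header set against what the mod_headers blocks are meant to produce. It is a simulation for checking the rules before deploying them (which files the `(^\.|wp-config...)` pattern really catches, what the `[S=3]` skip does, why the `.log|.txt` rule must stay in `/wp-content/.htaccess`), not Apache itself; rule names, the sample paths and the sample response are all constructed here.

```python
import posixpath
import re

# Added example (not from the gist): a plain-Python simulation of the access rules and
# header policy in the .htaccess above. Apache evaluates these phases in its own order;
# here any match means a 403 and the reason reported is the first simulated rule that fires.

FILES_DENY = {"install.php", "xmlrpc.php"}          # <Files>: exact basename match

# <FilesMatch>: PCRE search against the basename, plus the directory prefix whose
# .htaccess the gist says should carry the rule ("" = site root, i.e. every path).
def filesmatch_rules(log_txt_scope="wp-content/"):
    return [
        (r"(repair|wp-mail)\.php", ""),
        (r"\.(log|txt)$", log_txt_scope),            # gist: belongs in /wp-content/.htaccess
        (r"(^\.|wp-config(-sample)*\.php)", ""),
        (r"(liesmich.html|readme.html|license.txt|(.*)\.bak)", ""),
    ]

BLOCKED_METHODS = re.compile(r"^(TRACE|DELETE|TRACK)$", re.IGNORECASE)   # [NC]

def includes_rewrite_blocks(path):
    """Mirror the mod_rewrite block: [F] = 403, [S=3] skips the three wp-includes rules."""
    if re.search(r"^wp-admin/includes/", path):
        return True
    if not re.search(r"^wp-includes/", path):
        return False                                # [S=3]: next three rules skipped
    return any(re.search(p, path) for p in (
        r"^wp-includes/[^/]+\.php$",                # the rule to comment out on Multisite
        r"^wp-includes/js/tinymce/langs/.+\.php",
        r"^wp-includes/theme-compat/",
    ))

def deny_reason(method, path, log_txt_scope="wp-content/"):
    """Return why a request would get 403, or None if it passes.

    log_txt_scope="" models the misplacement discussed in the comments: the .log/.txt
    rule copied into the root .htaccess, where it also catches robots.txt.
    """
    rel = path.lstrip("/")
    if BLOCKED_METHODS.match(method):
        return "method filter"
    if includes_rewrite_blocks(rel):
        return "wp-includes rewrite rules"
    name = posixpath.basename(rel)                  # Files/FilesMatch only see the basename
    if name in FILES_DENY:
        return f"<Files {name}>"
    for pattern, scope in filesmatch_rules(log_txt_scope):
        if rel.startswith(scope) and re.search(pattern, name):
            return f"<FilesMatch {pattern}>"
    return None

EXPECTED = {"X-Content-Type-Options": "nosniff", "X-XSS-Protection": "1; mode=block"}
LEAKY = ("X-Powered-By", "X-Pingback", "Server")

def header_findings(path, headers):
    """Compare a captured response's (name, value) header pairs with what the
    mod_headers blocks are meant to produce; returns a list of findings."""
    got = {}
    for name, value in headers:
        got.setdefault(name.lower(), []).append(value)
    findings = [f"missing or wrong {n}" for n, v in EXPECTED.items() if got.get(n.lower()) != [v]]
    if re.search(r"/embed/$", path):                 # IS_embed: framing must stay allowed
        if "x-frame-options" in got:
            findings.append("X-Frame-Options set on an embed URL")
    elif got.get("x-frame-options") != ["SAMEORIGIN"]:
        findings.append("missing X-Frame-Options SAMEORIGIN")
    findings += [f"{n} still sent" for n in LEAKY if n.lower() in got]
    for cookie in got.get("set-cookie", []):
        flags = {f.strip().lower() for f in cookie.split(";")[1:]}
        if not {"httponly", "secure"} <= flags:
            findings.append(f"cookie without HttpOnly+Secure: {cookie.split('=')[0]}")
    return findings

# Constructed sample response (not a real capture): the headers are set, but the
# Set-Cookie edit is still commented out and PHP's banner header is still being sent.
SAMPLE_RESPONSE = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-XSS-Protection", "1; mode=block"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Powered-By", "PHP"),
    ("Set-Cookie", "wordpress_logged_in_abc=value; path=/; HttpOnly"),
]

def audit_sample():
    return header_findings("/2024/hello-world/", SAMPLE_RESPONSE)

if __name__ == "__main__":
    for req in [("GET", "/wp-config.php"), ("GET", "/robots.txt"), ("GET", "/wp-content/debug.log"),
                ("GET", "/wp-includes/ms-files.php"), ("TRACE", "/")]:
        print(req, "->", deny_reason(*req) or "allowed")
    print("robots.txt with the .log/.txt rule in the root .htaccess:", deny_reason("GET", "/robots.txt", log_txt_scope=""))
    print(audit_sample())
```

Two things the simulation makes visible that the config alone does not: with the `.log|.txt` rule scoped to `/wp-content/` a request for `/robots.txt` passes, but the same rule in the root `.htaccess` returns 403 for it, which is the ranking concern raised in the comments; and because `<Files>`/`<FilesMatch>` match only the last path component, the `^\.` pattern protects dot-files such as `.htaccess` but not files inside dot-directories, which need a separate directory-level rule.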
Curious, is this meant to be in a second .htaccess file within the wp-content? I notice if you use this in the root .htaccess it blocks robots.txt, which could affect website ranking.
Maybe rewrite Order Deny Allow with Require?
@fdenis83 Yes, this single block needs to be in a second .htaccess in /wp-content. Maybe I can set up a better solution soon.
https://gist.github.com/Zodiac1978/d25a8f3aebba7cd1c01c#file-htaccess-L28
I had an issue with this, but due to using a managed WordPress I couldn't edit the .htaccess files or they didn't seem to be working. I needed this fix because a WordPress site I administer failed a payment processor security scan with the error "Non-HttpOnly Session Cookies Identified".
I was able to pass the scan with the following gist added to my functions.php.
https://gist.github.com/dgallegos/1a7373002e5f9959315b0a6c31bd72ac
Thank you for this. It does help a lot.
However, is there a way to place the HTTP Security Headers in "wp-config.php" instead of in ".htaccess" or "functions.php"? That would really simplify what I'm working on. Each time I try it, it stops WordPress from loading.
Thank you in advance.