Last active
February 3, 2016 13:34
-
-
Save cdsalmons/dadce2a0357729362124 to your computer and use it in GitHub Desktop.
Wordpress htaccess File
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <IfModule mod_headers.c> | |
| # Use HTTP Strict Transport Security to force client to use secure connections only | |
| Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains" | |
| </IfModule> | |
| SSLHonorCipherOrder On | |
| SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2 | |
| #SSLProtocol ALL -TLSv1 -SSLv2 | |
| # CVE-2011-3389 | |
| SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown | |
| # BEGIN WordPress | |
| <IfModule mod_rewrite.c> | |
| RewriteEngine On | |
| RewriteBase / | |
| RewriteRule ^index.php$ - [L] | |
| RewriteRule ^login/?$ /wp-login.php [QSA,L] | |
| RewriteCond %{REQUEST_FILENAME} !-f | |
| RewriteCond %{REQUEST_FILENAME} !-d | |
| RewriteRule . /index.php [L] | |
| </IfModule> | |
| # END WordPress | |
| ####################### | |
| # Hardening WordPress # | |
| ####################### | |
| # <files wp-config.php> | |
| # Order allow,deny | |
| # Deny from all | |
| # </files> | |
| # <files readme.html> | |
| # Order allow,deny | |
| # Deny from all | |
| # </files> | |
| # <files license.txt> | |
| # Order allow,deny | |
| # Deny from all | |
| # </files> | |
| <FilesMatch "^(wp-config.php|readme.html|license.txt)"> | |
| Order allow,deny | |
| Deny from all | |
| Satisfy All | |
| </FilesMatch> | |
| # Block the include-only files. | |
| <IfModule mod_rewrite.c> | |
| RewriteEngine On | |
| RewriteBase / | |
| RewriteRule ^wp-admin/includes/ - [F,L] | |
| RewriteRule !^wp-includes/ - [S=3] | |
| RewriteRule ^wp-includes/[^/]+.php$ - [F,L] | |
| RewriteRule ^wp-includes/js/tinymce/langs/.+.php - [F,L] | |
| RewriteRule ^wp-includes/theme-compat/ - [F,L] | |
| </IfModule> | |
| # Block access to wp-login.php | |
| # <Files wp-login.php> | |
| # Order Deny,Allow | |
| # Deny from all | |
| # Allow from xx.xx.xx.xx | |
| # </Files> | |
| # Block access to the following file types, i.e. filename.type | |
| <FilesMatch "(^#.*#|.(bak|config|dist|txt|zip|eot|otf|ttc|ttf|woff|inc|phps|ini|log|psd|sh|sql)|~)$"> | |
| Order allow,deny | |
| Deny from all | |
| Satisfy All | |
| </FilesMatch> | |
| # Disallow directory listing | |
| <IfModule mod_autoindex.c> | |
| Options -Indexes | |
| </IfModule> | |
| # Block outside domain names from using the POST method | |
| #<IfModule mod_rewrite.c> | |
| # RewriteEngine On | |
| # RewriteCond %{REQUEST_METHOD} POST | |
| # RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login).php* | |
| # RewriteCond %{HTTP_REFERER} !.*domain.com.* [OR] | |
| # RewriteCond %{HTTP_USER_AGENT} ^$ | |
| # RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L] | |
| #</ifModule> | |
| # Security Headers - X-Content-Type: nosniff | |
| # https://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx | |
| <IfModule mod_headers.c> | |
| Header set X-Content-Type-Options nosniff | |
| </IfModule> | |
| # Security Headers - X-Frame-Options | |
| # Prevents ClickJacking - Prevents an attacker from iframing your content | |
| # https://blog.mozilla.org/security/2013/12/12/on-the-x-frame-options-security-header/ | |
| # <IfModule mod_headers.c> | |
| # Header always append X-Frame-Options SAMEORIGIN | |
| # </IfModule> | |
| # Security Headers - X-XSS-Protection | |
| # Protects against some types of XSS (cross-site scripting) attacks | |
| <IfModule mod_headers.c> | |
| Header set X-XSS-Protection "1; mode=block" | |
| </IfModule> | |
| ############################ | |
| # Performance Optimization # | |
| ############################ | |
| # Leverage Browser Caching by setting HTTP header expires | |
| <IfModule mod_expires.c> | |
| ExpiresActive On | |
| ExpiresByType image/jpg "access plus 1 year" | |
| ExpiresByType image/jpeg "access plus 1 year" | |
| ExpiresByType image/gif "access plus 1 year" | |
| ExpiresByType image/png "access plus 1 year" | |
| ExpiresByType text/css "access plus 1 month" | |
| ExpiresByType application/pdf "access plus 1 month" | |
| ExpiresByType text/x-javascript "access plus 1 month" | |
| ExpiresByType application/javascript "access plus 1 month" | |
| ExpiresByType text/javascript "access plus 1 month" | |
| ExpiresByType application/x-shockwave-flash "access plus 1 month" | |
| ExpiresByType image/x-icon "access plus 1 year" | |
| ExpiresDefault "access plus 2 days" | |
| </IfModule> | |
| # Use UTF-8 encoding | |
| <FilesMatch "\.(htm|html|css|js|php)$"> | |
| AddDefaultCharset UTF-8 | |
| DefaultLanguage en-US | |
| </FilesMatch> | |
| # Force the use of UTF-8 encoding | |
| <IfModule mod_mime.c> | |
| AddCharset utf-8 .css .js | |
| </IfModule> | |
| # Specify a Vary: Accept-Encoding header | |
| <IfModule mod_headers.c> | |
| <FilesMatch ".(js|css|xml|gz)$"> | |
| Header append Vary: Accept-Encoding | |
| </FilesMatch> | |
| </IfModule> | |
| # Use the GZIP Apache module | |
| <ifModule mod_gzip.c> | |
| mod_gzip_on Yes | |
| mod_gzip_dechunk Yes | |
| mod_gzip_item_include file .(html?|txt|css|js|php|pl)$ | |
| mod_gzip_item_include handler ^cgi-script$ mod_gzip_item_include mime ^text/.* | |
| mod_gzip_item_include mime ^application/x-javascript.* | |
| mod_gzip_item_exclude mime ^image/.* | |
| mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.* | |
| </ifModule> | |
| # Enable DEFALTE | |
| <IfModule mod_deflate.c> | |
| AddOutputFilter DEFLATE js css | |
| AddOutputFilterByType DEFLATE text/plain | |
| AddOutputFilterByType DEFLATE text/html | |
| AddOutputFilterByType DEFLATE text/xml | |
| AddOutputFilterByType DEFLATE text/css | |
| AddOutputFilterByType DEFLATE text/javascript | |
| AddOutputFilterByType DEFLATE application/xml | |
| AddOutputFilterByType DEFLATE application/xhtml+xml | |
| AddOutputFilterByType DEFLATE application/rss+xml | |
| AddOutputFilterByType DEFLATE application/javascript | |
| AddOutputFilterByType DEFLATE application/x-javascript | |
| BrowserMatch ^Mozilla/4 gzip-only-text/html | |
| BrowserMatch ^Mozilla/4.0[678] no-gzip | |
| BrowserMatch bMSIE !no-gzip !gzip-only-text/html | |
| Header append Vary User-Agent | |
| </IfModule> | |
| # Keep alive for persistent connections | |
| # <IfModule mod_headers.c> | |
| # Header set Connection Keep-Alive | |
| # </IfModule> | |
| # ============================================== | |
| # some security rules | |
| <IfModule mod_rewrite.c> | |
| RewriteEngine On | |
| # prevent php execution in uploads | |
| RewriteRule /uploads/.*\.php - [F] | |
| # login and signup page protection -- thanks to BulletProof Security | |
| # reject spambots, hackerbots & proxies that use server protocol HTTP/1.0 or a blank user agent | |
| RewriteCond %{REQUEST_URI} /wp-(login|signup)\.php | |
| RewriteCond %{HTTP_USER_AGENT} ^$ [OR] | |
| RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR] | |
| RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$ | |
| RewriteRule . - [F] | |
| # Rules to help reduce spam | |
| RewriteCond %{REQUEST_METHOD} POST | |
| RewriteCond %{REQUEST_URI} /wp-comments-post\.php | |
| #RewriteCond %{HTTP_REFERER} !^.*com.* | |
| #RewriteCond %{HTTP_REFERER} !^http://jetpack\.wordpress\.com/jetpack-comment/ [OR] | |
| #RewriteCond %{HTTP_USER_AGENT} ^$ | |
| RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR] | |
| RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$ | |
| RewriteRule . - [F] | |
| # stop all access to the XML RPC API (e.g. pingbacks, but also apps!) | |
| RewriteCond %{REQUEST_URI} /xmlrpc\.php | |
| # uncomment next line to block bots with no user agent (browser version string) | |
| #RewriteCond %{HTTP_USER_AGENT} ^$ [OR] | |
| RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR] | |
| RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$ | |
| RewriteRule . - [F] | |
| # common vulnerabilities not permitted, scripts not found in WordPress | |
| RewriteCond %{REQUEST_URI} /(login\.php|hello\.php|helo\.php|register\.php|tiki-register\.php|doku\.php|signup\.php|reg\.asp|Class/Post\.asp|post\.asp)$ | |
| RewriteRule . - [F] | |
| # Latest vulnerabilities not permitted | |
| RewriteCond %{REQUEST_URI} /(helo\.zip|wellsfargo\.zip|sitek\.php|Manix\.php|wp-inc\.php|filez\.zip|ourtime\.zip|wp-app\.php|newfile\.php|other\.php)$ | |
| RewriteRule . - [F] | |
| # spam botnet mounting some sort of attack | |
| # @link http://webmasters.stackexchange.com/q/58871/38641 | |
| RewriteCond %{REQUEST_URI} /RK=0/RS= | |
| RewriteRule . - [F] | |
| # Stop Crawler Spam | |
| RewriteCond %{HTTP_REFERER} semalt\.com [NC,OR] | |
| RewriteCond %{HTTP_REFERER} 100dollars\-seo\.com [NC,OR] | |
| RewriteCond %{HTTP_REFERER} best\-seo\-solution\.com [NC,OR] | |
| RewriteCond %{HTTP_REFERER} buttons\-for\-your\-website\.com [NC,OR] | |
| RewriteCond %{HTTP_REFERER} forum69\.info [NC,OR] | |
| RewriteCond %{HTTP_REFERER} buttons\-for\-website\.com [NC,OR] | |
| RewriteCond %{HTTP_REFERER} ranksonic\.com [NC,OR] | |
| RewriteCond %{HTTP_REFERER} 7makemoneyonline\.com [NC,OR] | |
| RewriteCond %{HTTP_REFERER} sharebutton\.net [NC,OR] | |
| RewriteCond %{HTTP_REFERER} sitevaluation\.org [NC,OR] | |
| RewriteCond %{HTTP_REFERER} dailyrank\.net [NC,OR] | |
| RewriteCond %{HTTP_REFERER} videos\-for\-your\-business\.com [NC,OR] | |
| RewriteCond %{HTTP_REFERER} semaltmedia\.com [NC,OR] | |
| RewriteCond %{HTTP_REFERER} best\-seo\-offer\.com [NC] | |
| RewriteRule .* - [F] | |
| # Block attackers by agents | |
| RewriteCond %{HTTP_USER_AGENT} ^.*WinHttp\.WinHttpRequest\.5.*$ | |
| RewriteRule .* http://%{REMOTE_ADDR}/ [R,L] | |
| </IfModule> | |
| # set correct mime types for some files | |
| AddType image/svg+xml .svg | |
| AddType application/font-woff .woff | |
| AddType application/x-font-ttf .ttf | |
| AddType application/vnd.ms-fontobject .eot | |
| AddType application/octet-stream .otf | |
| AddType text/x-component .htc | |
| # Secure /uploads/ directory from unwanted file types | |
| <Files ~ ".*..*"> | |
| Order Allow,Deny | |
| Deny from all | |
| </Files> | |
| <FilesMatch ".(jpg|jpeg|jpe|gif|png|tif|tiff)$"> | |
| Order Deny,Allow | |
| Allow from all | |
| </FilesMatch> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment