Created
September 8, 2021 15:43
-
-
Save devellopah/2930954d4392f7d6041dd816f408033e to your computer and use it in GitHub Desktop.
wordpress .htaccess
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<IfModule mod_rewrite.c> | |
#Close the listing of files and folders | |
Options +FollowSymLinks -Indexes | |
#Activate mod_rewrite extension | |
RewriteEngine On | |
#### @RS | |
# Block out any script trying to base64_encode data within the URL. | |
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR] | |
# Block out any script that includes a <script> tag in URL. | |
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR] | |
# Block out any script trying to set a PHP GLOBALS variable via URL. | |
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] | |
# Block out any script trying to modify a _REQUEST variable via URL. | |
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) | |
# Return 403 Forbidden header and show the content of the root homepage | |
RewriteRule .* index.php [F] | |
#### @RS | |
#### @RS | |
#Rewrite rules to block out some common exploits. | |
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR] | |
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR] | |
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2}) | |
RewriteRule ^(.*)$ index.php [F,L] | |
#### @RS | |
#### @RS | |
# Deny access to php, xml and ini files | |
# within components and plugins directories | |
RewriteCond %{REQUEST_FILENAME} -f | |
RewriteCond %{REQUEST_URI} \.php|\.ini|\.xml [NC] | |
RewriteCond %{REQUEST_URI} \/components\/ [OR] | |
RewriteCond %{REQUEST_URI} ^\/includes\/|^\/administrator\/includes\/ [OR] | |
RewriteCond %{REQUEST_URI} \/language\/ [OR] | |
RewriteCond %{REQUEST_URI} \/libraries\/ [OR] | |
RewriteCond %{REQUEST_URI} \/modules\/ [OR] | |
RewriteCond %{REQUEST_URI} \/plugins\/ [OR] | |
RewriteCond %{REQUEST_URI} \/templates\/ [OR] | |
RewriteCond %{REQUEST_URI} \/xmlrpc\/ | |
RewriteRule ^(.*)$ index.php [R=404,L] | |
#### @RS | |
#### @RS | |
# Prevent most common SQL-Injections | |
RewriteCond %{query_string} concat.*\( [NC,OR] | |
RewriteCond %{query_string} union.*select.*\( [NC,OR] | |
RewriteCond %{query_string} union.*all.*select [NC] | |
RewriteRule ^(.*)$ index.php [F,L] | |
#### @RS | |
#### @RS | |
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] | |
RewriteBase / | |
RewriteRule ^index\.php$ - [L] | |
# If the requested path and file is not /index.php and the request | |
# has not already been internally rewritten to the index.php script | |
RewriteCond %{REQUEST_URI} !^/index\.php | |
# and the request is for something within the component folder, | |
# or for the site root, or for an extensionless URL, or the | |
# requested URL ends with one of the listed extensions | |
RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw))$ [NC] | |
# and the requested path and file doesn't directly match a physical file | |
RewriteCond %{REQUEST_FILENAME} !-f | |
# and the requested path and file doesn't directly match a physical folder | |
RewriteCond %{REQUEST_FILENAME} !-d | |
# internally rewrite the request to the index.php script | |
RewriteRule . /index.php [L] | |
#### @RS | |
#### @RS | |
#PREVENT IMAGE HOTLINKING | |
RewriteCond %{HTTP_REFERER} !^$ | |
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC] | |
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC] | |
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?bing.com [NC] | |
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yahoo.com [NC] | |
RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L] | |
#### @RS | |
</IfModule> | |
<IfModule mod_setenvif.c> | |
#### @RS | |
# Block most common hacking tools | |
SetEnvIf user-agent "Indy Library" stayout=1 | |
SetEnvIf user-agent "libwww-perl" stayout=1 | |
SetEnvIf user-agent "Wget" stayout=1 | |
deny from env=stayout | |
#### @RS | |
</IfModule> | |
<IfModule mod_deflate.c> | |
# force compression for clients that mangle 'Accept-Encoding' request headers | |
<IfModule mod_setenvif.c> | |
<IfModule mod_headers.c> | |
SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding | |
RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding | |
</IfModule> | |
</IfModule> | |
# compress all output with one of the following file extensions | |
<IfModule mod_filter.c> | |
AddOutputFilterByType DEFLATE "application/atom+xml" \ | |
"application/javascript" \ | |
"application/json" \ | |
"application/ld+json" \ | |
"application/manifest+json" \ | |
"application/rdf+xml" \ | |
"application/rss+xml" \ | |
"application/schema+json" \ | |
"application/geo+json" \ | |
"application/vnd.ms-fontobject" \ | |
"application/wasm" \ | |
"application/x-font-ttf" \ | |
"application/x-javascript" \ | |
"application/x-web-app-manifest+json" \ | |
"application/xhtml+xml" \ | |
"application/xml" \ | |
"font/eot" \ | |
"font/opentype" \ | |
"font/otf" \ | |
"font/ttf" \ | |
"image/bmp" \ | |
"image/svg+xml" \ | |
"image/vnd.microsoft.icon" \ | |
"text/cache-manifest" \ | |
"text/calendar" \ | |
"text/css" \ | |
"text/html" \ | |
"text/javascript" \ | |
"text/plain" \ | |
"text/markdown" \ | |
"text/vcard" \ | |
"text/vnd.rim.location.xloc" \ | |
"text/vtt" \ | |
"text/x-component" \ | |
"text/x-cross-domain-policy" \ | |
"text/xml" | |
</IfModule> | |
# define and map media types to their appropriate encoding type | |
# Using SVG format (Scalable Vector Graphics) is highly recommended to | |
# load logos, icons, text, and simple images. You can compress .SVG files | |
# further using GZIP to create .SVGZ files. However, most browsers don’t | |
# know that they need to decompress them first if they’re not served | |
# without an appropriate ‘content-encoding’ HTTP response header. Thus, | |
# these images wouldn’t show up in the browser. Hence, this module. | |
<IfModule mod_mime.c> | |
AddType image/svg+xml svg svgz | |
AddEncoding gzip svgz | |
</IfModule> | |
</IfModule> | |
<IfModule mod_gzip.c> | |
mod_gzip_on Yes | |
mod_gzip_dechunk Yes | |
mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$ | |
mod_gzip_item_include mime ^application/x-javascript.* | |
mod_gzip_item_include mime ^text/.* | |
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.* | |
mod_gzip_item_exclude mime ^image/.* | |
mod_gzip_item_include handler ^cgi-script$ | |
</IfModule> | |
<IfModule mod_expires.c> | |
# Enable expiration control | |
ExpiresActive On | |
# Default expiration: 1 hour after request | |
ExpiresDefault "now plus 1 hour" | |
# CSS and JS expiration: 1 week after request | |
ExpiresByType text/css "now plus 1 week" | |
ExpiresByType application/javascript "now plus 1 week" | |
ExpiresByType application/x-javascript "now plus 1 week" | |
# Image files expiration: 1 month after request | |
ExpiresByType image/bmp "now plus 1 month" | |
ExpiresByType image/gif "now plus 1 month" | |
ExpiresByType image/jpeg "now plus 1 month" | |
ExpiresByType image/jp2 "now plus 1 month" | |
ExpiresByType image/pipeg "now plus 1 month" | |
ExpiresByType image/png "now plus 1 month" | |
ExpiresByType image/svg+xml "now plus 1 month" | |
ExpiresByType image/tiff "now plus 1 month" | |
ExpiresByType image/vnd.microsoft.icon "now plus 1 month" | |
ExpiresByType image/x-icon "now plus 1 month" | |
ExpiresByType image/ico "now plus 1 month" | |
ExpiresByType image/icon "now plus 1 month" | |
ExpiresByType text/ico "now plus 1 month" | |
ExpiresByType application/ico "now plus 1 month" | |
ExpiresByType image/vnd.wap.wbmp "now plus 1 month" | |
ExpiresByType application/vnd.wap.wbxml "now plus 1 month" | |
ExpiresByType application/smil "now plus 1 month" | |
# Audio files expiration: 1 month after request | |
ExpiresByType audio/basic "now plus 1 month" | |
ExpiresByType audio/mid "now plus 1 month" | |
ExpiresByType audio/midi "now plus 1 month" | |
ExpiresByType audio/mpeg "now plus 1 month" | |
ExpiresByType audio/x-aiff "now plus 1 month" | |
ExpiresByType audio/x-mpegurl "now plus 1 month" | |
ExpiresByType audio/x-pn-realaudio "now plus 1 month" | |
ExpiresByType audio/x-wav "now plus 1 month" | |
# Movie files expiration: 1 month after request | |
ExpiresByType application/x-shockwave-flash "now plus 1 month" | |
ExpiresByType x-world/x-vrml "now plus 1 month" | |
ExpiresByType video/x-msvideo "now plus 1 month" | |
ExpiresByType video/mpeg "now plus 1 month" | |
ExpiresByType video/mp4 "now plus 1 month" | |
ExpiresByType video/quicktime "now plus 1 month" | |
ExpiresByType video/x-la-asf "now plus 1 month" | |
ExpiresByType video/x-ms-asf "now plus 1 month" | |
</IfModule> | |
########## End - Optimal expiration time | |
<IfModule mod_headers.c> | |
<FilesMatch "\.(js|css|xml|gz)$"> | |
Header append Vary: Accept-Encoding | |
</FilesMatch> | |
</IfModule> | |
<FilesMatch "^.*(error_log|wp-config\.php|php.ini|\.[hH][tT][aApP].*)$"> | |
Order deny,allow | |
Deny from all | |
</FilesMatch> | |
<FilesMatch "^(readme.html|license.txt)"> | |
Order allow,deny | |
Deny from all | |
Satisfy All | |
</FilesMatch> | |
<FilesMatch "^(xmlrpc\.php)"> | |
Order deny,allow | |
Deny from all | |
</FilesMatch> | |
# START ENABLE KEEP ALIVE | |
<ifModule mod_headers.c> | |
Header set Connection keep-alive | |
</ifModule> | |
# END ENABLE KEEP ALIVE | |
# block humans.txt scans | |
<IfModule mod_rewrite.c> | |
RewriteCond %{QUERY_STRING} http\:\/\/www\.google\.com\/humans\.txt\? [NC] | |
RewriteRule .* - [F,L] | |
</IfModule> | |
Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS | |
Header always set Content-Security-Policy "upgrade-insecure-requests" | |
Header always set X-Content-Type-Options "nosniff" | |
Header always set X-XSS-Protection "1; mode=block" | |
Header always set Expect-CT "max-age=7776000, enforce" | |
Header always append X-Frame-Options SAMEORIGIN | |
Header always set Referrer-Policy: "no-referrer-when-downgrade" | |
AddDefaultCharset utf-8 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment