@diegoos
Created October 29, 2016 00:13
WordPress Security Tricks and Browser Cache on .htaccess
##### WordPress security BEGIN #####
## Disable directory browsing
Options All -Indexes
## Protect wp-config
# Apache 2.2 syntax; on Apache 2.4 this only works while mod_access_compat is loaded,
# otherwise replace the two access lines with "Require all denied".
<files wp-config.php>
order allow,deny
deny from all
</files>
## Protect .htaccess and .htpasswd (any file whose extension starts with .hta)
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
</files>
## Prevent image hotlinking. Replace mydomain.com with your own host and the last URL with any image you want to serve instead.
RewriteEngine on
# Allow requests that carry no Referer at all (direct visits, privacy settings)
RewriteCond %{HTTP_REFERER} !^$
# Allow requests referred from your own site (www or bare domain)
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?mydomain\.com [NC]
# Everyone else asking for an image gets a 302 to a custom image.
# Host that image somewhere else: if it lives on mydomain.com this rule redirects it to itself in a loop.
RewriteRule \.(jpg|jpeg|png|gif)$ http://www.somedomain.com/myimage.jpg [NC,R,L]
## Setup browser caching
<IfModule mod_expires.c>
ExpiresActive On
# image/jpg is not a registered MIME type; image/jpeg below is the one Apache actually sends
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType application/pdf "access 1 month"
# Apache's mime.types maps .js to application/javascript (or text/javascript), so scripts are not covered by this line
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresDefault "access 2 days"
</IfModule>
## Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# If the request is not under wp-includes/, skip the next three rules
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
## Protect wp-login.php with an additional HTTP Basic password (keep .htpasswd outside the web root)
<FilesMatch "^wp-login\.php$">
AuthType Basic
AuthName "restricted area"
AuthUserFile /var/www/.htpasswd
require valid-user
</FilesMatch>
##### WordPress security END #####
## Protect the wp-admin directory; <Directory> is only valid in the Apache vhost config, not in .htaccess
# Note: this also covers wp-admin/admin-ajax.php, which some plugins call for logged-out visitors
<Directory /var/www/html/wp-admin>
AuthType Basic
AuthName "Área Restrita"
AuthUserFile /var/www/.htpasswd
require valid-user
</Directory>
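An audit script, added here and not part of the gist, that sends one request per rule block to a site running this configuration and reports every rule that did not hold. The site URL, the sample image path and the foreign referer are assumed values; the 403/401 outcomes, the redirect target and the one-year max-age follow the rules above.

```python
import sys
import urllib.error
import urllib.request

# Expected outcome per rule block. Paths are WordPress defaults; the referer and the
# image path are constructed, the redirect target and max-age come from the rules above.
CHECKS = [
    # (path, request headers, expected status, expected response header prefixes)
    ("/wp-config.php", {}, 403, {}),
    ("/.htaccess", {}, 403, {}),
    ("/wp-admin/includes/file.php", {}, 403, {}),
    ("/wp-includes/version.php", {}, 403, {}),
    ("/wp-login.php", {}, 401, {"www-authenticate": "Basic"}),
    ("/wp-content/uploads/sample.jpg", {"Referer": "http://other.example/"}, 302,
     {"location": "http://www.somedomain.com/myimage.jpg"}),   # hotlink redirect
    ("/wp-content/uploads/sample.jpg", {}, 200, {"cache-control": "max-age=31536000"}),
]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for the 3xx instead of following it,
    # so the hotlink redirect itself can be inspected.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(base_url, path, req_headers):
    """One request; returns (status, lowercase response headers) even on 3xx/4xx."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(base_url.rstrip("/") + path, headers=req_headers)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def judge(check, status, headers):
    """Pure verdict for one check: list of problems, empty when the rule held."""
    path, _, want_status, want_headers = check
    problems = []
    if status != want_status:
        problems.append(f"{path}: got {status}, expected {want_status}")
    for name, prefix in want_headers.items():
        if not headers.get(name, "").startswith(prefix):
            problems.append(f"{path}: header {name}={headers.get(name)!r}, expected {prefix!r}")
    return problems


def audit(base_url):
    """Run every check against base_url (e.g. https://your-site.example); returns all problems."""
    return [p for c in CHECKS for p in judge(c, *fetch(base_url, c[0], c[1]))]
```

Run it as `python audit.py` after adding `print("\n".join(audit(sys.argv[1])) or "all rules held")`; an empty result means every block above behaved as intended on that host.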