WordPress based rules and Cache invalidation from h5bp
# ######################################################################
# # WEB PERFORMANCE                                                    #
# ######################################################################

# ----------------------------------------------------------------------
# | Compression                                                        |
# ----------------------------------------------------------------------
<IfModule mod_deflate.c>

    # Force compression for mangled `Accept-Encoding` request headers
    # https://developer.yahoo.com/blogs/ydn/pushing-beyond-gzipping-25601.html
    #
    # The first regex matches the known mangled header *names*
    # (`Accept-EncodXng`, `X-cept-Encoding`, or fifteen `X`/`~`/`-`
    # characters); the second matches the header *value* when it is a
    # gzip/deflate list or a run of 4-13 mangled characters. When both
    # match, the `HAVE_Accept-Encoding` variable is set and a clean
    # `Accept-Encoding: gzip,deflate` is appended to the request so
    # `mod_deflate` still compresses the response.

    <IfModule mod_setenvif.c>
        <IfModule mod_headers.c>
            SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
            RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
        </IfModule>
    </IfModule>

    # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    # Compress all output labeled with one of the following media types.
    #
    # (!) For Apache versions below version 2.3.7 you don't need to
    # enable `mod_filter` and can remove the `<IfModule mod_filter.c>`
    # and `</IfModule>` lines as `AddOutputFilterByType` is still in
    # the core directives.
    #
    # Only text-like types are listed; already-compressed formats (e.g.
    # most images, WOFF fonts) are deliberately absent.
    #
    # https://httpd.apache.org/docs/current/mod/mod_filter.html#addoutputfilterbytype

    <IfModule mod_filter.c>
        AddOutputFilterByType DEFLATE "application/atom+xml" \
                                      "application/javascript" \
                                      "application/json" \
                                      "application/ld+json" \
                                      "application/manifest+json" \
                                      "application/rdf+xml" \
                                      "application/rss+xml" \
                                      "application/schema+json" \
                                      "application/vnd.geo+json" \
                                      "application/vnd.ms-fontobject" \
                                      "application/x-font-ttf" \
                                      "application/x-javascript" \
                                      "application/x-web-app-manifest+json" \
                                      "application/xhtml+xml" \
                                      "application/xml" \
                                      "font/eot" \
                                      "font/opentype" \
                                      "image/bmp" \
                                      "image/svg+xml" \
                                      "image/vnd.microsoft.icon" \
                                      "image/x-icon" \
                                      "text/cache-manifest" \
                                      "text/css" \
                                      "text/html" \
                                      "text/javascript" \
                                      "text/plain" \
                                      "text/vcard" \
                                      "text/vnd.rim.location.xloc" \
                                      "text/vtt" \
                                      "text/x-component" \
                                      "text/x-cross-domain-policy" \
                                      "text/xml"
    </IfModule>

    # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    # Map the following filename extensions to the specified
    # encoding type in order to make Apache serve the file types
    # with the appropriate `Content-Encoding` response header
    # (do note that this will NOT make Apache compress them!).
    #
    # If these file types were served without an appropriate
    # `Content-Encoding` response header, client applications (e.g.:
    # browsers) wouldn't know that they first need to uncompress
    # the response, and thus, wouldn't be able to understand the
    # content.
    #
    # https://httpd.apache.org/docs/current/mod/mod_mime.html#addencoding

    <IfModule mod_mime.c>
        # `.svgz` files are pre-gzipped SVG; tell clients so.
        AddEncoding gzip svgz
    </IfModule>

</IfModule>
# ----------------------------------------------------------------------
# | Content transformation                                             |
# ----------------------------------------------------------------------

# Prevent intermediate caches or proxies (e.g.: such as the ones
# used by mobile network providers) from modifying the website's
# content.
#
# https://tools.ietf.org/html/rfc2616#section-14.9.5
#
# (!) If you are using `mod_pagespeed`, please note that setting
# the `Cache-Control: no-transform` response header will prevent
# `PageSpeed` from rewriting `HTML` files, and, if the
# `ModPagespeedDisableRewriteOnNoTransform` directive isn't set
# to `off`, also from rewriting other resources.
#
# https://developers.google.com/speed/pagespeed/module/configuration#notransform

# <IfModule mod_headers.c>
#     Header merge Cache-Control "no-transform"
# </IfModule>

# ----------------------------------------------------------------------
# | ETags                                                              |
# ----------------------------------------------------------------------

# Remove `ETags` as resources are sent with far-future expires headers.
#
# https://developer.yahoo.com/performance/rules.html#etags
# https://tools.ietf.org/html/rfc7232#section-2.3

# `FileETag None` doesn't work in all cases.
<IfModule mod_headers.c>
    # Strip any `ETag` that is still emitted, since `FileETag None`
    # below does not cover every case.
    Header unset ETag
</IfModule>

# Stop the core from generating `ETag` headers for static files.
FileETag None
# ----------------------------------------------------------------------
# | Expires headers                                                    |
# ----------------------------------------------------------------------

# Serve resources with far-future expires headers.
#
# (!) If you don't control versioning with filename-based
# cache busting, you should consider lowering the cache times
# to something like one week.
#
# https://httpd.apache.org/docs/current/mod/mod_expires.html
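<IfModule mod_expires.c>

    ExpiresActive on

    # Anything whose type is not listed below is cacheable for a month.
    ExpiresDefault                                      "access plus 1 month"

    # `access plus 0 seconds` sets the expiry to the access time itself,
    # so clients must revalidate such responses on every use.

  # CSS
    ExpiresByType text/css                              "access plus 1 year"

  # Data interchange
    ExpiresByType application/atom+xml                  "access plus 1 hour"
    ExpiresByType application/rdf+xml                   "access plus 1 hour"
    ExpiresByType application/rss+xml                   "access plus 1 hour"

    ExpiresByType application/json                      "access plus 0 seconds"
    ExpiresByType application/ld+json                   "access plus 0 seconds"
    ExpiresByType application/schema+json               "access plus 0 seconds"
    ExpiresByType application/vnd.geo+json              "access plus 0 seconds"
    ExpiresByType application/xml                       "access plus 0 seconds"
    ExpiresByType text/xml                              "access plus 0 seconds"

  # Favicon (cannot be renamed!) and cursor images
    ExpiresByType image/vnd.microsoft.icon              "access plus 1 week"
    ExpiresByType image/x-icon                          "access plus 1 week"

  # HTML
    ExpiresByType text/html                             "access plus 0 seconds"

  # JavaScript
    ExpiresByType application/javascript                "access plus 1 year"
    ExpiresByType application/x-javascript              "access plus 1 year"
    ExpiresByType text/javascript                       "access plus 1 year"

  # Manifest files
    ExpiresByType application/manifest+json             "access plus 1 week"
    ExpiresByType application/x-web-app-manifest+json   "access plus 0 seconds"
    ExpiresByType text/cache-manifest                   "access plus 0 seconds"

  # Media files
    ExpiresByType audio/ogg                             "access plus 1 month"
    ExpiresByType image/bmp                             "access plus 1 month"
    ExpiresByType image/gif                             "access plus 1 month"
    ExpiresByType image/jpeg                            "access plus 1 month"
    ExpiresByType image/png                             "access plus 1 month"
    ExpiresByType image/svg+xml                         "access plus 1 month"
    ExpiresByType image/webp                            "access plus 1 month"
    ExpiresByType video/mp4                             "access plus 1 month"
    ExpiresByType video/ogg                             "access plus 1 month"
    ExpiresByType video/webm                            "access plus 1 month"

  # Web fonts
  #
  # The `font/*` names are the IANA-registered types (RFC 8081); the
  # `application/*` spellings are the legacy ones still produced by
  # older MIME maps, so both are listed for each format.

    # Embedded OpenType (EOT)
    ExpiresByType application/vnd.ms-fontobject         "access plus 1 month"
    ExpiresByType font/eot                              "access plus 1 month"

    # OpenType
    ExpiresByType font/opentype                         "access plus 1 month"
    ExpiresByType font/otf                              "access plus 1 month"

    # TrueType
    ExpiresByType application/x-font-ttf                "access plus 1 month"
    ExpiresByType font/ttf                              "access plus 1 month"

    # Web Open Font Format (WOFF) 1.0
    ExpiresByType application/font-woff                 "access plus 1 month"
    ExpiresByType application/x-font-woff               "access plus 1 month"
    ExpiresByType font/woff                             "access plus 1 month"

    # Web Open Font Format (WOFF) 2.0
    ExpiresByType application/font-woff2                "access plus 1 month"
    ExpiresByType font/woff2                            "access plus 1 month"

  # Other
    ExpiresByType text/x-cross-domain-policy            "access plus 1 week"

</IfModule>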
# ----------------------------------------------------------------------
# | File concatenation                                                 |
# ----------------------------------------------------------------------

# Allow concatenation from within specific files.
#
# e.g.:
#
#   If you have the following lines in a file called, for
#   example, `main.combined.js`:
#
#       <!--#include file="js/jquery.js" -->
#       <!--#include file="js/jquery.timer.js" -->
#
#   Apache will replace those lines with the content of the
#   specified files.

# <IfModule mod_include.c>
#     <FilesMatch "\.combined\.js$">
#         Options +Includes
#         AddOutputFilterByType INCLUDES application/javascript \
#                                        application/x-javascript \
#                                        text/javascript
#         SetOutputFilter INCLUDES
#     </FilesMatch>
#     <FilesMatch "\.combined\.css$">
#         Options +Includes
#         AddOutputFilterByType INCLUDES text/css
#         SetOutputFilter INCLUDES
#     </FilesMatch>
# </IfModule>

# ----------------------------------------------------------------------
# | Filename-based cache busting                                       |
# ----------------------------------------------------------------------

# If you're not using a build process to manage your filename version
# revving, you might want to consider enabling the following directives
# to route all requests such as `/style.12345.css` to `/style.css`.
#
# To understand why this is important and even a better solution than
# using something like `*.css?v231`, please see:
# http://www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/

# <IfModule mod_rewrite.c>
#     RewriteEngine On
#     RewriteCond %{REQUEST_FILENAME} !-f
#     RewriteRule ^(.+)\.(\d+)\.(bmp|css|cur|gif|ico|jpe?g|js|png|svgz?|webp|webmanifest)$ $1.$3 [L]
# </IfModule>
# ######################################################################
# # WORDPRESS                                                          #
# ######################################################################

# ----------------------------------------------------------------------
# | Redirect all requests to home_url()                                |
# ----------------------------------------------------------------------

# http://moz.com/blog/301-redirect-or-relcanonical-which-one-should-you-use
#
# (!) `%{ENV:PROTO}` is not set anywhere in this file. Define it first
# (h5bp's `https://`-forcing rules set it to the request scheme) or
# replace it with a literal scheme before enabling these rules;
# otherwise the redirect target becomes a malformed
# `://www.example.com/...`.

# <IfModule mod_rewrite.c>
#     RewriteCond %{HTTP_HOST} !^www\.example\.com$
#     RewriteRule ^ %{ENV:PROTO}://www.example.com%{REQUEST_URI} [R=301,L]
#
#     RewriteCond %{THE_REQUEST} index(\.php)?
#     RewriteRule ^index(\.php)?$ %{ENV:PROTO}://www.example.com/ [R=301,L]
# </IfModule>

# ----------------------------------------------------------------------
# | Block potentially unwanted or undesired requests                   |
# ----------------------------------------------------------------------

# Many of these were taken from iThemes Security
# https://github.com/wp-plugins/better-wp-security/blob/master/modules/free/tweaks/class-itsec-tweaks-admin.php

# <IfModule mod_rewrite.c>
#     # Block HTTP request methods that are unused by browsers.
#     # (!) This also rejects OPTIONS, PUT, DELETE and PATCH, so CORS
#     # preflight requests and REST clients that use those methods fail.
#     RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD) [NC]
#     RewriteRule ^(.*)$ - [F]
#
#     # Block suspicious queries. These are broad substring blocklists
#     # and will also reject legitimate requests, e.g. any query string
#     # containing `http:`, `request`, `insert`, `union` or `127.0`.
#     RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
#     RewriteCond %{QUERY_STRING} ^.*\.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
#     RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
#     RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
#     RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
#     RewriteCond %{QUERY_STRING} http\: [NC,OR]
#     RewriteCond %{QUERY_STRING} https\: [NC,OR]
#     RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
#     RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
#     RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
#     RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
#     RewriteCond %{QUERY_STRING} ^.*(127\.0).* [NC,OR]
#     RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
#     RewriteCond %{QUERY_STRING} ^.*(request|concat|insert|union|declare).* [NC]
#     RewriteCond %{QUERY_STRING} !^loggedout=true
#     RewriteCond %{QUERY_STRING} !^action=jetpack-sso
#     RewriteCond %{QUERY_STRING} !^action=rp
#     RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
#     RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com(.*)$
#     RewriteRule ^(.*)$ - [F]
#
#     # Block foreign characters in queries. The patterns reject any
#     # percent-encoded byte in %00-%0F or %A0-%FF, which includes every
#     # UTF-8 lead byte, so non-ASCII search terms are blocked as well.
#     RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F).* [NC]
#     RewriteRule ^(.*)$ - [F]
# </IfModule>

# ----------------------------------------------------------------------
# | Block outside access to WordPress includes files                   |
# ----------------------------------------------------------------------
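<IfModule mod_rewrite.c>
    # Per-directory rewriting must be switched on explicitly; no other
    # active directive in this file enables it. WordPress's generated
    # rewrite block normally does, but these rules should not depend on
    # its presence or position.
    RewriteEngine On

    # Never serve anything under wp-admin/includes/ directly.
    RewriteRule ^wp-admin/includes/ - [F,L]

    # Requests outside wp-includes/ skip the next three RewriteRules
    # (S=3), so only wp-includes/ paths reach the checks below.
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]

    # Top-level wp-includes/*.php is blocked, except ms-files.php (the
    # multisite upload handler). The `.` is escaped so only that exact
    # filename is exempted; a RewriteCond is not a RewriteRule and does
    # not count towards the S=3 skip above.
    RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-includes/ms-files\.php
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
</IfModule>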
# ----------------------------------------------------------------------
# | Block sensitive WordPress files                                    |
# ----------------------------------------------------------------------
<FilesMatch "^(wp-config\.php|readme\.html|license\.txt|licencia\.txt|install\.php)">
    # The pattern is matched against the basename and anchored only at
    # the start, so backup/editor copies such as `wp-config.php.bak` or
    # `wp-config.php~` are denied as well.

    # Apache < 2.3 (legacy `Order`/`Deny` access control)
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
        # `Satisfy All` keeps the host-based denial mandatory even when an
        # authentication requirement is also configured for the path.
        Satisfy All
    </IfModule>

    # Apache ≥ 2.3 (`mod_authz_core`)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
</FilesMatch>