-
-
Save glueckpress/db55237fff3028a69de646ec68d7b4c1 to your computer and use it in GitHub Desktop.
[WordPress] Security-related sort of stuff. **REVIEW AND EDIT BEFORE COPY-PASTING!**
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Don’t show errors which contain full path diclosure (FPD) | |
| # Use that line only if PHP is installed as a module and not per CGI | |
| # try using a php.ini in that case. | |
| # CHANGE mod_php5.c TO mod_php7.c IF YOU RUN PHP7. | |
| <IfModule mod_php5.c> | |
| php_flag display_errors Off | |
| </IfModule> | |
| # Protect XMLRPC (needed for apps, offline blogging tools, pingback, etc.) | |
| # If you use that, these tools will not work anymore | |
| <Files xmlrpc.php> | |
| Order Deny,Allow | |
| Deny from all | |
| </Files> | |
| # Don’t list directories | |
| <IfModule mod_autoindex.c> | |
| Options -Indexes | |
| </IfModule> | |
| # Protect all readme.txt files from all plugins | |
| <Files readme.txt> | |
| Order allow,deny | |
| Deny from all | |
| </Files> | |
| # Protect wp-config.php and other files | |
| <FilesMatch "(.htaccess|.htpasswd|wp-config.php|liesmich.html|readme.html|(.*)\.ttf|(.*)\.bak|(.*)\.log)"> | |
| Order deny,allow | |
| Deny from all | |
| </FilesMatch> | |
| # Block include-only files. | |
| # Don’t use on Multisite without reading this Codex note! | |
| # See: http://codex.wordpress.org/Hardening_WordPress#Securing_wp-admin | |
| <IfModule mod_rewrite.c> | |
| RewriteEngine On | |
| RewriteBase / | |
| RewriteRule ^wp-admin/includes/ - [F,L] | |
| RewriteRule !^wp-includes/ - [S=3] | |
| RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] | |
| RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L] | |
| RewriteRule ^wp-includes/theme-compat/ - [F,L] | |
| </IfModule> | |
| # Set some security related headers | |
| # See: http://de.slideshare.net/walterebert/die-htaccessrichtignutzenwchh2014 (GERMAN) | |
| <IfModule mod_headers.c> | |
| Header set X-Content-Type-Options nosniff | |
| Header set X-XSS-Protection "1; mode=block" | |
| Header set Content-Security-Policy "default-src 'self'; img-src 'self' http: https: *.gravatar.com;" | |
| </IfModule> | |
| # Allow WordPress Embed | |
| # https://gist.github.com/sergejmueller/3c4351ec29576fb441fe | |
| <IfModule mod_setenvif.c> | |
| SetEnvIf Request_URI "/embed/$" IS_embed | |
| <IfModule mod_headers.c> | |
| Header set X-Frame-Options SAMEORIGIN env=!REDIRECT_IS_embed | |
| </IfModule> | |
| </IfModule> | |
| # Force secure cookies (uncomment for HTTPS) | |
| <IfModule mod_headers.c> | |
| # Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure | |
| </IfModule> | |
| # Unset headers revealing versions strings | |
| <IfModule mod_headers.c> | |
| Header unset X-Powered-By | |
| Header unset X-Pingback | |
| Header unset SERVER | |
| </IfModule> | |
| # Filter Request Methods | |
| # See: https://perishablepress.com/disable-trace-and-track-for-better-security/ | |
| <IfModule mod_rewrite.c> | |
| RewriteEngine on | |
| RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC] | |
| RewriteRule ^(.*)$ - [F,L] | |
| </IfModule> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment