Last active
August 24, 2021 18:37
-
-
Save inetbiz/0c7d2915cb0f620088e2646e6db85e28 to your computer and use it in GitHub Desktop.
WordPress Security & Optimization in htaccess and Robots.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # BEGIN WordPress https://wordpress.org/support/article/htaccess/ | |
| <Files xmlrpc.php> | |
| Order Deny,Allow | |
| Deny from all | |
| Allow [ Trusted Domains/IPs ] | |
| </Files> | |
| # FINISH XML RPC BLOCKING | |
| RewriteEngine On | |
| RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] | |
| RewriteBase / | |
| RewriteRule ^index\.php$ - [L] | |
| RewriteCond %{REQUEST_FILENAME} !-f | |
| RewriteCond %{REQUEST_FILENAME} !-d | |
| RewriteRule . /index.php [L] | |
| # END WordPress | |
| # Mod Headers | |
| # Use HTTP Strict Transport Security to force client to use secure connections only Apache** | |
| Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" | |
| # Apache Keep-Alive | |
| Header set Connection keep-alive | |
| # START – Disable server signature # | |
| ServerSignature email | |
| # Set Character Set | |
| AddDefaultCharset UTF-8 | |
| # Security | |
| Header set Content-Security-Policy "default-src self" | |
| Header always set X-Frame-Options SAMEORIGIN | |
| Header set X-XSS-Protection "1" | |
| Header set X-Content-Type-Options nosniff | |
| Header set Referrer-Policy: no-referrer-when-downgrade | |
| # CORS | |
| Header set Access-Control-Allow-Origin "*" | |
| Header set Access-Control-Allow-Methods "GET,PUT,POST,DELETE" | |
| Header set Access-Control-Allow-Headers "Content-Type, Authorization" | |
| # Set Server Timezone | |
| SetEnv TZ America/Chicago | |
| # BEGIN DEFLATE COMPRESSION | |
| <IfModule mod_deflate.c> | |
| # Compress HTML, CSS, JavaScript, Text, XML, Fonts, JSON | |
| <IfModule mod_deflate.c> | |
| AddOutputFilterByType DEFLATE "application/atom+xml" \ | |
| "application/javascript" \ | |
| "application/json" \ | |
| "application/ld+json" \ | |
| "application/manifest+json" \ | |
| "application/rdf+xml" \ | |
| "application/rss+xml" \ | |
| "application/schema+json" \ | |
| "application/vnd.geo+json" \ | |
| "application/vnd.ms-fontobject" \ | |
| "application/x-font" \ | |
| "application/x-font-opentype" \ | |
| "application/x-font-otf" \ | |
| "application/x-font-truetype" \ | |
| "application/x-font-ttf" \ | |
| "application/x-javascript" \ | |
| "application/x-web-app-manifest+json" \ | |
| "application/xhtml+xml" \ | |
| "application/xml" \ | |
| "font/eot" \ | |
| "font/otf" \ | |
| "font/ttf" \ | |
| "font/opentype" \ | |
| "image/bmp" \ | |
| "image/svg+xml" \ | |
| "image/vnd.microsoft.icon" \ | |
| "image/x-icon" \ | |
| "text/cache-manifest" \ | |
| "text/css" \ | |
| "text/html" \ | |
| "text/javascript" \ | |
| "text/plain" \ | |
| "text/vcard" \ | |
| "text/vnd.rim.location.xloc" \ | |
| "text/vtt" \ | |
| "text/x-component" \ | |
| "text/x-cross-domain-policy" \ | |
| "text/xml" | |
| </IfModule> | |
| </IfModule> | |
| # END DEFLATE COMPRESSION | |
| #BEGIN EXPIRES HEADERS | |
| <IfModule mod_expires.c> | |
| # Enable expirations | |
| ExpiresActive On | |
| # Default expiration: 1 hour after request | |
| ExpiresDefault "now plus 1 hour" | |
| # CSS, HTML, JS expiration: 1 week after request | |
| ExpiresByType text/css "now plus 1 week" | |
| ExpiresByType text/html "access 1 month" | |
| ExpiresByType application/javascript "now plus 1 week" | |
| ExpiresByType application/x-javascript "now plus 1 week" | |
| # Image files expiration: 1 month after request | |
| ExpiresByType image/bmp "now plus 1 month" | |
| ExpiresByType image/gif "now plus 1 month" | |
| ExpiresByType image/jpeg "now plus 1 month" | |
| ExpiresByType image/jp2 "now plus 1 month" | |
| ExpiresByType image/pipeg "now plus 1 month" | |
| ExpiresByType image/png "now plus 1 month" | |
| ExpiresByType image/svg+xml "now plus 1 month" | |
| ExpiresByType image/tiff "now plus 1 month" | |
| ExpiresByType image/vnd.microsoft.icon "now plus 1 month" | |
| ExpiresByType image/x-icon "now plus 1 month" | |
| ExpiresByType image/ico "now plus 1 month" | |
| ExpiresByType image/icon "now plus 1 month" | |
| ExpiresByType text/ico "now plus 1 month" | |
| ExpiresByType image/svg+xml "access plus 1 month" | |
| ExpiresByType audio/ogg "access plus 1 year" | |
| ExpiresByType video/mp4 "access plus 1 year" | |
| ExpiresByType video/ogg "access plus 1 year" | |
| ExpiresByType video/webm "access plus 1 year" | |
| # Webfonts | |
| ExpiresByType font/truetype "access plus 1 month" | |
| ExpiresByType font/opentype "access plus 1 month" | |
| ExpiresByType application/x-font-woff "access plus 1 month" | |
| ExpiresByType image/svg+xml "access plus 1 month" | |
| ExpiresByType application/vnd.ms-fontobject "access plus 1 month" | |
| # Feeds | |
| ExpiresByType application/atom+xml "access plus 1 hour" | |
| ExpiresByType application/rss+xml "access plus 1 hour" | |
| # Media Other | |
| ExpiresByType application/pdf "access 1 month" | |
| </IfModule> | |
| #END EXPIRES HEADERS | |
| Cache-Control | |
| # BEGIN Cache-Control Headers | |
| <ifModule mod_headers.c> | |
| <filesMatch "\.(ico|jpe?g|png|gif|swf)$"> | |
| Header set Cache-Control "max-age=2592000, public" | |
| </filesMatch> | |
| <filesMatch "\.(css)$"> | |
| Header set Cache-Control "max-age=604800, public" | |
| </filesMatch> | |
| <filesMatch "\.(js)$"> | |
| Header set Cache-Control "max-age=216000, private" | |
| </filesMatch> | |
| <filesMatch "\.(x?html?|php)$"> | |
| Header set Cache-Control "max-age=600, private, must-revalidate" | |
| </filesMatch> | |
| </ifModule> | |
| # END Cache-Control Headers | |
| # Prevent Hot-linked Images | |
| RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com(/)? [NC] | |
| RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com(/)? [NC] | |
| RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yahoo.com(/)? [NC] | |
| RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?bing.com(/)? [NC] | |
| RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?facebook.com(/)? [NC] | |
| RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?pinterest.com(/)? [NC] | |
| RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?twitter.com(/)? [NC] | |
| RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?duckduckgo.com(/)? [NC] | |
| RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?alexa.com(/)? [NC] | |
| RewriteCond %{HTTP_USER_AGENT} !^.*(googlebot-image|google favicon|mediapartners-googlegooglebot).*$ [NC] | |
| RewriteCond %{HTTP_USER_AGENT} !^.*slurp.*$ [NC] | |
| RewriteCond %{HTTP_USER_AGENT} !^.*bingbot.*$ [NC] | |
| RewriteCond %{HTTP_USER_AGENT} !^.*facebookexternalhit.*$ [NC] | |
| RewriteCond %{HTTP_USER_AGENT} !^.*pinterestbot.*$ [NC] | |
| RewriteCond %{HTTP_USER_AGENT} !^.*twitterbot.*$ [NC] | |
| RewriteCond %{HTTP_USER_AGENT} !^.*duckduckbot.*$ [NC] | |
| RewriteCond %{HTTP_USER_AGENT} !^.*ia_archiver.*$ [NC] | |
| RewriteRule \.(gif|jpg|jpeg|bmp|zip|rar|mp3|flv|swf|xml|php|png|css|pdf)$ - [F] | |
| # Images Exploit | |
| RewriteCond %{HTTP:Content-Disposition} \.php [NC] | |
| RewriteCond %{HTTP:Content-Type} image/.+ [NC] | |
| RewriteRule .? - [F,NS,L] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| User-Agent: * | |
| Allow: /wp-content/uploads/ | |
| Disallow: /wp-content/plugins/ | |
| Disallow: /wp-admin/ | |
| Disallow: /readme.html | |
| Disallow: /license.txt | |
| Disallow: /refer/ | |
| # Sitemap modify your domain | |
| Sitemap: https://www.example.com/sitemap_index.xml |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment