Skip to content

Instantly share code, notes, and snippets.

Forked from Zodiac1978/.htaccess
Last active Feb 19, 2018
What would you like to do?
Safer WordPress with these .htaccess additions
# Don't show errors which contain full path diclosure (FPD)
# Use that line only if PHP is installed as a module and not per CGI
# try using a php.ini in that case.
# Change mod_php5.c to mod_php7.c if you are running PHP7
<IfModule mod_php5.c>
php_flag display_errors Off
php_value session.cookie_httponly 1
php_value session.cookie_secure 1
# Don't list directories
<IfModule mod_autoindex.c>
Options -Indexes
# Protect XMLRPC (needed for Apps, Offline-Blogging-Tools, Pingback, etc.)
# If you use that, these tools will not work anymore
<Files xmlrpc.php>
# Order Deny,Allow
# Deny from all
# If you don't use the Database Optimizing and Post-by-Email features, turn off the access too:
<FilesMatch "(repair|wp-mail)\.php">
Order Deny,Allow
Deny from all
# Prevent browser and search engines to request .log (e.g. WP DEBUG LOG) and .txt (e.g. plugins readme) files.
# Must be placed in /wp-content/.htaccess
<FilesMatch "\.(log|txt)$">
Order Allow,Deny
Deny from all
# Hide WordPress, system & sensitive files
<FilesMatch "(^\.|wp-config(-sample)*\.php)">
Order Deny,Allow
Deny from all
# Protect some other files
<FilesMatch "(liesmich.html|readme.html|(.*)\.ttf|(.*)\.bak)">
Order Deny,Allow
Deny from all
# Block the include-only files.
# Do not use in Multisite without reading the note in Codex!
# See:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
# If you run multisite, comment the next line (see note above)
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# Set some security related headers
# See: (GERMAN)
<IfModule mod_headers.c>
Header set X-Content-Type-Options nosniff
Header set X-XSS-Protection "1; mode=block"
# The line below is an advanced method for a more secure configuration, please see documentation before usage!
# Introduction:
# (German)
# Documentation:
# Analysis:
# Header set Content-Security-Policy "default-src 'self'; img-src 'self' http: https: *;"
# Allow WordPress Embed
<IfModule mod_setenvif.c>
SetEnvIf Request_URI "/embed/$" IS_embed
<IfModule mod_headers.c>
Header set X-Frame-Options SAMEORIGIN env=!REDIRECT_IS_embed
#Force secure cookies (uncomment for HTTPS)
<IfModule mod_headers.c>
#Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
#Unset headers revealing versions strings
<IfModule mod_headers.c>
Header unset X-Powered-By
Header unset X-Pingback
Header unset SERVER
# Filter Request Methods
# See:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^(.*)$ - [F,L]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment