WordPress secure .htaccess
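# Directory listings off. The original `Options All -Indexes` mixes a bare
# keyword with a +/- form, which Apache 2.4 rejects (a 500 when it comes from
# .htaccess); where it is accepted, `All` also turns on ExecCGI, Includes and
# FollowSymLinks for the whole tree. Only Indexes is removed here and the rest
# is inherited from the server config.
# NOTE(review): mod_rewrite in .htaccess needs FollowSymLinks or
# SymLinksIfOwnerMatch to be in effect; if the parent config does not provide
# it, use `Options -Indexes +FollowSymLinks` instead.
Options -Indexes

# No direct HTTP access to the rewrite rules or to the WordPress configuration
# file. Apache 2.4 uses Require (mod_authz_core); the Order/Deny pair is 2.2
# syntax that 2.4 only accepts with mod_access_compat loaded, so both forms
# are given.
<Files .htaccess>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>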
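<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# Canonical host: non-www requests are sent to www with the scheme preserved.
# %{HTTPS}s reads "ons" over TLS and "offs" otherwise; the optional group puts
# the trailing "s" into %1, giving https:// or http:// in the target.
# NOTE(review): the target echoes the client's Host header. If this vhost is
# also the server default, pin the canonical host name here instead.
RewriteCond %{HTTP_HOST} !^www\.
RewriteCond %{HTTPS}s ^on(s)|
RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Short asset paths for the active theme ("theme-name" is a placeholder).
RewriteRule ^css/(.*) assets/themes/theme-name/css/$1 [QSA,L]
RewriteRule ^js/(.*) assets/themes/theme-name/js/$1 [QSA,L]
RewriteRule ^images/(.*) assets/themes/theme-name/images/$1 [QSA,L]

# Block user enumeration through ?author=N: rewrite internally to the front
# page with the query string dropped, so no /author/<login>/ redirect leaks
# the user name. `^` matches every path, including the empty per-directory
# path of a bare "/?author=1", which the original `.` did not. A path
# substitution replaces `http://%{SERVER_NAME}/?`, which on an https request
# turned into an external redirect to plain http. Only the author= query
# parameter is covered here.
RewriteCond %{QUERY_STRING} (^|&)author=
RewriteRule ^ /? [L]

# Friendly login URLs. Both carry the loginkey the gate below looks for.
# This is URL obscurity, not authentication: the key travels in the query
# string (server logs, Referer headers) and is public in this snippet, so
# replace 12345 before use. The original used `12345g` here and `12345`
# elsewhere; they are unified so the exact-match check below passes.
# redirect_to is a site-relative path (accepted by WordPress) so no scheme
# is hard-coded.
RewriteRule ^login app/wp-login.php?loginkey=12345&redirect_to=/app/wp-admin/index.php [L]
RewriteRule ^recover-password app/wp-login.php?loginkey=12345&action=lostpassword [L]

# Gate GET requests to wp-login.php: let through those arriving from the
# admin or the login flow, carrying the key, or performing a logout or
# lost-password action; send the rest to the front page.
# A RewriteCond pattern is compiled at startup, so %{SERVER_NAME} in the
# original patterns was a literal string that never matched and the three
# Referer exemptions were dead. Comparing "referer::host" against a
# backreference makes them work, for http or https. Referer is client-supplied,
# so this only deters casual discovery. POST is exempt because the form must
# submit, which also means this rule does not limit login attempts -- pair it
# with a login-attempt limiter.
RewriteCond %{HTTP_REFERER}::%{SERVER_NAME} !^https?://([^/]+)/app/wp-admin.*::\1$
RewriteCond %{HTTP_REFERER}::%{SERVER_NAME} !^https?://([^/]+)/app/wp-login\.php.*::\1$
RewriteCond %{HTTP_REFERER}::%{SERVER_NAME} !^https?://([^/]+)/login.*::\1$
RewriteCond %{QUERY_STRING} !(^|&)loginkey=12345(&|$)
RewriteCond %{QUERY_STRING} !^action=logout
RewriteCond %{QUERY_STRING} !^action=lostpassword
RewriteCond %{REQUEST_METHOD} !POST
RewriteRule ^app/wp-login\.php /? [R,L]

# After logout WordPress lands on wp-login.php?loggedout=true; show the front
# page instead (internal rewrite, query string dropped).
RewriteCond %{QUERY_STRING} ^loggedout=true
RewriteRule ^ /? [L]
</IfModule>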
# Standard WordPress permalink block: requests for index.php itself pass
# through untouched (this also stops the rewrite below from looping), and any
# other path that is not an existing file or directory is handed to
# /index.php. WordPress rewrites everything between the BEGIN/END markers when
# permalinks are saved, so custom rules belong outside them, as above.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
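# Directory listings off. The original `Options All -Indexes` mixes a bare
# keyword with a +/- form, which Apache 2.4 rejects (a 500 when it comes from
# .htaccess); where it is accepted, `All` also turns on ExecCGI, Includes and
# FollowSymLinks for the whole tree. Only Indexes is removed here and the rest
# is inherited from the server config.
# NOTE(review): mod_rewrite in .htaccess needs FollowSymLinks or
# SymLinksIfOwnerMatch to be in effect; if the parent config does not provide
# it, use `Options -Indexes +FollowSymLinks` instead.
Options -Indexes

# No direct HTTP access to the rewrite rules or to the WordPress configuration
# file. Apache 2.4 uses Require (mod_authz_core); the Order/Deny pair is 2.2
# syntax that 2.4 only accepts with mod_access_compat loaded, so both forms
# are given.
<Files .htaccess>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>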
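<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# Canonical host: non-www requests are sent to www with the scheme preserved.
# %{HTTPS}s reads "ons" over TLS and "offs" otherwise; the optional group puts
# the trailing "s" into %1, giving https:// or http:// in the target.
# NOTE(review): the target echoes the client's Host header. If this vhost is
# also the server default, pin the canonical host name here instead.
RewriteCond %{HTTP_HOST} !^www\.
RewriteCond %{HTTPS}s ^on(s)|
RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Short asset paths for the active theme ("theme-name" is a placeholder).
RewriteRule ^css/(.*) wp-content/themes/theme-name/css/$1 [QSA,L]
RewriteRule ^js/(.*) wp-content/themes/theme-name/js/$1 [QSA,L]
RewriteRule ^images/(.*) wp-content/themes/theme-name/images/$1 [QSA,L]

# Block user enumeration through ?author=N: rewrite internally to the front
# page with the query string dropped, so no /author/<login>/ redirect leaks
# the user name. `^` matches every path, including the empty per-directory
# path of a bare "/?author=1", which the original `.` did not. A path
# substitution replaces `http://%{SERVER_NAME}/?`, which on an https request
# turned into an external redirect to plain http. Only the author= query
# parameter is covered here.
RewriteCond %{QUERY_STRING} (^|&)author=
RewriteRule ^ /? [L]

# Friendly login URLs. Both carry the loginkey the gate below looks for.
# This is URL obscurity, not authentication: the key travels in the query
# string (server logs, Referer headers) and is public in this snippet, so
# replace 12345 before use. The original used `12345g` here and `12345`
# elsewhere; they are unified so the exact-match check below passes.
# redirect_to is a site-relative path (accepted by WordPress) so no scheme
# is hard-coded.
RewriteRule ^login wp-login.php?loginkey=12345&redirect_to=/wp-admin/index.php [L]
RewriteRule ^recover-password wp-login.php?loginkey=12345&action=lostpassword [L]

# Gate GET requests to wp-login.php: let through those arriving from the
# admin or the login flow, carrying the key, or performing a logout or
# lost-password action; send the rest to the front page.
# A RewriteCond pattern is compiled at startup, so %{SERVER_NAME} in the
# original patterns was a literal string that never matched and the three
# Referer exemptions were dead. Comparing "referer::host" against a
# backreference makes them work, for http or https. Referer is client-supplied,
# so this only deters casual discovery. POST is exempt because the form must
# submit, which also means this rule does not limit login attempts -- pair it
# with a login-attempt limiter.
RewriteCond %{HTTP_REFERER}::%{SERVER_NAME} !^https?://([^/]+)/wp-admin.*::\1$
RewriteCond %{HTTP_REFERER}::%{SERVER_NAME} !^https?://([^/]+)/wp-login\.php.*::\1$
RewriteCond %{HTTP_REFERER}::%{SERVER_NAME} !^https?://([^/]+)/login.*::\1$
RewriteCond %{QUERY_STRING} !(^|&)loginkey=12345(&|$)
RewriteCond %{QUERY_STRING} !^action=logout
RewriteCond %{QUERY_STRING} !^action=lostpassword
RewriteCond %{REQUEST_METHOD} !POST
RewriteRule ^wp-login\.php /? [R,L]

# After logout WordPress lands on wp-login.php?loggedout=true; show the front
# page instead (internal rewrite, query string dropped).
RewriteCond %{QUERY_STRING} ^loggedout=true
RewriteRule ^ /? [L]
</IfModule>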
# Standard WordPress permalink block: requests for index.php itself pass
# through untouched (this also stops the rewrite below from looping), and any
# other path that is not an existing file or directory is handed to
# /index.php. WordPress rewrites everything between the BEGIN/END markers when
# permalinks are saved, so custom rules belong outside them, as above.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress