mtx-z/.htaccess

## .htaccess
#WP block - see https://fr.wordpress.org/support/article/htaccess/
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]

# ajouter un slash après /wp-admin
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
RewriteRule . index.php [L]
#END WP

# Disable folder indexing
Options All -Indexes
IndexIgnore *
<IfModule mod_autoindex.c>
	Options -Indexes
</IfModule>

ServerSignature Off

# Follow symlink
Options +FollowSymLinks

# Timezone
SetEnv TZ Europe/Paris

# Use UTF-8 encoding for anything served text/plain or text/html
AddDefaultCharset UTF-8
# Force UTF-8 for a number of file formats
<IfModule mod_mime.c>
	AddCharset UTF-8 .atom .css .js .json .rss .vtt .xml
</IfModule>

# Protect .htaccess and .htpasswds
<Files ~ "^.*\.([Hh][Tt][AaPp])">
	order allow,deny
	deny from all
	satisfy all
</Files>

# Prevent comment spamming
<IfModule mod_rewrite.c>
	RewriteCond %{REQUEST_METHOD} POST
	RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
	RewriteCond %{HTTP_REFERER} !.monsite.com.* [OR]
	RewriteCond %{HTTP_USER_AGENT} ^$
	RewriteRule (.*) ^https://%{REMOTE_ADDR}/$ [R=301,L]
</IfModule>

# author URL protection ?author=
<IfModule mod_rewrite.c>
	RewriteCond %{QUERY_STRING} ^author=([0-9]*)
	RewriteRule .* - [F]
</IfModule>

# Prevent hotlinking by referer check
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?mon-site.fr [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ https://fakeimg.pl/400x200/?text=Pas_touche_aux_images [NC,R,L]

# Redirect non-www to www
#RewriteEngine On
#RewriteCond %{HTTP_HOST} ^monsite.com [NC]
#RewriteRule ^(.*)$ https://www.monsite.com/$1 [L,R=301]

# Redirect www to non-www
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.monsite\.com [NC]
RewriteRule ^(.*)$ https://monsite.com/$1 [L,R=301]

# Redirect to HTTPS
RewriteCond     %{SERVER_PORT} ^80$
RewriteRule     ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]


# CACHE
# Browser header cache
<IfModule mod_expires.c>
	ExpiresActive on
	ExpiresDefault                              "access plus 1 month"
	# cache.appcache needs re-requests in FF 3.6 (thanks Remy ~Introducing HTML5)
	ExpiresByType text/cache-manifest           "access plus 0 seconds"
	# Your document html
	ExpiresByType text/html                     "access plus 0 seconds"
	# Data
	ExpiresByType text/xml                      "access plus 0 seconds"
	ExpiresByType application/xml               "access plus 0 seconds"
	ExpiresByType application/json              "access plus 0 seconds"
	# Feed
	ExpiresByType application/rss+xml           "access plus 1 hour"
	ExpiresByType application/atom+xml          "access plus 1 hour"
	# Favicon (cannot be renamed)
	ExpiresByType image/x-icon                  "access plus 1 week"
	# Media: images, video, audio
	ExpiresByType image/gif                     "access plus 4 months"
	ExpiresByType image/png                     "access plus 4 months"
	ExpiresByType image/jpeg                    "access plus 4 months"
	ExpiresByType image/webp                    "access plus 4 months"
	ExpiresByType video/ogg                     "access plus 4 months"
	ExpiresByType audio/ogg                     "access plus 4 months"
	ExpiresByType video/mp4                     "access plus 4 months"
	ExpiresByType video/webm                    "access plus 4 months"
	# HTC files  (css3pie)
	ExpiresByType text/x-component              "access plus 1 month"
	# Webfonts
	ExpiresByType font/ttf                      "access plus 4 months"
	ExpiresByType font/otf                      "access plus 4 months"
	ExpiresByType font/woff                     "access plus 4 months"
	ExpiresByType font/woff2                    "access plus 4 months"
	ExpiresByType image/svg+xml                 "access plus 1 month"
	ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
	# CSS and JavaScript
	ExpiresByType text/css                      "access plus 1 year"
	ExpiresByType application/javascript        "access plus 1 year"
</IfModule>

# Gzip compression
<IfModule mod_deflate.c>
	# Active compression
	SetOutputFilter DEFLATE
	# Force deflate for mangled headers
	<IfModule mod_setenvif.c>
		<IfModule mod_headers.c>
		SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
		RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
		# Don’t compress images and other uncompressible content
		SetEnvIfNoCase Request_URI \
		\.(?:gif|jpe?g|png|rar|zip|exe|flv|mov|wma|mp3|avi|swf|mp?g|mp4|webm|webp|pdf)$ no-gzip dont-vary
		</IfModule>
	</IfModule>

# Compress all output labeled with one of the following MIME-types
<IfModule mod_filter.c>
AddOutputFilterByType DEFLATE application/atom+xml \
		                          application/javascript \
		                          application/json \
		                          application/rss+xml \
		                          application/vnd.ms-fontobject \
		                          application/x-font-ttf \
		                          application/xhtml+xml \
		                          application/xml \
		                          font/opentype \
		                          image/svg+xml \
		                          image/x-icon \
		                          text/css \
		                          text/html \
		                          text/plain \
		                          text/x-component \
		                          text/xml
</IfModule>
<IfModule mod_headers.c>
Header append Vary: Accept-Encoding
</IfModule>
</IfModule>

# Add mime type
<IfModule mod_mime.c>
AddType text/html .html_gzip
AddEncoding gzip .html_gzip
</IfModule>
<IfModule mod_setenvif.c>
SetEnvIfNoCase Request_URI \.html_gzip$ no-gzip
</IfModule>

# Headers
Header unset ETag
FileETag None

# FileETag None is not enough for every server.
<IfModule mod_headers.c>
Header unset ETag
</IfModule>

<ifModule mod_headers.c>
<filesMatch "\.(ico|jpe?g|png|gif|swf)$">
    Header set Cache-Control "public"
</filesMatch>
<filesMatch "\.(css)$">
    Header set Cache-Control "public"
</filesMatch>
<filesMatch "\.(js)$">
    Header set Cache-Control "private"
</filesMatch>
<filesMatch "\.(x?html?|php)$">
    Header set Cache-Control "private, must-revalidate"
</filesMatch>
</ifModule>

<IfModule mod_alias.c>
<FilesMatch "\.(css|htc|js|asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|json|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|otf|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|swf|tar|tif|tiff|ttf|ttc|wav|wma|wri|xla|xls|xlsx|xlt|xlw|zip)$">
<IfModule mod_headers.c>
Header unset Pragma
Header append Cache-Control "public"
</IfModule>
</FilesMatch>
</IfModule>
# END CACHE

# Static compression
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/xhtml text/html text/plain text/xml text/javascript application/x-javascript text/css
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
    Header append Vary User-Agent env=!dont-vary
</IfModule>

AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/json

# Block few scripts
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# Injection protection
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]

# CPS (XSS, clickjacking & MIME-Type sniffing)
<ifModule mod_headers.c>
    Header set X-Frame-Options "sameorigin"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options "nosniff"
    Header set Strict-Transport-Security "max-age=31536000; preload"
    Header set Referrer-Policy "strict-origin-when-cross-origin"
    Header set X-DNS-Prefetch-Control "on"
    Header set Permissions-Policy "autoplay=*, fullscreen=* vertical-scroll=*"
</ifModule>


# PROTECT install.php
# Uncomment or change to 'Allow from all' for install of WordPress
<Files install.php>
	Order Allow,Deny
	Deny from all
	Satisfy all
</Files>

# Prevent wp-config.php access
<files wp-config.php>
	order allow,deny
	deny from all
</files>

# Protect XMLRPC (needed for Apps, Offline-Blogging-Tools, Pingback, etc.)
# If you use that, these tools will not work anymore
<Files xmlrpc.php>
	Order Deny,Allow
	Deny from all
</Files>

# Prevent browser and search engines to request .log (e.g. WP DEBUG LOG) and .txt (e.g. plugins readme) files.
# Must be placed in /wp-content/.htaccess
<FilesMatch "\.(log|txt)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

# Hide WordPress, system & sensitive files
<FilesMatch "(^\.|wp-config(-sample)*\.php)">
    Order Deny,Allow
    Deny from all
</FilesMatch>

# Protect some other files
<FilesMatch "(liesmich.html|readme.html|license.txt|(.*)\.bak)">
  Order Deny,Allow
  Deny from all
</FilesMatch>

# Block the include-only files.
# Do not use in Multisite without reading the note in Codex!
# See: https://wordpress.org/support/article/hardening-wordpress/#securing-wp-includes
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  RewriteRule ^wp-admin/includes/ - [F,L]
  RewriteRule !^wp-includes/ - [S=3]
  # If you run multisite, comment the next line out (see note above)
  RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
  RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
  RewriteRule ^wp-includes/theme-compat/ - [F,L]

	RewriteRule ^wp-admin/install\.php$ - [F]
	RewriteCond %{REQUEST_FILENAME} -f
	RewriteRule (^|.*/)\.(git|svn)/.* - [F]

	# Disable PHP in Uploads
	RewriteRule ^wp\-content/uploads/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

	# Disable PHP in Plugins
	RewriteRule ^wp\-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

	# Disable PHP in themes
	RewriteRule ^wp\-content/themes/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]
</IfModule>

# Force secure cookies (uncomment if you use HTTP://, which you should NOT, use HTTPS with letsencrypt at least)
<IfModule mod_headers.c>
  Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</IfModule>

#Unset headers revealing versions strings
<IfModule mod_headers.c>
  Header unset X-Powered-By
  Header unset X-Pingback
  Header unset SERVER
</IfModule>

# Filter Request Methods
# See: https://perishablepress.com/disable-trace-and-track-for-better-security/
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
  RewriteRule ^(.*)$ - [F,L]
</IfModule>
	#WP block - see https://fr.wordpress.org/support/article/htaccess/
	RewriteEngine On
	RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
	RewriteBase /
	RewriteRule ^index\.php$ - [L]

	# ajouter un slash après /wp-admin
	RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]

	RewriteCond %{REQUEST_FILENAME} -f [OR]
	RewriteCond %{REQUEST_FILENAME} -d
	RewriteRule ^ - [L]
	RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content\|admin\|includes).*) $2 [L]
	RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
	RewriteRule . index.php [L]
	#END WP

	# Disable folder indexing
	Options All -Indexes
	IndexIgnore *
	<IfModule mod_autoindex.c>
	Options -Indexes
	</IfModule>

	ServerSignature Off

	# Follow symlink
	Options +FollowSymLinks

	# Timezone
	SetEnv TZ Europe/Paris

	# Use UTF-8 encoding for anything served text/plain or text/html
	AddDefaultCharset UTF-8
	# Force UTF-8 for a number of file formats
	<IfModule mod_mime.c>
	AddCharset UTF-8 .atom .css .js .json .rss .vtt .xml
	</IfModule>

	# Protect .htaccess and .htpasswds
	<Files ~ "^.*\.([Hh][Tt][AaPp])">
	order allow,deny
	deny from all
	satisfy all
	</Files>

	# Prevent comment spamming
	<IfModule mod_rewrite.c>
	RewriteCond %{REQUEST_METHOD} POST
	RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
	RewriteCond %{HTTP_REFERER} !.monsite.com.* [OR]
	RewriteCond %{HTTP_USER_AGENT} ^$
	RewriteRule (.*) ^https://%{REMOTE_ADDR}/$ [R=301,L]
	</IfModule>

	# author URL protection ?author=
	<IfModule mod_rewrite.c>
	RewriteCond %{QUERY_STRING} ^author=([0-9]*)
	RewriteRule .* - [F]
	</IfModule>

	# Prevent hotlinking by referer check
	RewriteEngine On
	RewriteCond %{HTTP_REFERER} !^$
	RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?mon-site.fr [NC]
	RewriteRule \.(jpg\|jpeg\|png\|gif)$ https://fakeimg.pl/400x200/?text=Pas_touche_aux_images [NC,R,L]

	# Redirect non-www to www
	#RewriteEngine On
	#RewriteCond %{HTTP_HOST} ^monsite.com [NC]
	#RewriteRule ^(.*)$ https://www.monsite.com/$1 [L,R=301]

	# Redirect www to non-www
	RewriteEngine on
	RewriteCond %{HTTP_HOST} ^www\.monsite\.com [NC]
	RewriteRule ^(.*)$ https://monsite.com/$1 [L,R=301]

	# Redirect to HTTPS
	RewriteCond %{SERVER_PORT} ^80$
	RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]


	# CACHE
	# Browser header cache
	<IfModule mod_expires.c>
	ExpiresActive on
	ExpiresDefault "access plus 1 month"
	# cache.appcache needs re-requests in FF 3.6 (thanks Remy ~Introducing HTML5)
	ExpiresByType text/cache-manifest "access plus 0 seconds"
	# Your document html
	ExpiresByType text/html "access plus 0 seconds"
	# Data
	ExpiresByType text/xml "access plus 0 seconds"
	ExpiresByType application/xml "access plus 0 seconds"
	ExpiresByType application/json "access plus 0 seconds"
	# Feed
	ExpiresByType application/rss+xml "access plus 1 hour"
	ExpiresByType application/atom+xml "access plus 1 hour"
	# Favicon (cannot be renamed)
	ExpiresByType image/x-icon "access plus 1 week"
	# Media: images, video, audio
	ExpiresByType image/gif "access plus 4 months"
	ExpiresByType image/png "access plus 4 months"
	ExpiresByType image/jpeg "access plus 4 months"
	ExpiresByType image/webp "access plus 4 months"
	ExpiresByType video/ogg "access plus 4 months"
	ExpiresByType audio/ogg "access plus 4 months"
	ExpiresByType video/mp4 "access plus 4 months"
	ExpiresByType video/webm "access plus 4 months"
	# HTC files (css3pie)
	ExpiresByType text/x-component "access plus 1 month"
	# Webfonts
	ExpiresByType font/ttf "access plus 4 months"
	ExpiresByType font/otf "access plus 4 months"
	ExpiresByType font/woff "access plus 4 months"
	ExpiresByType font/woff2 "access plus 4 months"
	ExpiresByType image/svg+xml "access plus 1 month"
	ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
	# CSS and JavaScript
	ExpiresByType text/css "access plus 1 year"
	ExpiresByType application/javascript "access plus 1 year"
	</IfModule>

	# Gzip compression
	<IfModule mod_deflate.c>
	# Active compression
	SetOutputFilter DEFLATE
	# Force deflate for mangled headers
	<IfModule mod_setenvif.c>
	<IfModule mod_headers.c>
	SetEnvIfNoCase ^(Accept-EncodXng\|X-cept-Encoding\|X{15}\|~{15}\|-{15})$ ^((gzip\|deflate)\s,?\s)+\|[X~-]{4,13}$ HAVE_Accept-Encoding
	RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
	# Don’t compress images and other uncompressible content
	SetEnvIfNoCase Request_URI \
	\.(?:gif\|jpe?g\|png\|rar\|zip\|exe\|flv\|mov\|wma\|mp3\|avi\|swf\|mp?g\|mp4\|webm\|webp\|pdf)$ no-gzip dont-vary
	</IfModule>
	</IfModule>

	# Compress all output labeled with one of the following MIME-types
	<IfModule mod_filter.c>
	AddOutputFilterByType DEFLATE application/atom+xml \
	application/javascript \
	application/json \
	application/rss+xml \
	application/vnd.ms-fontobject \
	application/x-font-ttf \
	application/xhtml+xml \
	application/xml \
	font/opentype \
	image/svg+xml \
	image/x-icon \
	text/css \
	text/html \
	text/plain \
	text/x-component \
	text/xml
	</IfModule>
	<IfModule mod_headers.c>
	Header append Vary: Accept-Encoding
	</IfModule>
	</IfModule>

	# Add mime type
	<IfModule mod_mime.c>
	AddType text/html .html_gzip
	AddEncoding gzip .html_gzip
	</IfModule>
	<IfModule mod_setenvif.c>
	SetEnvIfNoCase Request_URI \.html_gzip$ no-gzip
	</IfModule>

	# Headers
	Header unset ETag
	FileETag None

	# FileETag None is not enough for every server.
	<IfModule mod_headers.c>
	Header unset ETag
	</IfModule>

	<ifModule mod_headers.c>
	<filesMatch "\.(ico\|jpe?g\|png\|gif\|swf)$">
	Header set Cache-Control "public"
	</filesMatch>
	<filesMatch "\.(css)$">
	Header set Cache-Control "public"
	</filesMatch>
	<filesMatch "\.(js)$">
	Header set Cache-Control "private"
	</filesMatch>
	<filesMatch "\.(x?html?\|php)$">
	Header set Cache-Control "private, must-revalidate"
	</filesMatch>
	</ifModule>

	<IfModule mod_alias.c>
	<FilesMatch "\.(css\|htc\|js\|asf\|asx\|wax\|wmv\|wmx\|avi\|bmp\|class\|divx\|doc\|docx\|eot\|exe\|gif\|gz\|gzip\|ico\|jpg\|jpeg\|jpe\|json\|mdb\|mid\|midi\|mov\|qt\|mp3\|m4a\|mp4\|m4v\|mpeg\|mpg\|mpe\|mpp\|otf\|odb\|odc\|odf\|odg\|odp\|ods\|odt\|ogg\|pdf\|png\|pot\|pps\|ppt\|pptx\|ra\|ram\|svg\|svgz\|swf\|tar\|tif\|tiff\|ttf\|ttc\|wav\|wma\|wri\|xla\|xls\|xlsx\|xlt\|xlw\|zip)$">
	<IfModule mod_headers.c>
	Header unset Pragma
	Header append Cache-Control "public"
	</IfModule>
	</FilesMatch>
	</IfModule>
	# END CACHE

	# Static compression
	<IfModule mod_deflate.c>
	AddOutputFilterByType DEFLATE text/xhtml text/html text/plain text/xml text/javascript application/x-javascript text/css
	BrowserMatch ^Mozilla/4 gzip-only-text/html
	BrowserMatch ^Mozilla/4\.0[678] no-gzip
	BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
	SetEnvIfNoCase Request_URI \.(?:gif\|jpe?g\|png)$ no-gzip dont-vary
	Header append Vary User-Agent env=!dont-vary
	</IfModule>

	AddOutputFilterByType DEFLATE text/html
	AddOutputFilterByType DEFLATE text/plain
	AddOutputFilterByType DEFLATE text/xml
	AddOutputFilterByType DEFLATE text/css
	AddOutputFilterByType DEFLATE text/javascript
	AddOutputFilterByType DEFLATE font/opentype
	AddOutputFilterByType DEFLATE application/rss+xml
	AddOutputFilterByType DEFLATE application/javascript
	AddOutputFilterByType DEFLATE application/json

	# Block few scripts
	RewriteEngine On
	RewriteBase /
	RewriteRule ^wp-admin/includes/ - [F,L]
	RewriteRule !^wp-includes/ - [S=3]
	RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
	RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
	RewriteRule ^wp-includes/theme-compat/ - [F,L]

	# Injection protection
	RewriteCond %{REQUEST_METHOD} GET
	RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
	RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
	RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
	RewriteRule .* - [F]

	# CPS (XSS, clickjacking & MIME-Type sniffing)
	<ifModule mod_headers.c>
	Header set X-Frame-Options "sameorigin"
	Header set X-XSS-Protection "1; mode=block"
	Header set X-Content-Type-Options "nosniff"
	Header set Strict-Transport-Security "max-age=31536000; preload"
	Header set Referrer-Policy "strict-origin-when-cross-origin"
	Header set X-DNS-Prefetch-Control "on"
	Header set Permissions-Policy "autoplay=, fullscreen= vertical-scroll=*"
	</ifModule>


	# PROTECT install.php
	# Uncomment or change to 'Allow from all' for install of WordPress
	<Files install.php>
	Order Allow,Deny
	Deny from all
	Satisfy all
	</Files>

	# Prevent wp-config.php access
	<files wp-config.php>
	order allow,deny
	deny from all
	</files>

	# Protect XMLRPC (needed for Apps, Offline-Blogging-Tools, Pingback, etc.)
	# If you use that, these tools will not work anymore
	<Files xmlrpc.php>
	Order Deny,Allow
	Deny from all
	</Files>

	# Prevent browser and search engines to request .log (e.g. WP DEBUG LOG) and .txt (e.g. plugins readme) files.
	# Must be placed in /wp-content/.htaccess
	<FilesMatch "\.(log\|txt)$">
	Order Allow,Deny
	Deny from all
	</FilesMatch>

	# Hide WordPress, system & sensitive files
	<FilesMatch "(^\.\|wp-config(-sample)*\.php)">
	Order Deny,Allow
	Deny from all
	</FilesMatch>

	# Protect some other files
	<FilesMatch "(liesmich.html\|readme.html\|license.txt\|(.*)\.bak)">
	Order Deny,Allow
	Deny from all
	</FilesMatch>

	# Block the include-only files.
	# Do not use in Multisite without reading the note in Codex!
	# See: https://wordpress.org/support/article/hardening-wordpress/#securing-wp-includes
	<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteBase /
	RewriteRule ^wp-admin/includes/ - [F,L]
	RewriteRule !^wp-includes/ - [S=3]
	# If you run multisite, comment the next line out (see note above)
	RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
	RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
	RewriteRule ^wp-includes/theme-compat/ - [F,L]

	RewriteRule ^wp-admin/install\.php$ - [F]
	RewriteCond %{REQUEST_FILENAME} -f
	RewriteRule (^\|./)\.(git\|svn)/. - [F]

	# Disable PHP in Uploads
	RewriteRule ^wp\-content/uploads/.*\.(?:php[1-7]?\|pht\|phtml?\|phps)\.?$ - [NC,F]

	# Disable PHP in Plugins
	RewriteRule ^wp\-content/plugins/.*\.(?:php[1-7]?\|pht\|phtml?\|phps)\.?$ - [NC,F]

	# Disable PHP in themes
	RewriteRule ^wp\-content/themes/.*\.(?:php[1-7]?\|pht\|phtml?\|phps)\.?$ - [NC,F]
	</IfModule>

	# Force secure cookies (uncomment if you use HTTP://, which you should NOT, use HTTPS with letsencrypt at least)
	<IfModule mod_headers.c>
	Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
	</IfModule>

	#Unset headers revealing versions strings
	<IfModule mod_headers.c>
	Header unset X-Powered-By
	Header unset X-Pingback
	Header unset SERVER
	</IfModule>

	# Filter Request Methods
	# See: https://perishablepress.com/disable-trace-and-track-for-better-security/
	<IfModule mod_rewrite.c>
	RewriteEngine on
	RewriteCond %{REQUEST_METHOD} ^(TRACE\|DELETE\|TRACK) [NC]
	RewriteRule ^(.*)$ - [F,L]
	</IfModule>