Created
June 16, 2018 20:07
-
-
Save netdesignr/19b6272cd45021c51c83ea5510dcf0cd to your computer and use it in GitHub Desktop.
My personal wordpress htaccess secure | patch | anti-hack 2018
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Find and replace ** yourdomain ** and add your desired domain name | |
| # BEGIN WordPress | |
| <IfModule mod_rewrite.c> | |
| RewriteEngine On | |
| RewriteBase / | |
| RewriteRule ^index\.php$ - [L] | |
| RewriteCond %{REQUEST_FILENAME} !-f | |
| RewriteCond %{REQUEST_FILENAME} !-d | |
| RewriteRule . /index.php [L] | |
| </IfModule> | |
| # END WordPress | |
| # BULLETPROOF 2.9 SECURE .HTACCESS | |
| # PHP/PHP.INI HANDLER/CACHE CODE | |
| # Use BPS Custom Code to add php/php.ini Handler and Cache htaccess code and to save it permanently. | |
| # Most Hosts do not have/use/require php/php.ini Handler htaccess code | |
| # TURN OFF YOUR SERVER SIGNATURE | |
| # Suppresses the footer line server version number and ServerName of the serving virtual host | |
| ServerSignature Off | |
| # DO NOT SHOW DIRECTORY LISTING | |
| # Disallow mod_autoindex from displaying a directory listing | |
| # If a 500 Internal Server Error occurs when activating Root BulletProof Mode | |
| # copy the entire DO NOT SHOW DIRECTORY LISTING and DIRECTORY INDEX sections of code | |
| # and paste it into BPS Custom Code and comment out Options -Indexes | |
| # by adding a # sign in front of it. | |
| # Example: #Options -Indexes | |
| Options -Indexes | |
| # DIRECTORY INDEX FORCE INDEX.PHP | |
| # Use index.php as default directory index file. index.html will be ignored. | |
| # If a 500 Internal Server Error occurs when activating Root BulletProof Mode | |
| # copy the entire DO NOT SHOW DIRECTORY LISTING and DIRECTORY INDEX sections of code | |
| # and paste it into BPS Custom Code and comment out DirectoryIndex | |
| # by adding a # sign in front of it. | |
| # Example: #DirectoryIndex index.php index.html /index.php | |
| DirectoryIndex index.php index.html /index.php | |
| # BRUTE FORCE LOGIN PAGE PROTECTION | |
| # PLACEHOLDER ONLY | |
| # Use BPS Custom Code to add Brute Force Login protection code and to save it permanently. | |
| # See this link: https://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/ | |
| # for more information. | |
| # BPS ERROR LOGGING AND TRACKING | |
| # Use BPS Custom Code to modify/edit/change this code and to save it permanently. | |
| # BPS has premade 400 Bad Request, 403 Forbidden, 404 Not Found, 405 Method Not Allowed and | |
| # 410 Gone template logging files that are used to track and log 400, 403, 404, 405 and 410 errors | |
| # that occur on your website. When a hacker attempts to hack your website the hackers IP address, | |
| # Host name, Request Method, Referering link, the file name or requested resource, the user agent | |
| # of the hacker and the query string used in the hack attempt are logged. | |
| # All BPS log files are htaccess protected so that only you can view them. | |
| # The 400.php, 403.php, 404.php, 405.php and 410.php files are located in /wp-content/plugins/bulletproof-security/ | |
| # The 400, 403, 405 and 410 Error logging files are already set up and will automatically start logging errors | |
| # after you install BPS and have activated BulletProof Mode for your Root folder. | |
| # If you would like to log 404 errors you will need to copy the logging code in the BPS 404.php file | |
| # to your Theme's 404.php template file. Simple instructions are included in the BPS 404.php file. | |
| # You can open the BPS 404.php file using the WP Plugins Editor or manually editing the file. | |
| # NOTE: By default WordPress automatically looks in your Theme's folder for a 404.php Theme template file. | |
| ErrorDocument 400 /wp-content/plugins/bulletproof-security/400.php | |
| ErrorDocument 401 default | |
| ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php | |
| ErrorDocument 404 /404.php | |
| ErrorDocument 405 /wp-content/plugins/bulletproof-security/405.php | |
| ErrorDocument 410 /wp-content/plugins/bulletproof-security/410.php | |
| # DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS | |
| # Use BPS Custom Code to modify/edit/change this code and to save it permanently. | |
| # Files and folders starting with a dot: .htaccess, .htpasswd, .errordocs, .logs | |
| RedirectMatch 403 \.(htaccess|htpasswd|errordocs|logs)$ | |
| # WP-ADMIN/INCLUDES | |
| # Use BPS Custom Code to remove this code permanently. | |
| RewriteEngine On | |
| RewriteBase / | |
| RewriteRule ^wp-admin/includes/ - [F] | |
| RewriteRule !^wp-includes/ - [S=3] | |
| RewriteRule ^wp-includes/[^/]+\.php$ - [F] | |
| RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F] | |
| RewriteRule ^wp-includes/theme-compat/ - [F] | |
| # WP REWRITE LOOP START | |
| RewriteEngine On | |
| RewriteBase / | |
| RewriteRule ^index\.php$ - [L] | |
| # CUSTOM CODE REQUEST METHODS FILTERED | |
| # REQUEST METHODS FILTERED | |
| # If you want to allow HEAD Requests use BPS Custom Code and copy | |
| # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code | |
| # text box: CUSTOM CODE REQUEST METHODS FILTERED. | |
| # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps. | |
| RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC] | |
| RewriteRule ^(.*)$ - [F] | |
| #RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC] | |
| #RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L] | |
| # PLUGINS/THEMES AND VARIOUS EXPLOIT FILTER SKIP RULES | |
| # To add plugin/theme skip/bypass rules use BPS Custom Code. | |
| # The [S] flag is used to skip following rules. Skip rule [S=12] will skip 12 following RewriteRules. | |
| # The skip rules MUST be in descending consecutive number order: 12, 11, 10, 9... | |
| # If you delete a skip rule, change the other skip rule numbers accordingly. | |
| # Examples: If RewriteRule [S=5] is deleted than change [S=6] to [S=5], [S=7] to [S=6], etc. | |
| # If you add a new skip rule above skip rule 12 it will be skip rule 13: [S=13] | |
| # CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES | |
| # WPBakery Visual Composer plugin skip/bypass rule | |
| RewriteCond %{REQUEST_URI} ^/wp-content/plugins/js_composer/ [NC] | |
| RewriteRule . - [S=13] | |
| # Adminer MySQL management tool data populate | |
| RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC] | |
| RewriteRule . - [S=12] | |
| # Comment Spam Pack MU Plugin - CAPTCHA images not displaying | |
| RewriteCond %{REQUEST_URI} ^/wp-content/mu-plugins/custom-anti-spam/ [NC] | |
| RewriteRule . - [S=11] | |
| # Peters Custom Anti-Spam display CAPTCHA Image | |
| RewriteCond %{REQUEST_URI} ^/wp-content/plugins/peters-custom-anti-spam-image/ [NC] | |
| RewriteRule . - [S=10] | |
| # Status Updater plugin fb connect | |
| RewriteCond %{REQUEST_URI} ^/wp-content/plugins/fb-status-updater/ [NC] | |
| RewriteRule . - [S=9] | |
| # Stream Video Player - Adding FLV Videos Blocked | |
| RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stream-video-player/ [NC] | |
| RewriteRule . - [S=8] | |
| # XCloner 404 or 403 error when updating settings | |
| RewriteCond %{REQUEST_URI} ^/wp-content/plugins/xcloner-backup-and-restore/ [NC] | |
| RewriteRule . - [S=7] | |
| # BuddyPress Logout Redirect | |
| RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC] | |
| RewriteRule . - [S=6] | |
| # redirect_to= | |
| RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC] | |
| RewriteRule . - [S=5] | |
| # Login Plugins Password Reset And Redirect 1 | |
| RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC] | |
| RewriteRule . - [S=4] | |
| # Login Plugins Password Reset And Redirect 2 | |
| RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC] | |
| RewriteRule . - [S=3] | |
| # CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE | |
| # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE | |
| # Use BPS Custom Code to modify/edit/change this code and to save it permanently. | |
| # Remote File Inclusion (RFI) security rules | |
| # Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files | |
| RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR] | |
| RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC] | |
| RewriteRule .* index.php [F] | |
| # | |
| # Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php) | |
| RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC] | |
| # Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).* | |
| RewriteCond %{HTTP_REFERER} ^.*yourdomain-two.* | |
| RewriteRule . - [S=1] | |
| # CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS | |
| # BEGIN BPSQSE BPS QUERY STRING EXPLOITS | |
| # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too. | |
| # Good sites such as W3C use it for their W3C-LinkChecker. | |
| # Use BPS Custom Code to add or remove user agents temporarily or permanently from the | |
| # User Agent filters directly below or to modify/edit/change any of the other security code rules below. | |
| RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%3C|%3E|%00) [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR] | |
| RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR] | |
| RewriteCond %{THE_REQUEST} etc/passwd [NC,OR] | |
| RewriteCond %{THE_REQUEST} cgi-bin [NC,OR] | |
| RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR] | |
| RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR] | |
| RewriteCond %{HTTP_REFERER} (%0A|%0D|%3C|%3E|%00) [NC,OR] | |
| RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR] | |
| RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR] | |
| RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR] | |
| RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR] | |
| RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR] | |
| RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR] | |
| RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR] | |
| RewriteCond %{QUERY_STRING} ftp\: [NC,OR] | |
| RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] | |
| RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR] | |
| RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR] | |
| RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR] | |
| RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] | |
| RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR] | |
| RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR] | |
| RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] | |
| RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR] | |
| RewriteCond %{QUERY_STRING} ^.*(<|>|%3c|%3e).* [NC,OR] | |
| RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR] | |
| RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR] | |
| RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (<|>|%0A|%0D|%3C|%3E|%00) [NC,OR] | |
| RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR] | |
| RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR] | |
| RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR] | |
| RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (sp_executesql) [NC] | |
| RewriteRule ^(.*)$ - [F] | |
| # END BPSQSE BPS QUERY STRING EXPLOITS | |
| RewriteCond %{REQUEST_FILENAME} !-f | |
| RewriteCond %{REQUEST_FILENAME} !-d | |
| RewriteRule . /index.php [L] | |
| # WP REWRITE LOOP END | |
| # DENY BROWSER ACCESS TO THESE FILES | |
| # Use BPS Custom Code to modify/edit/change this code and to save it permanently. | |
| # wp-config.php, bb-config.php, php.ini, php5.ini, readme.html | |
| # To be able to view these files from a Browser, replace 127.0.0.1 with your actual | |
| # current IP address. Comment out: #Require all denied and Uncomment: Require ip 127.0.0.1 | |
| # Comment out: #Deny from all and Uncomment: Allow from 127.0.0.1 | |
| # Note: The BPS System Info page displays which modules are loaded on your server. | |
| <FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)"> | |
| <IfModule mod_authz_core.c> | |
| Require all denied | |
| #Require ip 127.0.0.1 | |
| </IfModule> | |
| <IfModule !mod_authz_core.c> | |
| <IfModule mod_access_compat.c> | |
| Order Allow,Deny | |
| Deny from all | |
| #Allow from 127.0.0.1 | |
| </IfModule> | |
| </IfModule> | |
| </FilesMatch> | |
| # HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE | |
| # PLACEHOLDER ONLY | |
| # Use BPS Custom Code to add custom code and save it permanently here. | |
| Options All -Indexes | |
| # Block wp-includes folder and files | |
| <IfModule mod_rewrite.c> | |
| RewriteEngine On | |
| RewriteBase / | |
| RewriteRule ^wp-admin/includes/ - [F,L] | |
| RewriteRule !^wp-includes/ - [S=3] | |
| RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] | |
| RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L] | |
| RewriteRule ^wp-includes/theme-compat/ - [F,L] | |
| </IfModule> | |
| # Deny access to wp-config.php file | |
| <files wp-config.php> | |
| order allow,deny | |
| deny from all | |
| </files> | |
| # Deny access to all .htaccess files | |
| <files ~ "^.*\.([Hh][Tt][Aa])"> | |
| order allow,deny | |
| deny from all | |
| satisfy all | |
| </files> | |
| # Prevent image hotlinking script. Replace last URL with any image link you want. | |
| RewriteEngine on | |
| RewriteCond %{HTTP_REFERER} !^$ | |
| RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com/ [NC] | |
| RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourodmain.com/ [NC] | |
| RewriteRule \.(jpg|jpeg|png|gif)$ http://i.imgur.com/MlQAH71.jpg [NC,R,L] | |
| # Setup browser caching | |
| <IfModule mod_expires.c> | |
| ExpiresActive On | |
| ExpiresByType image/jpg "access 1 year" | |
| ExpiresByType image/jpeg "access 1 year" | |
| ExpiresByType image/gif "access 1 year" | |
| ExpiresByType image/png "access 1 year" | |
| ExpiresByType text/css "access 1 month" | |
| ExpiresByType application/pdf "access 1 month" | |
| ExpiresByType text/x-javascript "access 1 month" | |
| ExpiresByType application/x-shockwave-flash "access 1 month" | |
| ExpiresByType image/x-icon "access 1 year" | |
| ExpiresDefault "access 2 days" | |
| </IfModule> | |
| # BEGIN WP CERBER GROOVE | |
| # END WP CERBER GROOVE | |
| # BEGIN DEFLATE COMPRESSION | |
| <IfModule mod_filter.c> | |
| AddOutputFilterByType DEFLATE "application/atom+xml" \ | |
| "application/javascript" \ | |
| "application/json" \ | |
| "application/ld+json" \ | |
| "application/manifest+json" \ | |
| "application/rdf+xml" \ | |
| "application/rss+xml" \ | |
| "application/schema+json" \ | |
| "application/vnd.geo+json" \ | |
| "application/vnd.ms-fontobject" \ | |
| "application/x-font-ttf" \ | |
| "application/x-javascript" \ | |
| "application/x-web-app-manifest+json" \ | |
| "application/xhtml+xml" \ | |
| "application/xml" \ | |
| "font/eot" \ | |
| "font/opentype" \ | |
| "image/bmp" \ | |
| "image/svg+xml" \ | |
| "image/vnd.microsoft.icon" \ | |
| "image/x-icon" \ | |
| "text/cache-manifest" \ | |
| "text/css" \ | |
| "text/html" \ | |
| "text/javascript" \ | |
| "text/plain" \ | |
| "text/vcard" \ | |
| "text/vnd.rim.location.xloc" \ | |
| "text/vtt" \ | |
| "text/x-component" \ | |
| "text/x-cross-domain-policy" \ | |
| "text/xml" | |
| </IfModule> | |
| # END DEFLATE COMPRESSION | |
| # BEGIN GZIP COMPRESSION | |
| <IfModule mod_gzip.c> | |
| mod_gzip_on Yes | |
| mod_gzip_dechunk Yes | |
| mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$ | |
| mod_gzip_item_include handler ^cgi-script$ | |
| mod_gzip_item_include mime ^text/.* | |
| mod_gzip_item_include mime ^application/x-javascript.* | |
| mod_gzip_item_exclude mime ^image/.* | |
| mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.* | |
| </IfModule> | |
| # END GZIP COMPRESSION |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment