WordPress Apache .htaccess
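## Use the code below only if .htaccess overrides are enabled for the site ("AllowOverride All").
## mod_headers must be loaded for the "Secure headers" section ("a2enmod headers" on Debian/Ubuntu).
## This block goes below the standard WordPress rewrite rules that your .htaccess already has.
## Access control uses the Apache 2.2 syntax (Order / Deny / Satisfy). On Apache 2.4 those
## directives are honoured only while mod_access_compat is loaded -- check your server before
## relying on them, because a missing module turns them into a 500 for the whole directory.

#BEGIN https code
# Redirect every plain-HTTP request to the same URL over HTTPS.
# NOTE(review): %{HTTPS} is set by mod_ssl on this server. Behind a TLS-terminating proxy or
# load balancer it stays "off" for every request and this rule loops; match on the proxy's
# forwarded-protocol header in that setup instead.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

#BEGIN Block bad hackers
# Refuse requests whose User-Agent starts with "libwww-perl".
# The earlier pattern "^libwww-perl*" made the trailing "l" optional (it also matched
# "libwww-per"); a prefix match needs no quantifier.
SetEnvIfNoCase User-Agent "^libwww-perl" block_bad_bots
Deny from env=block_bad_bots

# Disable directory browsing.
# "Options All -Indexes" mixed an absolute option with a relative one, which Apache rejects
# ("Either all Options must start with + or -, or no Option may."); in .htaccess that is a
# 500 for every request. "All" would also have switched on Includes, ExecCGI and
# FollowSymLinks regardless of the server default. Remove Indexes only and leave the rest of
# the inherited Options untouched. Requires AllowOverride Options (covered by "All").
Options -Indexes

# Deny access to Apache's own control files (.htaccess, .htpasswd, ...).
# The earlier pattern "\.([Hh][Tt][Aa])" only covered names containing ".hta", so .htpasswd
# was left unprotected. Match every name starting with ".ht", as the stock httpd.conf does.
# <FilesMatch> replaces the deprecated "<Files ~ ...>" form.
<FilesMatch "^\.[Hh][Tt]">
    Order allow,deny
    Deny from all
    Satisfy all
</FilesMatch>

# Deny access to files that disclose the WordPress version, the database credentials or
# PHP errors: readme.html, license.txt, wp-config.php and an error_log written into the
# web root. One FilesMatch replaces the four identical <files> blocks; the regex is
# anchored so only these exact basenames match.
<FilesMatch "^(readme\.html|license\.txt|wp-config\.php|error_log)$">
    Order allow,deny
    Deny from all
</FilesMatch>

# Deny access to wp-includes folder and files
# Direct requests for PHP under wp-includes/ and wp-admin/includes/ get a 403; normal page
# loads go through index.php and are not affected. "[S=3]" skips the three rules that
# follow when the path is outside wp-includes/, so that number must stay equal to the
# count of rules after it if any are added or removed.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# Blocks some XSS attacks
# Signature filter on the query string, answered with 403. It is a narrow pattern match on
# three shapes and does not stand in for input validation inside the application.
# NOTE(review): in the first condition "\|" is an escaped pipe, so "(\|%3E)" only matches
# the literal sequence "|%3E" -- this looks like a transcription of a longer pattern;
# confirm the intended expression before relying on it.
# The substitution is written as "-" because the F flag ignores it anyway.
<IfModule mod_rewrite.c>
    RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule .* - [F,L]
</IfModule>

# Restricts access to PHP files from plugin and theme directories
# Any direct request for a .php file under wp-content/plugins or wp-content/themes gets a
# 404 (R=404 drops the substitution and stops rewriting). The "file/to/exclude" and
# "directory/to/exclude" paths are placeholders: replace them with the plugins or themes
# that must be reachable directly, or delete the condition lines. Plugins that expose
# their own PHP endpoints will break until they are excluded here.
# Wrapped in IfModule like the other rewrite sections, so the file stays loadable without
# mod_rewrite.
<IfModule mod_rewrite.c>
    RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
    RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
    RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
    RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
    RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
    RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]
</IfModule>

# Secure headers
# One mod_headers block replaces the five separate ones. "always" sends each header on
# error and redirect responses as well as on 2xx.
# Fixes against the earlier version:
#  - "Header set X-XSS-Protection: ..." carried a stray ":" in the header name, so the
#    response line read "X-XSS-Protection:: 1; mode=block". The header is legacy and
#    ignored by current browsers; it is kept unchanged for older ones.
#  - X-Frame-Options used "append", which concatenates onto any value already set at
#    server level and yields "SAMEORIGIN, SAMEORIGIN", not a valid value for a
#    single-valued header. "set" replaces instead.
#  - Strict-Transport-Security is now emitted only on TLS responses (env=HTTPS); browsers
#    ignore it over plain HTTP. "includeSubDomains" commits every subdomain to HTTPS for a
#    year, so make sure none of them is HTTP-only before deploying.
# Referrer-Policy keeps the author's "no-referrer-when-downgrade" (the browser default);
# "strict-origin-when-cross-origin" is the tighter common choice if the site can take it.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
    Header always set X-Frame-Options SAMEORIGIN
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Content-Type-Options nosniff
    Header always set Referrer-Policy "no-referrer-when-downgrade"
    # NOTE(review): X-HTTPS is added to every request, not only TLS ones; presumably read
    # by the application or a plugin to detect HTTPS -- confirm what consumes it.
    RequestHeader set X-HTTPS 1
</IfModule>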