Skip to content

Instantly share code, notes, and snippets.

@nfsarmento nfsarmento/.htaccess

Last active May 29, 2020
Embed
What would you like to do?
WordPress Apache .htaccess
## Use the code below only if you had enable .htaccess - "AllowOverride All"
## You may need to enable mod_headers on apache - "a2enmod headers"
## The code below goes under the rules that you should have if you are using WordPress
#BEGIN https code
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#BEGIN Block bad hackers
SetEnvIfNoCase User-Agent "^libwww-perl*" block_bad_bots
Deny from env=block_bad_bots
# Disable directory browsing
Options All -Indexes
# Deny access to all .htaccess files
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
# Deny access to readme.html
<files readme.html>
Order allow,deny
Deny from all
</files>
# Deny access to license.txt
<files license.txt>
Order allow,deny
Deny from all
</files>
# Deny access to wp-config.php file
<files wp-config.php>
order allow,deny
deny from all
</files>
# Deny access to error_log
<files error_log>
Order allow,deny
Deny from all
</files>
# Deny access to wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# Blocks some XSS attacks
<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* index.php [F,L]
</IfModule>
# Restricts access to PHP files from plugin and theme directories
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]
# Secure headers
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>
<IfModule mod_headers.c>
Header always append X-Frame-Options SAMEORIGIN
</IfModule>
<IfModule mod_headers.c>
Header set X-XSS-Protection: "1; mode=block"
</IfModule>
<IfModule mod_headers.c>
Header set X-Content-Type-Options nosniff
</IfModule>
<IfModule mod_headers.c>
RequestHeader set X-HTTPS 1
Header set Referrer-Policy "no-referrer-when-downgrade"
</IfModule>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.