Improve WordPress security
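# WordPress hardening rules for a site-root .htaccess.
#
# Notes for whoever deploys this:
# - The access-control blocks use the Apache 2.2 syntax (Order/Deny/Allow/Satisfy).
#   On Apache 2.4 they only work while mod_access_compat is loaded; the native
#   2.4 form is "Require all denied" / "Require all granted".
# - Every <IfModule> block is silently skipped when that module is absent, so a
#   server without mod_rewrite loses the wp-includes and query-string rules
#   without any error. Check the module list when verifying a deployment.
# - AllowOverride must permit Options, FileInfo, AuthConfig and Limit for these
#   directives to take effect from .htaccess at all.

# Enable .htpasswd authentication (optional, Apache 2.4+ because of <If>).
# Replace the AuthUserFile path with the real location of the password file;
# keep that file outside the web root. The "^.*\.([Hh][Tt][Aa])" block below
# also covers it in case it ends up inside the document root.
# <If "%{HTTP_HOST} != 'dev'">
# AuthType Basic
# AuthName "Login to dashboard"
# Require valid-user
# AuthUserFile /path/to/.htpasswd
# </If>

# Deny access to all .ht* files (.htaccess, .htpasswd, and copies such as
# .htaccess.bak). "Satisfy all" keeps the denial in force even when an
# Auth* block above would otherwise grant access.
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

# Deny direct access to wp-config.php (database credentials and salts).
<Files wp-config.php>
order allow,deny
deny from all
</Files>

# Disable directory browsing.
# Deliberately a relative "-Indexes" rather than "ALL -Indexes": "ALL" would
# switch on every option (ExecCGI, Includes, FollowSymLinks, ...) and so
# widen what the server is willing to execute, which is the opposite of the
# intent of this file. FollowSymLinks is added separately further down.
Options -Indexes

# Static-only allowlist (DISABLED here on purpose).
# A top-level "Deny from all" in the site-root .htaccess denies every request
# that no <Files> block re-allows: index.php, wp-login.php, every other PHP
# entry point, and any asset type not in the list (fonts, .ico, .txt, .svg).
# Use this pattern only in a directory that must never serve scripts, e.g.
# wp-content/uploads/.htaccess, and extend the extension list to what that
# directory legitimately holds. The dot is escaped so it matches a literal ".".
# Order deny,allow
# Deny from all
# <Files ~ "\.(xml|css|js|jpe?g|png|gif|pdf|docx|rtf|odf|zip|rar)$">
# Allow from all
# </Files>

# Block direct requests to PHP files under wp-includes and to wp-admin/includes.
# "[S=3]" skips the next three rules for any path that is not under
# wp-includes/, so only the three wp-includes rules are affected by it.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# Prevent image hotlinking (optional). Replace yourwebsite.com with the real
# host (dots escaped, it is a regex) and the last URL with the image to serve
# instead. The empty-referer condition keeps direct visits and most browsers
# with referer suppression working.
# <IfModule mod_rewrite.c>
# RewriteEngine on
# RewriteCond %{HTTP_REFERER} !^$
# RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourwebsite\.com [NC]
# RewriteRule \.(jpg|jpeg|png|gif)$ http://i.imgur.com/MlQAH71.jpg [NC,R,L]
# </IfModule>

# Browser caching. Not a security control; kept as in the original.
# "image/jpg" and "text/x-javascript" are not registered MIME types, so those
# two lines only take effect if the server actually labels files that way
# (image/jpeg below covers the usual case).
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresDefault "access 2 days"
</IfModule>

# Restrict PHP execution in the uploads directory (optional).
# <Directory> is not allowed inside .htaccess; put the inner <Files> block in
# wp-content/uploads/.htaccess instead, or keep this in the server config.
# <Directory "/var/www/wp-content/uploads/">
# <Files "*.php">
# Order Deny,Allow
# Deny from All
# </Files>
# </Directory>

# Reject obviously malicious query strings.
# This is a coarse signature filter, not input validation: it catches
# "<script ... >" (plain or URL-encoded) and attempts to pass GLOBALS/_REQUEST
# as query parameters. The "[" after GLOBALS and _REQUEST is escaped so it is
# matched literally instead of opening a character class; "%" is escaped so the
# pattern cannot be mistaken for a backreference. A [F] rule ignores its
# substitution, so "-" is used as in the wp-includes rules above.
Options +FollowSymLinks
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* - [F,L]
</IfModule>

# Prevent username enumeration via ?author=N.
# WordPress answers /?author=N with a redirect to /author/<login>/, which
# exposes the login name of user N; such requests are sent to the front page
# instead (the trailing "?" drops the query string). The pattern requires a
# digit after "author=" (the original "author=d" only matched the literal
# letter d) and is anchored to a parameter boundary so "coauthor=" is not hit.
# wp-admin is excluded because its list screens use author= legitimately.
# This does not cover other enumeration paths such as the REST users
# endpoint; those have to be handled inside WordPress.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} (^|&)author=\d [NC]
RewriteRule ^ /? [L,R=301]
</IfModule>

# Require SSL (optional). Both host names must be the canonical site host;
# the original listed two different spellings. "ErrorDocument 403 <URL>"
# makes Apache answer a plain-HTTP request with a redirect to that URL.
# SSLOptions +StrictRequire
# SSLRequireSSL
# SSLRequire %{HTTP_HOST} eq "www.your-site.com"
# ErrorDocument 403 https://www.your-site.com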