@obviousdisaster
Created February 24, 2024 14:09
WordPress .htaccess
# force http to https
# note: behind a TLS-terminating proxy or load balancer %{HTTPS} is never "on";
# condition on %{HTTP:X-Forwarded-Proto} !https there instead
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
# disable directory listing
Options -Indexes +FollowSymLinks -MultiViews
# turn off Apache version
ServerSignature Off
# clickjacking and content-type protection
# "always" applies the headers to error and redirect responses too, which plain "set" skips
<IfModule mod_headers.c>
# frame-ancestors 'self' agrees with X-Frame-Options SAMEORIGIN below; 'none' would contradict it
# and break the WordPress Customizer preview, which frames the site from the same origin
Header always set Content-Security-Policy "frame-ancestors 'self';"
Header always set X-Frame-Options "SAMEORIGIN"
# the browser XSS auditor this header controlled has been removed from current browsers;
# "0" is the only recommended value, it disables it where it still exists
Header always set X-XSS-Protection "0"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "same-origin"
# caution: dropping Vary lets shared caches serve a compressed or otherwise negotiated
# response to clients that did not ask for it; keep this line only if you know why it is here
Header unset Vary
</IfModule>
# better search url: /?s=term -> /search/term/ (served by the WordPress rewrite at the end)
# anchored so only the s= parameter matches, not e.g. "tags=..."; the trailing ? drops the old query string
RewriteCond %{QUERY_STRING} (^|&)s=([^&]+) [NC]
RewriteRule ^$ /search/%2/? [NC,R,L]
# Blocks some XSS attacks
# a crude query-string filter for the most obvious <script> injection patterns; it is a
# backstop only and no substitute for escaping output in themes and plugins
<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^ - [F,L]
</IfModule>
# deny direct access to sensitive files: wp-config.php and its sample, error logs,
# version-revealing readme/license files, and .ht* files (.htaccess, .htpasswd)
# Order/Deny is Apache 2.2 syntax that 2.4 only honours with mod_access_compat loaded,
# so both forms are given and the one matching the running server applies
<FilesMatch "^\.ht|wp-config\.php|wp-config-sample\.php|error_log|readme\.html|license\.txt">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</FilesMatch>
# Block WordPress Author Scans
# covers only the ?author=N query form on the public site; author permalinks and the REST API
# are separate concerns. wp-admin is excluded because its post list filters by author=ID.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} !^/wp-admin/ [NC]
RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
RewriteRule ^ - [F,L]
</IfModule>
# BEGIN WordPress
# generated by WordPress and rewritten when permalinks are saved; keep custom rules outside these markers
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
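An added audit helper, example code that is not part of the gist: it scans .htaccess text for pitfalls common in copied WordPress hardening snippets (Apache 2.2-only Order/Deny access control, a CSP frame-ancestors value that contradicts X-Frame-Options, a non-zero X-XSS-Protection, and an unset Vary header). The sample it checks and the finding codes it returns are constructed for this example.

```python
import re

# Constructed sample (not the gist's exact file): the header and access-control
# parts of a WordPress .htaccess written in the older Apache 2.2 style.
WEAK_HTACCESS = """\
<IfModule mod_headers.c>
Header set Content-Security-Policy "frame-ancestors 'none';"
Header set X-Frame-Options "sameorigin"
Header set X-XSS-Protection "1; mode=block"
Header unset Vary
</IfModule>
<Files wp-config.php>
Order deny,allow
deny from all
</Files>
"""

HEADER_RE = re.compile(r'^\s*Header\s+(?:always\s+)?(set|unset)\s+(\S+)\s*"?([^"\n]*)"?', re.I | re.M)
LEGACY_ACCESS_RE = re.compile(r'^\s*(Order|Deny from|Allow from)\b', re.I | re.M)
REQUIRE_RE = re.compile(r'^\s*Require\s+all\s+denied\b', re.I | re.M)
# X-Frame-Options values and the CSP frame-ancestors source each one corresponds to.
XFO_TO_CSP = {"deny": "'none'", "sameorigin": "'self'"}


def audit_htaccess(text):
    """Return finding codes for common hardening mistakes in .htaccess text."""
    findings = []
    headers, unset = {}, set()
    for action, name, value in HEADER_RE.findall(text):
        if action.lower() == "set":
            headers[name.lower()] = value.strip()
        else:
            unset.add(name.lower())
    # Order/Deny/Allow live in mod_access_compat on Apache 2.4; without that module
    # "Order" is an unknown directive and every request to the directory fails with 500.
    if LEGACY_ACCESS_RE.search(text) and not REQUIRE_RE.search(text):
        findings.append("legacy-access-control")
    # Browsers that support CSP let frame-ancestors override X-Frame-Options, so the
    # two must agree or the XFO value documents a policy that is not actually enforced.
    csp = headers.get("content-security-policy", "")
    fa = re.search(r"frame-ancestors\s+([^;]+)", csp, re.I)
    xfo = headers.get("x-frame-options", "").lower()
    if fa and xfo in XFO_TO_CSP and fa.group(1).strip() != XFO_TO_CSP[xfo]:
        findings.append("frame-policy-mismatch")
    # X-XSS-Protection is obsolete; "0" is the only recommended value.
    if headers.get("x-xss-protection", "0") != "0":
        findings.append("legacy-xss-header")
    # Dropping Vary lets shared caches hand a negotiated body to clients that never asked for it.
    if "vary" in unset:
        findings.append("vary-unset")
    return findings
```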