UPDATE 2022/08: Perfect .htaccess file for highspeed and security. You can use it for every WordPress-Website without problems. Highspeed and Security - testet on hundreds of Websites. If you are using a WordPress Multisite, change the last part of this file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ######################################################################## | |
| # OPTIMAL .htaccess FILE FOR SPEED AND SECURITY @Version 2.0.5 - 08/2022 | |
| # ---------------------------------------------------------------------- | |
| # @Author: Andreas Hecht | |
| # @Author URI: https://seoagentur-hamburg.com | |
| # License: GNU General Public License v2 or later | |
| # License URI: http://www.gnu.org/licenses/gpl-2.0.html | |
| ######################################################################## | |
| # ---------------------------------------------------------------------- | |
| # Rewrite from HTTP to HTTPS - if you want to use it, comment it out | |
| # ---------------------------------------------------------------------- | |
| #<IfModule mod_rewrite.c> | |
| #RewriteEngine On | |
| #RewriteCond %{HTTPS} !=on | |
| #RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] | |
| #</IfModule> | |
| # ---------------------------------------------------------------------- | |
| # | Activate CORS | |
| # ---------------------------------------------------------------------- | |
| <IfModule mod_headers.c> | |
| <FilesMatch "\.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js|mjs|gif|png|jpe?g|svg|svgz|ico|webp)$"> | |
| Header set Access-Control-Allow-Origin "*" | |
| </FilesMatch> | |
| </IfModule> | |
| # ----------------------------------------------------------------------- | |
| # | 404 Fix: Block Nuisance Requests for Non-Existent Files - New in 2018 | |
| # https://perishablepress.com/block-nuisance-requests - @Update 2019 | |
| # ----------------------------------------------------------------------- | |
| <IfModule mod_alias.c> | |
| RedirectMatch 403 (?i)\.php\.suspected | |
| RedirectMatch 403 (?i)apple-app-site-association | |
| RedirectMatch 403 (?i)/autodiscover/autodiscover.xml | |
| </IfModule> | |
| # ---------------------------------------------------------------------- | |
| # | Compressing and Caching - Version 2022 Update javascript modules | | |
| # ---------------------------------------------------------------------- | |
| # Serve resources with far-future expires headers. | |
| # | |
| # (!) If you don't control versioning with filename-based | |
| # cache busting, you should consider lowering the cache times | |
| # to something like one week. | |
| # | |
| # https://httpd.apache.org/docs/current/mod/mod_expires.html | |
| <IfModule mod_expires.c> | |
| ExpiresActive on | |
| ExpiresDefault "access plus 1 month" | |
| # CSS | |
| ExpiresByType text/css "access plus 1 year" | |
| # Data interchange | |
| ExpiresByType application/atom+xml "access plus 1 hour" | |
| ExpiresByType application/rdf+xml "access plus 1 hour" | |
| ExpiresByType application/rss+xml "access plus 1 hour" | |
| ExpiresByType application/json "access plus 0 seconds" | |
| ExpiresByType application/ld+json "access plus 0 seconds" | |
| ExpiresByType application/schema+json "access plus 0 seconds" | |
| ExpiresByType application/vnd.geo+json "access plus 0 seconds" | |
| ExpiresByType application/xml "access plus 0 seconds" | |
| ExpiresByType text/xml "access plus 0 seconds" | |
| # Favicon (cannot be renamed!) and cursor images | |
| ExpiresByType image/vnd.microsoft.icon "access plus 1 week" | |
| ExpiresByType image/x-icon "access plus 1 week" | |
| # HTML - No Caching | |
| ExpiresByType text/html "access plus 0 seconds" | |
| # JavaScript | |
| ExpiresByType application/javascript "access plus 1 year" | |
| ExpiresByType application/x-javascript "access plus 1 year" | |
| ExpiresByType text/javascript "access plus 1 year" | |
| # Manifest files | |
| ExpiresByType application/manifest+json "access plus 1 week" | |
| ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds" | |
| ExpiresByType text/cache-manifest "access plus 0 seconds" | |
| # Update 2020: Google recommendation: cache duration increased to 1 year | |
| # @see: https://web.dev/uses-long-cache-ttl/ | |
| # Media files | |
| ExpiresByType audio/ogg "access plus 1 year" | |
| ExpiresByType image/bmp "access plus 1 year" | |
| ExpiresByType image/gif "access plus 1 year" | |
| ExpiresByType image/jpeg "access plus 1 year" | |
| ExpiresByType image/png "access plus 1 year" | |
| ExpiresByType image/svg+xml "access plus 1 year" | |
| ExpiresByType image/webp "access plus 1 year" | |
| ExpiresByType video/mp4 "access plus 1 year" | |
| ExpiresByType video/ogg "access plus 1 year" | |
| ExpiresByType video/webm "access plus 1 year" | |
| # Web fonts | |
| # Embedded OpenType (EOT) | |
| ExpiresByType application/vnd.ms-fontobject "access plus 1 year" | |
| ExpiresByType font/eot "access plus 1 year" | |
| # OpenType | |
| ExpiresByType font/opentype "access plus 1 year" | |
| # TrueType | |
| ExpiresByType application/x-font-ttf "access plus 1 year" | |
| # Web Open Font Format (WOFF) 1.0 | |
| ExpiresByType application/font-woff "access plus 1 year" | |
| ExpiresByType application/x-font-woff "access plus 1 year" | |
| ExpiresByType font/woff "access plus 1 year" | |
| # Web Open Font Format (WOFF) 2.0 | |
| ExpiresByType application/font-woff2 "access plus 1 year" | |
| # Other | |
| ExpiresByType text/x-cross-domain-policy "access plus 1 week" | |
| </IfModule> | |
| <IfModule mod_deflate.c> | |
| # Insert filters / compress text, html, javascript, css, xml: | |
| AddOutputFilterByType DEFLATE text/plain | |
| AddOutputFilterByType DEFLATE text/html | |
| AddOutputFilterByType DEFLATE text/xml | |
| AddOutputFilterByType DEFLATE text/css | |
| AddOutputFilterByType DEFLATE text/vtt | |
| AddOutputFilterByType DEFLATE text/x-component | |
| AddOutputFilterByType DEFLATE application/xml | |
| AddOutputFilterByType DEFLATE application/xhtml+xml | |
| AddOutputFilterByType DEFLATE application/rss+xml | |
| AddOutputFilterByType DEFLATE application/js | |
| AddOutputFilterByType DEFLATE application/javascript | |
| AddOutputFilterByType DEFLATE application/x-javascript | |
| AddOutputFilterByType DEFLATE application/x-httpd-php | |
| AddOutputFilterByType DEFLATE application/x-httpd-fastphp | |
| AddOutputFilterByType DEFLATE application/atom+xml | |
| AddOutputFilterByType DEFLATE application/json | |
| AddOutputFilterByType DEFLATE application/ld+json | |
| AddOutputFilterByType DEFLATE application/vnd.ms-fontobject | |
| AddOutputFilterByType DEFLATE application/x-font-ttf | |
| AddOutputFilterByType DEFLATE application/font-woff2 | |
| AddOutputFilterByType DEFLATE application/x-font-woff | |
| AddOutputFilterByType DEFLATE application/x-web-app-manifest+json font/woff | |
| AddOutputFilterByType DEFLATE font/woff | |
| AddOutputFilterByType DEFLATE font/opentype | |
| AddOutputFilterByType DEFLATE image/svg+xml | |
| AddOutputFilterByType DEFLATE image/x-icon | |
| # Exception: Images | |
| SetEnvIfNoCase REQUEST_URI \.(?:gif|jpg|jpeg|png|svg)$ no-gzip dont-vary | |
| # Drop problematic browsers | |
| BrowserMatch ^Mozilla/4 gzip-only-text/html | |
| BrowserMatch ^Mozilla/4\.0[678] no-gzip | |
| BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html | |
| # Make sure proxies don't deliver the wrong content | |
| Header append Vary User-Agent env=!dont-vary | |
| </IfModule> | |
| #Alternative caching using Apache's "mod_headers", if it's installed. | |
| #Caching of common files - ENABLED | |
| <IfModule mod_headers.c> | |
| <FilesMatch "\.(ico|pdf|flv|swf|js|mjs|css|gif|png|jpg|jpeg|txt|woff2|woff)$"> | |
| Header set Cache-Control "max-age=31536000, public" | |
| </FilesMatch> | |
| </IfModule> | |
| <IfModule mod_headers.c> | |
| <FilesMatch "\.(js|mjs|css|xml|gz)$"> | |
| Header append Vary Accept-Encoding | |
| </FilesMatch> | |
| </IfModule> | |
| # Set Keep Alive Header | |
| <IfModule mod_headers.c> | |
| Header set Connection keep-alive | |
| </IfModule> | |
| # If your server don't support ETags deactivate with "None" (and remove header) | |
| <IfModule mod_expires.c> | |
| <IfModule mod_headers.c> | |
| Header unset ETag | |
| </IfModule> | |
| FileETag None | |
| </IfModule> | |
| <IfModule mod_headers.c> | |
| <FilesMatch ".(js|mjs|css|xml|gz|html|woff|woff2|ttf)$"> | |
| Header append Vary: Accept-Encoding | |
| </FilesMatch> | |
| </IfModule> | |
| # ---------------------------------------------------------------------- | |
| # | 7G Firewall for Security - Do not change this part @Update 2021 | |
| # ---------------------------------------------------------------------- | |
| # 7G FIREWALL v1.5 20211103 | |
| # @ https://perishablepress.com/7g-firewall/ | |
| # 7G:[CORE] | |
| ServerSignature Off | |
| Options -Indexes | |
| RewriteEngine On | |
| RewriteBase / | |
| # 7G:[QUERY STRING] | |
| <IfModule mod_rewrite.c> | |
| RewriteCond %{QUERY_STRING} ([a-z0-9]{2000,}) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (/|%2f)(:|%3a)(/|%2f) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (order(\s|%20)by(\s|%20)1--) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (/|%2f)(\*|%2a)(\*|%2a)(/|%2f) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (`|<|>|\^|\|\\|0x00|%00|%0d%0a) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (ckfinder|fck|fckeditor|fullclick) [NC,OR] | |
| RewriteCond %{QUERY_STRING} ((.*)header:|(.*)set-cookie:(.*)=) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (cmd|command)(=|%3d)(chdir|mkdir)(.*)(x20) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (globals|mosconfig([a-z_]{1,22})|request)(=|\[) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (/|%2f)((wp-)?config)((\.|%2e)inc)?((\.|%2e)php) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumbs?)?)((\.|%2e)php) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (absolute_|base|root_)(dir|path)(=|%3d)(ftp|https?) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (localhost|loopback|127(\.|%2e)0(\.|%2e)0(\.|%2e)1) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (s)?(ftp|inurl|php)(s)?(:(/|%2f|%u2215)(/|%2f|%u2215)) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (\.|20)(get|the)(_|%5f)(permalink|posts_page_url)(\(|%28) [NC,OR] | |
| RewriteCond %{QUERY_STRING} ((boot|win)((\.|%2e)ini)|etc(/|%2f)passwd|self(/|%2f)environ) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (((/|%2f){3,3})|((\.|%2e){3,3})|((\.|%2e){2,2})(/|%2f|%u2215)) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (benchmark|char|exec|fopen|function|html)(.*)(\(|%28)(.*)(\)|%29) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (php)([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (e|%65|%45)(v|%76|%56)(a|%61|%31)(l|%6c|%4c)(.*)(\(|%28)(.*)(\)|%29) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (/|%2f)(=|%3d|$&|_mm|cgi(\.|-)|inurl(:|%3a)(/|%2f)|(mod|path)(=|%3d)(\.|%2e)) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (<|%3c)(.*)(e|%65|%45)(m|%6d|%4d)(b|%62|%42)(e|%65|%45)(d|%64|%44)(.*)(>|%3e) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (<|%3c)(.*)(i|%69|%49)(f|%66|%46)(r|%72|%52)(a|%61|%41)(m|%6d|%4d)(e|%65|%45)(.*)(>|%3e) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (<|%3c)(.*)(o|%4f|%6f)(b|%62|%42)(j|%4a|%6a)(e|%65|%45)(c|%63|%43)(t|%74|%54)(.*)(>|%3e) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (<|%3c)(.*)(s|%73|%53)(c|%63|%43)(r|%72|%52)(i|%69|%49)(p|%70|%50)(t|%74|%54)(.*)(>|%3e) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (\+|%2b|%20)(d|%64|%44)(e|%65|%45)(l|%6c|%4c)(e|%65|%45)(t|%74|%54)(e|%65|%45)(\+|%2b|%20) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (\+|%2b|%20)(i|%69|%49)(n|%6e|%4e)(s|%73|%53)(e|%65|%45)(r|%72|%52)(t|%74|%54)(\+|%2b|%20) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (\+|%2b|%20)(s|%73|%53)(e|%65|%45)(l|%6c|%4c)(e|%65|%45)(c|%63|%43)(t|%74|%54)(\+|%2b|%20) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (\+|%2b|%20)(u|%75|%55)(p|%70|%50)(d|%64|%44)(a|%61|%41)(t|%74|%54)(e|%65|%45)(\+|%2b|%20) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (\\x00|(\"|%22|\'|%27)?0(\"|%22|\'|%27)?(=|%3d)(\"|%22|\'|%27)?0|cast(\(|%28)0x|or%201(=|%3d)1) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (g|%67|%47)(l|%6c|%4c)(o|%6f|%4f)(b|%62|%42)(a|%61|%41)(l|%6c|%4c)(s|%73|%53)(=|\[|%[0-9A-Z]{0,2}) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (_|%5f)(r|%72|%52)(e|%65|%45)(q|%71|%51)(u|%75|%55)(e|%65|%45)(s|%73|%53)(t|%74|%54)(=|\[|%[0-9A-Z]{2,}) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (j|%6a|%4a)(a|%61|%41)(v|%76|%56)(a|%61|%31)(s|%73|%53)(c|%63|%43)(r|%72|%52)(i|%69|%49)(p|%70|%50)(t|%74|%54)(:|%3a)(.*)(;|%3b|\)|%29) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (b|%62|%42)(a|%61|%41)(s|%73|%53)(e|%65|%45)(6|%36)(4|%34)(_|%5f)(e|%65|%45|d|%64|%44)(e|%65|%45|n|%6e|%4e)(c|%63|%43)(o|%6f|%4f)(d|%64|%44)(e|%65|%45)(.*)(\()(.*)(\)) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (@copy|\$_(files|get|post)|allow_url_(fopen|include)|auto_prepend_file|blexbot|browsersploit|(c99|php)shell|curl(_exec|test)|disable_functions?|document_root|elastix|encodeuricom|exploit|fclose|fgets|file_put_contents|fputs|fsbuff|fsockopen|gethostbyname|grablogin|hmei7|input_file|null|open_basedir|outfile|passthru|phpinfo|popen|proc_open|quickbrute|remoteview|root_path|safe_mode|shell_exec|site((.){0,2})copier|sux0r|trojan|user_func_array|wget|xertive) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (;|<|>|\'|\"|\)|%0a|%0d|%22|%27|%3c|%3e|%00)(.*)(/\*|alter|base64|benchmark|cast|concat|convert|create|encode|declare|delete|drop|insert|md5|request|script|select|set|union|update) [NC,OR] | |
| RewriteCond %{QUERY_STRING} ((\+|%2b)(concat|delete|get|select|union)(\+|%2b)) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (union)(.*)(select)(.*)(\(|%28) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (concat|eval)(.*)(\(|%28) [NC] | |
| RewriteRule .* - [F,L] | |
| # RewriteRule .* /7G_log.php?log [END,NE,E=7G_QUERY_STRING:%1___%2___%3] | |
| </IfModule> | |
| # 7G:[REQUEST URI] | |
| <IfModule mod_rewrite.c> | |
| RewriteCond %{REQUEST_URI} (\^|`|<|>|\\|\|) [NC,OR] | |
| RewriteCond %{REQUEST_URI} ([a-z0-9]{2000,}) [NC,OR] | |
| RewriteCond %{REQUEST_URI} (=?\\(\'|%27)/?)(\.) [NC,OR] | |
| RewriteCond %{REQUEST_URI} (/)(\*|\"|\'|\.|,|&|&?)/?$ [NC,OR] | |
| RewriteCond %{REQUEST_URI} (\.)(php)(\()?([0-9]+)(\))?(/)?$ [NC,OR] | |
| RewriteCond %{REQUEST_URI} (/)(vbulletin|boards|vbforum)(/)? [NC,OR] | |
| RewriteCond %{REQUEST_URI} /((.*)header:|(.*)set-cookie:(.*)=) [NC,OR] | |
| RewriteCond %{REQUEST_URI} (/)(ckfinder|fck|fckeditor|fullclick) [NC,OR] | |
| RewriteCond %{REQUEST_URI} (\.(s?ftp-?)config|(s?ftp-?)config\.) [NC,OR] | |
| RewriteCond %{REQUEST_URI} (\{0\}|\"?0\"?=\"?0|\(/\(|\.\.\.|\+\+\+|\\\") [NC,OR] | |
| RewriteCond %{REQUEST_URI} (thumbs?(_editor|open)?|tim(thumbs?)?)(\.php) [NC,OR] | |
| RewriteCond %{REQUEST_URI} (\.|20)(get|the)(_)(permalink|posts_page_url)(\() [NC,OR] | |
| RewriteCond %{REQUEST_URI} (///|\?\?|/&&|/\*(.*)\*/|/:/|\\\\|0x00|%00|%0d%0a) [NC,OR] | |
| RewriteCond %{REQUEST_URI} (/%7e)(root|ftp|bin|nobody|named|guest|logs|sshd)(/) [NC,OR] | |
| RewriteCond %{REQUEST_URI} (/)(etc|var)(/)(hidden|secret|shadow|ninja|passwd|tmp)(/)?$ [NC,OR] | |
| RewriteCond %{REQUEST_URI} (s)?(ftp|http|inurl|php)(s)?(:(/|%2f|%u2215)(/|%2f|%u2215)) [NC,OR] | |
| RewriteCond %{REQUEST_URI} (/)(=|\$&?|&?(pws|rk)=0|_mm|_vti_|cgi(\.|-)?|(=|/|;|,)nt\.) [NC,OR] | |
| RewriteCond %{REQUEST_URI} (\.)(ds_store|htaccess|htpasswd|init?|mysql-select-db)(/)?$ [NC,OR] | |
| RewriteCond %{REQUEST_URI} (/)(bin)(/)(cc|chmod|chsh|cpp|echo|id|kill|mail|nasm|perl|ping|ps|python|tclsh)(/)?$ [NC,OR] | |
| RewriteCond %{REQUEST_URI} (/)(::[0-9999]|%3a%3a[0-9999]|127\.0\.0\.1|localhost|loopback|makefile|pingserver|wwwroot)(/)? [NC,OR] | |
| RewriteCond %{REQUEST_URI} (\(null\)|\{\$itemURL\}|cAsT\(0x|echo(.*)kae|etc/passwd|eval\(|self/environ|\+union\+all\+select) [NC,OR] | |
| RewriteCond %{REQUEST_URI} (/)?j((\s)+)?a((\s)+)?v((\s)+)?a((\s)+)?s((\s)+)?c((\s)+)?r((\s)+)?i((\s)+)?p((\s)+)?t((\s)+)?(%3a|:) [NC,OR] | |
| RewriteCond %{REQUEST_URI} (/)(awstats|(c99|php|web)shell|document_root|error_log|listinfo|muieblack|remoteview|site((.){0,2})copier|sqlpatch|sux0r) [NC,OR] | |
| RewriteCond %{REQUEST_URI} (/)((php|web)?shell|crossdomain|fileditor|locus7|nstview|php(get|remoteview|writer)|r57|remview|sshphp|storm7|webadmin)(.*)(\.|\() [NC,OR] | |
| RewriteCond %{REQUEST_URI} (/)(author-panel|bitrix|class|database|(db|mysql)-?admin|filemanager|htdocs|httpdocs|https?|mailman|mailto|msoffice|mysql|_?php-my-admin(.*)|tmp|undefined|usage|var|vhosts|webmaster|www)(/) [NC,OR] | |
| RewriteCond %{REQUEST_URI} (base64_(en|de)code|benchmark|child_terminate|curl_exec|e?chr|eval|function|fwrite|(f|p)open|html|leak|passthru|p?fsockopen|phpinfo|posix_(kill|mkfifo|setpgid|setsid|setuid)|proc_(close|get_status|nice|open|terminate)|(shell_)?exec|system)(.*)(\()(.*)(\)) [NC,OR] | |
| RewriteCond %{REQUEST_URI} (/)(^$|00.temp00|0day|3index|3xp|70bex?|admin_events|bkht|(php|web)?shell|c99|config(\.)?bak|curltest|db|dompdf|filenetworks|hmei7|index\.php/index\.php/index|jahat|kcrew|keywordspy|libsoft|marg|mobiquo|mysql|nessus|php-?info|racrew|sql|vuln|(web-?|wp-)?(conf\b|config(uration)?)|xertive)(\.php) [NC,OR] | |
| RewriteCond %{REQUEST_URI} (\.)(7z|ab4|ace|afm|ashx|aspx?|bash|ba?k?|bin|bz2|cfg|cfml?|cgi|conf\b|config|ctl|dat|db|dist|dll|eml|engine|env|et2|exe|fec|fla|git|hg|inc|ini|inv|jsp|log|lqd|make|mbf|mdb|mmw|mny|module|old|one|orig|out|passwd|pdb|phtml|pl|profile|psd|pst|ptdb|pwd|py|qbb|qdf|rar|rdf|save|sdb|sql|sh|soa|svn|swf|swl|swo|swp|stx|tar|tax|tgz|theme|tls|tmd|wow|xtmpl|ya?ml|zlib)$ [NC] | |
| RewriteRule .* - [F,L] | |
| # RewriteRule .* /7G_log.php?log [END,NE,E=7G_REQUEST_URI:%1___%2___%3] | |
| </IfModule> | |
| # 7G:[USER AGENT] | |
| <IfModule mod_rewrite.c> | |
| RewriteCond %{HTTP_USER_AGENT} ([a-z0-9]{2000,}) [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} (<|%0a|%0d|%27|%3c|%3e|%00|0x00) [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} (ahrefs|alexibot|majestic|mj12bot|rogerbot) [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} ((c99|php|web)shell|remoteview|site((.){0,2})copier) [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} (econtext|eolasbot|eventures|liebaofast|nominet|oppo\sa33) [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} (base64_decode|bin/bash|disconnect|eval|lwp-download|unserialize|\\\x22) [NC,OR] | |
| RewriteCond %{HTTP_USER_AGENT} (acapbot|acoonbot|asterias|attackbot|backdorbot|becomebot|binlar|blackwidow|blekkobot|blexbot|blowfish|bullseye|bunnys|butterfly|careerbot|casper|checkpriv|cheesebot|cherrypick|chinaclaw|choppy|clshttp|cmsworld|copernic|copyrightcheck|cosmos|crescent|cy_cho|datacha|demon|diavol|discobot|dittospyder|dotbot|dotnetdotcom|dumbot|emailcollector|emailsiphon|emailwolf|extract|eyenetie|feedfinder|flaming|flashget|flicky|foobot|g00g1e|getright|gigabot|go-ahead-got|gozilla|grabnet|grafula|harvest|heritrix|httrack|icarus6j|jetbot|jetcar|jikespider|kmccrew|leechftp|libweb|linkextractor|linkscan|linkwalker|loader|masscan|miner|mechanize|morfeus|moveoverbot|netmechanic|netspider|nicerspro|nikto|ninja|nutch|octopus|pagegrabber|petalbot|planetwork|postrank|proximic|purebot|pycurl|python|queryn|queryseeker|radian6|radiation|realdownload|scooter|seekerspider|semalt|siclab|sindice|sistrix|sitebot|siteexplorer|sitesnagger|skygrid|smartdownload|snoopy|sosospider|spankbot|spbot|sqlmap|stackrambler|stripper|sucker|surftbot|sux0r|suzukacz|suzuran|takeout|teleport|telesoft|true_robots|turingos|turnit|vampire|vikspider|voideye|webleacher|webreaper|webstripper|webvac|webviewer|webwhacker|winhttp|wwwoffle|woxbot|xaldon|xxxyy|yamanalab|yioopbot|youda|zeus|zmeu|zune|zyborg) [NC] | |
| RewriteRule .* - [F,L] | |
| # RewriteRule .* /7G_log.php?log [END,NE,E=7G_USER_AGENT:%1] | |
| </IfModule> | |
| # 7G:[REMOTE HOST] | |
| <IfModule mod_rewrite.c> | |
| RewriteCond %{REMOTE_HOST} (163data|amazonaws|colocrossing|crimea|g00g1e|justhost|kanagawa|loopia|masterhost|onlinehome|poneytel|sprintdatacenter|reverse.softlayer|safenet|ttnet|woodpecker|wowrack) [NC] | |
| RewriteRule .* - [F,L] | |
| # RewriteRule .* /7G_log.php?log [END,NE,E=7G_REMOTE_HOST:%1] | |
| </IfModule> | |
| # 7G:[HTTP REFERRER] | |
| <IfModule mod_rewrite.c> | |
| RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC,OR] | |
| RewriteCond %{HTTP_REFERER} (order(\s|%20)by(\s|%20)1--) [NC,OR] | |
| RewriteCond %{HTTP_REFERER} (blue\spill|cocaine|ejaculat|erectile|erections|hoodia|huronriveracres|impotence|levitra|libido|lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby|ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo) [NC] | |
| RewriteRule .* - [F,L] | |
| # RewriteRule .* /7G_log.php?log [END,NE,E=7G_HTTP_REFERRER:%1] | |
| </IfModule> | |
| # 7G:[REQUEST METHOD] | |
| <IfModule mod_rewrite.c> | |
| RewriteCond %{REQUEST_METHOD} ^(connect|debug|move|trace|track) [NC] | |
| RewriteRule .* - [F,L] | |
| # RewriteRule .* /7G_log.php?log [END,NE,E=7G_REQUEST_METHOD:%1] | |
| </IfModule> | |
| ################################################################# | |
| # 7G Addon: Stop Aggressive Scanning for Uploads-Related Targets | |
| # https://perishablepress.com/stop-aggressive-scanning-uploads/ | |
| ################################################################# | |
| <IfModule mod_rewrite.c> | |
| # RewriteCond %{REQUEST_URI} /php(unit)?/ [NC,OR] | |
| # RewriteCond %{REQUEST_URI} \.(aspx?|env|git(ignore)?|phtml|rar|well-known) [NC,OR] | |
| # RewriteCond %{REQUEST_URI} /(cms|control_panel|dashboard|home_url=|lr-admin|manager|panel|staff|webadmin) [NC,OR] | |
| # RewriteCond %{REQUEST_URI} /(adm(in)?|blog|cache|checkout|controlpanel|ecommerce|export|magento(-1|web)?|market(place)?|mg|onli(n|k)e|orders?|shop|tmplconnector|uxm|web?store)/ [NC,OR] | |
| RewriteCond %{REQUEST_URI} (_timthumb_|timthumb.php) [NC,OR] | |
| RewriteCond %{REQUEST_URI} /(install|wp-config|xmlrpc)\.php [NC,OR] | |
| RewriteCond %{REQUEST_URI} /(uploadify|uploadbg|up__uzegp)\.php [NC,OR] | |
| RewriteCond %{REQUEST_URI} /(comm\.js|mysql-date-function|simplebootadmin|vuln\.htm|www\.root\.) [NC,OR] | |
| RewriteCond %{REQUEST_URI} /(admin-uploadify|fileupload|jquery-file-upload|upload_file|upload|uploadify|webforms)/ [NC,OR] | |
| RewriteCond %{REQUEST_URI} /(ajax_pluginconf|apikey|connector(.minimal)?|eval-stdin|f0x|login|router|setup-config|sssp|vuln|xattacker)\.php [NC] | |
| RewriteRule .* - [F,L] | |
| </IfModule> | |
| # ---------------------------------------------------------------------- | |
| # Block WordPress files from outside access | |
| # ---------------------------------------------------------------------- | |
| # No access to the install.php | |
| <files install.php> | |
| Order allow,deny | |
| Deny from all | |
| </files> | |
| # No access to the wp-config.php | |
| <files wp-config.php> | |
| Order allow,deny | |
| Deny from all | |
| </files> | |
| # No access to the readme.html | |
| <files readme.html> | |
| Order Allow,Deny | |
| Deny from all | |
| Satisfy all | |
| </Files> | |
| # No access to the liesmich.html for DE Edition | |
| <Files liesmich.html> | |
| Order Allow,Deny | |
| Deny from all | |
| Satisfy all | |
| </Files> | |
| # No error log access | |
| <files error_log> | |
| Order allow,deny | |
| Deny from all | |
| </files> | |
| #No access to the .htaccess und .htpasswd | |
| <FilesMatch "(\.htaccess|\.htpasswd)"> | |
| Order deny,allow | |
| Deny from all | |
| </FilesMatch> | |
| # Block access to includes folder | |
| <IfModule mod_rewrite.c> | |
| RewriteEngine On | |
| RewriteBase / | |
| RewriteRule ^wp-admin/includes/ - [F,L] | |
| RewriteRule !^wp-includes/ - [S=3] | |
| RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] | |
| RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L] | |
| RewriteRule ^wp-includes/theme-compat/ - [F,L] | |
| </IfModule> | |
| # ---------------------------------------------------------------------- | |
| # | Blocking the »ReallyLongRequest« Bandit - New in 2018 | |
| # https://perishablepress.com/blocking-reallylongrequest-bandit/ | |
| # ---------------------------------------------------------------------- | |
| <IfModule mod_rewrite.c> | |
| RewriteCond %{REQUEST_METHOD} .* [NC] | |
| RewriteCond %{THE_REQUEST} (YesThisIsAReallyLongRequest|ScanningForResearchPurpose) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (YesThisIsAReallyLongRequest|ScanningForResearchPurpose) [NC] | |
| RewriteRule .* - [F,L] | |
| </IfModule> | |
| # -------------------------------------------------------------------------------------------- | |
| # Ultimate hotlink protection - IMPORTANT: Change »?domain\« in line 361 to your domain name | |
| # Example: ?andreas-hecht\ ### if you do not use https, change https in line 361 to http | |
| # -------------------------------------------------------------------------------------------- | |
| #<IfModule mod_rewrite.c> | |
| # RewriteEngine on | |
| # RewriteCond %{HTTP_REFERER} !^$ | |
| # RewriteCond %{REQUEST_FILENAME} -f | |
| # RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC] | |
| # RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?domain\. [NC] | |
| # RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L] | |
| #</ifModule> | |
| # ---------------------------------------------------------------------- | |
| # Protect your WordPress Login with HTTP Authentification | |
| # ---------------------------------------------------------------------- | |
| # If you want to use it, comment it out and set your path to .htpasswd | |
| #<Files wp-login.php> | |
| #AuthName "Admin-Bereich" | |
| #AuthType Basic | |
| #AuthUserFile /usr/local/www/apache24/your-path/your-domain.com/.htpasswd | |
| #require valid-user | |
| #</Files> | |
| # ---------------------------------------------------------------------- | |
| # Switch off the security risk XML-RPC interface completely | |
| # ---------------------------------------------------------------------- | |
| ### @see https://digwp.com/2009/06/xmlrpc-php-security/ | |
| <Files xmlrpc.php> | |
| Order Deny,Allow | |
| Deny from all | |
| </Files> | |
| # ----------------------------------------------------------------------------- | |
| # HTTP SECURITY HEADER | Test on: https://securityheaders.com | UPDATE 05/2022 | |
| # ----------------------------------------------------------------------------- | |
| ### @see https://scotthelme.co.uk/hardening-your-http-response-headers | |
| ### UPDATE 2022 | |
| ## No-Referrer-Header | |
| <IfModule mod_headers.c> | |
| Header set Referrer-Policy "no-referrer" | |
| </IfModule> | |
| ## Strict Origin when cross origin Header | |
| #@see https://scotthelme.co.uk/a-new-security-header-referrer-policy/ | |
| <IfModule mod_headers.c> | |
| Header set Referrer-Policy "strict-origin-when-cross-origin" | |
| </IfModule> | |
| ## X-FRAME-OPTIONS-Header | |
| <IfModule mod_headers.c> | |
| Header set X-Frame-Options "sameorigin" | |
| </IfModule> | |
| ## X-XSS-PROTECTION-Header | |
| <IfModule mod_headers.c> | |
| Header set X-XSS-Protection "1; mode=block" | |
| </IfModule> | |
| ## X-Content-Type-Options-Header | |
| <IfModule mod_headers.c> | |
| Header set X-Content-Type-Options "nosniff" | |
| </IfModule> | |
| ## Strict-Transport-Security-Header - for HTTPS | |
| <IfModule mod_headers.c> | |
| Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" | |
| </IfModule> | |
| ## This prevents that false issued certificates for this website can be used unnoticed. (Experimental) | |
| ## @see https://tools.ietf.org/html/draft-ietf-httpbis-expect-ct-02 | |
| <IfModule mod_headers.c> | |
| Header set Expect-CT "enforce, max-age=21600" | |
| </IfModule> | |
| # Upgrade Insecure Requests to prevent mixed content | |
| <ifModule mod_headers.c> | |
| Header always set Content-Security-Policy "upgrade-insecure-requests" | |
| </IfModule> | |
| # Permissions Policy is a new header that allows a site to control which features and APIs can be used in the browser. | |
| ## Tutorial: https://github.com/w3c/webappsec-permissions-policy/blob/main/permissions-policy-explainer.md | |
| <IfModule mod_headers.c> | |
| Header always set Permissions-Policy "geolocation=(), midi=(),sync-xhr=(),accelerometer=(), gyroscope=(), magnetometer=(), camera=(), fullscreen=(self)" | |
| </IfModule> | |
| # ---------------------------------------------------------------------- | |
| # The original WordPress Rewrite Rules - Do not change anything here, | |
| # except you are using a WordPress Multisite | |
| # ---------------------------------------------------------------------- | |
| # BEGIN WordPress | |
| <IfModule mod_rewrite.c> | |
| RewriteEngine On | |
| RewriteBase / | |
| RewriteRule ^index\.php$ - [L] | |
| RewriteCond %{REQUEST_FILENAME} !-f | |
| RewriteCond %{REQUEST_FILENAME} !-d | |
| RewriteRule . /index.php [L] | |
| </IfModule> | |
| # END WordPress |
I too am facing the same problem and upon the trials I found that the 7G code is the problem. Once I disabled/removed everything started working fine.
The error that I was getting were:
- The resource from "http://.../wp-content/plugins/autoptimize/clas…ternal/php/persist-admin-notices-dismissal/dismiss-notice.js" was blocked due to MIME type ("text/html") mismatch (X-Content-Type-Options: nosniff).
admin.php - The resource from "http://.../wp-admin/load-scripts.php?c=0&load%…media-audiovideo,mce-view,imgareaselect,image-edit&ver=5.2.2" was blocked due to MIME type ("text/html") mismatch (X-Content-Type-Options: nosniff).
- The resource from "http://.../wp-content/plugins/autoptimize/clas…ternal/php/persist-admin-notices-dismissal/dismiss-notice.js" was blocked due to MIME type ("text/html") mismatch (X-Content-Type-Options: nosniff).
Browser - Firefox 68 also tested the same on Chrome
Hi!
Change 7G-Firewall back to 6G. https://gist.github.com/HechtMediaArts/f2ffa095a4bfc5969746ac622c8a06c0
@HechtMediaArts Moin/ Tach auch Andreas. Fabulous!
Security Ninja for WordPress also suggests to deactivate wp-admin/upgrade.php. Is there any reason against
# No access to the upgrade.php
<files upgrade.php>
Order allow,deny
Deny from all
</files>
?
.. and what about denying directory listings as per https://stackoverflow.com/questions/5932641/deny-directory-listing-with-htaccess?
# Deny directory listings (several approaches)
Options -Indexes
IndexIgnore *
<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews -Indexes
</IfModule>
</IfModule>
# END Deny directory listings
Hello, a slight gain by removing:
AddOutputFilterByType DEFLATE application / font-woff2
Is not necessary because the files in WOFF2 are already compressed
Have a nice Day
Hello, a slight gain by removing:
AddOutputFilterByType DEFLATE application / font-woff2
Is not necessary because the files in WOFF2 are already compressed
Have a nice Day
thanks for pointing that out. The line in Andreas Hecht (aka HechtMediaArts)'s above .htaccess to search for and remove is without spaces around the /:
AddOutputFilterByType DEFLATE application/font-woff2
I have remarked that
line 150
#### addOutputFilterByType DEFLATE application/x-web-app-manifest+json font/woff
addOutputFilterByType DEFLATE application/x-web-app-manifest+json
line 157
#### SetEnvIfNoCase REQUEST_URI \.(?:gif|jpg|jpeg|png|svg)$ no-gzip dont-vary
SetEnvIfNoCase REQUEST_URI \.(?:gif|jpg|jpeg|png|svg|webp)$ no-gzip dont-vary
line 171
#### <FilesMatch "\.(ico|pdf|flv|swf|js|css|gif|png|jpg|jpeg|txt)$">
<FilesMatch "\.(ico|pdf|flv|swf|js|css|gif|png|jpg|jpeg|txt|webp)$">
line 178 and 195/199
#### Header append Vary Accept-Encoding
Header append Vary: Accept-Encoding
>>>> Repetition with the same directive on line 197
line 196
############# <FilesMatch ".(js|css|xml|gz|html|woff|woff2|ttf)$">
<FilesMatch ".\(js|css|xml|gz|html|woff|woff2|ttf)$">
VARIATIONS
----------------
<Files xmlrpc.php>
order deny,allow
deny from all
# but access for jetpack services
Allow from 192.0.64.0/18
# </Files>
Have a nice night :-)
Oups …
LINE 196 :
<FilesMatch ".(js|css|xml|gz|html|woff|woff2|ttf)$">
Disable Code Execution for Uploads directory : Enabling this option will place a .htaccess file in your wp-content/uploads/ directory which prevents any PHP code in your uploads directory from executing. This is an added level of protection against a hacker managing to upload PHP code into your uploads directory. Even if they manage to do that, the code won’t execute if you have this option enabled. The contents of the .htaccess is:
# Code execution protection
<IfModule mod_php5.c>
php_flag engine 0
</IfModule>
<IfModule mod_php7.c>
php_flag engine 0
</IfModule>
AddHandler cgi-script .php .phtml .php3 .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
Thank you @pascalduboin . My wp-content/uploads/.htaccess already contains the following code:
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
</FilesMatch>
Do you see anything in it that conflicts with your code snippet? Would you add yours in addition, or replace mine with yours?
Not Working with Multisite (BuddyPress), showing 404 error
Added Network code at the end, but getting 404 for all pages
RewriteEngine On
RewriteBase /networkname/
RewriteRule ^index.php$ - [L]
add a trailing slash to /wp-admin
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).) $2 [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(..php)$ $2 [L]
RewriteRule . index.php [L]
Is this going to work with WP rocket or do I have to kill all the caching parameters before that?
Hello,
Is the code above also works for multisite wordpress?
Thanks for these code. Is there a way to also hide /wp-content/ and wp-content/* from the url? if so, would that block the images from showing under under /wp-content/uploads/?
and what will it show instead?
Thanks for these code. Is there a way to also hide /wp-content/ and wp-content/* from the url? if so, would that block the images from showing under under /wp-content/uploads/?
and what will it show instead?
better not to do it, wp-content is not only uploads but plugins and etc
Options -Indexes is fair enough to close the indexing of all directories
Technically I don't want to show any wp_* at all. My goal is to prevent visitors from knowing this is a WordPress site, at least in first glance. What is the best path to achieving this?
Technically I don't want to show any wp_* at all. My goal is to prevent visitors from knowing this is a WordPress site, at least in first glance. What is the best path to achieving this?
You can protect your Wordpress with Security plugins like All In One WP Security (it has a lot of features that add extra htaccess rules, hide access to system files, protect your wp-admin and etc) , but you can't hide the fact that it's WP entirely, your site won't work if you close access to wp_ directories, because WP itself work with it.
@HechtMediaArts Moin/ Tach auch Andreas. Fabulous!
Security Ninja for WordPress also suggests to deactivate wp-admin/upgrade.php. Is there any reason against
# No access to the upgrade.php <files upgrade.php> Order allow,deny Deny from all </files>
yes, there is: after a WP update:
Forbidden You don't have permission to access this resource
a lot of problems you have there... wordpress 5.5.1, nginx dynamic can't work with that. your htacssas cause me a lot of problems.
recommended you to adjust the file.
@seoagentur-hamburg
thank you
with the updates :) the security Headers is boom, but need little adjustment for Nginx.
Thank you for any time for updating the file for the people, you are a good person :)
Is double line 178-182 and 197-201 mistake or?
@robi052 I think you are right. It can be summarised.
@seoagentur-hamburg Can you please summarise it?
Version 1.5 of the 7G Firewall (https://perishablepress.com/downloads/7G-Changelog.txt) is already available. @seoagentur-hamburg can you please integrate it?
Version 1.5 of the 7G Firewall (https://perishablepress.com/downloads/7G-Changelog.txt) is already available. @seoagentur-hamburg can you please integrate it?
Done.
@seoagentur-hamburg Can you please compare lines 178 - 182 and 197 - 201? Can these be combined?
Version 1.5 of the 7G Firewall (perishablepress.com/downloads/7G-Changelog.txt) is already available. @seoagentur-hamburg can you please integrate it?
Done.
Thanks
After using this code, https://pagespeed.web.dev/ has problem with testing website.
Is something wrong only with my website?
hi there! many thanks for this very useful file!
i would recommend adding support for javascript modules (.mjs files) by adding /changing:
...
AddOutputFilterByType DEFLATE text/javascript
...
<FilesMatch "\.(ico|pdf|flv|swf|js|mjs|css|gif|png|jpg|jpeg|txt|woff2|woff)$">
...
<FilesMatch "\.(js|mjs|css|xml|gz)$">
...
<FilesMatch ".(js|mjs|css|xml|gz|html|woff|woff2|ttf)$">
...
i would recommend adding support for javascript modules (
.mjsfiles) by adding /changing:
Done! Thanks for Proposal.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I've the same problem...