########################################################################
# OPTIMAL .htaccess FILE FOR SPEED AND SECURITY @Version 2.0.1 - 08/2020
# ----------------------------------------------------------------------
# @Author: Andreas Hecht
# @Author URI: https://seoagentur-hamburg.com
# License: GNU General Public License v2 or later
# License URI: http://www.gnu.org/licenses/gpl-2.0.html
########################################################################
# ----------------------------------------------------------------------
# Rewrite from HTTP to HTTPS - to use it, remove the leading # from the block below
# ----------------------------------------------------------------------
#<IfModule mod_rewrite.c>
#RewriteEngine On
#RewriteCond %{HTTPS} !=on
#RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
#</IfModule>
# ----------------------------------------------------------------------
# | Activate CORS
# ----------------------------------------------------------------------
<IfModule mod_headers.c>
<FilesMatch "\.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js|gif|png|jpe?g|svg|svgz|ico|webp)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
</IfModule>
# -----------------------------------------------------------------------
# | 404 Fix: Block Nuisance Requests for Non-Existent Files - New in 2018
# https://perishablepress.com/block-nuisance-requests - @Update 2019
# -----------------------------------------------------------------------
<IfModule mod_alias.c>
RedirectMatch 403 (?i)\.php\.suspected
RedirectMatch 403 (?i)apple-app-site-association
RedirectMatch 403 (?i)/autodiscover/autodiscover.xml
</IfModule>
# ----------------------------------------------------------------------
# | Compressing and Caching - Version 2020
# ----------------------------------------------------------------------
# Serve resources with far-future expires headers.
#
# (!) If you don't control versioning with filename-based
# cache busting, you should consider lowering the cache times
# to something like one week.
#
# https://httpd.apache.org/docs/current/mod/mod_expires.html
<IfModule mod_expires.c>
ExpiresActive on
ExpiresDefault "access plus 1 month"
# CSS
ExpiresByType text/css "access plus 1 year"
# Data interchange
ExpiresByType application/atom+xml "access plus 1 hour"
ExpiresByType application/rdf+xml "access plus 1 hour"
ExpiresByType application/rss+xml "access plus 1 hour"
ExpiresByType application/json "access plus 0 seconds"
ExpiresByType application/ld+json "access plus 0 seconds"
ExpiresByType application/schema+json "access plus 0 seconds"
ExpiresByType application/vnd.geo+json "access plus 0 seconds"
ExpiresByType application/xml "access plus 0 seconds"
ExpiresByType text/xml "access plus 0 seconds"
# Favicon (cannot be renamed!) and cursor images
ExpiresByType image/vnd.microsoft.icon "access plus 1 week"
ExpiresByType image/x-icon "access plus 1 week"
# HTML - No Caching
ExpiresByType text/html "access plus 0 seconds"
# JavaScript
ExpiresByType application/javascript "access plus 1 year"
ExpiresByType application/x-javascript "access plus 1 year"
ExpiresByType text/javascript "access plus 1 year"
# Manifest files
ExpiresByType application/manifest+json "access plus 1 week"
ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
ExpiresByType text/cache-manifest "access plus 0 seconds"
# Update 2020: Google recommendation: cache duration increased to 1 year
# @see: https://web.dev/uses-long-cache-ttl/
# Media files
ExpiresByType audio/ogg "access plus 1 year"
ExpiresByType image/bmp "access plus 1 year"
ExpiresByType image/gif "access plus 1 year"
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType image/svg+xml "access plus 1 year"
ExpiresByType image/webp "access plus 1 year"
ExpiresByType video/mp4 "access plus 1 year"
ExpiresByType video/ogg "access plus 1 year"
ExpiresByType video/webm "access plus 1 year"
# Web fonts
# Embedded OpenType (EOT)
ExpiresByType application/vnd.ms-fontobject "access plus 1 year"
ExpiresByType font/eot "access plus 1 year"
# OpenType
ExpiresByType font/opentype "access plus 1 year"
# TrueType
ExpiresByType application/x-font-ttf "access plus 1 year"
# Web Open Font Format (WOFF) 1.0
ExpiresByType application/font-woff "access plus 1 year"
ExpiresByType application/x-font-woff "access plus 1 year"
ExpiresByType font/woff "access plus 1 year"
# Web Open Font Format (WOFF) 2.0
ExpiresByType application/font-woff2 "access plus 1 year"
# Other
ExpiresByType text/x-cross-domain-policy "access plus 1 week"
</IfModule>
<IfModule mod_deflate.c>
# Insert filters / compress text, html, javascript, css, xml:
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/vtt
AddOutputFilterByType DEFLATE text/x-component
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/js
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/x-httpd-php
AddOutputFilterByType DEFLATE application/x-httpd-fastphp
AddOutputFilterByType DEFLATE application/atom+xml
AddOutputFilterByType DEFLATE application/json
AddOutputFilterByType DEFLATE application/ld+json
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/font-woff2
AddOutputFilterByType DEFLATE application/x-font-woff
AddOutputFilterByType DEFLATE application/x-web-app-manifest+json
AddOutputFilterByType DEFLATE font/woff
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
# Exception: raster images are already compressed, so skip them.
# (SVG is text and is compressed by the image/svg+xml filter above, so it
# is deliberately NOT listed here: "no-gzip" would override that filter.)
SetEnvIfNoCase REQUEST_URI \.(?:gif|jpg|jpeg|png)$ no-gzip dont-vary
# Drop problematic browsers
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
</IfModule>
# Alternative caching using Apache's "mod_headers", if it's installed.
# Caching of common files - ENABLED
<IfModule mod_headers.c>
<FilesMatch "\.(ico|pdf|flv|swf|js|css|gif|png|jpg|jpeg|txt|woff2|woff)$">
Header set Cache-Control "max-age=31536000, public"
</FilesMatch>
</IfModule>
# Set Keep Alive Header
<IfModule mod_headers.c>
Header set Connection keep-alive
</IfModule>
# If your server doesn't support ETags, deactivate them with "None" (and remove the header)
<IfModule mod_expires.c>
<IfModule mod_headers.c>
Header unset ETag
</IfModule>
FileETag None
</IfModule>
# Tell caches that compressed and uncompressed variants of these files exist.
# (One block only: appending Vary twice would send "Accept-Encoding" twice.)
<IfModule mod_headers.c>
<FilesMatch "\.(js|css|xml|gz|html|woff|woff2|ttf)$">
Header append Vary Accept-Encoding
</FilesMatch>
</IfModule>
# ----------------------------------------------------------------------
# | 7G Firewall for Security - Do not change this part @Update 2020
# ----------------------------------------------------------------------
# 7G FIREWALL v1.3 20200903
# @ https://perishablepress.com/7g-firewall/
# 7G:[CORE]
ServerSignature Off
Options -Indexes
RewriteEngine On
RewriteBase /
# 7G:[QUERY STRING]
<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} ([a-z0-9]{2000,}) [NC,OR]
RewriteCond %{QUERY_STRING} (/|%2f)(:|%3a)(/|%2f) [NC,OR]
RewriteCond %{QUERY_STRING} (/|%2f)(\*|%2a)(\*|%2a)(/|%2f) [NC,OR]
RewriteCond %{QUERY_STRING} (`|<|>|\^|\|\\|0x00|%00|%0d%0a) [NC,OR]
RewriteCond %{QUERY_STRING} (cmd|command)(=|%3d)(chdir|mkdir)(.*)(x20) [NC,OR]
RewriteCond %{QUERY_STRING} (ckfinder|fullclick|ckfinder|fckeditor) [NC,OR]
RewriteCond %{QUERY_STRING} (globals|mosconfig([a-z_]{1,22})|request)(=|\[) [NC,OR]
RewriteCond %{QUERY_STRING} (/|%2f)((wp-)?config)((\.|%2e)inc)?((\.|%2e)php) [NC,OR]
RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumbs?)?)((\.|%2e)php) [NC,OR]
RewriteCond %{QUERY_STRING} (absolute_|base|root_)(dir|path)(=|%3d)(ftp|https?) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127(\.|%2e)0(\.|%2e)0(\.|%2e)1) [NC,OR]
RewriteCond %{QUERY_STRING} (s)?(ftp|inurl|php)(s)?(:(/|%2f|%u2215)(/|%2f|%u2215)) [NC,OR]
RewriteCond %{QUERY_STRING} (\.|20)(get|the)(_|%5f)(permalink|posts_page_url)(\(|%28) [NC,OR]
RewriteCond %{QUERY_STRING} ((boot|win)((\.|%2e)ini)|etc(/|%2f)passwd|self(/|%2f)environ) [NC,OR]
RewriteCond %{QUERY_STRING} (((/|%2f){3,3})|((\.|%2e){3,3})|((\.|%2e){2,2})(/|%2f|%u2215)) [NC,OR]
RewriteCond %{QUERY_STRING} (benchmark|char|exec|fopen|function|html)(.*)(\(|%28)(.*)(\)|%29) [NC,OR]
RewriteCond %{QUERY_STRING} (php)([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}) [NC,OR]
RewriteCond %{QUERY_STRING} (e|%65|%45)(v|%76|%56)(a|%61|%31)(l|%6c|%4c)(.*)(\(|%28)(.*)(\)|%29) [NC,OR]
RewriteCond %{QUERY_STRING} (/|%2f)(=|%3d|$&|_mm|cgi(\.|-)|inurl(:|%3a)(/|%2f)|(mod|path)(=|%3d)(\.|%2e)) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3c)(.*)(e|%65|%45)(m|%6d|%4d)(b|%62|%42)(e|%65|%45)(d|%64|%44)(.*)(>|%3e) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3c)(.*)(i|%69|%49)(f|%66|%46)(r|%72|%52)(a|%61|%41)(m|%6d|%4d)(e|%65|%45)(.*)(>|%3e) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3c)(.*)(o|%4f|%6f)(b|%62|%42)(j|%4a|%6a)(e|%65|%45)(c|%63|%43)(t|%74|%54)(.*)(>|%3e) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3c)(.*)(s|%73|%53)(c|%63|%43)(r|%72|%52)(i|%69|%49)(p|%70|%50)(t|%74|%54)(.*)(>|%3e) [NC,OR]
RewriteCond %{QUERY_STRING} (\+|%2b|%20)(d|%64|%44)(e|%65|%45)(l|%6c|%4c)(e|%65|%45)(t|%74|%54)(e|%65|%45)(\+|%2b|%20) [NC,OR]
RewriteCond %{QUERY_STRING} (\+|%2b|%20)(i|%69|%49)(n|%6e|%4e)(s|%73|%53)(e|%65|%45)(r|%72|%52)(t|%74|%54)(\+|%2b|%20) [NC,OR]
RewriteCond %{QUERY_STRING} (\+|%2b|%20)(s|%73|%53)(e|%65|%45)(l|%6c|%4c)(e|%65|%45)(c|%63|%43)(t|%74|%54)(\+|%2b|%20) [NC,OR]
RewriteCond %{QUERY_STRING} (\+|%2b|%20)(u|%75|%55)(p|%70|%50)(d|%64|%44)(a|%61|%41)(t|%74|%54)(e|%65|%45)(\+|%2b|%20) [NC,OR]
RewriteCond %{QUERY_STRING} (\\x00|(\"|%22|\'|%27)?0(\"|%22|\'|%27)?(=|%3d)(\"|%22|\'|%27)?0|cast(\(|%28)0x|or%201(=|%3d)1) [NC,OR]
RewriteCond %{QUERY_STRING} (g|%67|%47)(l|%6c|%4c)(o|%6f|%4f)(b|%62|%42)(a|%61|%41)(l|%6c|%4c)(s|%73|%53)(=|[|%[0-9A-Z]{0,2}) [NC,OR]
RewriteCond %{QUERY_STRING} (_|%5f)(r|%72|%52)(e|%65|%45)(q|%71|%51)(u|%75|%55)(e|%65|%45)(s|%73|%53)(t|%74|%54)(=|[|%[0-9A-Z]{2,}) [NC,OR]
RewriteCond %{QUERY_STRING} (j|%6a|%4a)(a|%61|%41)(v|%76|%56)(a|%61|%31)(s|%73|%53)(c|%63|%43)(r|%72|%52)(i|%69|%49)(p|%70|%50)(t|%74|%54)(:|%3a)(.*)(;|%3b|\)|%29) [NC,OR]
RewriteCond %{QUERY_STRING} (b|%62|%42)(a|%61|%41)(s|%73|%53)(e|%65|%45)(6|%36)(4|%34)(_|%5f)(e|%65|%45|d|%64|%44)(e|%65|%45|n|%6e|%4e)(c|%63|%43)(o|%6f|%4f)(d|%64|%44)(e|%65|%45)(.*)(\()(.*)(\)) [NC,OR]
RewriteCond %{QUERY_STRING} (@copy|\$_(files|get|post)|allow_url_(fopen|include)|auto_prepend_file|blexbot|browsersploit|(c99|php)shell|curl(_exec|test)|disable_functions?|document_root|elastix|encodeuricom|exploit|fclose|fgets|file_put_contents|fputs|fsbuff|fsockopen|gethostbyname|grablogin|hmei7|input_file|null|open_basedir|outfile|passthru|phpinfo|popen|proc_open|quickbrute|remoteview|root_path|safe_mode|shell_exec|site((.){0,2})copier|sux0r|trojan|user_func_array|wget|xertive) [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|\'|\"|\)|%0a|%0d|%22|%27|%3c|%3e|%00)(.*)(/\*|alter|base64|benchmark|cast|char|concat|convert|create|encode|declare|delete|drop|insert|md5|order|request|script|select|set|union|update) [NC,OR]
RewriteCond %{QUERY_STRING} ((\+|%2b)(concat|delete|get|select|union)(\+|%2b)) [NC,OR]
RewriteCond %{QUERY_STRING} (union)(.*)(select)(.*)(\(|%28) [NC,OR]
RewriteCond %{QUERY_STRING} (concat)(.*)(\(|%28) [NC]
RewriteRule .* - [F,L]
# RewriteRule .* /7G_log.php?log [END,NE,E=7G_QUERY_STRING:%1___%2___%3]
</IfModule>
# 7G:[REQUEST URI]
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_URI} ([a-z0-9]{2000,}) [NC,OR]
RewriteCond %{REQUEST_URI} (=?\\(\'|%27)/?)(\.) [NC,OR]
RewriteCond %{REQUEST_URI} (\^|`|<|>|%|\\|\{|\}|\|) [NC,OR]
RewriteCond %{REQUEST_URI} (/)(\*|\"|\'|\.|,|&|&?)/?$ [NC,OR]
RewriteCond %{REQUEST_URI} (\.)(php)(\()?([0-9]+)(\))?(/)?$ [NC,OR]
RewriteCond %{REQUEST_URI} (/)(vbulletin|boards|vbforum)(/)? [NC,OR]
RewriteCond %{REQUEST_URI} (\.(s?ftp-?)config|(s?ftp-?)config\.) [NC,OR]
RewriteCond %{REQUEST_URI} (\{0\}|\"?0\"?=\"?0|\(/\(|\.\.\.|\+\+\+|\\\") [NC,OR]
RewriteCond %{REQUEST_URI} (thumbs?(_editor|open)?|tim(thumbs?)?)(\.php) [NC,OR]
RewriteCond %{REQUEST_URI} (/)(fck|ckfinder|fullclick|ckfinder|fckeditor) [NC,OR]
RewriteCond %{REQUEST_URI} (\.|20)(get|the)(_)(permalink|posts_page_url)(\() [NC,OR]
RewriteCond %{REQUEST_URI} (///|\?\?|/&&|/\*(.*)\*/|/:/|\\\\|0x00|%00|%0d%0a) [NC,OR]
RewriteCond %{REQUEST_URI} (/%7e)(root|ftp|bin|nobody|named|guest|logs|sshd)(/) [NC,OR]
RewriteCond %{REQUEST_URI} (/)(etc|var)(/)(hidden|secret|shadow|ninja|passwd|tmp)(/)?$ [NC,OR]
RewriteCond %{REQUEST_URI} (s)?(ftp|http|inurl|php)(s)?(:(/|%2f|%u2215)(/|%2f|%u2215)) [NC,OR]
RewriteCond %{REQUEST_URI} (/)(=|\$&?|&?(pws|rk)=0|_mm|_vti_|cgi(\.|-)?|(=|/|;|,)nt\.) [NC,OR]
RewriteCond %{REQUEST_URI} (\.)(ds_store|htaccess|htpasswd|init?|mysql-select-db)(/)?$ [NC,OR]
RewriteCond %{REQUEST_URI} (/)(bin)(/)(cc|chmod|chsh|cpp|echo|id|kill|mail|nasm|perl|ping|ps|python|tclsh)(/)?$ [NC,OR]
RewriteCond %{REQUEST_URI} (/)(::[0-9999]|%3a%3a[0-9999]|127\.0\.0\.1|localhost|loopback|makefile|pingserver|wwwroot)(/)? [NC,OR]
RewriteCond %{REQUEST_URI} (\(null\)|\{\$itemURL\}|cAsT\(0x|echo(.*)kae|etc/passwd|eval\(|self/environ|\+union\+all\+select) [NC,OR]
RewriteCond %{REQUEST_URI} (/)(awstats|(c99|php|web)shell|document_root|error_log|listinfo|muieblack|remoteview|site((.){0,2})copier|sqlpatch|sux0r) [NC,OR]
RewriteCond %{REQUEST_URI} (/)((php|web)?shell|crossdomain|fileditor|locus7|nstview|php(get|remoteview|writer)|r57|remview|sshphp|storm7|webadmin)(.*)(\.|\() [NC,OR]
RewriteCond %{REQUEST_URI} (/)(author-panel|bitrix|class|database|(db|mysql)-?admin|filemanager|htdocs|httpdocs|https?|mailman|mailto|msoffice|mysql|_?php-?my-?admin(.*)|tmp|undefined|usage|var|vhosts|webmaster|www)(/) [NC,OR]
RewriteCond %{REQUEST_URI} (\.)(7z|ab4|afm|aspx?|bash|ba?k?|bz2|cfg|cfml?|cgi|ctl|dat|db|dll|eml|et2|exe|fec|fla|hg|inc|ini|inv|jsp|log|lqd|mbf|mdb|mmw|mny|old|one|out|passwd|pdb|pl|psd|pst|ptdb|pwd|py|qbb|qdf|rar|rdf|sdb|sql|sh|soa|swf|swl|swp|stx|tar|tax|tgz|tls|tmd|wow|zlib)$ [NC,OR]
RewriteCond %{REQUEST_URI} (base64_(en|de)code|benchmark|child_terminate|curl_exec|e?chr|eval|function|fwrite|(f|p)open|html|leak|passthru|p?fsockopen|phpinfo|posix_(kill|mkfifo|setpgid|setsid|setuid)|proc_(close|get_status|nice|open|terminate)|(shell_)?exec|system)(.*)(\()(.*)(\)) [NC,OR]
RewriteCond %{REQUEST_URI} (/)(^$|00.temp00|0day|3xp|70bex?|admin_events|bkht|(php|web)?shell|configbak|curltest|db|dompdf|filenetworks|hmei7|index\.php/index\.php/index|jahat|kcrew|keywordspy|mobiquo|mysql|nessus|php-?info|racrew|sql|vuln|webconfig|(wp-)?conf(ig)?(uration)?|xertive)(\.php) [NC]
RewriteRule .* - [F,L]
# RewriteRule .* /7G_log.php?log [END,NE,E=7G_REQUEST_URI:%1___%2___%3]
</IfModule>
# 7G:[USER AGENT]
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_USER_AGENT} ([a-z0-9]{2000,}) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|%0a|%0d|%27|%3c|%3e|%00|0x00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ((c99|php|web)shell|remoteview|site((.){0,2})copier) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (base64_decode|bin/bash|disconnect|eval|lwp-download|unserialize|\\\x22) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (360Spider|acapbot|acoonbot|ahrefs|alexibot|asterias|attackbot|backdorbot|becomebot|binlar|blackwidow|blekkobot|blexbot|blowfish|bullseye|bunnys|butterfly|careerbot|casper|checkpriv|cheesebot|cherrypick|chinaclaw|choppy|clshttp|cmsworld|copernic|copyrightcheck|cosmos|crescent|cy_cho|datacha|demon|diavol|discobot|dittospyder|dotbot|dotnetdotcom|dumbot|emailcollector|emailsiphon|emailwolf|exabot|extract|eyenetie|feedfinder|flaming|flashget|flicky|foobot|g00g1e|getright|gigabot|go-ahead-got|gozilla|grabnet|grafula|harvest|heritrix|httrack|icarus6j|jetbot|jetcar|jikespider|kmccrew|leechftp|libweb|linkextractor|linkscan|linkwalker|loader|masscan|miner|majestic|mechanize|mj12bot|morfeus|moveoverbot|netmechanic|netspider|nicerspro|nikto|ninja|nutch|octopus|pagegrabber|planetwork|postrank|proximic|purebot|pycurl|python|queryn|queryseeker|radian6|radiation|realdownload|rogerbot|scooter|seekerspider|semalt|siclab|sindice|sistrix|sitebot|siteexplorer|sitesnagger|skygrid|smartdownload|snoopy|sosospider|spankbot|spbot|sqlmap|stackrambler|stripper|sucker|surftbot|sux0r|suzukacz|suzuran|takeout|teleport|telesoft|true_robots|turingos|turnit|vampire|vikspider|voideye|webleacher|webreaper|webstripper|webvac|webviewer|webwhacker|winhttp|wwwoffle|woxbot|xaldon|xxxyy|yamanalab|yioopbot|youda|zeus|zmeu|zune|zyborg) [NC]
RewriteRule .* - [F,L]
# RewriteRule .* /7G_log.php?log [END,NE,E=7G_USER_AGENT:%1]
</IfModule>
# 7G:[REMOTE HOST]
<IfModule mod_rewrite.c>
RewriteCond %{REMOTE_HOST} (163data|amazonaws|colocrossing|crimea|g00g1e|justhost|kanagawa|loopia|masterhost|onlinehome|poneytel|sprintdatacenter|reverse.softlayer|safenet|ttnet|woodpecker|wowrack) [NC]
RewriteRule .* - [F,L]
# RewriteRule .* /7G_log.php?log [END,NE,E=7G_REMOTE_HOST:%1]
</IfModule>
# 7G:[HTTP REFERRER]
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC,OR]
RewriteCond %{HTTP_REFERER} (ambien|blue\spill|cocaine|ejaculat|erectile|erections|hoodia|huronriveracres|impotence|levitra|libido|lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby|ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo) [NC]
RewriteRule .* - [F,L]
# RewriteRule .* /7G_log.php?log [END,NE,E=7G_HTTP_REFERRER:%1]
</IfModule>
# 7G:[REQUEST METHOD]
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} ^(connect|debug|move|trace|track) [NC]
RewriteRule .* - [F,L]
# RewriteRule .* /7G_log.php?log [END,NE,E=7G_REQUEST_METHOD:%1]
</IfModule>
#################################################################
# 7G Addon: Stop Aggressive Scanning for Uploads-Related Targets
# https://perishablepress.com/stop-aggressive-scanning-uploads/
#################################################################
<IfModule mod_rewrite.c>
# RewriteCond %{REQUEST_URI} /php(unit)?/ [NC,OR]
# RewriteCond %{REQUEST_URI} \.(aspx?|env|git(ignore)?|phtml|rar|well-known) [NC,OR]
# RewriteCond %{REQUEST_URI} /(cms|control_panel|dashboard|home_url=|lr-admin|manager|panel|staff|webadmin) [NC,OR]
# RewriteCond %{REQUEST_URI} /(adm(in)?|blog|cache|checkout|controlpanel|ecommerce|export|magento(-1|web)?|market(place)?|mg|onli(n|k)e|orders?|shop|tmplconnector|uxm|web?store)/ [NC,OR]
RewriteCond %{REQUEST_URI} (_timthumb_|timthumb.php) [NC,OR]
RewriteCond %{REQUEST_URI} /(install|wp-config|xmlrpc)\.php [NC,OR]
RewriteCond %{REQUEST_URI} /(uploadify|uploadbg|up__uzegp)\.php [NC,OR]
RewriteCond %{REQUEST_URI} /(comm\.js|mysql-date-function|simplebootadmin|vuln\.htm|www\.root\.) [NC,OR]
RewriteCond %{REQUEST_URI} /(admin-uploadify|fileupload|jquery-file-upload|upload_file|upload|uploadify|webforms)/ [NC,OR]
RewriteCond %{REQUEST_URI} /(ajax_pluginconf|apikey|connector(.minimal)?|eval-stdin|f0x|login|router|setup-config|sssp|vuln|xattacker)\.php [NC]
RewriteRule .* - [F,L]
</IfModule>
# ----------------------------------------------------------------------
# Block WordPress files from outside access
# ----------------------------------------------------------------------
# Note: "Order"/"Deny from" is Apache 2.2 syntax. On Apache 2.4 it only
# works with mod_access_compat loaded; otherwise use "Require all denied".
# No access to the install.php
<Files install.php>
Order allow,deny
Deny from all
</Files>
# No access to the wp-config.php
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>
# No access to the readme.html
<Files readme.html>
Order Allow,Deny
Deny from all
Satisfy all
</Files>
# No access to the liesmich.html for DE Edition
<Files liesmich.html>
Order Allow,Deny
Deny from all
Satisfy all
</Files>
# No error log access
<Files error_log>
Order allow,deny
Deny from all
</Files>
# No access to the .htaccess and .htpasswd
<FilesMatch "(\.htaccess|\.htpasswd)">
Order deny,allow
Deny from all
</FilesMatch>
# Block access to includes folder
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# ----------------------------------------------------------------------
# | Blocking the »ReallyLongRequest« Bandit - New in 2018
# https://perishablepress.com/blocking-reallylongrequest-bandit/
# ----------------------------------------------------------------------
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} .* [NC]
RewriteCond %{THE_REQUEST} (YesThisIsAReallyLongRequest|ScanningForResearchPurpose) [NC,OR]
RewriteCond %{QUERY_STRING} (YesThisIsAReallyLongRequest|ScanningForResearchPurpose) [NC]
RewriteRule .* - [F,L]
</IfModule>
# --------------------------------------------------------------------------------------------
# Ultimate hotlink protection - IMPORTANT: Change »?domain\« in the HTTP_REFERER RewriteCond
# below to your own domain name. Example: ?andreas-hecht\ ### The »https?« in that
# RewriteCond matches both http and https referers. Remove the leading # to enable.
# --------------------------------------------------------------------------------------------
#<IfModule mod_rewrite.c>
# RewriteEngine on
# RewriteCond %{HTTP_REFERER} !^$
# RewriteCond %{REQUEST_FILENAME} -f
# RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
# RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?domain\. [NC]
# RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]
#</IfModule>
# ----------------------------------------------------------------------
# Protect your WordPress Login with HTTP Authentication
# ----------------------------------------------------------------------
# To use it, remove the leading # and set your path to .htpasswd
#<Files wp-login.php>
#AuthName "Admin-Bereich"
#AuthType Basic
#AuthUserFile /usr/local/www/apache24/your-path/your-domain.com/.htpasswd
#require valid-user
#</Files>
# ----------------------------------------------------------------------
# Switch off the XML-RPC interface (a security risk) completely
# ----------------------------------------------------------------------
### @see https://digwp.com/2009/06/xmlrpc-php-security/
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
# -----------------------------------------------------------------------------
# HTTP SECURITY HEADER | Test on: https://securityheaders.com | UPDATE 2020
# -----------------------------------------------------------------------------
### @see https://scotthelme.co.uk/hardening-your-http-response-headers
### UPDATE 2020
## Referrer-Policy: pick ONE of the two variants. "Header set" replaces any
## earlier value, so if both blocks are active only the second one is sent.
## No-Referrer-Header (alternative, disabled)
#<IfModule mod_headers.c>
#Header set Referrer-Policy "no-referrer"
#</IfModule>
## Strict Origin when cross origin Header (active)
#@see https://scotthelme.co.uk/a-new-security-header-referrer-policy/
<IfModule mod_headers.c>
Header set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>
## X-FRAME-OPTIONS-Header
<IfModule mod_headers.c>
Header set X-Frame-Options "sameorigin"
</IfModule>
## X-XSS-PROTECTION-Header
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>
## X-Content-Type-Options-Header
<IfModule mod_headers.c>
Header set X-Content-Type-Options "nosniff"
</IfModule>
## Strict-Transport-Security-Header - for HTTPS
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>
## Prevents mis-issued certificates for this website from being used unnoticed. (Experimental)
## @see https://tools.ietf.org/html/draft-ietf-httpbis-expect-ct-02
<IfModule mod_headers.c>
Header set Expect-CT "enforce, max-age=21600"
</IfModule>
# ----------------------------------------------------------------------
# The original WordPress Rewrite Rules - Do not change anything here,
# unless you are using a WordPress Multisite
# ----------------------------------------------------------------------
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
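The 7G rules above are plain regular expressions that Apache evaluates case-insensitively ([NC]) against REQUEST_URI (the path without the query string) and QUERY_STRING, answering 403 on any hit. The Python below is an added example, not part of this .htaccess or of the 7G project: it ports a handful of those rules verbatim so a URL can be checked offline before the firewall is deployed, using constructed sample URLs, and it assumes the patterns apply to the path and query exactly as written (Apache's own percent-decoding is not modelled). It also shows the main operational caveat: the directory-name rule fires on any `/class/` path segment, so a perfectly legitimate plugin file is blocked too.

```python
import re
from urllib.parse import urlsplit

# Constructed subset of the 7G rules from the .htaccess above, copied as-is.
# Assumption: patterns are applied to the raw path/query as written; Apache's
# own percent-decoding of REQUEST_URI is not modelled here.
REQUEST_URI_RULES = {
    "special-chars": r"(\^|`|<|>|%|\\|\{|\}|\|)",
    "dotfiles": r"(\.)(ds_store|htaccess|htpasswd|init?|mysql-select-db)(/)?$",
    "dir-names": (
        r"(/)(author-panel|bitrix|class|database|(db|mysql)-?admin|filemanager"
        r"|htdocs|httpdocs|https?|mailman|mailto|msoffice|mysql|_?php-?my-?admin(.*)"
        r"|tmp|undefined|usage|var|vhosts|webmaster|www)(/)"
    ),
    "backup-ext": (
        r"(\.)(7z|ab4|afm|aspx?|bash|ba?k?|bz2|cfg|cfml?|cgi|ctl|dat|db|dll|eml|et2"
        r"|exe|fec|fla|hg|inc|ini|inv|jsp|log|lqd|mbf|mdb|mmw|mny|old|one|out|passwd"
        r"|pdb|pl|psd|pst|ptdb|pwd|py|qbb|qdf|rar|rdf|sdb|sql|sh|soa|swf|swl|swp|stx"
        r"|tar|tax|tgz|tls|tmd|wow|zlib)$"
    ),
}
QUERY_STRING_RULES = {
    "union-select": r"(union)(.*)(select)(.*)(\(|%28)",
    "path-traversal": r"(((/|%2f){3,3})|((\.|%2e){3,3})|((\.|%2e){2,2})(/|%2f|%u2215))",
    "sensitive-files": r"((boot|win)((\.|%2e)ini)|etc(/|%2f)passwd|self(/|%2f)environ)",
}

# A RewriteCond with [NC] is an unanchored, case-insensitive search, which
# re.search with re.IGNORECASE reproduces.
_COMPILED = {
    "uri": [(n, re.compile(p, re.IGNORECASE)) for n, p in REQUEST_URI_RULES.items()],
    "qs": [(n, re.compile(p, re.IGNORECASE)) for n, p in QUERY_STRING_RULES.items()],
}


def check_request(url: str) -> list:
    """Return the names of the rules that fire for this URL (empty = allowed).

    Apache keeps REQUEST_URI and QUERY_STRING separate, so each rule set is
    matched against its own part of the URL, exactly as the two 7G blocks do.
    """
    parts = urlsplit(url)
    hits = []
    for name, rx in _COMPILED["uri"]:
        if rx.search(parts.path):
            hits.append("uri:" + name)
    for name, rx in _COMPILED["qs"]:
        if rx.search(parts.query):
            hits.append("qs:" + name)
    return hits


def would_block(url: str) -> bool:
    """True if 7G would answer 403 (RewriteRule .* - [F,L]) for this URL."""
    return bool(check_request(url))


if __name__ == "__main__":
    # Constructed sample requests: normal traffic, scanner-style probes, and
    # one legitimate plugin path that the directory-name rule catches anyway.
    samples = [
        "/wp-content/uploads/2020/08/photo.jpg",
        "/wp-content/uploads/site-backup.sql",
        "/.htaccess",
        "/index.php?template=../../../etc/passwd",
        "/wp-content/plugins/foo/class/helper.php",  # false positive
    ]
    for s in samples:
        verdict = "403" if would_block(s) else "pass"
        print(f"{verdict:4} {s}  {check_request(s)}")
```

Run it against your own site's real asset paths (for example from the access log) before enabling 7G; every hit on a legitimate path is a rule you will need to relax.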
"Solved" it by changing
to
Not sure whether this is the right way.
Hi. Very nice script. Thanks so much.
Hi, use the following plugins for high speed: Autoptimize and Cache Enabler. Much better than WP Super Cache and WP-Optimize.
Seeking help from you, htaccess Guru! We are running a scan on our website using Vega.

Now expanding each one for better clarity.

GET /digital-advisory-services/
The detailed request was: GET /digital-advisory-services/ HTTP/1.1
The response it gets was: HTTP/1.1 200 OK
This clearly tells me that the OS is somehow executing the sleep command.

In this case Vega for example tried a URL.
The detailed request was: GET /wp-content/plugins/accesspress-social-icons/js/frontend.js?ver=1.7.2 HTTP/1.1
The detailed response received back was: HTTP/1.1 200 OK (function ($) {
Remediation shows:
Will that help you for enhancing your .htaccess?

In this case, Vega tries this URL: GET /wp-content/themes/Divi/core/2147483648
Full request was: GET /wp-content/themes/Divi/core/2147483648 HTTP/1.1
Full response received was: HTTP/1.1 404 Not Found
The developer should investigate the error and determine if a vulnerability is present. Since a 404 was received, did the request get honored?

Full test request sent by Vega was: GET /wp-content/plugins/accesspress-social-icons/css/animate.css?ver=/./ HTTP/1.1
Response received was: HTTP/1.1 403 Forbidden. Forbidden. You don't have permission to access /wp-content/plugins/accesspress-social-icons/css/animate.css on this server.
It says Remediation shows
Should I be worried about this?

In this test Vega tried this request: GET /wp-content/plugins/revslider/public/assets/js/jquery.themepunch.tools.min.js?ver=e"%20or%201%20eq%201%20or%20"a"%20=%20"a
Full request was: GET /wp-content/plugins/revslider/public/assets/js/jquery.themepunch.tools.min.js?ver=e"%20or%201%20eq%201%20or%20"a"%20=%20"a HTTP/1.1
Full response received was: HTTP/1.1 200 OK /********************************************
Vega says: Vega has detected a different response page fingerprint in relation to an XPath injection request. What is XPath?
According to https://codex.wordpress.org/Hardening_WordPress this rule does not work on multisite: RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
It is true something is injected, but use another way of detecting, so I will get back on whether or not it is the OS playing games.

You should not use that rule if you, like me, have a multisite, and the last rule should go first. Do you force SSL?

And also many people who talk about optimizing by .htaccess completely miss two things which, combined, could be the most important speed optimizing enhancements one could do. Preloading DNS lookups is something nobody should not do. And depending on what kind of traffic you run, consider using a CDN. Besides that, optimizing all images. It's evident optimizing images is very important regardless of his filter module above. Removing commentators' avatars is also something one should consider, also depending on how fast you want your site to be. Obviously I assume you have a quality host as well. Combining css and java and perhaps minifying them is more important. Keeping the HTTP requests low too. This .htaccess optimization is very thorough but there are many things and important points not taken into consideration here. If you really want to strive to stay below 1-2 seconds you should use a speed testing site and look at which HTTP requests and DNS lookups your site makes initially in order to preload/prefetch the lookups, especially if those lookups come from plugins loading on start. And optimize those requests. Without doing that the rest will take you half way. Even if you are skilled like few others. Use Pingdom to analyse these things. https://tools.pingdom.com

PS: you could also disable trackbacks if you don't need them. Lower the amount of revisions you save and use scheduled cleanup of database tables etc. You can give me your email if you want me to send the file I made for you. legenden-vip@hotmail.com
Hello
Thank you for this file!! :) Question: Do you use security plugins? And if so, which ones?
Could you use this "Perfect .htaccess file for highspeed and security" for Joomla websites, naturally removing the WordPress sections?
7G Firewall is not allowing me to access admin.php and is also preventing some of my plugins from working
I too am facing the same problem and upon the trials I found that the 7G code is the problem. Once I disabled/removed it, everything started working fine.
Browser - Firefox 68; also tested the same on Chrome
Hi! Change 7G-Firewall back to 6G. https://gist.github.com/HechtMediaArts/f2ffa095a4bfc5969746ac622c8a06c0
@HechtMediaArts Hi there, Andreas. Fabulous! Security Ninja for WordPress also suggests deactivating wp-admin/upgrade.php. Is there any reason against
?
.. and what about denying directory listings as per https://stackoverflow.com/questions/5932641/deny-directory-listing-with-htaccess?
Hello, a slight gain by removing:
Thanks for pointing that out. The line in Andreas Hecht (aka HechtMediaArts)'s above .htaccess to search for and remove is, without spaces around the /:
I have remarked that
Have a nice night :-)
Oops … LINE 196:
Disable Code Execution for Uploads directory: Enabling this option will place a .htaccess file in your wp-content/uploads/ directory which prevents any PHP code in your uploads directory from executing. This is an added level of protection against a hacker managing to upload PHP code into your uploads directory. Even if they manage to do that, the code won't execute if you have this option enabled. The contents of the .htaccess is:
Thank you @pascalduboin . My wp-content/uploads/.htaccess already contains the following code:
Do you see anything in it that conflicts with your code snippet? Would you add yours in addition, or replace mine with yours?
Not working with Multisite (BuddyPress), showing 404 error:

    RewriteEngine On
    # add a trailing slash to /wp-admin
    RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]
    RewriteCond %{REQUEST_FILENAME} -f [OR]
Is this going to work with WP Rocket or do I have to kill all the caching parameters before that?
Hello,
Thanks for this code. Is there a way to also hide /wp-content/ and wp-content/* from the URL? If so, would that block the images from showing under /wp-content/uploads/? And what will it show instead?
Better not to do it; wp-content is not only uploads but plugins etc.
Technically I don't want to show any wp_* at all. My goal is to prevent visitors from knowing this is a WordPress site, at least at first glance. What is the best path to achieving this?
You can protect your WordPress with security plugins like All In One WP Security (it has a lot of features that add extra htaccess rules, hide access to system files, protect your wp-admin etc.), but you can't hide the fact that it's WP entirely; your site won't work if you close access to wp_ directories, because WP itself works with them.
Yes, there is: after a WP update:
Hi @HechtMediaArts,
When using the htaccess here
I've narrowed it down to an htaccess issue after using the previous htaccess.
Is there a way to fix this?