-
Notifications
You must be signed in to change notification settings - Fork 0
/
.htaccess
117 lines (99 loc) · 2.89 KB
/
.htaccess
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
# Ideal & Simple .htaccess File For WordPress Security crafted by nerds.
# Simply Copy-Paste & Replace default .htaccess file or
# Upload directly into WP installation or via FTP.
# @Author_Name: Kapil Gupta
# Some Code To Hide Important WordPress and Server Files.____
<FilesMatch "^.*(error_log|wp-config\.php|php.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all
</FilesMatch>
#Code To Disable Index Browsing or Disable Directory Browsing____
Options All -Indexes
# Force from HTTP to HTTPS - I suggest to use https for better security_____
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
# Prevent Your Website From Scripts Injections_____
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
# Block WordPress files from outside access_____
# Hide access to the readme.html
<files readme.html>
Order Allow,Deny
Deny from all
Satisfy all
</Files>
# Hide access to the readme.txt
<files readme.txt>
Order allow,deny
Deny from all
</files>
# Hide access to the install.php
<files install.php>
Order allow,deny
Deny from all
</files>
# Hide access to the debug.log
<Files debug.log>
Order allow,deny
Deny from all
</Files>
# Hide access to the wp-config.php
<files wp-config.php>
Order allow,deny
Deny from all
</files>
# Say No To error log access
<files error_log>
Order allow,deny
Deny from all
</files>
#Say No access to the .htaccess und .htpasswd
<FilesMatch "(\.htaccess|\.htpasswd)">
Order deny,allow
Deny from all
</FilesMatch>
# Hide & Protect WP Includes Directory
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# Prevent Username Enumeration
RewriteCond %{QUERY_STRING} author=d
RewriteRule ^ /? [L,R=301]
# To Prevent Execution Of PHP In Upload Folder
<Directory "UPLOADS-PATH/var/www/wp-content/uploads/">
<Files "*.php">
Order Deny,Allow
Deny from All
</Files>
# WordPress Security Headers
<ifModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header set X-Frame-Options DENY
Header set Referrer-Policy: no-referrer-when-downgrade
</ifModule>
# Do Not Change This. Default WordPress Htaccess file.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress