Wordpress .htaccess Protections and Caching
# Let Apache follow symlinks (mod_rewrite in a per-directory .htaccess needs
# FollowSymLinks or SymLinksIfOwnerMatch) and never auto-generate directory
# listings for directories without an index file.
Options +FollowSymlinks -Indexes
# NOTE(review): this directive and the RewriteCond/RewriteRule lines that
# follow are not wrapped in <IfModule mod_rewrite.c>, unlike the later
# sections; on a host without mod_rewrite they are a configuration error
# rather than a silent no-op — confirm that is acceptable for the target hosts.
RewriteEngine On
# Disable the Server Signature
# Keeps the Apache version/OS footer out of server-generated pages (404s etc.).
ServerSignature Off
# BEGIN WordPress
# Except for requests for /index.php and for the most-frequently-requested
# filetypes that WP cannot generate, rewrite all URL requests which do not
# resolve to an existing file or directory to the WordPress script filepath
# $1 is the capture of the RewriteRule below: mod_rewrite tests the rule
# pattern first and only then evaluates the rule's RewriteCond lines.
RewriteCond $1 !^(index\.php)?$
# Asset types WordPress never generates are left to Apache (including its own
# 404) instead of booting PHP for them.
RewriteCond $1 !\.(gif|jpe?g|png|ico|css|js)$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# [L] ends this pass; the internal redirect to /index.php is then matched
# against the whole file again, which is why later sections must tolerate
# REQUEST_FILENAME being index.php.
RewriteRule ^(.+)$ /index.php [L]
# END WordPress
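# Disable PHP in Uploads directory
# Any request under wp-content/uploads whose name ends in a PHP-like extension
# is answered with 403 before it can reach the interpreter. The extension list
# is widened from the original php1-php6 to php0-php9 and .phar so it keeps
# up with what common PHP handler configurations map to the interpreter; the
# match stays case-insensitive ([NC]).
# NOTE(review): only wp-content/uploads is covered; any other directory the
# web server user can write to is not — confirm that is the intent.
RewriteRule ^wp-content/uploads/.*\.(?:php[0-9]?|pht|phtml?|phar)$ - [NC,F]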
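## Block unwanted requests, adapted from ithemes security
# Protect from spam bots ##
# Reject comment-form POSTs that do not carry a Referer from this site, or
# that arrive with an empty User-Agent. "yourwebsite.com" is a placeholder
# and MUST be replaced with the site's own hostname: while it is left as is,
# the Referer check fails for every real visitor and all comment POSTs are
# rejected.
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} POST
# The original "wp-comments-post\.php*" matched "wp-comments-post.ph" followed
# by any number of "p"; a plain unanchored match is what was intended.
RewriteCond %{REQUEST_URI} wp-comments-post\.php
# Dot escaped so this tests the literal hostname rather than "any character".
RewriteCond %{HTTP_REFERER} !yourwebsite\.com [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# Answer 403 instead of the original "R=301" to "^http://%{REMOTE_ADDR}/$":
# a RewriteRule substitution is a literal URL, not a regex, so the ^ and $
# ended up inside a malformed Location header.
RewriteRule .* - [F,L]
</IfModule>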
## Block Sensitive Files From Browsers ##
# One stanza for every file that must never be served directly: this
# access-control file, the two WordPress readme files, the installer and the
# file holding the database credentials. The regex names exactly the same
# five filenames the separate <files> blocks used to list.
<FilesMatch "^(\.htaccess|readme\.html|readme\.txt|install\.php|wp-config\.php)$">
  # Apache 2.4 (mod_authz_core) syntax
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Apache 2.2 fallback when mod_authz_core is not loaded
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
# Block any attempted XML-RPC requests
# This will disable pingbacks/trackbacks, and jetpack
# Same 2.4 / 2.2 pair as the stanzas above: xmlrpc.php is answered 403
# whichever authorization module the server loads. Anything that talks to the
# site over XML-RPC (the comment above names pingbacks, trackbacks and
# Jetpack) stops working while this stanza is in place.
<files xmlrpc.php>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</files>
# Protect System Files
# Nothing under wp-admin/includes/ is requestable over HTTP.
RewriteRule ^wp-admin/includes/ - [F]
# For any request NOT under wp-includes/, skip the next three RewriteRules
# (S= counts RewriteRule lines only; the RewriteCond belongs to the rule
# after it).
RewriteRule !^wp-includes/ - [S=3]
# ms-files.php (the multisite file proxy) is the one top-level wp-includes
# script that stays reachable; every other wp-includes/*.php is forbidden.
RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php
RewriteRule ^wp-includes/[^/]+\.php$ - [F]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
RewriteRule ^wp-includes/theme-compat/ - [F]
## Browser Caching Tweaks, adapted from W3 Total Cache
# Explicit extension -> MIME type map so the ExpiresByType and DEFLATE
# sections below see consistent types regardless of the host's mime.types.
# NOTE(review): .otf and .ttf/.ttc are each mapped twice; the later AddType
# for an extension is the one that takes effect, so the x-font-otf and
# x-font-ttf lines appear to be superseded by the vnd.ms-opentype ones —
# confirm which type the fonts should be served with.
<IfModule mod_mime.c>
AddType text/css .css
AddType text/x-component .htc
AddType application/x-javascript .js
AddType application/javascript .js2
AddType text/javascript .js3
AddType text/x-js .js4
AddType text/html .html .htm
AddType text/richtext .rtf .rtx
AddType image/svg+xml .svg .svgz
AddType text/plain .txt
AddType text/xsd .xsd
AddType text/xsl .xsl
AddType text/xml .xml
AddType video/asf .asf .asx .wax .wmv .wmx
AddType video/avi .avi
AddType image/bmp .bmp
AddType application/java .class
AddType video/divx .divx
AddType application/msword .doc .docx
AddType application/vnd.ms-fontobject .eot
AddType application/x-msdownload .exe
AddType image/gif .gif
AddType application/x-gzip .gz .gzip
AddType image/x-icon .ico
AddType image/jpeg .jpg .jpeg .jpe
AddType application/json .json
AddType application/vnd.ms-access .mdb
AddType audio/midi .mid .midi
AddType video/quicktime .mov .qt
AddType audio/mpeg .mp3 .m4a
AddType video/mp4 .mp4 .m4v
AddType video/mpeg .mpeg .mpg .mpe
AddType application/vnd.ms-project .mpp
AddType application/x-font-otf .otf
AddType application/vnd.ms-opentype .otf
AddType application/vnd.oasis.opendocument.database .odb
AddType application/vnd.oasis.opendocument.chart .odc
AddType application/vnd.oasis.opendocument.formula .odf
AddType application/vnd.oasis.opendocument.graphics .odg
AddType application/vnd.oasis.opendocument.presentation .odp
AddType application/vnd.oasis.opendocument.spreadsheet .ods
AddType application/vnd.oasis.opendocument.text .odt
AddType audio/ogg .ogg
AddType application/pdf .pdf
AddType image/png .png
AddType application/vnd.ms-powerpoint .pot .pps .ppt .pptx
AddType audio/x-realaudio .ra .ram
AddType application/x-shockwave-flash .swf
AddType application/x-tar .tar
AddType image/tiff .tif .tiff
AddType application/x-font-ttf .ttf .ttc
AddType application/vnd.ms-opentype .ttf .ttc
AddType audio/wav .wav
AddType audio/wma .wma
AddType application/vnd.ms-write .wri
AddType application/font-woff .woff
AddType application/vnd.ms-excel .xla .xls .xlsx .xlt .xlw
AddType application/zip .zip
</IfModule>
# Expires headers by MIME type. "A" values count from the time of access:
# A31536000 = one year (immutable-style assets), A3600 = one hour (markup and
# text that changes).
# NOTE(review): text/html is also the type of pages generated by index.php,
# so browsers may hold WordPress output (including pages rendered for a
# logged-in user) for an hour — confirm that is intended.
# NOTE(review): image/svg+xml is listed twice (A3600 here, A31536000 further
# down); the later directive appears to win, giving SVGs a one-year lifetime.
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType text/css A31536000
ExpiresByType text/x-component A31536000
ExpiresByType application/x-javascript A31536000
ExpiresByType application/javascript A31536000
ExpiresByType text/javascript A31536000
ExpiresByType text/x-js A31536000
ExpiresByType text/html A3600
ExpiresByType text/richtext A3600
ExpiresByType image/svg+xml A3600
ExpiresByType text/plain A3600
ExpiresByType text/xsd A3600
ExpiresByType text/xsl A3600
ExpiresByType text/xml A3600
ExpiresByType video/asf A31536000
ExpiresByType video/avi A31536000
ExpiresByType image/bmp A31536000
ExpiresByType application/java A31536000
ExpiresByType video/divx A31536000
ExpiresByType application/msword A31536000
ExpiresByType application/vnd.ms-fontobject A31536000
ExpiresByType application/x-msdownload A31536000
ExpiresByType image/gif A31536000
ExpiresByType application/x-gzip A31536000
ExpiresByType image/x-icon A31536000
ExpiresByType image/jpeg A31536000
ExpiresByType application/json A31536000
ExpiresByType application/vnd.ms-access A31536000
ExpiresByType audio/midi A31536000
ExpiresByType video/quicktime A31536000
ExpiresByType audio/mpeg A31536000
ExpiresByType video/mp4 A31536000
ExpiresByType video/mpeg A31536000
ExpiresByType application/vnd.ms-project A31536000
ExpiresByType application/x-font-otf A31536000
ExpiresByType application/vnd.ms-opentype A31536000
ExpiresByType application/vnd.oasis.opendocument.database A31536000
ExpiresByType application/vnd.oasis.opendocument.chart A31536000
ExpiresByType application/vnd.oasis.opendocument.formula A31536000
ExpiresByType application/vnd.oasis.opendocument.graphics A31536000
ExpiresByType application/vnd.oasis.opendocument.presentation A31536000
ExpiresByType application/vnd.oasis.opendocument.spreadsheet A31536000
ExpiresByType application/vnd.oasis.opendocument.text A31536000
ExpiresByType audio/ogg A31536000
ExpiresByType application/pdf A31536000
ExpiresByType image/png A31536000
ExpiresByType application/vnd.ms-powerpoint A31536000
ExpiresByType audio/x-realaudio A31536000
ExpiresByType image/svg+xml A31536000
ExpiresByType application/x-shockwave-flash A31536000
ExpiresByType application/x-tar A31536000
ExpiresByType image/tiff A31536000
ExpiresByType application/x-font-ttf A31536000
ExpiresByType application/vnd.ms-opentype A31536000
ExpiresByType audio/wav A31536000
ExpiresByType audio/wma A31536000
ExpiresByType application/vnd.ms-write A31536000
ExpiresByType application/font-woff A31536000
ExpiresByType application/vnd.ms-excel A31536000
ExpiresByType application/zip A31536000
</IfModule>
# Enable compression
# Gzip the text-like types listed below on the fly; media and archive types
# are not listed. "Vary: User-Agent" is appended so shared caches keep
# separate copies per client class, unless a response carries the dont-vary
# environment flag.
<IfModule mod_deflate.c>
<IfModule mod_headers.c>
Header append Vary User-Agent env=!dont-vary
</IfModule>
AddOutputFilterByType DEFLATE text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/json
# Extension-based fallback for the core web file types.
<IfModule mod_mime.c>
AddOutputFilter DEFLATE js css htm html xml
</IfModule>
</IfModule>
# Cache-control headers per class of static file. The patterns match on the
# requested filename, so PHP-generated pages (index.php after the rewrite) are
# not affected. FileETag MTime Size builds the validator without the inode,
# and the Set-Cookie header is stripped from static responses so caches do
# not store a per-user cookie alongside a shared asset.
# Scripts and stylesheets, both cases.
<FilesMatch "\.(css|htc|less|js|js2|js3|js4|CSS|HTC|LESS|JS|JS2|JS3|JS4)$">
FileETag MTime Size
<IfModule mod_headers.c>
Header set Pragma "public"
Header append Cache-Control "public"
Header unset Set-Cookie
</IfModule>
</FilesMatch>
# Markup and text documents.
# NOTE(review): this is the only class that keeps Set-Cookie — presumably
# deliberate (static HTML served with a session cookie), confirm.
<FilesMatch "\.(html|htm|rtf|rtx|svg|svgz|txt|xsd|xsl|xml|HTML|HTM|RTF|RTX|SVG|SVGZ|TXT|XSD|XSL|XML)$">
FileETag MTime Size
<IfModule mod_headers.c>
Header set Pragma "public"
Header append Cache-Control "public"
</IfModule>
</FilesMatch>
# Media, fonts, documents and archives.
<FilesMatch "\.(asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|json|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|otf|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|swf|tar|tif|tiff|ttf|ttc|wav|wma|wri|woff|xla|xls|xlsx|xlt|xlw|zip|ASF|ASX|WAX|WMV|WMX|AVI|BMP|CLASS|DIVX|DOC|DOCX|EOT|EXE|GIF|GZ|GZIP|ICO|JPG|JPEG|JPE|JSON|MDB|MID|MIDI|MOV|QT|MP3|M4A|MP4|M4V|MPEG|MPG|MPE|MPP|OTF|ODB|ODC|ODF|ODG|ODP|ODS|ODT|OGG|PDF|PNG|POT|PPS|PPT|PPTX|RA|RAM|SVG|SVGZ|SWF|TAR|TIF|TIFF|TTF|TTC|WAV|WMA|WRI|WOFF|XLA|XLS|XLSX|XLT|XLW|ZIP)$">
FileETag MTime Size
<IfModule mod_headers.c>
Header set Pragma "public"
Header append Cache-Control "public"
Header unset Set-Cookie
</IfModule>
</FilesMatch>
# Handle 404 errors so Wordpress doesn't have to
# A request for a missing static asset stops here ([L] with no substitution)
# and gets Apache's own 404 instead of booting WordPress. robots.txt and
# sitemap files are exempted so WordPress/SEO plugins can still generate them.
# NOTE(review): the "BEGIN WordPress" rule near the top already rewrites every
# non-existent path to /index.php with [L], except for gif/jpe?g/png/ico/css/js;
# in practice this block therefore seems to catch only those few extensions,
# and the long list below is mostly unreachable — confirm with a missing .pdf.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !(robots\.txt|[a-z0-9_\-]*sitemap[a-z0-9_\-]*\.(xml|xsl|html)(\.gz)?)
RewriteCond %{REQUEST_FILENAME} \.(css|htc|less|js|js2|js3|js4|html|htm|rtf|rtx|svg|svgz|txt|xsd|xsl|xml|asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|json|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|otf|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|swf|tar|tif|tiff|ttf|ttc|wav|wma|wri|woff|xla|xls|xlsx|xlt|xlw|zip)$ [NC]
RewriteRule .* - [L]
</IfModule>
## Include Bot lists
# 6G FIREWALL/BLACKLIST
# @ https://perishablepress.com/6g/
# 6G:[QUERY STRINGS]
# Signature-based filter on the query string. Every condition is OR-ed with
# the next; the last one carries no [OR] and closes the chain. Any match
# returns 403 for every path (.*). These are coarse pattern matches, not a
# parser, so expect some false positives.
# NOTE(review): the generic character-class line (\\|\.\.\.|...) also rejects
# ordinary query strings containing ~ ` < > or | — confirm no search form or
# plugin on the site needs them.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} ([a-z0-9]{2000}) [NC,OR]
RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REQUEST METHOD]
# Refuse request methods a WordPress front end never needs (WebDAV-style
# verbs and the TRACE/TRACK diagnostics). GET, HEAD, POST and OPTIONS pass.
# NOTE(review): this also 403s PUT and DELETE, so any client that speaks
# REST with those verbs against this site will fail — confirm.
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} ^(connect|debug|delete|move|put|trace|track) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REFERRERS]
# 403 for requests whose Referer is absurdly long or names a known
# referrer-spam source.
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000}) [NC,OR]
RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REQUEST STRINGS]
# Path-based filter handled by mod_alias: each RedirectMatch answers 403 when
# its case-insensitive ((?i)) regex matches the request URL path. Grouped
# roughly as: overlong paths, embedded URLs and encoding tricks, stray
# punctuation, known probe names, and finally artifact extensions (backups,
# VCS metadata, logs, dumps, config) that should never be fetched from a
# document root.
# NOTE(review): the punctuation line rejects any path containing : ; , % or
# whitespace, which may collide with legitimate pretty permalinks — confirm.
<IfModule mod_alias.c>
RedirectMatch 403 (?i)([a-z0-9]{2000})
RedirectMatch 403 (?i)(https?|ftp|php):/
RedirectMatch 403 (?i)(base64_encode)(.*)(\()
RedirectMatch 403 (?i)(=\\\'|=\\%27|/\\\'/?)\.
RedirectMatch 403 (?i)/(\$(\&)?|\*|\"|\.|,|&|&?)/?$
RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")
RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\\|\s|\{|\}|\[|\]|\|)
RedirectMatch 403 (?i)/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)
RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)
RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
RedirectMatch 403 (?i)/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
</IfModule>
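# 6G:[USER AGENTS]
# Tag requests whose User-Agent is absurdly long or matches a known scanner /
# scraper string as bad_bot, then refuse them. Two changes from the original:
# the block is applied to every request method (the original <limit GET POST
# PUT> left HEAD and OPTIONS unfiltered), and it carries the same Apache 2.4 /
# 2.2 pair as the <files> stanzas above — the bare Order/Allow/Deny form is a
# configuration error on a 2.4 host that does not load mod_access_compat.
<IfModule mod_setenvif.c>
SetEnvIfNoCase User-Agent ([a-z0-9]{2000}) bad_bot
SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot
# Apache 2.4: everyone is allowed except requests tagged bad_bot.
<IfModule mod_authz_core.c>
<RequireAll>
Require all granted
Require not env bad_bot
</RequireAll>
</IfModule>
# Apache 2.2 fallback.
<IfModule !mod_authz_core.c>
Order Allow,Deny
Allow from All
Deny from env=bad_bot
</IfModule>
</IfModule>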
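# 6G:[BAD IPS]
# Placeholder for per-address blocks. The original used only the 2.2-era
# Order/Allow/Deny directives inside <Limit>, which are a configuration error
# on an Apache 2.4 host without mod_access_compat; both syntaxes are given
# here, mirroring the <files> stanzas above, and the block applies to every
# request method. To block an address, uncomment (and repeat) the commented
# line in each branch with the real address; 192.0.2.1 is a constructed
# example from the documentation range, not a real target.
<IfModule mod_authz_core.c>
<RequireAll>
Require all granted
# Require not ip 192.0.2.1
</RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
Order Allow,Deny
Allow from All
# Deny from 192.0.2.1
</IfModule>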
## Optionally include pieces of http://pastebin.com/5Hw9KZnW |