# REDIRECT ALL PAGES TO ROOT
# Emergency? Temporarily redirect all pages to the root.
# Disabled (commented out). The two RewriteCond lines exempt real files and
# directories, so the document root itself is not matched and the 302
# cannot loop.
#
# RewriteEngine on
# RewriteCond %{REQUEST_FILENAME} !-f
# RewriteCond %{REQUEST_FILENAME} !-d
# RewriteRule .? / [R=302,L]

# 301 REDIRECT ALL .SHTML FILES TO .HTML
# Disabled. The "." in "(.*).shtml" is unescaped and matches any character,
# so "/fooXshtml" would be redirected too; use "\.shtml$" when enabling.
#
# RewriteEngine on
# RewriteRule ^(.*).shtml$ https://www.example.com/$1.html [R=301,L]

# FALLBACK FOR INDEX.PHP
# If index.php isn't found then load the file MAINT-index.html from the same
# directory instead.
# Try: https://codepen.io/j_holtslander/pen/KNgbMP
#
DirectoryIndex index.php index.html MAINT-index.html

# BEGIN WordPress
# Standard WordPress front controller: any request that is not an existing
# file or directory is handed to /index.php. The first rule stops
# /index.php itself from being rewritten again.
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

########################################################################################################################
# ========================= HTTPS SSL/TLS ==============================================================================
########################################################################################################################

# TEMPORARILY REDIRECT HTTPS to HTTP
# Problem with SSL? Uncomment this to enable a temporary (302) redirect to
# http while keeping the requested path.
# Disabled. Do not leave this on longer than needed: it downgrades every
# visitor to plaintext, and once a Strict-Transport-Security header has been
# sent (see below) browsers will refuse the http:// page anyway.
#
# RewriteEngine On
# RewriteCond %{HTTPS} on
# RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]

# FORCE SSL
# SSL must actually be turned on for this to work. Cloudflare can also force
# all requests to SSL.
# Disabled. %{HTTPS} describes the connection to THIS server; behind a
# TLS-terminating proxy it stays "off" unless X-Forwarded-Proto is mapped
# (see the SetEnvIf X-Forwarded-Proto line in the SECURITY section), and
# the rule would then redirect forever. The target also echoes the client's
# Host header; a fixed hostname is safer than %{HTTP_HOST}.
#
# RewriteEngine On
# RewriteCond %{HTTPS} !=on
# RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

# UPGRADE INSECURE RESOURCE REQUESTS
# See:
# https://github.com/h5bp/server-configs-apache/pull/83/files
# Disabled. Sent only on HTTPS responses (env=HTTPS); tells browsers to
# fetch http:// subresources over https:// instead of blocking them as
# mixed content.
#
# Header set Content-Security-Policy "upgrade-insecure-requests" env=HTTPS

# FORCE CLIENT-SIDE SSL REDIRECTION
# See:
# https://github.com/h5bp/server-configs-apache/pull/83/files
# Disabled. HSTS with includeSubDomains commits every subdomain to HTTPS for
# max-age seconds (16070400 s is about 186 days); confirm all of them serve
# valid TLS before enabling. "always" adds the header on error responses
# too, which is what you want here.
#
# Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains"

# CACHE SSL REDIRECTION
# See:
# https://github.com/h5bp/server-configs-apache/pull/83/files
#
# (!) Remove the `env=HTTPS` optional directive if you want to force HTTP to HTTPS.
# NOTE(review): that is not quite right — browsers ignore
# Strict-Transport-Security on plain-HTTP responses, so dropping env=HTTPS
# changes nothing; the FORCE SSL rewrite above is what forces the upgrade.
# max-age=86400 (one day) is short; a year is usual once HTTPS is stable.
#
# Header set Strict-Transport-Security "max-age=86400; includeSubDomains" env=HTTPS

########################################################################################################################
# ========================= TWEAKS =====================================================================================
########################################################################################################################

# IF MAINWP IS INSTALLED, HIDE THE FACT.
# Direct requests into the mainwp-child plugin directory are rewritten to a
# path that does not exist (404), so the plugin cannot be confirmed by
# probing its URL. [QSA] keeps the query string, [L] stops further rewriting.
#
# BEGIN MainWP
RewriteEngine On
RewriteBase /
RewriteRule ^wp-content/plugins/mainwp-child/(.*)$ /wp-content/plugins/THIS_PLUGIN_DOES_NOT_EXIST [QSA,L]
# END MainWP

# URL CANONICALIZATION
# Both the naked domain and www should resolve to the same URL.
# Enable at most one of the alternatives below; all are disabled here.

# REDIRECT WWW TO NAKED DOMAIN
# Disabled. "RewriteRule ^/?$" matches only the site root, so deeper paths
# requested on www. are not canonicalized by this rule.
#
# RewriteEngine on
# RewriteBase /
# RewriteCond %{HTTP_HOST} ^www\.example\.com$
# RewriteRule ^/?$ "https\:\/\/example\.com\/" [R=301,L]

# REDIRECT http://example.com TO https://www.example.com
# Disabled. The dots in "www.example.com" are unescaped (match any
# character); write "www\.example\.com" when enabling.
#
# RewriteEngine on
# RewriteBase /
# RewriteCond %{HTTP_HOST} !^www.example.com$ [NC]
# RewriteRule ^(.*)$ https://www.example.com/$1 [L,R=301]

# REDIRECT DEV. SUBDOMAIN TO WWW.
# (directives follow; disabled)
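# (continuation of REDIRECT DEV. SUBDOMAIN TO WWW. — disabled)
# The dots in "dev.domain.com" are unescaped; write "dev\.domain\.com" when
# enabling so the condition does not match unrelated hosts.
#
# RewriteEngine on
# RewriteBase /
# RewriteCond %{HTTP_HOST} ^dev.domain.com$ [NC]
# RewriteRule ^(.*)$ https://www.domain.com/$1 [L,R=301]

# REDIRECT DIRECT IP ACCESS TO DOMAIN
# Change the URL if someone accesses the website via direct IP address.
# Disabled. The address shown is a placeholder (octets above 255 are not a
# valid IPv4 address); substitute the server's real public IP.
#
# RewriteEngine On
# RewriteBase /
# RewriteCond %{HTTP_HOST} ^186\.753\.090\.123$
# RewriteRule ^(.*)$ https://example.com/$1 [L,R=301]

# REDIRECT INCORRECT ROBOTS.TXT REQUESTS TO THE RIGHT PLACE.
# Source: https://perishablepress.com/htaccess-cleanup/
# DISABLED: the directive below arrived truncated — "(?" is an unterminated
# regex group and the target URL is missing. Apache refuses an invalid
# RedirectMatch and answers 500 for the whole directory, so it is commented
# out until the complete rule is copied back from the source above.
#
# RedirectMatch 301 (?

# REDIRECT ROBOTS.TXT REQUESTS TO STAGING SERVER'S VERSION IF NOT PRODUCTION SERVER'S DOMAIN
# Serve a different ("Do not index") version of robots.txt only when accessed
# on a subdomain of "stagingserver.com".
# Make sure file "robots-staging.txt" actually exists.
# Source: https://serverfault.com/a/884023/396075
# Disabled. The host pattern is not anchored at the end, so any Host value
# containing "stagingserver.com" matches; add "$" if that matters.
#
# RewriteEngine On
# RewriteBase /
# RewriteCond %{HTTP_HOST} ^(.*)?stagingserver(\.com)
# RewriteRule ^robots\.txt$ robots-staging.txt [NS]

# SHOW THE ADMIN'S EMAIL ADDRESS IN APACHE ERROR MESSAGES
# Disabled. A real mailbox on public error pages attracts spam; use a role
# address if this is ever enabled.
#
#SetEnv SERVER_ADMIN email@isp.com

# BLOCK ACCESS TO DIRECTORIES WITHOUT A DEFAULT DOCUMENT
# Stops mod_autoindex from listing directory contents.
#
Options -Indexes

# FORCE FILES TO DOWNLOAD INSTEAD OF OPENING IN BROWSER
# Source: https://css-tricks.com/snippets/htaccess/force-files-to-download-not-open-in-browser/
# Disabled.
#
# AddType application/octet-stream .csv
# AddType application/octet-stream .xls
# AddType application/octet-stream .doc
# AddType application/octet-stream .avi
# AddType application/octet-stream .mpg
# AddType application/octet-stream .mov
# AddType application/octet-stream .pdf

# ALLOW CROSS-ORIGIN REQUESTS.
# See:
# * https://stackoverflow.com/a/13871027/751570
# * https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
# * http://enable-cors.org/
# * http://www.w3.org/TR/cors/
# Disabled. A wildcard Access-Control-Allow-Origin on every response lets any
# origin read them (never with credentials — browsers reject "*" for
# credentialed requests). Scope it to the static assets that need it rather
# than enabling this site-wide line.
#
# Header set Access-Control-Allow-Origin "*"

# SEND THE CORS HEADER FOR IMAGES WHEN BROWSERS REQUEST IT.
# See:
# * https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image
# * https://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html
# NOTE(review): the <FilesMatch> that limited the header to image files was
# lost in extraction; as it arrived, the wildcard was sent on EVERY response
# carrying an Origin header, HTML and JSON included. The wrapper below is
# reconstructed (extension list is a constructed sample — adjust to the
# image types actually served cross-origin).
#
SetEnvIf Origin ":" IS_CORS
<FilesMatch "\.(bmp|cur|gif|ico|jpe?g|png|svgz?|webp)$">
    Header set Access-Control-Allow-Origin "*" env=IS_CORS
</FilesMatch>

# CROSS-ORIGIN WEB FONTS
# See: https://davidwalsh.name/cdn-fonts
# Shown disabled. Only needed when fonts are served from a different origin
# (CDN); if enabled, scope it with a <FilesMatch> for font extensions rather
# than leaving it site-wide.
#
# Header set Access-Control-Allow-Origin "*"

# CUSTOM ERROR PAGES
# See: https://perishablepress.com/custom-http-errors-via-htaccess/
# Disabled. Custom pages also avoid leaking the server version footer that
# default error pages can include.
#
#ErrorDocument 400 /errors/400.html
#ErrorDocument 401 /errors/401.html
#ErrorDocument 403 /errors/403.html
#ErrorDocument 404 /errors/404.html
#ErrorDocument 500 /errors/500.html

# PREVENTS OVERZEALOUS 404 ERRORS FROM APACHE
# This setting prevents Apache from returning a 404 error as the result
# of a rewrite when the directory with the same name does not exist.
# See:
# * https://httpd.apache.org/docs/current/content-negotiation.html#multiviews
# * https://www.infomaniak.com/en/support/faq/605/redirect-and-url-rewrite-issues-multiviews-option-in-htaccess
#
Options -MultiViews

# INCREASE MAXIMUM UPLOAD FILE SIZE (OPTIONAL)
# Disabled. php_value only works under mod_php; with PHP-FPM an unknown
# directive in .htaccess produces a 500 unless the lines are guarded by a
# matching <IfModule> for the PHP module.
#
#php_value upload_max_filesize 64M
#php_value post_max_size 64M
#php_value max_execution_time 300
#php_value max_input_time 300

# ADD SUPPORT FOR SVG AND HTC
# See: https://davidwalsh.name/serve-svg-image
# .svgz is gzip-compressed SVG, hence the AddEncoding. .htc "behaviors" are
# an IE-only legacy feature.
#
AddType image/svg+xml svg svgz
AddEncoding gzip svgz
AddType text/x-component .htc

# ADD SUPPORT FOR AUGMENTED REALITY FILES
# See: https://webkit.org/blog/8421/viewing-augmented-reality-assets-in-safari-for-ios/
#
# All files ending in .usdz served as USD.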
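AddType model/vnd.usdz+zip usdz

# REDIRECT ALL WORDPRESS FEEDS TO FEEDBURNER
# Disabled. "yourfeed" is a placeholder.
#
# RedirectMatch 301 /feed/(atom|rdf|rss|rss2)/?$ http://feedburner.com/yourfeed/
# RedirectMatch 301 /comments/feed/(atom|rdf|rss|rss2)/?$ http://feedburner.com/yourfeed/

# BLOCK ACCESS TO ANY SOURCE FILES
# NOTE(review): the <FilesMatch> naming the source-file extensions was lost
# in extraction. Unwrapped, these directives apply to the whole directory
# tree and deny every request, so a labelled placeholder wrapper is restored
# — it matches nothing until the real pattern is filled in. The 2.2-style
# Order/Deny lines need mod_access_compat on Apache 2.4; "Require all
# denied" is the 2.4 form, so both branches are given.
#
<FilesMatch "REPLACE_WITH_SOURCE_FILE_PATTERN">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
        Satisfy All
    </IfModule>
</FilesMatch>

# FORCE INTERNET EXPLORER 8/9/10 TO RENDER PAGES IN THE HIGHEST MODE
# NOTE(review): the "unset" was presumably scoped to non-HTML file types by
# a <FilesMatch> lost in extraction; in the same scope it simply cancels the
# "set", so no X-UA-Compatible header is sent at all. Only legacy IE ever
# honoured it, so this is harmless either way.
#
Header set X-UA-Compatible "IE=edge"
Header unset X-UA-Compatible

# CHANGE URL
# Both options disabled; they are mutually exclusive. Both build the redirect
# target from the client's Host header — prefer a fixed hostname so a forged
# Host cannot steer the redirect.
#
# Option 1: Add www - http://domain > http://www.domain
#
# Options +FollowSymlinks #Not supported by some hosting
#
## If you wish to redirect to a https:// simply substitute http: with https:
# RewriteCond %{HTTP_HOST} !^www\..+$ [NC]
# RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#
## Redirect away from /index.php to clear path
# RewriteCond %{THE_REQUEST} ^.*/index.php
# RewriteRule ^(.*)index.php$ http://www.%{HTTP_HOST}%{REQUEST_URI}$1 [R=301,L]
#
# Option 2: Strip www - http://www.domain > http://domain
#
# Options +FollowSymlinks #Not supported by some hosting
#
## If you wish to redirect to a https:// simply substitute http: with https:
# RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
# RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
#
## Redirect away from /index.php to clear path
# RewriteCond %{THE_REQUEST} ^.*/index.php
# RewriteRule ^(.*)index.php$ http://%{HTTP_HOST}%{REQUEST_URI}$1 [R=301,L]

# SERVE RESOURCES WITH THE PROPER MEDIA TYPES (MIME TYPES)
# Correct Content-Type values matter beyond rendering: with
# "X-Content-Type-Options: nosniff" (SECURITY section) browsers refuse
# scripts and stylesheets whose declared type is wrong.
#
# Data interchange
AddType application/atom+xml atom
AddType application/json json map topojson
AddType application/ld+json jsonld
AddType application/rss+xml rss
AddType application/vnd.geo+json geojson
AddType application/xml rdf xml

# JavaScript
AddType application/javascript js

# Manifest files
AddType application/manifest+json webmanifest
AddType application/x-web-app-manifest+json webapp
AddType text/cache-manifest appcache

# Media files
AddType audio/mp4 f4a f4b m4a
AddType audio/ogg oga ogg opus
AddType image/bmp bmp
AddType image/svg+xml svg svgz
AddType image/webp webp
AddType video/mp4 f4v f4p m4v mp4
AddType video/ogg ogv
AddType video/webm webm
AddType video/x-flv flv
AddType image/x-icon cur ico

# Web fonts
# (application/font-woff* and application/x-font-ttf are the pre-RFC 8081
# registrations; font/woff, font/woff2 and font/ttf are current. Browsers
# accept both.)
AddType application/font-woff woff
AddType application/font-woff2 woff2
AddType application/vnd.ms-fontobject eot
AddType application/x-font-ttf ttc ttf
AddType font/opentype otf

# Other
AddType application/octet-stream safariextz
AddType application/x-bb-appworld bbaw
AddType application/x-chrome-extension crx
AddType application/x-opera-extension oex
AddType application/x-xpinstall xpi
AddType text/vcard vcard vcf
AddType text/vnd.rim.location.xloc xloc
AddType text/vtt vtt
AddType text/x-component htc

# Character encodings as utf-8
# AddDefaultCharset covers text/plain and text/html; AddCharset covers the
# listed extensions. An explicit charset stops browsers guessing one, which
# closes the old charset-sniffing XSS vector.
#
AddDefaultCharset utf-8
AddCharset utf-8 .atom \
                 .bbaw \
                 .css \
                 .geojson \
                 .js \
                 .json \
                 .jsonld \
                 .manifest \
                 .rdf \
                 .rss \
                 .topojson \
                 .vtt \
                 .webapp \
                 .webmanifest \
                 .xloc \
                 .xml

########################################################################################################################
# ======================= PERFORMANCE ==================================================================================
########################################################################################################################

# SUBSTITUTE WEBP IF POSSIBLE
# IF VISITOR'S BROWSER SUPPORTS WEBP IMAGES, AND A WEBP IMAGE EXISTS NEXT TO THE JPG, SERVE THE WEBP IMAGE INSTEAD.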
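# Source: https://github.com/vincentorback/WebP-images-with-htaccess
# Disabled (whole block). Serves foo.webp in place of foo.jpg/png when the
# client advertises image/webp and the file exists; "Vary: Accept" keeps
# caches from handing the WebP variant to clients that cannot decode it.
#
# SetEnvIf Request_URI "\.(jpe?g|png)$" REQUEST_image
#
# RewriteEngine On
# RewriteCond %{HTTP_ACCEPT} image/webp
# RewriteCond %{DOCUMENT_ROOT}/$1.webp -f
# RewriteRule (.+)\.(jpe?g|png)$ $1.webp [T=image/webp]
#
# Header append Vary Accept env=REQUEST_image
#
# AddType image/webp .webp

# WEBP SUBSTITUTION CODE FOR THE "EWWW IMAGE OPTIMIZER" PLUGIN
# Used with: https://en-ca.wordpress.org/plugins/ewww-image-optimizer/
# Disabled. Alternative to the block above (the plugin writes foo.jpg.webp);
# enable at most one of the two.
#
# RewriteEngine On
# RewriteCond %{HTTP_ACCEPT} image/webp
# RewriteCond %{REQUEST_FILENAME} (.*)\.(jpe?g|png)$
# RewriteCond %{REQUEST_FILENAME}\.webp -f
# RewriteCond %{QUERY_STRING} !type=original
# RewriteRule (.+)\.(jpe?g|png)$ %{REQUEST_FILENAME}.webp [T=image/webp,E=accept:1,L]
#
# Header append Vary Accept env=REDIRECT_accept
#
#AddType image/webp .webp

# DISABLE ETAG - http://crunchify.com/how-to-speed-up-wordpress-leveraging-browser-caching-via-htaccess/
# Inode-based ETags differ between servers behind a load balancer, so
# Expires/Cache-Control are relied on instead. (The same three directives
# are repeated under "DISABLE ETAG" in the next section; one copy suffices.)
#
Header unset Pragma
FileETag None
Header unset ETag

# VARY ENCODING - https://www.maxcdn.com/blog/accept-encoding-its-vary-important/
# Tells shared caches that compressed and uncompressed bodies are distinct
# variants. Header name written without the trailing ":" — the colon form
# only works because mod_headers tolerates it.
#
Header append Vary Accept-Encoding

# COMPRESS WITH GZIP
# mod_gzip is the Apache 1.3-era module and is absent from current builds;
# an unknown directive in .htaccess makes Apache answer 500 for the whole
# site. Guarded with <IfModule mod_gzip.c> so the block is skipped when the
# module is not loaded (mod_deflate below does the work).
#
<IfModule mod_gzip.c>
    mod_gzip_on Yes
    mod_gzip_dechunk Yes
    mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
    mod_gzip_item_include handler ^cgi-script$
    mod_gzip_item_include mime ^text/.*
    mod_gzip_item_include mime ^application/x-javascript.*
    mod_gzip_item_exclude mime ^image/.*
    mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>

# USE MOD_DEFLATE IF MOD_PAGESPEED (BELOW) ISN'T INSTALLED
# The BrowserMatch lines work around Netscape 4 / early IE compression bugs
# and are dead weight today; the SetEnvIfNoCase line keeps already-compressed
# images out of DEFLATE. General caveat: compressing dynamic HTML that
# reflects attacker-controlled input next to a secret (e.g. a CSRF token) is
# the BREACH precondition — mitigate in the application, not here.
#
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/css text/javascript application/javascript application/x-javascript
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
    Header append Vary User-Agent env=!dont-vary
</IfModule>

# FORCE COMPRESSION FOR MANGLED `ACCEPT-ENCODING` REQUEST HEADERS
# Some proxies rewrite the header name; this restores a usable
# Accept-Encoding when the mangled one still names gzip/deflate.
#
SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding

# COMPRESS ALL OUTPUT LABELED WITH ONE OF THE FOLLOWING MEDIA TYPES
# TTF Font info from: https://divibooster.com/enable-compression-for-the-divi-theme/
# "Addtype font/truetype .ttf" overrides the earlier
# "AddType application/x-font-ttf ttc ttf" for .ttf (last definition wins),
# which is why both types appear in the list; font/truetype has no
# ExpiresByType entry below and so gets ExpiresDefault.
#
Addtype font/truetype .ttf
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE "application/atom+xml" \
                                  "application/javascript" \
                                  "application/json" \
                                  "application/ld+json" \
                                  "application/manifest+json" \
                                  "application/rdf+xml" \
                                  "application/rss+xml" \
                                  "application/schema+json" \
                                  "application/vnd.geo+json" \
                                  "application/vnd.ms-fontobject" \
                                  "application/x-font-ttf" \
                                  "application/x-javascript" \
                                  "application/x-web-app-manifest+json" \
                                  "application/xhtml+xml" \
                                  "application/xml" \
                                  "font/eot" \
                                  "font/opentype" \
                                  "font/truetype" \
                                  "image/bmp" \
                                  "image/svg+xml" \
                                  "image/vnd.microsoft.icon" \
                                  "image/x-icon" \
                                  "text/cache-manifest" \
                                  "text/css" \
                                  "text/html" \
                                  "text/javascript" \
                                  "text/text" \
                                  "text/plain" \
                                  "text/vcard" \
                                  "text/vnd.rim.location.xloc" \
                                  "text/vtt" \
                                  "text/x-component" \
                                  "text/x-cross-domain-policy" \
                                  "text/xml"
</IfModule>
AddEncoding gzip svgz

# USE GOOGLE'S MOD_PAGESPEED IF IT'S INSTALLED ON SERVER (DO NOT USE THIS IF IT IS NOT INSTALLED)
# Disabled.
#
# ModPagespeed on
# ModPagespeedEnableFilters
# extend_cache,combine_css,combine_javascript,collapse_whitespace,move_css_to_head

# BEGIN EXPIRE HEADERS
# Far-future expiry for static assets; change the asset URL (filename or
# version query) when content changes. text/html is cached for a week here —
# responses that differ per user must override this with Cache-Control;
# verify what the application sends for logged-in sessions before relying
# on it. Guarded so a build without mod_expires does not 500.
#
<IfModule mod_expires.c>
    ExpiresActive on
    ExpiresDefault "access plus 1 month"

    # CSS
    ExpiresByType text/css "access plus 1 year"

    # Data interchange
    ExpiresByType application/atom+xml "access plus 1 hour"
    ExpiresByType application/rdf+xml "access plus 1 hour"
    ExpiresByType application/rss+xml "access plus 1 hour"
    ExpiresByType application/json "access plus 0 seconds"
    ExpiresByType application/ld+json "access plus 0 seconds"
    ExpiresByType application/schema+json "access plus 0 seconds"
    ExpiresByType application/vnd.geo+json "access plus 0 seconds"
    ExpiresByType application/xml "access plus 0 seconds"
    ExpiresByType text/xml "access plus 0 seconds"

    # Favicon (cannot be renamed!) and cursor images
    ExpiresByType image/vnd.microsoft.icon "access plus 1 week"
    ExpiresByType image/x-icon "access plus 1 week"

    # HTML
    ExpiresByType text/html "access plus 1 week"

    # JavaScript
    ExpiresByType application/javascript "access plus 1 year"
    ExpiresByType application/x-javascript "access plus 1 year"
    ExpiresByType text/javascript "access plus 1 year"

    # Manifest files
    ExpiresByType application/manifest+json "access plus 1 week"
    ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
    ExpiresByType text/cache-manifest "access plus 0 seconds"

    # Media files
    ExpiresByType audio/ogg "access plus 6 months"
    ExpiresByType image/bmp "access plus 6 months"
    ExpiresByType image/gif "access plus 6 months"
    ExpiresByType image/jpeg "access plus 6 months"
    ExpiresByType image/jpg "access plus 6 months"
    ExpiresByType image/png "access plus 6 months"
    ExpiresByType image/svg+xml "access plus 6 months"
    ExpiresByType image/webp "access plus 6 months"
    ExpiresByType video/mp4 "access plus 6 months"
    ExpiresByType video/ogg "access plus 6 months"
    ExpiresByType video/webm "access plus 6 months"

    # Web fonts
    # Embedded OpenType (EOT)
    ExpiresByType application/vnd.ms-fontobject "access plus 6 months"
    ExpiresByType font/eot "access plus 6 months"
    # OpenType
    ExpiresByType font/opentype "access plus 6 months"
    # TrueType
    ExpiresByType application/x-font-ttf "access plus 6 months"
    # Web Open Font Format (WOFF) 1.0
    ExpiresByType application/font-woff "access plus 6 months"
    ExpiresByType application/x-font-woff "access plus 6 months"
    ExpiresByType font/woff "access plus 6 months"
    # Web Open Font Format (WOFF) 2.0
    ExpiresByType application/font-woff2 "access plus 6 months"

    # Other
    ExpiresByType image/svg+xml "access plus 6 months"
    ExpiresByType text/x-cross-domain-policy "access plus 1 week"
</IfModule>

# BEGIN CACHE-CONTROL HEADERS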
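# CACHE-CONTROL HEADERS
# This can conflict with Cloudflare's caching.
# Disabled. The per-file-type <FilesMatch> scopes these belonged to were
# lost in extraction; without them each "Header set" would apply to every
# response and the last one ("private, must-revalidate") would win.
#
# Header set Cache-Control "public"
# Header set Cache-Control "public"
# Header set Cache-Control "private"
# Header set Cache-Control "private, must-revalidate"

# IMPROVING PERFORMANCE WITH CACHE-CONTROL: IMMUTABLE
# SEE: https://www.keycdn.com/blog/cache-control-immutable
# Disabled. Only for versioned/fingerprinted asset URLs: "immutable" tells
# browsers not to revalidate even on reload.
#
# Header set Cache-Control "public, max-age=31536000, immutable"

# ENABLE KEEP-ALIVE
# Keep-alive is governed by the server's KeepAlive setting, which is not
# available in .htaccess; this hop-by-hop Connection header does not enable
# it and is meaningless under HTTP/2. Left in place as harmless.
#
Header set Connection keep-alive

# DISABLE ETAG
# (Duplicate of the DISABLE ETAG block in the PERFORMANCE section.)
#
Header unset Pragma
Header unset ETag
FileETag None

########################################################################################################################
# ======================== SECURITY ====================================================================================
########################################################################################################################

# DENY EVERYONE ACCESS TO THE WORDPRESS LOGIN FROM ALL EXCEPT KNOWN/SAFE IP ADDRESSES
# Disabled, and the <Files wp-login.php> scope it belonged to was lost in
# extraction — unwrapped, "deny from all" would lock out the whole site.
# Fill in the "allow from" placeholders with the admin IPs. Behind a reverse
# proxy the client IP seen here is the proxy's unless mod_remoteip is set up.
#
# order deny,allow
# deny from all
# allow from
# allow from
# allow from

# REDIRECT UNAUTHORIZED IP ADDRESSES THAT TRY TO ACCESS WP-ADMIN OR WP-LOGIN
# See: https://serverfault.com/a/1005015/396075
# Disabled. Caveat when enabling: blocking all of /wp-admin also blocks
# /wp-admin/admin-ajax.php, which WordPress uses for anonymous front-end
# AJAX — exempt it if the site relies on that. The ErrorDocument points at
# an external URL, which turns the 403 into a redirect.
#
# RewriteEngine on
# RewriteBase /
#
# ====== IF YOU WANT INTO THE WORDPRESS ADMIN AREA, THE LOGIN, OR TO VIEW A README... ======
# RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$ [OR]
# RewriteCond %{REQUEST_URI} ^/wp-admin.* [OR]
# RewriteCond %{REQUEST_URI} ^/phpmyadmin.* [OR]
# RewriteCond %{REQUEST_URI} ^/adminer.* [OR]
# RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
# RewriteCond %{REQUEST_URI} ^(.*)?readme\.html(.*)$ [OR]
# RewriteCond %{REQUEST_URI} ^(.*)?readme\.txt(.*)$
#
# ====== AND YOU'RE NOT ON ONE OF THESE IP ADDRESSES... ======
# RewriteCond %{REMOTE_ADDR} !^XX\.XX\.XX\.XXX [NC]
# RewriteCond %{REMOTE_ADDR} !^XX\.XX\.XX\.XXX [NC]
# RewriteCond %{REMOTE_ADDR} !^XX\.XX\.XX\.XXX [NC]
#
# ====== THEN YOU'RE FORBIDDEN AND ARE SERVED AN ERROR PAGE TELLING YOU SO ======
# RewriteRule ^.*$ - [L,F]
# ErrorDocument 403 https://youtu.be/cQ_b4_lw0Gg

# REMOVE SERVER SIGNATURE
# See:
# * https://techjourney.net/improve-apache-web-server-security-use-servertokens-and-serversignature-to-disable-header/
# * https://www.unixmen.com/how-to-disable-server-signature-using-htaccess-or-by-editing-apache/
# Removes the version footer from Apache-generated error pages. The Server
# response header itself is controlled by ServerTokens, which cannot be set
# from .htaccess.
#
ServerSignature Off

# WHITELIST SPECIFIC IP ADDRESSES - http://stackoverflow.com/a/38703505/751570
# Disabled. Apache 2.4 syntax; XX/YY are placeholders.
#
# Require ip XX.XX.XX.XX YY.YY.YY.YY

# BLACKLIST SPECIFIC IP ADDRESSES - https://httpd.apache.org/docs/2.4/howto/access.html
# (OR USE CLOUDFLARE'S FIREWALL, OR ITHEMES SECURITY BANNED USERS LIST)
# Disabled. The two lines belong inside a <RequireAll> (lost in extraction);
# on their own, "Require all granted" is an unconditional allow.
#
# Require all granted
# Require not ip XX.XX.XX.XX YY.YY.YY.YY

# DISABLE XML-RPC
# See: https://www.digitalocean.com/community/tutorials/how-to-protect-wordpress-from-xml-rpc-attacks-on-ubuntu-14-04#method-3-manually-blocking-all-xml-rpc-traffic
# See: https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html
# Blocks the endpoint used for pingback and brute-force amplification; note
# that Jetpack and the mobile apps depend on it. NOTE(review): the
# <Files xmlrpc.php> scope and the Apache-version branches were lost in
# extraction — unwrapped, these directives denied the entire site. Restored.
#
<Files xmlrpc.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# STRONG HTACCESS PROTECTION (PROTECTS THIS FILE FROM HACKERS)
# NOTE(review): the <Files> scope was lost in extraction; restored with
# Apache's own default pattern for .ht* files.
#
<Files ".ht*">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        order allow,deny
        deny from all
        satisfy all
    </IfModule>
</Files>

# REMOVE THE `X-POWERED-BY` RESPONSE HEADER
# Hides the PHP version banner (expose_php in php.ini is the real switch).
#
Header unset X-Powered-By

# RECOGNIZE SSL WHEN SET AT A LOAD BALANCER/PROXY LEVEL (FOR CLOUDFLARE)
# Disabled. Enable only when the origin accepts connections solely from the
# proxy: any client that can reach Apache directly can send
# "X-Forwarded-Proto: https" itself and satisfy every HTTPS check in this
# file.
#
#SetEnvIf X-Forwarded-Proto https HTTPS=on

# PREVENT WORDPRESS VERSION EXPOSURE IN README.HTML
# NOTE(review): <Files readme.html> scope restored (lost in extraction).
#
<Files readme.html>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Deny from all
    </IfModule>
</Files>

# DISABLE HTTP TRACE
# "TraceEnable off" in the server config is the proper fix; this is the
# .htaccess fallback. The RewriteEngine switch here is shared by every
# rewrite block below.
#
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

# BLOCK ACCESS TO HIDDEN FILES & DIRECTORIES
# Refuses any path component starting with "." (.git, .env, .svn, ...).
# /.well-known/ is exempted so ACME (Let's Encrypt) HTTP-01 challenges and
# other RFC 8615 resources keep working.
#
RewriteCond %{REQUEST_URI} !(^|/)\.well-known/ [NC]
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F]

# BLOCK ACCESS TO FILES THAT CAN EXPOSE SENSITIVE INFORMATION
# NOTE(review): the <FilesMatch> naming backup/config/editor-swap patterns
# was lost in extraction, and both Apache-version branches were active at
# once. A labelled placeholder wrapper is restored; it matches nothing until
# the real pattern is filled in.
#
<FilesMatch "REPLACE_WITH_SENSITIVE_FILE_PATTERN">
    # Apache < 2.3
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
        Satisfy All
    </IfModule>
    # Apache ≥ 2.3
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
</FilesMatch>

# DISABLE ACCESS TO WORDPRESS WP-CONFIG FILE
# wp-config.php holds the database credentials and salts; a misconfigured
# PHP handler would otherwise serve it as text. <Files> scope restored.
#
<Files wp-config.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        order allow,deny
        deny from all
    </IfModule>
</Files>

# DISABLE ACCESS TO SFTP-CONFIG.JSON
# Editor deployment settings containing server credentials. <Files> scope
# restored.
#
<Files sftp-config.json>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        order allow,deny
        deny from all
    </IfModule>
</Files>

# DISABLE ACCESS TO INCLUDES.
# From the WordPress hardening guide: direct requests to PHP files under
# wp-includes/ are refused; [S=3] skips the three wp-includes rules for any
# other path. Multisite installs need an exception — see that guide.
#
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# PASS THE DEFAULT CHARACTER SET
# (Also set under MIME TYPES; repeating it is harmless.)
#
AddDefaultCharset utf-8

# REDIRECT SPAMMER ATTACKS TO BOGUS SITE
# Changed: the original answered these Drupal-style probes with a 301 to a
# third-party domain (www.nixbla.com). Bouncing hostile traffic onto someone
# else's server just moves the problem; a 403 is cheaper, logs locally and
# needs no redirect round-trip.
#
RewriteCond %{QUERY_STRING} q=user/register [OR]
RewriteCond %{QUERY_STRING} q=node/add
RewriteRule ^/?$ - [F]

# DENY NO REFERER REQUESTS - http://www.wprecipes.com/how-to-deny-comment-posting-to-no-referrer-requests
# See also: https://codex.wordpress.org/Brute_Force_Attacks
# Change yourblog.com to your domain. If you're using Multisite with mapped
# domains, you'll want to change yourblog.com to
# (yourblog.com|yourblog.net|yourblog4.com) and so on.
# Disabled. Two caveats if enabled: the Referer header is client-controlled,
# so this only stops naive bots; and the substitution "^http://..." carries
# a literal "^" (the caret is not an anchor in a RewriteRule target), so the
# redirect URL would be malformed — drop it.
#
# RewriteEngine On
# RewriteCond %{REQUEST_METHOD} POST
# RewriteCond %{REQUEST_URI} .*/(wp-comments-post|wp-login)\.php.*
# RewriteCond %{HTTP_REFERER} !.*yourblog.com.* [OR]
# RewriteCond %{HTTP_USER_AGENT} ^$
# RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]

# BLOCK BROWSER ACCESS TO LOG FILES
# NOTE(review): scope lost in extraction; restored as <FilesMatch "\.log$">
# (pattern reconstructed from the section title).
#
<FilesMatch "\.log$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# STOP WORDPRESS USERNAME ENUMERATION VULNERABILITY - METHOD 1
# Disabled; METHOD 2 below is active. Both target ?author=N requests, which
# WordPress otherwise redirects to /author/<login>/ and thereby reveals
# account names. "[domain.com]" is a placeholder.
#
# RewriteEngine On
# RewriteCond %{REQUEST_URI} ^/$
# RewriteCond %{QUERY_STRING} ^/?author=([0-9]*)
# RewriteRule ^(.*)$ http://[domain.com]/? [L,R=301]
# RewriteCond %{QUERY_STRING} author=\d
# RewriteRule ^ /? [L,R=301]

# STOP WORDPRESS USERNAME ENUMERATION VULNERABILITY - METHOD 2
# See: https://www.wpbeginner.com/wp-tutorials/how-to-discourage-brute-force-by-blocking-author-scans-in-wordpress/
# Caveat: this matches "author=<digits>" anywhere in ANY query string,
# including wp-admin list screens filtered by author; add
# "RewriteCond %{REQUEST_URI} !^/wp-admin/" if that breaks admin use. The
# REST API user listing is not covered by this rule.
#
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]

# WP HARDENING SECURITY HEADERS
# - X-XSS-Protection: the browser XSS auditor has been removed from
#   Chromium-based browsers and never existed in Firefox; where it survives,
#   "1; mode=block" has been abused for cross-site leaks, so current guidance
#   is "0" (or omit) and Content-Security-Policy instead.
# - X-Frame-Options: "set" rather than "append", so a value emitted by the
#   application is not concatenated into a multi-valued header whose
#   handling differs between browsers. "always" also covers error responses.
# - X-Content-Type-Options: header name given without the trailing colon.
#
Header always set X-XSS-Protection "0"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"

# BLOCK COMMON MALICIOUS BOT QUERIES
# Fix: "fckeditor" lacked [OR], so the chain read
# (humans.txt OR *.php) OR (fckeditor AND revslider) — a query string with
# only one of the last two was never refused. All four are now alternatives
# of a single rule; the duplicate humans.txt rule that followed is folded in.
#
RewriteCond %{QUERY_STRING} http\:\/\/www\.google\.com\/humans\.txt\? [NC,OR]
RewriteCond %{QUERY_STRING} (img|thumb|thumb_editor|thumbopen).php [NC,OR]
RewriteCond %{QUERY_STRING} fckeditor [NC,OR]
RewriteCond %{QUERY_STRING} revslider [NC]
RewriteRule .* - [F,L]

# BLOCK SPECIFIC SITES FROM STEALING BANDWIDTH BY HOTLINKING TO IMAGES
# Referrer patterns now accept "https?://" — the original "http://" matched
# only plaintext referrers, so the same sites served over HTTPS slipped
# through. Referer is client-controlled; this is bandwidth hygiene, not
# access control.
#
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?discussionist\.com(/.*)*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?sodahead\.com(/.*)*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?pixshark\.com(/.*)*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?advanceindiana.blogspot\.com(/.*)*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?galleryhip\.com(/.*)*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?freespeechwisconsin\.com(/.*)*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?memekid\.com(/.*)*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?3edgesword.blogspot\.ca(/.*)*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?neogaf\.com(/.*)*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?locationrebel\.com(/.*)*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?pixgood\.com(/.*)*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?pudelekf23.blogspot\.com(/.*)*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?fstdt\.com(/.*)*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?zerohedge\.com(/.*)*$ [NC]
RewriteRule \.(jpeg|JPEG|jpe|JPE|jpg|JPG|gif|GIF|png|PNG|mng|MNG)$ - [F]

# ABUSE HTTP REFERRER BLOCKING - Blocking referrer domains stops traffic originating from the specified domains
# Fix: "100dollars-seo.com\.com" (doubled ".com") could never match the
# domain it was meant to; corrected to "100dollars-seo\.com". Referrer spam
# is usually injected straight into analytics without touching the server,
# so expect this list to have limited effect.
#
RewriteCond %{HTTP_REFERER} 100dollars-seo\.com [NC,OR]
RewriteCond %{HTTP_REFERER} best-seo-offer\.com [NC,OR]
RewriteCond %{HTTP_REFERER} buttons-for-your-website\.com [NC,OR]
RewriteCond %{HTTP_REFERER} free-social-buttions\.com [NC,OR]
RewriteCond %{HTTP_REFERER} semalt\.com [NC,OR]
RewriteCond %{HTTP_REFERER} todaperfeita\.com [NC,OR]
RewriteCond %{HTTP_REFERER} www1.free-social-buttons\.com [NC,OR]
RewriteCond %{HTTP_REFERER} www2.free-social-buttons\.com [NC,OR]
RewriteCond %{HTTP_REFERER} www3.free-social-buttons\.com [NC,OR]
RewriteCond %{HTTP_REFERER} www4.free-social-buttons\.com [NC]
RewriteRule .* - [F,L]

########################################################################################################################
# ===================== 301 REDIRECTS ==================================================================================
########################################################################################################################
# It's better to use the Redirection plugin for Wordpress than define them here.
# Find it at: https://wordpress.org/plugins/redirection/
#redirect 301 /old-page-url.html https://www.domain.ca/new-page-url
#redirect 301 /old-page-url.html https://www.domain.ca/new-page-url
#redirect 301 /old-page-url.html https://www.domain.ca/new-page-url
#redirect 301 /old-page-url.html https://www.domain.ca/new-page-url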