Come mettere in sicurezza WordPress via .htaccess
12 Gennaio 2020 / / Commenti disabilitati su Come mettere in sicurezza WordPress via .htaccess
Come mettere in sicurezza WordPress via .htaccess
In questo post una raccolta di stringhe di codice tratte dai Blog dei migliori sviluppatori WordPress e dallo stesso portale di wordprss.org.
E’ sufficiente sostituire tutti il link (telam.og) presenti in alcune stringhe con il link del proprio sito e incollare tutto il contenuto nel proprio file ,htaccess
Se dovesse darvi errore, eliminate una a una le sezioni complete, fino a che funziona, dopo di che individuate il codice specifico incriminato, purtroppo varia molto da server a server.
Per Funzionare è necessario web server Apache e mod Rewrit Attivo.
#--------------------------------------------------------------------------
# Security Basic
#--------------------------------------------------------------------------
# Security Admin for Multisite or dinamic IP Adress
ErrorDocument 401 /path-to-telam.org/index.php?error=404
ErrorDocument 403 /path-to-telam.org/index.php?error=404
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^http://(.*)?telam.org [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]
</IfModule>
# Protect wp-admin
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-admin/.*$ [NC]
RewriteCond %{REQUEST_FILENAME} !^.+flexible-upload-wp25js.php$
RewriteCond %{REQUEST_FILENAME} ^.+\.(php|html|htm|txt)$
RewriteRule .? - [F,NS,L]
</IfModule>
# Protect wp-content
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-content/.*$ [NC]
RewriteCond %{REQUEST_FILENAME} !^.+flexible-upload-wp25js.php$
RewriteCond %{REQUEST_FILENAME} ^.+\.(php|html|htm|txt)$
RewriteRule .? - [F,NS,L]
</IfModule>
# Block direct access to your plugin and theme
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]
</IfModule>
# Protect wp-includes
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-includes/.*$ [NC]
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ /wp-includes/js/.+/.+\ HTTP/ [NC]
RewriteCond %{REQUEST_FILENAME} ^.+\.php$
RewriteRule .? - [F,NS,L]
</IfModule>
# Block Include-Only Files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# Block direct access to your wp-include
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/wp-includes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-includes/directory/to/exclude/
RewriteRule wp-includes/(.*\.php)$ - [R=404,L]
</IfModule>
# Block direct access to your uploads
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/wp-content/uploads/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/uploads/directory/to/exclude/
RewriteRule wp-content/uploads/(.*\.php)$ - [R=404,L]
</IfModule>
# Prevent subfolder loading. This goes
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_HOST} ^primary\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.primary\.com$
RewriteRule ^addon\.com\/?(.*)$ "http\:\/\/www\.addon\.com\/$1" [R=301,L]
</IfModule>
# Always use https for secure connections
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.telam.org/$1 [R=301,L]
</IfModule>
# Correct URL Typo Automatically
<ifmodule mod_speling.c>
CheckSpelling On
</ifmodule>
# Add .php to access file, but don't redirect
<IfModule mod_rewrite.c>
Options +FollowSymLinks -MultiViews -indexes
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteCond %{REQUEST_URI} !/$
RewriteRule (.*) $1.php [L]
</IfModule>
#-------------------------------------------------------------------------
# Security Headers
#-------------------------------------------------------------------------
# No-Referrer-Header
<IfModule mod_headers.c>
Header set Referrer-Policy "no-referrer"
</IfModule>
# X-FRAME-OPTIONS-Header
<IfModule mod_headers.c>
Header set X-Frame-Options "sameorigin"
</IfModule>
# X-XSS-PROTECTION-Header
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>
# X-Content-Type-Options-Header
<IfModule mod_headers.c>
Header set X-Content-Type-Options "nosniff"
</IfModule>
# Prevent false certificate (experimental)
<IfModule mod_headers.c>
Header set Expect-CT "enforce, max-age=21600"
</IfModule>
# Unset headers revealing versions strings
<IfModule mod_headers.c>
Header unset X-Powered-By
Header unset X-Pingback
Header unset SERVER
</IfModule>
# Force secure cookies (uncomment for HTTPS)
<IfModule mod_headers.c>
#Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</IfModule>
# Blocking based on User-Agent Header
<IfModule mod_headers.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^.*(craftbot|download|extract|stripper|sucker|ninja|clshttp|webspider|leacher|collector|grabber|webpictures).*$ [NC]
RewriteRule . - [F,L]
</IfModule>
#---------------------------------------------------------------------------
# User Security
#---------------------------------------------------------------------------
# Block author scans
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
</IfModule>
# Stop Username Enumeration Attacks
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule .* - [R=403,L]
</IfModule>
# Block User list Phishing Requests
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} ^author=([0-9]*)
RewriteRule .* https://telam.org/? [L,R=302]
</IfModule>
#--------------------------------------------------------------------------
# Security post and spam
#--------------------------------------------------------------------------
# Denies any POST Request using a Proxy Server. Can still access site, but not comment.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .? - [F,NS,L]
</IfModule>
# Block any POST attempt made to a non-existing wp-comments-post.php
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*/wp-comments-post\.php.*\ HTTP/ [NC]
RewriteRule .? - [F,NS,L]
</IfModule>
# Block any POST request that doesnt have a Content-Length Header
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:Content-Length} ^$
RewriteCond %{REQUEST_URI} !^/(wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .? - [F,NS,L]
</IfModule>
# Block any POST request with a content type other than application/x-www-form-urlencoded|multipart/form-data
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:Content-Type} !^(application/x-www-form-urlencoded|multipart/form-data.*(boundary.*)?)$ [NC]
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .? - [F,NS,L]
</IfModule>
# Block POST requests by blank user-agents. May prevent a small number of visitors from POSTING
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .? - [F,NS,L]
</IfModule>
# Denies any comment attempt with a blank HTTP_REFERER field, highly indicative of spam. May prevent some visitors from POSTING
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*/wp-comments-post\.php.*\ HTTP/ [NC]
RewriteCond %{HTTP_REFERER} ^-?$
RewriteRule .? - [F,NS,L]
</IfModule>
# Trackback Spam
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP_USER_AGENT} ^.*(opera|mozilla|firefox|msie|safari).*$ [NC]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.+/trackback/?\ HTTP/ [NC]
RewriteRule .? - [F,NS,L]
</IfModule>
#--------------------------------------------------------------------------
# Security iniectons and Query
#--------------------------------------------------------------------------
# Denies any badly formed HTTP PROTOCOL in the request, 0.9, 1.0, and 1.1 only
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ .+\ HTTP/(0\.9|1\.0|1\.1) [NC]
RewriteRule .? - [F,NS,L]
</IfModule>
# Denies any request for a url containing characters other than "a-zA-Z0-9.+/-?=&" - REALLY helps but may break your site depending on your links
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ [a-zA-Z0-9\.\+_/\-\?\=\&]+\ HTTP/ [NC]
RewriteRule .? - [F,NS,L]
</IfModule>
# Denies requests that dont contain a HTTP HOST Header
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{HTTP_HOST} ^$
RewriteRule .? - [F,NS,L]
</IfModule>
# Block any request not using GET,PROPFIND,POST,OPTIONS,PUT,HEAD[403]
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST|PROPFIND|OPTIONS|PUT)$ [NC]
RewriteRule .? - [F,NS,L]
</IfModule>
# Block Nuisance Requests for Non-Existent Files
<IfModule mod_alias.c>
RewriteEngine On
RedirectMatch 403 (?i)\.php\.suspected
RedirectMatch 403 (?i)apple-app-site-association
RedirectMatch 403 (?i)/autodiscover/autodiscover.xml
</IfModule>
# Denies obvious exploit using bogus graphics
<IfModule mod_alias.c>
RewriteEngine On
RewriteCond %{HTTP:Content-Disposition} \.php [NC]
RewriteCond %{HTTP:Content-Type} image/.+ [NC]
RewriteRule .? - [F,NS,L]
</IfModule>
# Remove slash if not directory
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} /$
RewriteRule (.*)/ $1 [R=301,L]
</IfModule>
# Remove .php; use THE_REQUEST to prevent infinite loops
<IfModule mod_rewrite.c>
Options +FollowSymLinks -MultiViews -indexes
RewriteEngine On
RewriteBase /
RewriteCond %{THE_REQUEST} ^GET\ (.*)\.php\ HTTP
RewriteRule (.*)\.php$ $1 [L,R=301]
</IfModule>
# Deny access to l_backuptoster.php / l_backuptoster_backup.php
# (PHP backdoor)
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} (^/l_backuptoster.php) [NC]
RewriteRule .? - [F,L]
</ifmodule>
# Block really Long Request
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} .* [NC]
RewriteCond %{THE_REQUEST} (YesThisIsAReallyLongRequest|ScanningForResearchPurpose) [NC,OR]
RewriteCond %{QUERY_STRING} (YesThisIsAReallyLongRequest|ScanningForResearchPurpose) [NC]
RewriteRule .* - [F,L]
</IfModule>
# Deny access to evil robots site rippers offline browsers and other nasty scum
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} ^Anarchie [OR]
RewriteCond %{HTTP_USER_AGENT} ^ASPSeek [OR]
RewriteCond %{HTTP_USER_AGENT} ^attach [OR]
RewriteCond %{HTTP_USER_AGENT} ^autoemailspider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xenu [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus.*Webster [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]
</IfModule>
# Protect Your Site Against Script Injections
<IfModule mod_rewrite.c>
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
</IfModule>
# File injection protection
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http%3A%2F%2F [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]
</IfModule>
# Block suspicious request methods
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>
# Block WP timthumb hack
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
RewriteRule . - [S=1]
</IfModule>
# Block suspicious user agents and requests
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]
</IfModule>
# Protect against SQL Injection
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,22}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|exec|insert|md5|select|union) [NC]
RewriteRule .* - [F]
</IfModule>
# Block MySQL injections, RFI, base64, etc.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http%3A%2F%2F [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
</IfModule>
# PHP-CGI Vulnerability
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} ^(%2d|\-)[^=]+$ [NC,OR]
</IfModule>
# Proc/self/environ? no way!
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} proc\/self\/environ [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>
#----------------------------------------------------------------------------
# Indexes
#----------------------------------------------------------------------------
# Don't list directories
<IfModule mod_autoindex.c>
Options -Indexes
</IfModule>
# Remove index
<IfModule mod_rewrite.c>
Options +FollowSymLinks -MultiViews -indexes
RewriteEngine On
RewriteBase /
RewriteCond %{THE_REQUEST} /index(\.php)?[\s?/] [NC]
RewriteRule ^(.*?)index(/|$) /$1 [L,R=301,NC,NE]
</IfModule>
# Remove index and slash if not directory
<IfModule mod_rewrite.c>
Options +FollowSymLinks -MultiViews -indexes
RewriteEngine On
RewriteBase /
RewriteRule (.*)/index$ $1/ [R=302]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} /$
RewriteRule (.*)/ $1 [R=301,L]
</IfModule>
#----------------------------------------------------------------------------
# Security file
#----------------------------------------------------------------------------
# Block access to the install.php
<files install.php>
Order allow,deny
Deny from all
</files>
# Block access to file
<FilesMatch "\.(.php|php.ini|/.[hH][tT][aApP]txt|md|exe|sh|bak|inc|pot|po|mo|log|sql|(.*)\.ttf|(.*)\.bak|xml)$">
Order allow,deny
Deny from all
</FilesMatch>
# Block access to .htaccess
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
# Block access to wp-config
<files wp-config.php>
order allow,deny
deny from all
</files>
# Block access to xmlrpc
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>
# Block access to xmlrpc mobile
<IfModule mod_setenvif.c>
<Files xmlrpc.php>
BrowserMatch "Poster" allowed
BrowserMatch "WordPress" allowed
BrowserMatch "Windows Live Writer" allowed
BrowserMatch "wp-iphone" allowed
BrowserMatch "wp-android" allowed
Order Deny,Allow
Deny from All
Allow from env=allowed
</Files>
</IfModule>
# Block access to *.txt
<Files *.txt>
Deny from all
</Files>
# Block access to robot.txt
<Files robots.txt>
Allow from all
</Files>
# Block access to ads.txt
<Files ads.txt>
Allow from all
</Files>
# Block access to error_log
<files error_log>
order allow,deny
deny from all
</files>
# Block access to the readme.html
<files readme.html>
Order Allow,Deny
Deny from all
Satisfy all
</Files>
# Block access to cofiguration file
<Files php.ini>
Order Allow,Deny
Deny from all
</Files>
# Block access to php5 configuration file
<Files php5.ini>
Order Allow,Deny
Deny from all
</Files>
# Block access to php7 configuration file
<Files php7.ini>
Order Allow,Deny
Deny from all
</Files>
# Block Access to .htpasswd
<FilesMatch "(\.htpasswd)">
Order deny,allow
Deny from all
</FilesMatch>
# Disable Image Hotlinking
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?telam.org [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?telam.org [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ http://i.imgur.com/g7ptdBB.png [NC,R,L]
</ifmodule>
Posted in Uncategorized
