Come mettere in sicurezza WordPress via .htaccess
In questo post trovate una raccolta di stringhe di codice tratte dai blog dei migliori sviluppatori WordPress e dallo stesso portale wordpress.org.
È sufficiente sostituire tutti i link (telam.org) presenti in alcune stringhe con il link del proprio sito e incollare tutto il contenuto nel proprio file .htaccess.
Se dovesse darvi errore, eliminate una a una le sezioni complete finché il sito funziona, dopodiché individuate il codice specifico incriminato: purtroppo varia molto da server a server.
Per funzionare è necessario un web server Apache con mod_rewrite attivo.
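#--------------------------------------------------------------------------
# Security Basic
#--------------------------------------------------------------------------
# Review summary for this part of the file:
#  - "telam.org", "primary.com", "addon.com" and "/path-to-telam.org/" are
#    placeholders and must be replaced with the real site values.
#  - Keep a copy of the working .htaccess and enable the sections one at a
#    time: several of them forbid paths that WordPress itself requests.
#  - An <IfModule> guard skips its section silently when the module is not
#    loaded, so a missing module disables the protection without any error.
#  - "Options ..." lines need AllowOverride Options (or All) on the server.

# Security Admin for Multisite or dynamic IP address
# Refuses POSTs to wp-login.php / wp-admin whose Referer is not this site.
# The Referer header is supplied by the client, so this filters naive bots
# only; it is not an access control.
# Changed from "!^http://(.*)?telam.org": that pattern accepted only http://
# referers (this file redirects the site to https), left the dot unescaped
# and matched "telam.org" anywhere after the scheme, not just as the host.
ErrorDocument 401 /path-to-telam.org/index.php?error=404
ErrorDocument 403 /path-to-telam.org/index.php?error=404
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?telam\.org([/:]|$) [NC]
    # The next two conditions are OR-ed with each other, AND-ed with the two above.
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteRule ^(.*)$ - [F]
</IfModule>

# Protect wp-admin
# NOTE(review): as written this forbids every direct request for a
# .php/.html/.htm/.txt file under /wp-admin/ (dashboard pages and
# admin-ajax.php included), apart from the one excluded file name.
# Confirm this is intended before enabling; it is likely to lock out the admin.
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-admin/.*$ [NC]
    RewriteCond %{REQUEST_FILENAME} !^.+flexible-upload-wp25js.php$
    RewriteCond %{REQUEST_FILENAME} ^.+\.(php|html|htm|txt)$
    RewriteRule .? - [F,NS,L]
</IfModule>

# Protect wp-content
# Same rule shape as above, applied to /wp-content/: direct requests for
# .php/.html/.htm/.txt files are forbidden. Plugins or themes that expose
# their own PHP endpoints will stop working.
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-content/.*$ [NC]
    RewriteCond %{REQUEST_FILENAME} !^.+flexible-upload-wp25js.php$
    RewriteCond %{REQUEST_FILENAME} ^.+\.(php|html|htm|txt)$
    RewriteRule .? - [F,NS,L]
</IfModule>

# Block direct access to your plugin and theme
# The "file/to/exclude" and "directory/to/exclude" paths are placeholders for
# the exceptions a given site needs.
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
    RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
    RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
    RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
    RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
    RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]
</IfModule>

# Protect wp-includes
# Forbids direct requests for .php files under /wp-includes/, except paths
# two or more levels below /wp-includes/js/.
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-includes/.*$ [NC]
    RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ /wp-includes/js/.+/.+\ HTTP/ [NC]
    RewriteCond %{REQUEST_FILENAME} ^.+\.php$
    RewriteRule .? - [F,NS,L]
</IfModule>

# Block Include-Only Files
# [S=3] skips the three rules that follow when the URL is not under
# wp-includes/, so the rule count below must stay in step with that number.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# Block direct access to your wp-include
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/wp-includes/file/to/exclude\.php
    RewriteCond %{REQUEST_URI} !^/wp-includes/directory/to/exclude/
    RewriteRule wp-includes/(.*\.php)$ - [R=404,L]
</IfModule>

# Block direct access to your uploads
# Refusing PHP under uploads/ limits what an uploaded script can do if an
# upload filter is bypassed.
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/wp-content/uploads/file/to/exclude\.php
    RewriteCond %{REQUEST_URI} !^/wp-content/uploads/directory/to/exclude/
    RewriteRule wp-content/uploads/(.*\.php)$ - [R=404,L]
</IfModule>

# Prevent subfolder loading. This goes
# (the heading is cut off in the source; primary.com / addon.com are
# placeholders for a primary domain and an add-on domain hosted in a subfolder)
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^primary\.com$ [OR]
    RewriteCond %{HTTP_HOST} ^www\.primary\.com$
    RewriteRule ^addon\.com\/?(.*)$ "http\:\/\/www\.addon\.com\/$1" [R=301,L]
</IfModule>

# Always use https for secure connections
# NOTE(review): the test is on the server port; behind a TLS-terminating
# proxy or load balancer the backend port is presumably 80 for every request,
# which would loop - confirm against the hosting setup. No
# Strict-Transport-Security header is set anywhere in this file.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://www.telam.org/$1 [R=301,L]
</IfModule>

# Correct URL Typo Automatically
# Convenience feature, not a security control.
<ifmodule mod_speling.c>
    CheckSpelling On
</ifmodule>

# Add .php to access file, but don't redirect
# Convenience feature, not a security control.
<IfModule mod_rewrite.c>
    Options +FollowSymLinks -MultiViews -indexes
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME}.php -f
    RewriteCond %{REQUEST_URI} !/$
    RewriteRule (.*) $1.php [L]
</IfModule>

#-------------------------------------------------------------------------
# Security Headers
#-------------------------------------------------------------------------
# "Header set" adds the header to successful responses only; "Header always
# set" is needed for it to appear on error responses and redirects as well.

# No-Referrer-Header
# Changed from "no-referrer": with that value browsers send no Referer at
# all, including on same-site form posts, which the Referer check on
# wp-login.php above would then refuse. "same-origin" still sends nothing to
# other sites.
<IfModule mod_headers.c>
    Header set Referrer-Policy "same-origin"
</IfModule>

# X-FRAME-OPTIONS-Header
<IfModule mod_headers.c>
    Header set X-Frame-Options "sameorigin"
</IfModule>

# X-XSS-PROTECTION-Header
# NOTE(review): this header is deprecated and ignored by current browsers;
# a Content-Security-Policy is the supported control against injected script.
<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
</IfModule>

# X-Content-Type-Options-Header
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
</IfModule>

# Prevent false certificate (experimental)
# NOTE(review): Expect-CT has been deprecated and is ignored by current
# browsers; the header is harmless but no longer provides protection.
<IfModule mod_headers.c>
    Header set Expect-CT "enforce, max-age=21600"
</IfModule>

# Unset headers revealing versions strings
# NOTE(review): the Server header is generally not removable with mod_headers
# from .htaccess; it is governed by ServerTokens / ServerSignature in the main
# server configuration - verify on the target host. Hiding version strings
# reduces noise in scans but does not replace patching.
<IfModule mod_headers.c>
    Header unset X-Powered-By
    Header unset X-Pingback
    Header unset SERVER
</IfModule>

# Force secure cookies (uncomment for HTTPS)
# This file redirects the site to https above, so the line below is the one
# to enable once the redirect is confirmed to work.
<IfModule mod_headers.c>
    #Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</IfModule>

# Blocking based on User-Agent Header
# Guard changed from mod_headers.c to mod_rewrite.c: the section contains
# only mod_rewrite directives, so the original guard either skipped it when
# mod_headers was absent or raised an error when mod_rewrite was absent.
# The User-Agent is chosen by the client; this stops unconfigured tools only.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} ^.*(craftbot|download|extract|stripper|sucker|ninja|clshttp|webspider|leacher|collector|grabber|webpictures).*$ [NC]
    RewriteRule . - [F,L]
</IfModule>

#---------------------------------------------------------------------------
# User Security
#---------------------------------------------------------------------------
# The three sections below all act on the "author=" query parameter. The
# first one forbids every match, so the second and third never get to run;
# keep only the variant that is wanted. They cover the ?author=N query only;
# other ways of listing user names (for example the REST API users endpoint)
# are not addressed by this file.

# Block author scans
# NOTE(review): unlike the next section, this one has no /wp-admin exclusion,
# so author= filters used inside the dashboard are refused as well.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{QUERY_STRING} (author=\d+) [NC]
    RewriteRule .* - [F]
</IfModule>

# Stop Username Enumeration Attacks
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
    RewriteCond %{QUERY_STRING} author=\d
    RewriteRule .* - [R=403,L]
</IfModule>

# Block User list Phishing Requests
# Redirects to the home page instead of answering 403; the trailing "?"
# drops the original query string.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} ^author=([0-9]*)
    RewriteRule .* https://telam.org/? [L,R=302]
</IfModule>

#--------------------------------------------------------------------------
# Security post and spam
#--------------------------------------------------------------------------
# Denies any POST Request using a Proxy Server. Can still access site, but not comment.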
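# Proxy-header POST filter: refuses POSTs that carry any of the listed proxy
# headers, outside the WordPress paths excluded in the last condition.
# NOTE(review): a site served through a CDN or reverse proxy that adds Via or
# Forwarded headers would see legitimate POSTs refused - confirm against the
# hosting setup before enabling.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} =POST
    RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
    RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
    RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
    RewriteRule .? - [F,NS,L]
</IfModule>

# Block any POST attempt made to a non-existing wp-comments-post.php
# The pattern requires at least one directory level before the file name, so
# the real /wp-comments-post.php at the site root is not affected. The rule
# does not test the method, so it applies to every request for such a path.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*/wp-comments-post\.php.*\ HTTP/ [NC]
    RewriteRule .? - [F,NS,L]
</IfModule>

# Block any POST request that doesnt have a Content-Length Header
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} =POST
    RewriteCond %{HTTP:Content-Length} ^$
    RewriteCond %{REQUEST_URI} !^/(wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
    RewriteRule .? - [F,NS,L]
</IfModule>

# Block any POST request with a content type other than application/x-www-form-urlencoded|multipart/form-data
# NOTE(review): the pattern is anchored, so a form post that appends a
# parameter such as "; charset=UTF-8" is refused, and so are JSON posts to
# any path outside the exclusions (the REST API, presumably) - verify.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} =POST
    RewriteCond %{HTTP:Content-Type} !^(application/x-www-form-urlencoded|multipart/form-data.*(boundary.*)?)$ [NC]
    RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
    RewriteRule .? - [F,NS,L]
</IfModule>

# Block POST requests by blank user-agents. May prevent a small number of visitors from POSTING
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} =POST
    RewriteCond %{HTTP_USER_AGENT} ^-?$
    RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
    RewriteRule .? - [F,NS,L]
</IfModule>

# Denies any comment attempt with a blank HTTP_REFERER field, highly indicative of spam. May prevent some visitors from POSTING
# NOTE(review): the THE_REQUEST pattern is the same as in the "non-existing
# wp-comments-post.php" section, which already forbids those requests without
# looking at the Referer; as written this section adds nothing and does not
# touch the real /wp-comments-post.php.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*/wp-comments-post\.php.*\ HTTP/ [NC]
    RewriteCond %{HTTP_REFERER} ^-?$
    RewriteRule .? - [F,NS,L]
</IfModule>

# Trackback Spam
# Refuses trackback POSTs that announce a browser User-Agent.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} =POST
    RewriteCond %{HTTP_USER_AGENT} ^.*(opera|mozilla|firefox|msie|safari).*$ [NC]
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.+/trackback/?\ HTTP/ [NC]
    RewriteRule .? - [F,NS,L]
</IfModule>

#--------------------------------------------------------------------------
# Security injections and Query
#--------------------------------------------------------------------------
# The pattern blocklists in this part reduce scanner noise. They match on
# text, not on meaning, so they both miss variants and refuse legitimate
# requests; they do not replace keeping WordPress, plugins and themes patched.

# Denies any badly formed HTTP PROTOCOL in the request, 0.9, 1.0, and 1.1 only
# NOTE(review): requests made over HTTP/2 are presumably reported as
# "HTTP/2.0" in THE_REQUEST and would be refused by this rule - confirm
# before enabling on a server that offers HTTP/2.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ .+\ HTTP/(0\.9|1\.0|1\.1) [NC]
    RewriteRule .? - [F,NS,L]
</IfModule>

# Denies any request for a url containing characters other than "a-zA-Z0-9.+/-?=&" - REALLY helps but may break your site depending on your links
# "%" is not in the allowed set, so every percent-encoded URL (spaces,
# accented characters in slugs, encoded query values) is refused.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
    RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ [a-zA-Z0-9\.\+_/\-\?\=\&]+\ HTTP/ [NC]
    RewriteRule .? - [F,NS,L]
</IfModule>

# Denies requests that dont contain a HTTP HOST Header
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
    RewriteCond %{HTTP_HOST} ^$
    RewriteRule .? - [F,NS,L]
</IfModule>

# Block any request not using GET,PROPFIND,POST,OPTIONS,PUT,HEAD[403]
# NOTE(review): HEAD is allowed here but forbidden by the "Block suspicious
# request methods" section further down; decide which behaviour is wanted.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST|PROPFIND|OPTIONS|PUT)$ [NC]
    RewriteRule .? - [F,NS,L]
</IfModule>

# Block Nuisance Requests for Non-Existent Files
# The stray "RewriteEngine On" was removed from this mod_alias section:
# RedirectMatch does not need it, and inside a mod_alias guard it raised a
# configuration error on servers without mod_rewrite.
<IfModule mod_alias.c>
    RedirectMatch 403 (?i)\.php\.suspected
    RedirectMatch 403 (?i)apple-app-site-association
    RedirectMatch 403 (?i)/autodiscover/autodiscover.xml
</IfModule>

# Denies obvious exploit using bogus graphics
# Guard changed from mod_alias.c to mod_rewrite.c, the module whose
# directives the section actually uses.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP:Content-Disposition} \.php [NC]
    RewriteCond %{HTTP:Content-Type} image/.+ [NC]
    RewriteRule .? - [F,NS,L]
</IfModule>

# Remove slash if not directory
# Convenience rule, not a security control.
# NOTE(review): WordPress permalink structures that end in "/" redirect back
# to the slashed URL, which presumably produces a redirect loop - verify.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} /$
    RewriteRule (.*)/ $1 [R=301,L]
</IfModule>

# Remove .php; use THE_REQUEST to prevent infinite loops
# Convenience rule, not a security control.
<IfModule mod_rewrite.c>
    Options +FollowSymLinks -MultiViews -indexes
    RewriteEngine On
    RewriteBase /
    RewriteCond %{THE_REQUEST} ^GET\ (.*)\.php\ HTTP
    RewriteRule (.*)\.php$ $1 [L,R=301]
</IfModule>

# Deny access to l_backuptoster.php / l_backuptoster_backup.php
# (PHP backdoor)
# Pattern changed from "(^/l_backuptoster.php)", which did not match the
# second file named in the heading. Finding either file on disk indicates a
# compromise that this rule does not clean up.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/l_backuptoster(_backup)?\.php [NC]
    RewriteRule .? - [F,L]
</IfModule>

# Block really Long Request
# Despite the heading, the rule matches two literal marker strings; it does
# not measure request length. The REQUEST_METHOD condition matches anything.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} .* [NC]
    RewriteCond %{THE_REQUEST} (YesThisIsAReallyLongRequest|ScanningForResearchPurpose) [NC,OR]
    RewriteCond %{QUERY_STRING} (YesThisIsAReallyLongRequest|ScanningForResearchPurpose) [NC]
    RewriteRule .* - [F,L]
</IfModule>

# Deny access to evil robots site rippers offline browsers and other nasty scum
# These patterns are anchored at the start of the User-Agent and are
# case-sensitive (no [NC] flag).
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{HTTP_USER_AGENT} ^Anarchie [OR]
    RewriteCond %{HTTP_USER_AGENT} ^ASPSeek [OR]
    RewriteCond %{HTTP_USER_AGENT} ^attach [OR]
    RewriteCond %{HTTP_USER_AGENT} ^autoemailspider [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Xenu [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Zeus.*Webster [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Zeus
    RewriteRule ^.* - [F,L]
</IfModule>

# Protect Your Site Against Script Injections
# The GLOBALS / _REQUEST patterns had lost their backslashes
# ("(=|[|%[0-9A-Z]{0,2})"), which turns the tail into a character class that
# may match nothing, so the bare word was enough to trigger the rule. They
# now read as in the "Block MySQL injections" section of this file.
<IfModule mod_rewrite.c>
    Options +FollowSymLinks
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index.php [F,L]
</IfModule>

# File injection protection
# GET only; the four query-string conditions are OR-ed with each other.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} GET
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http%3A%2F%2F [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
    RewriteRule .* - [F]
</IfModule>

# Block suspicious request methods
# NOTE(review): HEAD is forbidden here although the method allow-list earlier
# in this file permits it. HEAD is used by uptime monitors, link checkers and
# crawlers; confirm that refusing it is intended.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F,L]
</IfModule>

# Block WP timthumb hack
# NOTE(review): despite the heading this forbids nothing. [S=1] skips exactly
# the next RewriteRule for URLs naming a thumbnail script, i.e. it exempts
# those scripts from the filter that follows. Keep it directly above the rule
# it is meant to bypass, and confirm the exemption is wanted at all.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteRule . - [S=1]
</IfModule>

# Block suspicious user agents and requests
# Protect against SQL Injection
# The source listed these as two sections, but the first one had no
# RewriteRule and its last condition ended in [OR]. mod_rewrite attaches
# pending RewriteCond lines to the next RewriteRule it reads, so the first
# list was already being evaluated as part of the second section's rule.
# They are merged here so that the single rule is explicit and removing
# another section cannot re-attach these conditions to an unrelated rule.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # -- user agents and raw request line
    RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
    RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]
    # -- query-string patterns
    RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
    RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
    RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
    RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
    # NOTE(review): "%3" below looks like a truncated "%3E"; left as found.
    RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
    RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,22}(=|%3D) [NC,OR]
    RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
    RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|exec|insert|md5|select|union) [NC]
    RewriteRule .* - [F]
</IfModule>

# Block MySQL injections, RFI, base64, etc.
# The source section ended on an [OR] condition with no RewriteRule, so its
# conditions were carried into the next rule in the file. The rule is now
# stated here; the set of refused requests is unchanged.
# NOTE(review): several patterns are very broad (any bracket or parenthesis,
# "http:" anywhere, the words NULL / localhost, common words after a quote)
# and will refuse legitimate query strings; test against real site traffic.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http%3A%2F%2F [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} http\: [NC,OR]
    RewriteCond %{QUERY_STRING} https\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC]
    RewriteRule .* - [F,L]
</IfModule>

# PHP-CGI Vulnerability
# Refuses query strings that start with "-" and contain no "=". As in the
# section above, the source had a lone [OR] condition without a rule; the
# rule is now explicit.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} ^(%2d|\-)[^=]+$ [NC]
    RewriteRule .* - [F,L]
</IfModule>

# Proc/self/environ? no way!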
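# Forbid query strings that mention proc/self/environ or sp_executesql.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} proc\/self\/environ [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F,L]
</IfModule>

#----------------------------------------------------------------------------
# Indexes
#----------------------------------------------------------------------------
# Don't list directories
<IfModule mod_autoindex.c>
    Options -Indexes
</IfModule>

# Remove index
# Convenience redirect, not a security control.
<IfModule mod_rewrite.c>
    Options +FollowSymLinks -MultiViews -indexes
    RewriteEngine On
    RewriteBase /
    RewriteCond %{THE_REQUEST} /index(\.php)?[\s?/] [NC]
    RewriteRule ^(.*?)index(/|$) /$1 [L,R=301,NC,NE]
</IfModule>

# Remove index and slash if not directory
# Convenience redirect, not a security control. The first rule has no [L]
# flag, so processing continues into the second rule after it matches.
<IfModule mod_rewrite.c>
    Options +FollowSymLinks -MultiViews -indexes
    RewriteEngine On
    RewriteBase /
    RewriteRule (.*)/index$ $1/ [R=302]
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} /$
    RewriteRule (.*)/ $1 [R=301,L]
</IfModule>

#----------------------------------------------------------------------------
# Security file
#----------------------------------------------------------------------------
# NOTE(review): every section below uses the Apache 2.2 access directives
# (Order / Allow / Deny / Satisfy). On Apache 2.4 they work only while
# mod_access_compat is loaded; the native 2.4 form is "Require all denied"
# (or "Require ip <address>"). Check which version the host runs, otherwise
# these sections either fail with a server error or protect nothing.

# Block access to the install.php
<files install.php>
    Order allow,deny
    Deny from all
</files>

# Block access to file
# NOTE(review): this expression looks damaged in the source ("(.php",
# "/.[hH][tT][aApP]txt" run together), so the set of extensions it really
# matches should be tested rather than assumed. As written it includes "xml",
# which would also refuse XML sitemaps and feeds served as files - verify.
<FilesMatch "\.(.php|php.ini|/.[hH][tT][aApP]txt|md|exe|sh|bak|inc|pot|po|mo|log|sql|(.*)\.ttf|(.*)\.bak|xml)$">
    Order allow,deny
    Deny from all
</FilesMatch>

# Block access to .htaccess
<files ~ "^.*\.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
    satisfy all
</files>

# Block access to wp-config
<files wp-config.php>
    order allow,deny
    deny from all
</files>

# Block access to xmlrpc
# 123.123.123.123 is a placeholder for the one address allowed to use XML-RPC.
<Files xmlrpc.php>
    order deny,allow
    deny from all
    allow from 123.123.123.123
</Files>

# Block access to xmlrpc mobile
# NOTE(review): this second section for the same file allows any client
# whose User-Agent contains one of the listed strings. The User-Agent is
# chosen by the client, so this re-opens xmlrpc.php beyond the address
# allowed above. Use one of the two sections, not both; if XML-RPC is not
# needed, the address-based section alone is the stricter choice.
<IfModule mod_setenvif.c>
    <Files xmlrpc.php>
        BrowserMatch "Poster" allowed
        BrowserMatch "WordPress" allowed
        BrowserMatch "Windows Live Writer" allowed
        BrowserMatch "wp-iphone" allowed
        BrowserMatch "wp-android" allowed
        Order Deny,Allow
        Deny from All
        Allow from env=allowed
    </Files>
</IfModule>

# Block access to *.txt
<Files *.txt>
    Deny from all
</Files>

# Allow access to robots.txt (exception to the *.txt section above; the
# source heading said "Block", but the directive allows)
<Files robots.txt>
    Allow from all
</Files>

# Allow access to ads.txt (exception to the *.txt section above; the source
# heading said "Block", but the directive allows)
<Files ads.txt>
    Allow from all
</Files>

# Block access to error_log
<files error_log>
    order allow,deny
    deny from all
</files>

# Block access to the readme.html
<files readme.html>
    Order Allow,Deny
    Deny from all
    Satisfy all
</Files>

# Block access to configuration file
<Files php.ini>
    Order Allow,Deny
    Deny from all
</Files>

# Block access to php5 configuration file
<Files php5.ini>
    Order Allow,Deny
    Deny from all
</Files>

# Block access to php7 configuration file
<Files php7.ini>
    Order Allow,Deny
    Deny from all
</Files>

# Block Access to .htpasswd
<FilesMatch "(\.htpasswd)">
    Order deny,allow
    Deny from all
</FilesMatch>

# Disable Image Hotlinking
# Requests with an empty Referer are let through; requests whose Referer is
# another site are redirected to the replacement image. The source repeated
# the telam.org condition twice; the duplicate was removed. The replacement
# image is fetched from a third-party host over plain http, which an https
# page may refuse to display - a locally hosted image avoids that.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?telam.org [NC]
    RewriteRule \.(jpg|jpeg|png|gif)$ http://i.imgur.com/g7ptdBB.png [NC,R,L]
</IfModule>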