danielmcclure · June 20, 2024 07:47
diff --git a/.htaccess b/.htaccess
 # BEGIN WordPress
 <IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /
 RewriteRule ^index\.php$ - [L]
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule . /index.php [L]
 </IfModule>
 # END WordPress

 # Protect Important WP and Server Files
 <FilesMatch "^.*(error_log|wp-config\.php|php.ini|\.[hH][tT][aApP].*)$">
 Order deny,allow
 Deny from all
 </FilesMatch>

 # Disable Index Browsing
 Options All -Indexes

 # Prevent Script Injections 
 Options +FollowSymLinks
 RewriteEngine On
 RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
 RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
 RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
 RewriteRule ^(.*)$ index.php [F,L]

 # Protect WP Includes Directory 
 <IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /
 RewriteRule ^wp-admin/includes/ - [F,L]
 RewriteRule !^wp-includes/ - [S=3]
 RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
 RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
 RewriteRule ^wp-includes/theme-compat/ - [F,L]
 </IfModule>

 # Prevent Username Enumeration
 RewriteCond %{QUERY_STRING} author=d
 RewriteRule ^ /? [L,R=301]

 ####
 # The following settings require customisation to work - remove if unsure. 
 ####


 # Block Bots from WP Admin
 ErrorDocument 401 /index.php?error=404
 ErrorDocument 403 /index.php?error=404

 <IfModule mod_rewrite.c>
 RewriteEngine on
 RewriteCond %{REQUEST_METHOD} POST
 RewriteCond %{HTTP_REFERER} !^http://(.*)?YOURDOMAIN.com [NC]
 RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
 RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
 RewriteRule ^(.*)$ - [F]
 </IfModule>

 # Prevent Remote PHP Execution 
 <Directory "UPLOADS-PATH/var/www/wp-content/uploads/">
 <Files "*.php">
 Order Deny,Allow
 Deny from All
 </Files>
	# BEGIN WordPress
	<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteBase /
	RewriteRule ^index\.php$ - [L]
	RewriteCond %{REQUEST_FILENAME} !-f
	RewriteCond %{REQUEST_FILENAME} !-d
	RewriteRule . /index.php [L]
	</IfModule>
	# END WordPress

	# Protect Important WP and Server Files
	<FilesMatch "^.(error_log\|wp-config\.php\|php.ini\|\.[hH][tT][aApP].)$">
	Order deny,allow
	Deny from all
	</FilesMatch>

	# Disable Index Browsing
	Options All -Indexes

	# Prevent Script Injections
	Options +FollowSymLinks
	RewriteEngine On
	RewriteCond %{QUERY_STRING} (<\|%3C).script.(>\|%3E) [NC,OR]
	RewriteCond %{QUERY_STRING} GLOBALS(=\|[\|%[0-9A-Z]{0,2}) [OR]
	RewriteCond %{QUERY_STRING} _REQUEST(=\|[\|%[0-9A-Z]{0,2})
	RewriteRule ^(.*)$ index.php [F,L]

	# Protect WP Includes Directory
	<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteBase /
	RewriteRule ^wp-admin/includes/ - [F,L]
	RewriteRule !^wp-includes/ - [S=3]
	RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
	RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
	RewriteRule ^wp-includes/theme-compat/ - [F,L]
	</IfModule>

	# Prevent Username Enumeration
	RewriteCond %{QUERY_STRING} author=d
	RewriteRule ^ /? [L,R=301]

	####
	# The following settings require customisation to work - remove if unsure.
	####


	# Block Bots from WP Admin
	ErrorDocument 401 /index.php?error=404
	ErrorDocument 403 /index.php?error=404

	<IfModule mod_rewrite.c>
	RewriteEngine on
	RewriteCond %{REQUEST_METHOD} POST
	RewriteCond %{HTTP_REFERER} !^http://(.*)?YOURDOMAIN.com [NC]
	RewriteCond %{REQUEST_URI} ^(.)?wp-login\.php(.)$ [OR]
	RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
	RewriteRule ^(.*)$ - [F]
	</IfModule>

	# Prevent Remote PHP Execution
	<Directory "UPLOADS-PATH/var/www/wp-content/uploads/">
	<Files "*.php">
	Order Deny,Allow
	Deny from All
	</Files>