# Everyone is redirected to Maintenance page
# RewriteEngine On
# RewriteBase /
# RewriteCond %{REQUEST_URI} !^/maintenance\.html$
# RewriteRule ^(.*)$ http://domain.com/maintenance.html [R=307,L]
# Force HTTPS (No need to touch code within BEGIN WordPress)
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Leverage Browser Caching
# 1 Month for most static assets
<FilesMatch ".(css|jpg|jpeg|png|gif|js|ico|svg)$">
Header set Cache-Control "max-age=2592000, public"
</FilesMatch>
# Fix for rendering SVGs
AddType image/svg+xml svg svgz
AddEncoding gzip svgz
# BEGIN GZIP
<ifmodule mod_deflate.c>
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
</ifmodule>
# PROTECT WP-CONFIG
<Files wp-config.php>
# Apache < 2.3
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
Satisfy All
</IfModule>
# Apache >= 2.3
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
</Files>
# SECURE INSTALL PAGE
<Files install.php>
# Apache < 2.3
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
Satisfy All
</IfModule>
# Apache >= 2.3
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
</Files>
# Block the include-only files.
# https://codex.wordpress.org/Hardening_WordPress#Hardening_Recommendations
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Ballot169)?
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Sectigo\ DCV)?$
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Ballot169)?
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Sectigo\ DCV)?$
RewriteRule !^wp-includes/ - [S=3]
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Ballot169)?
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Sectigo\ DCV)?$
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Ballot169)?
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Sectigo\ DCV)?$
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/(?:\ Ballot169)?
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Sectigo\ DCV)?$
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# Disable xmlrpc.php
# http://www.wpbeginner.com/plugins/how-to-disable-xml-rpc-in-wordpress/
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
# HTTP security headers
<IfModule mod_headers.c>
Header set X-Frame-Options "DENY"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
</IfModule>
# Block Comment Spam
# <IfModule mod_rewrite.c>
# RewriteEngine On
# RewriteCond %{REQUEST_METHOD} POST
# RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
# RewriteCond %{HTTP_REFERER} !example.com [NC]
# RewriteCond %{REQUEST_URI} /wp-comments-post\.php [NC]
# RewriteRule .* - [F,L]
# </IfModule>
# Disable directory listing
Options -Indexes
# BEGIN WordPress
# The directives (lines) between `BEGIN WordPress` and `END WordPress` are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress