
Safer WordPress with these .htaccess additions


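# Don't show errors which contain full path disclosure (FPD).
# Use this only if PHP runs as an Apache module and not as CGI/FastCGI;
# in that case set display_errors in php.ini (or .user.ini) instead.
# Change mod_php5.c to mod_php7.c if you are running PHP 7.
<IfModule mod_php5.c>
  php_flag display_errors Off
</IfModule>

# Protect XMLRPC (needed for apps, offline blogging tools, pingbacks, etc.).
# If you rely on those, they will stop working while this block is active.
<Files xmlrpc.php>
  # Apache 2.4 form first; the Order/Deny form is kept for 2.2. On 2.4 the
  # Order/Deny directives need mod_access_compat, otherwise the .htaccess
  # fails to parse and every request errors out.
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
  </IfModule>
</Files>

# Don't list directories
<IfModule mod_autoindex.c>
  Options -Indexes
</IfModule>

# Protect the readme.txt files that ship with plugins (they reveal versions)
<Files readme.txt>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>

# Protect wp-config.php and other sensitive files.
# Dots are escaped so the pattern matches literal file names only.
# NOTE(review): `wp-login` also matches wp-login.php, i.e. the standard admin
# login page; keep it in the list only if you sign in through another path.
<FilesMatch "(\.htaccess|\.htpasswd|wp-config\.php|wp-login|wp-mail|liesmich\.html|readme\.html)">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>

# Block the include-only files.
# Do not use in Multisite without reading the note in the Codex!
# See:
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  RewriteRule ^wp-admin/includes/ - [F,L]
  # Skip the next three rules for anything outside wp-includes/
  RewriteRule !^wp-includes/ - [S=3]
  RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
  RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
  RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# Set some security related headers
# See: (GERMAN)
<IfModule mod_headers.c>
  Header set X-Content-Type-Options nosniff
  # Legacy header: current browsers have removed the XSS auditor it
  # controlled, so it adds nothing there; kept only for older clients.
  Header set X-XSS-Protection "1; mode=block"
  # The line below is an advanced method for a more secure configuration; please read the documentation before using it!
  # Introduction:
  # (German)
  # Documentation:
  # Analysis:
  # Header set Content-Security-Policy "default-src 'self'; img-src 'self' http: https: *;"
</IfModule>

# Allow WordPress Embed: send X-Frame-Options unless the request is an /embed/ URL
<IfModule mod_setenvif.c>
  SetEnvIf Request_URI "/embed/$" IS_embed
  <IfModule mod_headers.c>
    # REDIRECT_ prefix: the variable is renamed after the permalink rewrite
    Header set X-Frame-Options SAMEORIGIN env=!REDIRECT_IS_embed
  </IfModule>
</IfModule>

# Force secure cookies (uncomment once the site is served over HTTPS)
<IfModule mod_headers.c>
  # Appends the attributes even if the application already set them.
  #Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</IfModule>

# Unset headers revealing version strings
<IfModule mod_headers.c>
  Header unset X-Powered-By
  Header unset X-Pingback
  # The Server header is added by the core after mod_headers runs, so this
  # line usually has no effect; use ServerTokens Prod in the main server config.
  Header unset SERVER
</IfModule>

# Filter Request Methods
# See:
<IfModule mod_rewrite.c>
  RewriteEngine on
  # NOTE(review): the RewriteCond selecting which methods to refuse was missing
  # above, which would have denied every request. The method list here is a
  # constructed example; adjust it to the methods your site must not serve.
  RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$ [NC]
  RewriteRule ^(.*)$ - [F,L]
</IfModule>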