10/14/2015 - 8:10 PM

.htaccess for WordPress with security in mind

# Make sure these directives are either above the "BEGIN WordPress"
# line or below the "END WordPress" line. Also, make sure you test
# your site if you use any of the suggestions below. These rules
# are very specific to running WordPress, so if you also serve other
# static or PHP files under the directory where these rules live,
# you may find they won't work. TEST TEST TEST.

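# disable directory browsing (no auto-generated listing when a directory has
# no index file)
# "Options All -Indexes" mixes an absolute option ("All") with a relative one
# ("-Indexes"); Apache rejects that mix as a syntax error, and "All" would
# additionally switch on ExecCGI/Includes/FollowSymLinks -- the opposite of
# hardening. Only subtract Indexes from whatever the server already allows.
# (Requires "AllowOverride Options" for this directory -- confirm with the
# server config.)
Options -Indexes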

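# prevent direct access to wp-config.php
# (PHP reads it via include; a browser never needs to request it directly)
# The original container was never closed, so every directive that followed
# it was parsed inside the <Files> section.
<Files wp-config.php>
    # Apache 2.4 (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2, or 2.4 with mod_access_compat loaded
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>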

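# block access to all php files under /wp-content and further
# (uploads/, plugins/, themes/ ...). Matched against the URL path by mod_alias,
# so it works whether or not mod_rewrite is enabled.
# "\.php(/|$)" rather than "\.php$": a request such as "x.php/anything" would
# otherwise slip past the pattern, and depending on the PHP handler config the
# trailing segment is passed to x.php as PATH_INFO -- confirm against your
# handler setup. Some plugins expose PHP endpoints that are requested
# directly; if one breaks, add an exception above this line.
RedirectMatch 403 /wp-content/.*\.php(/|$)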

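# Block the include-only files.
# The "BEGIN WordPress" block normally turns the engine on, but setting it
# here keeps these rules active even when that block is absent (e.g. default
# permalinks); without it mod_rewrite silently ignores the rules below.
RewriteEngine On
# Adjust if WordPress lives in a subdirectory (e.g. "/blog/") -- TODO confirm
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# Requests NOT under wp-includes/ skip the next three rules (S=3). Keep the
# skip count in sync if rules are added to or removed from the group below.
RewriteRule !^wp-includes/ - [S=3]
# NOTE(review): multisite installs may rely on wp-includes/ms-files.php being
# reachable -- verify before deploying the next line.
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]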

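# prevent comment posting if referrer is blank
# Rationale: a browser submitting the comment form sends a Referer and a
# User-Agent; unsophisticated bots that POST straight to wp-comments-post.php
# often send neither. Both headers are client-supplied, so treat this as a
# noise filter, not a security boundary.
# replace example\.com with your actual domain name (keep the backslash
# before the dot -- this is a regex)
# Fixes vs. the previous version: the Referer pattern "!.**" was an invalid
# regex (nothing to repeat) that made Apache reject the file, the placeholder
# domain had been dropped from it, and the substitution carried literal "^"
# and "$" characters that ended up in the Location header.
# Only act on actual comment submissions, not on GETs that happen to hit
# the same URL.
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php$
# Referer missing or from another site ...
RewriteCond %{HTTP_REFERER} !example\.com [OR]
# ... OR no User-Agent at all
RewriteCond %{HTTP_USER_AGENT} ^$
# Bounce the request back to the sender's own address (original author's
# choice); "[F,L]" (a plain 403) is the simpler alternative if you would
# rather not redirect.
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]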

# deny access to all dot (hidden) files (eg .htaccess)
# NOTE(review): this container must be closed with </Files>; the closing tag
# is not visible here. Order/Deny/Satisfy are Apache 2.2 directives -- on
# 2.4 without mod_access_compat they are rejected and "Require all denied"
# is the equivalent. <Files> matches the final path component only, so
# files with non-dotted names inside dot-directories (e.g. under
# .well-known/) are not covered by this rule.
<Files ~ "^\..*">
order allow,deny
deny from all
satisfy all