
WordPress Web Root Htaccess File

# Everyone is redirected to Maintenance page (disabled). Before enabling it, note:
# there is no REMOTE_ADDR exclusion, so it locks you out of wp-admin as well —
# add e.g. `RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.5$` first; the target is
# plain http:// and is bounced again by the Force-HTTPS rule below — use https://;
# and a 503 with Retry-After tells crawlers the outage is temporary, a 307 does not.
# RewriteEngine On
# RewriteBase /
# RewriteCond %{REQUEST_URI} !^/maintenance\.html$
# RewriteRule ^(.*)$ http://domain.com/maintenance.html [R=307,L]

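# Force HTTPS (No need to touch code within BEGIN WordPress)
# Every plain-HTTP request is redirected, permanently, to the same host and
# path over HTTPS.
# NOTE(review): %{HTTP_HOST} is whatever the client put in its Host header.
# If this vhost is the server's default/catch-all, a crafted Host header turns
# this rule into an open redirect — hard-code the canonical hostname in place
# of %{HTTP_HOST} once it is known.
# The X-Forwarded-Proto test prevents a redirect loop when TLS is terminated
# by a proxy/CDN in front of Apache: there %{HTTPS} is never "on" although
# the client already uses HTTPS.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !^https$
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]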

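# Leverage Browser Caching
# 1 Month (2592000 s) for most static assets.
# The leading dot is escaped: unescaped, "." matches any character, so a file
# named e.g. "stylecss" or "xjs" would also get the cache header.
# Header directives make Apache fail the whole .htaccess (HTTP 500) when
# mod_headers is not loaded, so they are guarded the same way as the security
# headers further down.
# FilesMatch is case-sensitive: upper-case extensions (".JPG") are not
# matched by this rule.
<IfModule mod_headers.c>
    <FilesMatch "\.(css|jpg|jpeg|png|gif|js|ico|svg)$">
        Header set Cache-Control "max-age=2592000, public"
    </FilesMatch>
</IfModule>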

# Fix for rendering SVGs
# Browsers render SVG only when it is served as image/svg+xml; .svgz is a
# gzip-compressed SVG and needs the matching Content-Encoding.
# NOTE(review): SVG is XML and can embed <script>. WordPress core refuses SVG
# uploads; if a plugin enables them, restrict who may upload, because a
# user-supplied SVG served inline from this origin is stored XSS.
AddType image/svg+xml svg svgz
AddEncoding gzip svgz

# BEGIN GZIP
# Compress text-like responses on the fly. Formats that are already
# compressed (raster images, woff/woff2) are deliberately not listed.
# NOTE(review): compressing HTML that mixes attacker-controlled input with
# secrets (nonces, tokens) over TLS is what the BREACH side channel relies
# on; worth weighing before keeping text/html in this list.
<IfModule mod_deflate.c>
    # Markup and plain text
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE application/rss+xml
    # Scripts (all three MIME names seen in the wild)
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/x-javascript
    # Image types that are really text
    AddOutputFilterByType DEFLATE image/svg+xml
    AddOutputFilterByType DEFLATE image/x-icon
    # Uncompressed font containers
    AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
    AddOutputFilterByType DEFLATE application/x-font
    AddOutputFilterByType DEFLATE application/x-font-opentype
    AddOutputFilterByType DEFLATE application/x-font-otf
    AddOutputFilterByType DEFLATE application/x-font-truetype
    AddOutputFilterByType DEFLATE application/x-font-ttf
    AddOutputFilterByType DEFLATE font/opentype
    AddOutputFilterByType DEFLATE font/otf
    AddOutputFilterByType DEFLATE font/ttf
</IfModule>

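# PROTECT WP-CONFIG AND THE INSTALLER
# One FilesMatch replaces the two identical <Files> blocks and, by matching
# on the prefix, also covers editor/backup copies of wp-config.php
# (wp-config.php.bak, wp-config.php~, wp-config.php.save, ...). Those are not
# handled by PHP and would otherwise be served as plain text, exposing the
# database credentials and salts.
# NOTE(review): install.php is needed once, during initial setup — apply this
# rule after the site has been installed.
<FilesMatch "^(wp-config\.php|install\.php)">

    # Apache < 2.3
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
        Satisfy All
    </IfModule>

    # Apache >= 2.3
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>

</FilesMatch>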

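# Block the include-only files.
# https://codex.wordpress.org/Hardening_WordPress#Hardening_Recommendations
# Every rule below only matches paths under wp-admin/ or wp-includes/, so the
# cPanel AutoSSL "/.well-known/..." exclusions that had been attached to each
# rule could never affect them; they are dropped here. cPanel may re-insert
# them on its next AutoSSL run, which is harmless.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    # Nothing under wp-admin/includes/ is meant to be requested directly.
    RewriteRule ^wp-admin/includes/ - [F,L]
    # Requests outside wp-includes/ skip the three wp-includes rules below.
    RewriteRule !^wp-includes/ - [S=3]
    # Direct hits on PHP files at the top of wp-includes/ (not subdirectories).
    # NOTE(review): per the Codex page above, this rule breaks ms-files.php
    # on Multisite; drop it there if uploaded images stop being served.
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>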

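# Disable xmlrpc.php
# http://www.wpbeginner.com/plugins/how-to-disable-xml-rpc-in-wordpress/
# xmlrpc.php is the usual target for credential brute-forcing via
# system.multicall and for pingback abuse. Blocking it also breaks Jetpack,
# the WordPress mobile apps and anything else that talks XML-RPC.
# "order"/"deny" are Apache 2.2 directives (mod_access_compat on 2.4); on a
# 2.4 server without that module they are unknown and the whole .htaccess
# returns 500, so use the same version split as the wp-config.php rule above.
<Files xmlrpc.php>

    # Apache < 2.3
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
        Satisfy All
    </IfModule>

    # Apache >= 2.3
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>

</Files>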

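# HTTP security headers
# "always" makes the headers apply to error responses (403/404/500) as well;
# plain "Header set" only touches 2xx responses.
<IfModule mod_headers.c>
    # SAMEORIGIN rather than DENY: the WordPress Customizer previews the site
    # in a same-origin iframe, which DENY blocks. Cross-site framing
    # (clickjacking) is still refused.
    Header always set X-Frame-Options "SAMEORIGIN"
    # The XSS auditor has been removed from current browsers, and on older
    # ones "1; mode=block" introduced side channels of its own; "0" disables
    # it explicitly.
    Header always set X-XSS-Protection "0"
    Header always set X-Content-Type-Options "nosniff"
    # Send only the origin to other sites (and nothing on HTTPS->HTTP).
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # HSTS pairs with the Force-HTTPS rule above; emitted on TLS responses
    # only. NOTE(review): start with a short max-age and raise it (and add
    # includeSubDomains) once every hostname is known to work over HTTPS —
    # a too-early long max-age cannot be taken back from visitors' browsers.
    Header always set Strict-Transport-Security "max-age=300" env=HTTPS
</IfModule>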

# Block Comment Spam (disabled). Rejects POSTs to wp-comments-post.php that have
# no User-Agent or whose Referer does not contain the site's own domain — replace
# `example.com` before enabling. A Referer check only stops lazy bots; the
# header is trivially spoofed.
# <IfModule mod_rewrite.c>
#     RewriteEngine On
#     RewriteCond %{REQUEST_METHOD} POST
#     RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
#     RewriteCond %{HTTP_REFERER} !example.com [NC]
#     RewriteCond %{REQUEST_URI} /wp-comments-post\.php [NC]
#     RewriteRule .* - [F,L]
# </IfModule>

# Disable directory listing
# Stops Apache from generating an index for directories that have no
# index.php/index.html (e.g. wp-content/uploads/), which would expose file
# names to anyone browsing to the directory.
# NOTE(review): "Options" in .htaccess needs AllowOverride Options (or All)
# in the vhost; with a stricter AllowOverride this one line makes every
# request return 500.
Options -Indexes

# BEGIN WordPress
# The directives (lines) between `BEGIN WordPress` and `END WordPress` are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
</IfModule>
# END WordPress