WordPress Security using .htaccess

WordPress Security and Google’s guide from webmaster tools.
Put the Rewrite rules in your .htaccess or httpd.conf

WordPress default Rewrite Rule:

<IfModule mod_rewrite.c>
   RewriteEngine On
   RewriteBase /
   RewriteRule ^index\.php$ - [L]
   RewriteCond %{REQUEST_FILENAME} !-f
   RewriteCond %{REQUEST_FILENAME} !-d
   RewriteRule . /index.php [L]

Protect the wp-config.php file:

<Files wp-config.php>
   Deny from all

Protect your .htaccess and .htpasswd, allow only for matched extension:

<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$">
   Order Allow,Deny
   Deny from all

Protect wp-content directory:

<Directory "/var/www/html/WordPress/wp-content">
    Order Allow,Deny
    Deny from all
    <Files ~ "\.(gif|jpe?g|png|bmp|css|js|xml|ico|lock)$">
        Allow from all

Block out any script that includes a <script> tag in URL:

RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]

Block out any script trying to set a PHP GLOBALS variable via URL:

RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

Block out any script trying to modify a _REQUEST variable via URL:

RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})

Send all blocked request to homepage with 403 Forbidden error:

RewriteRule ^(.*)$ index.php [F,L]

Prevent Hot Linking:

SetEnvIfNoCase Referer "^http://www.confignotes.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://www.confignotes.com$" locally_linked=1
SetEnvIfNoCase Referer "^http://confignotes.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://confignotes.com$" locally_linked=1
SetEnvIfNoCase Referer "^$" locally_linked=1
<FilesMatch "\.(gif|png|jpe?g)$">
    Order Allow,Deny
    Allow from env=locally_linked


Google Webmaster’s guide for website optimization

Enabling Compression:

SetOutputFilter DEFLATE

Enabling gzip compression:

<IfModule mod_deflate.cc>
    <IfModule mod_filter.cc>
        AddOutputFilterByType DEFLATE text/plain text/html application/x-httpd-php-source
        AddOutputFilterByType DEFLATE text/xml application/xml application/xhtml+xml application/xml-dtd
        AddOutputFilterByType DEFLATE application/rdf+xml application/rss+xml application/atom+xml image/svg+xml
        AddOutputFilterByType DEFLATE text/css text/javascript application/javascript application/x-javascript
        AddOutputFilterByType DEFLATE font/truetype application/x-font-ttf font/opentype application/x-font-otf

Setup Expires:

<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresDefault "access plus 2 week"
    ExpiresByType text/css "access plus 2 week"
    ExpiresByType text/plain "access plus 1 week"
    ExpiresByType image/gif "access plus 2 week"
    ExpiresByType image/png "access plus 2 week"
    ExpiresByType image/jpeg "access plus 2 week"
    ExpiresByType application/x-javascript "access plus 2 week"
    ExpiresByType application/javascript "access plus 2 week"
    ExpiresByType application/x-icon "access plus 1 month"

Published by

Ferdy Mañago

Portland, Oregon