WordPress security hardening with Apache .htaccess rules, plus the performance settings from Google's Webmaster Tools guide.
Put the rewrite rules in your .htaccess or httpd.conf (the <Directory> block further down is the one exception: it is only valid in httpd.conf).
WordPress default Rewrite Rule:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
Protect the wp-config.php file (it holds the database credentials and the auth salts, so no browser should ever be able to fetch it):
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>
On Apache 2.4 without mod_access_compat loaded, use "Require all denied" in place of the Order/Deny pair here and in the blocks that follow.
Deny access to .htaccess, .htpasswd and any other file whose extension matches the list (ini files, PHP source, Flash and Photoshop sources, logs, shell scripts):
<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$">
Order Allow,Deny
Deny from all
</FilesMatch>
Protect the wp-content directory by denying direct requests for everything except static assets. This stops an uploaded PHP backdoor from being run by URL, since plugin and theme code is only ever included server-side through index.php. <Directory> is valid in httpd.conf only, not in .htaccess; adjust the path to your install, and add any other static types you serve (woff, woff2, svg, mp4, pdf). Any plugin or theme that expects its own .php files to be requested directly will break, so test before deploying:
<Directory "/var/www/html/WordPress/wp-content">
Order Allow,Deny
Deny from all
<FilesMatch "\.(gif|jpe?g|png|bmp|css|js|xml|ico|lock)$">
Allow from all
</FilesMatch>
</Directory>
The next three conditions are chained with [OR] and feed the single RewriteRule at the end. They must sit after RewriteEngine On and before the WordPress catch-all rule, because that rule ends with [L]. Apache matches %{QUERY_STRING} exactly as the client sent it, still percent-encoded, so these are signature filters that catch the obvious cases only; keep WordPress and its plugins patched rather than relying on them.
Block any request whose query string contains a <script> tag:
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
Block any request that tries to set a PHP GLOBALS variable via the URL:
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
Block any request that tries to modify a _REQUEST variable via the URL:
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
Answer every blocked request with 403 Forbidden. With [F] the substitution is ignored, so nothing is sent to the homepage; "-" as the target makes that explicit:
RewriteRule ^(.*)$ - [F,L]
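To see what the three query-string filters above actually catch, here is an added example (mine, not part of the original post) that transcribes the RewriteCond patterns into Python's re module, whose syntax for these patterns is the same as the PCRE engine Apache uses, and runs a handful of constructed query strings through them. The sample query strings are made up for the demonstration; the last two are encoding variants that pass the raw-string match yet decode to the same payload once PHP parses them.

```python
import re
from urllib.parse import unquote

# The three RewriteCond patterns from the .htaccess rules above, transcribed
# verbatim. [NC] on the first one becomes re.IGNORECASE; the other two are
# case-sensitive in Apache as well.
QUERY_STRING_FILTERS = [
    ("script tag",        re.compile(r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE)),
    ("GLOBALS override",  re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})")),
    ("_REQUEST override", re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})")),
]


def classify(query_string):
    """Name of the first filter that matches, or None if the request passes.

    Apache matches %{QUERY_STRING} exactly as the client sent it, still
    percent-encoded, so nothing is decoded before matching here either.
    """
    for name, pattern in QUERY_STRING_FILTERS:
        if pattern.search(query_string):
            return name
    return None


def as_php_sees_it(query_string):
    """What PHP's $_GET parsing ends up with: the query string decoded once."""
    return unquote(query_string)


# Constructed sample query strings (not real traffic). The last two are
# encoding variants that the raw-string filters do not match.
SAMPLE_QUERY_STRINGS = [
    "p=123&s=hello",                          # ordinary search request
    "s=%3Cscript%3Ealert(1)%3C/script%3E",    # encoded <script>, caught
    "s=%3cSCRIPT%3e",                         # mixed case, caught thanks to [NC]
    "GLOBALS[foo]=bar",                       # register_globals-style override, caught
    "_REQUEST[admin]=1",                      # same trick against _REQUEST, caught
    "s=%3Cscr%69pt%3E",                       # 'i' sent as %69: no literal "script"
    "%47LOBALS[foo]=bar",                     # 'G' sent as %47: no literal "GLOBALS"
]


def audit(query_strings=SAMPLE_QUERY_STRINGS):
    """Return (query_string, filter_hit_or_None, decoded_form) for each input."""
    return [(qs, classify(qs), as_php_sees_it(qs)) for qs in query_strings]


if __name__ == "__main__":
    for qs, verdict, decoded in audit():
        status = "403 " + verdict if verdict else "pass"
        print(f"{status:22s} {qs:40s} -> PHP sees {decoded}")
```

Running it shows the first five samples behaving as the rules intend and the last two passing untouched even though PHP decodes them to `s=<script>` and `GLOBALS[foo]=bar`; that gap is why the rules are a nuisance filter rather than a control you can lean on.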
Prevent hot-linking of images (replace confignotes.com with your own host; if the site is served over TLS, add https variants of the first four patterns, otherwise your own pages will be refused their images):
SetEnvIfNoCase Referer "^http://www.confignotes.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://www.confignotes.com$" locally_linked=1
SetEnvIfNoCase Referer "^http://confignotes.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://confignotes.com$" locally_linked=1
SetEnvIfNoCase Referer "^$" locally_linked=1
<FilesMatch "\.(gif|png|jpe?g)$">
Order Allow,Deny
Allow from env=locally_linked
</FilesMatch>
The "^$" line is needed so that direct visits and browsers that strip the Referer still get the images, but it also means anyone who omits the Referer header bypasses the check. Treat this as a bandwidth control, not an access control.
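The hot-link rule is easy to misjudge because the allow/deny decision comes from the env variable rather than from the Referer directly. The following added example (mine, not from the original post) reproduces the SetEnvIfNoCase matching and the Order Allow,Deny default-deny logic in Python over constructed Referer values, and also tries a hardened pattern set, which is an assumption of this example rather than something the page prescribes, that admits https and both host forms.

```python
import re

# Referer patterns copied from the SetEnvIfNoCase lines above. SetEnvIfNoCase
# matches case-insensitively and treats a missing header as the empty string,
# which is what the "^$" entry relies on.
SITE_REFERER_PATTERNS = [
    r"^http://www.confignotes.com/",
    r"^http://www.confignotes.com$",
    r"^http://confignotes.com/",
    r"^http://confignotes.com$",
    r"^$",
]

# Hypothetical tightened set (an assumption of this example, not the page's
# rules): one pattern covers http and https, with and without www, and the
# dots are escaped so a host like "wwwXconfignotes.com" no longer matches.
HARDENED_REFERER_PATTERNS = [
    r"^https?://(www\.)?confignotes\.com(/|$)",
    r"^$",
]

# The <FilesMatch> scope from the rule. Note that it is case-sensitive, so a
# file uploaded as LOGO.PNG would not be protected at all.
PROTECTED_FILES = re.compile(r"\.(gif|png|jpe?g)$")


def locally_linked(referer, patterns=SITE_REFERER_PATTERNS):
    """True when any SetEnvIfNoCase pattern matches the Referer header."""
    referer = referer or ""          # an absent header behaves like ""
    return any(re.search(p, referer, re.IGNORECASE) for p in patterns)


def serves(path, referer, patterns=SITE_REFERER_PATTERNS):
    """Would Apache return the file?

    Inside <FilesMatch>, "Order Allow,Deny" with only an Allow line means the
    default is deny, so the request passes only when the env variable was set.
    Files outside the FilesMatch scope are not subject to the rule at all.
    """
    if not PROTECTED_FILES.search(path):
        return True
    return locally_linked(referer, patterns)


# Constructed requests: (path, Referer header, or None when the header is absent).
SAMPLE_REQUESTS = [
    ("/wp-content/uploads/logo.png", "http://www.confignotes.com/about/"),
    ("/wp-content/uploads/logo.png", "HTTP://CONFIGNOTES.COM"),
    ("/wp-content/uploads/logo.png", "http://evil.example/steal.html"),
    ("/wp-content/uploads/logo.png", None),
    ("/wp-content/uploads/logo.png", "https://www.confignotes.com/about/"),
    ("/wp-content/uploads/LOGO.PNG", "http://evil.example/steal.html"),
    ("/wp-content/themes/x/style.css", "http://evil.example/steal.html"),
]


def audit(requests=SAMPLE_REQUESTS):
    """(path, referer, served under the page's patterns, served under the hardened set)."""
    return [(p, r, serves(p, r), serves(p, r, HARDENED_REFERER_PATTERNS))
            for p, r in requests]


if __name__ == "__main__":
    for path, referer, original, hardened in audit():
        print(f"{path:32s} Referer={referer!s:40s} original={original!s:5s} hardened={hardened}")
```

Three rows are the ones to look at: the https Referer from the site's own pages is refused by the original patterns, the request with no Referer at all is served by both sets, and the upper-case file name escapes the rule entirely.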
Google Webmaster Tools' guide for website optimization (Apache settings)
Enabling compression for every response (the simplest form; it also recompresses images and other already-compressed content, so the per-type version below is preferred):
SetOutputFilter DEFLATE
Enabling gzip compression for text types only:
<IfModule mod_deflate.c>
<IfModule mod_filter.c>
AddOutputFilterByType DEFLATE text/plain text/html application/x-httpd-php-source
AddOutputFilterByType DEFLATE text/xml application/xml application/xhtml+xml application/xml-dtd
AddOutputFilterByType DEFLATE application/rdf+xml application/rss+xml application/atom+xml image/svg+xml
AddOutputFilterByType DEFLATE text/css text/javascript application/javascript application/x-javascript
AddOutputFilterByType DEFLATE font/truetype application/x-font-ttf font/opentype application/x-font-otf
</IfModule>
</IfModule>
On HTTPS sites, compressing a page that reflects attacker-controlled input alongside a secret such as a CSRF token is the precondition for the BREACH attack; leave such pages uncompressed or make the token per-request.
Set up Expires headers (the ExpiresDefault applies to everything not listed, including HTML, so pages are explicitly excluded below; .ico is served as image/x-icon by Apache's mime.types, which is why that type is used):
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 2 weeks"
# Dynamic pages must not be cached for two weeks
ExpiresByType text/html "access plus 0 seconds"
ExpiresByType text/css "access plus 2 weeks"
ExpiresByType text/plain "access plus 1 week"
ExpiresByType image/gif "access plus 2 weeks"
ExpiresByType image/png "access plus 2 weeks"
ExpiresByType image/jpeg "access plus 2 weeks"
ExpiresByType application/x-javascript "access plus 2 weeks"
ExpiresByType application/javascript "access plus 2 weeks"
ExpiresByType image/x-icon "access plus 1 month"
</IfModule>