Last active
April 22, 2019 09:56
-
-
Save JamiesonRoberts/505e5cca81712a0a6809fda7dc67e2a4 to your computer and use it in GitHub Desktop.
Wordpress 4.7.x Head Cleanup Script
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| /** | |
| * Created by jamiesonroberts | |
| * Date: 2017-04-08 | |
| */ | |
| /** | |
| * Removes security vulnerabilities, extraneous styles and scripts, | |
| * as well as related resource inclusions for Wordpress 4.7.x | |
| * | |
| * All actions have been broken up into their related groupings with comments | |
| * as to what each grouping affects and any specific notes. | |
| */ | |
| function removeHeadLinks() | |
| { | |
| /** | |
| * Disables all RSS based feed links from being output. | |
| * See line 70 for function to completely disable feeds from being accessible. | |
| */ | |
| remove_action('wp_head', 'feed_links_extra', 3); | |
| remove_action('wp_head', 'feed_links', 2); | |
| /** | |
| * Disables RSD and WLM endpoint exposure. | |
| * See attached .htaccess to restrict access to these files | |
| */ | |
| remove_action('wp_head', 'rsd_link'); | |
| remove_action('wp_head', 'wlwmanifest_link'); | |
| /** | |
| * Disables adjacent posts links. | |
| */ | |
| remove_action('wp_head', 'adjacent_posts_rel_link', 10, 0); | |
| /** | |
| * Removes security issue of broadcasting the Wordpress version installed. | |
| */ | |
| remove_action('wp_head', 'wp_generator'); | |
| /** | |
| * Removes REST API and oEmbed link references. Does not stop you from using the RESTful API, | |
| * just removes the broadcasting of it. | |
| */ | |
| remove_action('wp_head', 'rest_output_link_wp_head'); | |
| remove_action('wp_head', 'wp_oembed_add_discovery_links'); | |
| /** | |
| * Removes pre-fetching header for external sources such as the Emoji CDN. | |
| */ | |
| remove_action('wp_head', 'wp_resource_hints', 2); | |
| /** | |
| * Removes all styles and scripts related to inline Emoji detection and conversion. | |
| */ | |
| remove_action('wp_head', 'print_emoji_detection_script', 7); | |
| remove_action('wp_print_styles', 'print_emoji_styles'); | |
| remove_action('admin_print_scripts', 'print_emoji_detection_script'); | |
| remove_action('admin_print_styles', 'print_emoji_styles'); | |
| } | |
| add_action('init', 'removeHeadLinks'); | |
| /** | |
| * Ensures that if the feeds are hidden, they are no longer accessible. | |
| * Code for redirect is courtesy of https://github.com/solarissmoke | |
| * Only thing that has been done to it is conversion from a php class and cleaning up | |
| * the look of the code. | |
| */ | |
| function feedTemplateRedirect() | |
| { | |
| /** | |
| * Only proceed if current query is for a feed. | |
| */ | |
| if (!is_feed()) { | |
| return; | |
| } | |
| if (isset($_GET['feed'])) { | |
| wp_redirect(esc_url_raw(remove_query_arg('feed')), 301); | |
| exit; | |
| } | |
| if (get_query_var('feed') !== 'old') { | |
| set_query_var('feed', ''); | |
| } | |
| redirect_canonical(); | |
| /** | |
| * Still here? redirect_canonical failed to redirect, probably because of a filter. Try the hard way. | |
| */ | |
| global $wp_rewrite; | |
| $structure = (!is_singular() && is_comment_feed()) ? | |
| $wp_rewrite->get_comment_feed_permastruct() : $wp_rewrite->get_feed_permastruct(); | |
| $structure = preg_quote($structure, '#'); | |
| $structure = str_replace('%feed%', '(\w+)?', $structure); | |
| $structure = preg_replace('#/+#', '/', $structure); | |
| $requested_url = (is_ssl() ? 'https://' : 'http://') . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; | |
| $new_url = preg_replace('#' . $structure . '/?$#', '', $requested_url); | |
| if ($new_url != $requested_url) { | |
| wp_redirect($new_url, 301); | |
| exit; | |
| } | |
| } | |
| add_action('template_redirect', 'feedTemplateRedirect', 1); | |
| /** | |
| * If Yoast SEO is installed, remove html comments that expose version information. | |
| * Remove function is courtesy of https://github.com/trajche | |
| */ | |
| if (defined('WPSEO_VERSION')) { | |
| add_action('get_header', function () { | |
| ob_start('remove_yoast'); | |
| }); | |
| add_action('wp_head', function () { | |
| ob_end_flush(); | |
| }, 999); | |
| } | |
| function remove_yoast($output) | |
| { | |
| $targets = array( | |
| '<!-- This site is optimized with the Yoast WordPress SEO plugin v' . WPSEO_VERSION . ' - https://yoast.com/wordpress/plugins/seo/ -->', | |
| '<!-- / Yoast WordPress SEO plugin. -->', | |
| '<!-- This site uses the Google Analytics by Yoast plugin v' . GAWP_VERSION . ' - https://yoast.com/wordpress/plugins/google-analytics/ -->', | |
| '<!-- / Google Analytics by Yoast -->' | |
| ); | |
| $output = str_ireplace($targets, '', $output); | |
| $output = trim($output); | |
| $output = preg_replace('/\n?<.*?yoast.*?>/mi', '', $output); | |
| return $output; | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Deny/Block xmlrpc.php requests | |
| <files xmlrpc.php> | |
| <IfModule mod_authz_core.c> | |
| Require all denied | |
| </IfModule> | |
| <IfModule !mod_authz_core.c> | |
| Order allow,deny | |
| Deny from all | |
| </IfModule> | |
| </files> | |
| # Deny/Block wlwmanifest.xml requests | |
| <files wlwmanifest.xml> | |
| <IfModule mod_authz_core.c> | |
| Require all denied | |
| </IfModule> | |
| <IfModule !mod_authz_core.c> | |
| Order allow,deny | |
| Deny from all | |
| </IfModule> | |
| </files> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Updated with comments as well as RSS feed complete removal and attribution to @solarissmoke