Htaccess wordpress config with conveniece, security and chaching in mind

.htaccess

# Secure HTACCESS wordpress config - https://gist.github.com/JohannesDeml/f714e47d6c6ea885f45f70bd34d927f8

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# BEGIN HTTP security settings
Header set Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Header set Content-Security-Policy "default-src 'none'; img-src https://* data:; font-src https://* data:; connect-src 'self'; frame-src https://* 'unsafe-inline'; manifest-src 'self'; object-src 'self'; script-src  https://* 'unsafe-inline' 'unsafe-eval'; style-src https://* 'unsafe-inline'; worker-src 'self'; block-all-mixed-content; upgrade-insecure-requests; base-uri 'self'; form-action https://* 'unsafe-inline';"
Feature-Policy: autoplay 'none'; camera 'none'; document-domain 'self'; encrypted-media 'self'; fullscreen 'self'; geolocation 'none'; microphone 'none'; midi 'none'; payment 'none'; vr 'none';
Header set Referrer-Policy: same-origin
Header set X-XSS-Protection: "1; mode=block"
# END HTTP security settings

# BEGIN Caching - Source: https://gist.github.com/solancer/a51cf728a119a16f4c6ce494864a2d47
<IfModule mod_expires.c>

    ExpiresActive on
    ExpiresDefault                                      "access plus 1 month"

  # CSS
    ExpiresByType text/css                              "access plus 1 year"

  # Data interchange
    ExpiresByType application/atom+xml                  "access plus 1 hour"
    ExpiresByType application/rdf+xml                   "access plus 1 hour"
    ExpiresByType application/rss+xml                   "access plus 1 hour"

    ExpiresByType application/json                      "access plus 0 seconds"
    ExpiresByType application/ld+json                   "access plus 0 seconds"
    ExpiresByType application/schema+json               "access plus 0 seconds"
    ExpiresByType application/vnd.geo+json              "access plus 0 seconds"
    ExpiresByType application/xml                       "access plus 0 seconds"
    ExpiresByType text/xml                              "access plus 0 seconds"

  # Favicon (cannot be renamed!) and cursor images
    ExpiresByType image/vnd.microsoft.icon              "access plus 1 week"
    ExpiresByType image/x-icon                          "access plus 1 week"

  # HTML
    ExpiresByType text/html                             "access plus 0 seconds"

  # JavaScript
    ExpiresByType application/javascript                "access plus 1 year"
    ExpiresByType application/x-javascript              "access plus 1 year"
    ExpiresByType text/javascript                       "access plus 1 year"

  # Manifest files
    ExpiresByType application/manifest+json             "access plus 1 year"

    ExpiresByType application/x-web-app-manifest+json   "access plus 0 seconds"
    ExpiresByType text/cache-manifest                   "access plus 0 seconds"

  # Media files
    ExpiresByType audio/ogg                             "access plus 1 month"
    ExpiresByType image/bmp                             "access plus 1 month"
    ExpiresByType image/gif                             "access plus 1 month"
    ExpiresByType image/jpeg                            "access plus 1 month"
    ExpiresByType image/png                             "access plus 1 month"
    ExpiresByType image/svg+xml                         "access plus 1 month"
    ExpiresByType image/webp                            "access plus 1 month"
    ExpiresByType video/mp4                             "access plus 1 month"
    ExpiresByType video/ogg                             "access plus 1 month"
    ExpiresByType video/webm                            "access plus 1 month"

  # Web fonts

    # Embedded OpenType (EOT)
    ExpiresByType application/vnd.ms-fontobject         "access plus 1 month"
    ExpiresByType font/eot                              "access plus 1 month"

    # OpenType
    ExpiresByType font/opentype                         "access plus 1 month"

    # TrueType
    ExpiresByType application/x-font-ttf                "access plus 1 month"

    # Web Open Font Format (WOFF) 1.0
    ExpiresByType application/font-woff                 "access plus 1 month"
    ExpiresByType application/x-font-woff               "access plus 1 month"
    ExpiresByType font/woff                             "access plus 1 month"

    # Web Open Font Format (WOFF) 2.0
    ExpiresByType application/font-woff2                "access plus 1 month"

  # Other
    ExpiresByType text/x-cross-domain-policy            "access plus 1 week"

</IfModule>
# END Caching

README.md

Htacces for wordpress

• Supports caching through mod_expires (See https://gist.github.com/solancer/a51cf728a119a16f4c6ce494864a2d47)
• Working Content Security Policy that does not break wordpress functionality and supports embedding of external iframes (e.g. Youtube)

Installation

• Open an ftp client (e.g. cyberduck) and connect to your server
• Enable Show hidden Files (View-> Show hidden Files Ctrl+Shift+R)
• Overwirte the htaccess file that is in the root directory of your wordpress installation

Environment

• Wordpress 5.3 on greengeeks with php 7.2