.htaccess Güvenliği

.htaccess

# START SECURITY
# Don't show errors which contain full path diclosure (FPD)
# Use that line only if PHP is installed as a module and not per CGI
# try using a php.ini in that case.
# Change mod_php5.c to mod_php7.c if you are running PHP7
<IfModule mod_php5.c>
  php_flag display_errors Off
</IfModule>

# Don't list directories
<IfModule mod_autoindex.c>
  Options -Indexes
</IfModule>

# Protect XMLRPC (needed for Apps, Offline-Blogging-Tools, Pingback, etc.)
# If you use that, these tools will not work anymore
<Files xmlrpc.php>
  #Order Deny,Allow
  #Deny from all
</Files>

# If you don't use the Database Optimizing and Post-by-Email features, turn off the access too:
<FilesMatch "(repair|wp-mail)\.php">
    Order Deny,Allow
    Deny from all
</FilesMatch>

# Prevent browser and search engines to request .log (e.g. WP DEBUG LOG) and .txt (e.g. plugins readme) files.
# Must be placed in /wp-content/.htaccess
<FilesMatch "\.(log|txt)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

# Hide WordPress, system & sensitive files
<FilesMatch "(^\.|wp-config(-sample)*\.php)">
    Order Deny,Allow
    Deny from all
</FilesMatch>

# Protect some other files
<FilesMatch "(liesmich.html|readme.html|(.*)\.ttf|(.*)\.bak)">
  Order Deny,Allow
  Deny from all
</FilesMatch>

# Block the include-only files.
# Do not use in Multisite without reading the note in Codex!
# See: https://codex.wordpress.org/Hardening_WordPress#WP-Includes
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  RewriteRule ^wp-admin/includes/ - [F,L]
  RewriteRule !^wp-includes/ - [S=3]
  # If you run multisite, comment the next line (see note above)
  RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
  RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
  RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# Set some security related headers
# See: http://de.slideshare.net/walterebert/die-htaccessrichtignutzenwchh2014 (GERMAN)
<IfModule mod_headers.c>
  Header set X-Content-Type-Options nosniff
  Header set X-XSS-Protection "1; mode=block"
  Header set Referrer-Policy: strict-origin-when-cross-origin
  # The line below is an advanced method for a more secure configuration, please see documentation before usage!
  # Introduction: https://scotthelme.co.uk/content-security-policy-an-introduction/
  # http://www.heise.de/security/artikel/XSS-Bremse-Content-Security-Policy-1888522.html (German)
  # Documentation: https://content-security-policy.com/
  # Analysis: https://securityheaders.io/
  Header set Content-Security-Policy "default-src 'self'; img-src 'self' http: https: *.gravatar.com; script-src 'self' www.google-analytics.com *.cloudflare.com""
</IfModule>

# Allow WordPress Embed
# https://gist.github.com/sergejmueller/3c4351ec29576fb441fe
<IfModule mod_setenvif.c>
    SetEnvIf Request_URI "/embed/$" IS_embed
    <IfModule mod_headers.c>
    	Header set X-Frame-Options SAMEORIGIN env=!REDIRECT_IS_embed
    </IfModule>
</IfModule>

#Force secure cookies (uncomment for HTTPS)
<IfModule mod_headers.c>
  Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</IfModule>

#Unset headers revealing versions strings
<IfModule mod_headers.c>
  Header unset X-Powered-By
  Header unset X-Pingback
  Header unset SERVER
</IfModule>

# Filter Request Methods
# See: https://perishablepress.com/disable-trace-and-track-for-better-security/
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
  RewriteRule ^(.*)$ - [F,L]
</IfModule>

# Strict transport security
<IfModule mod_headers.c>
  Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
</IfModule>

# Hide Apache info
ServerTokens ProductOnly
ServerSignature Off

# END SECURITY

htaccess.secure.md

1. .htaccess içinde HTTP Sıkı Aktarım Güvenliğini (HSTS) etkinleştirin

HTTP Sıkı Aktarım Güvenliği (HSTS) desteği genellikle SEO ve güvenlik tarayıcıları tarafından işaretlenir . Bu ne işe yarıyor? Web tarayıcılarına, web sitenize yalnızca geçerli bir https bağlantısı üzerinden erişilmesini istediğinizi bildirir. Etkinleştirmek için bu satırı htaccess'e ekleyin: Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

2. Dizine erişimleri engelleyin

Engellenmesini istediğiniz tüm dizinlere .htaccess dosyasını aşağıdaki kodu ekleyerek oluşturun. <FilesMatch "\.(?i:php)$"> <IfModule !mod_authz_core.c> Order allow,deny Deny from all </IfModule> <IfModule mod_authz_core.c> Require all denied </IfModule> </FilesMatch>

3. Sadece belirli IP adresinden gelen isteklere cevap vermek

<Files <YOUR FILENAME>.php> Order deny,allow Deny from all Allow from <YOUR IP ADDRESS> </Files>

4. Dizinlerin tarayıcıda index'lenmesini (dosyaların listelenmesini) engellemek

Options All -Indexes

5. Resim dosyalarının harici sitelerde kullanılmasına karşı engel koymak (Hotlink Block)

Burada dikkat edilmesi gereken husus sitenizin bağlantısını bir sosyal medya sitesinde de paylaştığınızda ilgili resimlerin hotlink'e karşı blocklanıp default resmi göstereceğidir. Bunun için ayrı istisnalar yazılabilir. RewriteEngine On RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{HTTP_REFERER} !^http://(www.)?yourdomain.com/.*$ [NC] RewriteRule .(jpeg|JPEG|jpe|JPE|jpg|JPG|gif|GIF|png|PNG)$ https://www.yourdomain.com/no-hotlinking.png [R,L]

6. Siteler arası kaynak erişimi isteklerine sınır koymak

Header set Access-Control-Allow-Origin https://www.yourdomain.com

7. HTTP izlemelerini devre dışı bırakmak

RewriteEngine on RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F]