bwonur · February 10, 2020 08:53
diff --git a/.htaccess b/.htaccess
 # START SECURITY
 # Don't show errors which contain full path diclosure (FPD)
 # Use that line only if PHP is installed as a module and not per CGI
 # try using a php.ini in that case.
 # Change mod_php5.c to mod_php7.c if you are running PHP7
 <IfModule mod_php5.c>
  php_flag display_errors Off
 </IfModule>

 # Don't list directories
 <IfModule mod_autoindex.c>
  Options -Indexes
 </IfModule>

 # Protect XMLRPC (needed for Apps, Offline-Blogging-Tools, Pingback, etc.)
 # If you use that, these tools will not work anymore
 <Files xmlrpc.php>
  #Order Deny,Allow
  #Deny from all
 </Files>

 # If you don't use the Database Optimizing and Post-by-Email features, turn off the access too:
 <FilesMatch "(repair|wp-mail)\.php">
    Order Deny,Allow
    Deny from all
 </FilesMatch>

 # Prevent browser and search engines to request .log (e.g. WP DEBUG LOG) and .txt (e.g. plugins readme) files.
 # Must be placed in /wp-content/.htaccess
 <FilesMatch "\.(log|txt)$">
    Order Allow,Deny
    Deny from all
 </FilesMatch>

 # Hide WordPress, system & sensitive files
 <FilesMatch "(^\.|wp-config(-sample)*\.php)">
    Order Deny,Allow
    Deny from all
 </FilesMatch>

 # Protect some other files
 <FilesMatch "(liesmich.html|readme.html|(.*)\.ttf|(.*)\.bak)">
  Order Deny,Allow
  Deny from all
 </FilesMatch>

 # Block the include-only files.
 # Do not use in Multisite without reading the note in Codex!
 # See: https://codex.wordpress.org/Hardening_WordPress#WP-Includes
 <IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  RewriteRule ^wp-admin/includes/ - [F,L]
  RewriteRule !^wp-includes/ - [S=3]
  # If you run multisite, comment the next line (see note above)
  RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
  RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
  RewriteRule ^wp-includes/theme-compat/ - [F,L]
 </IfModule>

 # Set some security related headers
 # See: http://de.slideshare.net/walterebert/die-htaccessrichtignutzenwchh2014 (GERMAN)
 <IfModule mod_headers.c>
  Header set X-Content-Type-Options nosniff
  Header set X-XSS-Protection "1; mode=block"
  Header set Referrer-Policy: strict-origin-when-cross-origin
  # The line below is an advanced method for a more secure configuration, please see documentation before usage!
  # Introduction: https://scotthelme.co.uk/content-security-policy-an-introduction/
  # http://www.heise.de/security/artikel/XSS-Bremse-Content-Security-Policy-1888522.html (German)
  # Documentation: https://content-security-policy.com/
  # Analysis: https://securityheaders.io/
  Header set Content-Security-Policy "default-src 'self'; img-src 'self' http: https: *.gravatar.com; script-src 'self' www.google-analytics.com *.cloudflare.com""
 </IfModule>

 # Allow WordPress Embed
 # https://gist.github.com/sergejmueller/3c4351ec29576fb441fe
 <IfModule mod_setenvif.c>
    SetEnvIf Request_URI "/embed/$" IS_embed
    <IfModule mod_headers.c>
    	Header set X-Frame-Options SAMEORIGIN env=!REDIRECT_IS_embed
    </IfModule>
 </IfModule>

 #Force secure cookies (uncomment for HTTPS)
 <IfModule mod_headers.c>
  Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
 </IfModule>

 #Unset headers revealing versions strings
 <IfModule mod_headers.c>
  Header unset X-Powered-By
  Header unset X-Pingback
  Header unset SERVER
 </IfModule>

 # Filter Request Methods
 # See: https://perishablepress.com/disable-trace-and-track-for-better-security/
 <IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
  RewriteRule ^(.*)$ - [F,L]
 </IfModule>

 # Strict transport security
 <IfModule mod_headers.c>
  Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
 </IfModule>

 # Hide Apache info
 ServerTokens ProductOnly
 ServerSignature Off

 # END SECURITY
diff --git a/htaccess.secure.md b/htaccess.secure.md
	# START SECURITY
	# Don't show errors which contain full path diclosure (FPD)
	# Use that line only if PHP is installed as a module and not per CGI
	# try using a php.ini in that case.
	# Change mod_php5.c to mod_php7.c if you are running PHP7
	<IfModule mod_php5.c>
	php_flag display_errors Off
	</IfModule>

	# Don't list directories
	<IfModule mod_autoindex.c>
	Options -Indexes
	</IfModule>

	# Protect XMLRPC (needed for Apps, Offline-Blogging-Tools, Pingback, etc.)
	# If you use that, these tools will not work anymore
	<Files xmlrpc.php>
	#Order Deny,Allow
	#Deny from all
	</Files>

	# If you don't use the Database Optimizing and Post-by-Email features, turn off the access too:
	<FilesMatch "(repair\|wp-mail)\.php">
	Order Deny,Allow
	Deny from all
	</FilesMatch>

	# Prevent browser and search engines to request .log (e.g. WP DEBUG LOG) and .txt (e.g. plugins readme) files.
	# Must be placed in /wp-content/.htaccess
	<FilesMatch "\.(log\|txt)$">
	Order Allow,Deny
	Deny from all
	</FilesMatch>

	# Hide WordPress, system & sensitive files
	<FilesMatch "(^\.\|wp-config(-sample)*\.php)">
	Order Deny,Allow
	Deny from all
	</FilesMatch>

	# Protect some other files
	<FilesMatch "(liesmich.html\|readme.html\|(.)\.ttf\|(.)\.bak)">
	Order Deny,Allow
	Deny from all
	</FilesMatch>

	# Block the include-only files.
	# Do not use in Multisite without reading the note in Codex!
	# See: https://codex.wordpress.org/Hardening_WordPress#WP-Includes
	<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteBase /
	RewriteRule ^wp-admin/includes/ - [F,L]
	RewriteRule !^wp-includes/ - [S=3]
	# If you run multisite, comment the next line (see note above)
	RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
	RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
	RewriteRule ^wp-includes/theme-compat/ - [F,L]
	</IfModule>

	# Set some security related headers
	# See: http://de.slideshare.net/walterebert/die-htaccessrichtignutzenwchh2014 (GERMAN)
	<IfModule mod_headers.c>
	Header set X-Content-Type-Options nosniff
	Header set X-XSS-Protection "1; mode=block"
	Header set Referrer-Policy: strict-origin-when-cross-origin
	# The line below is an advanced method for a more secure configuration, please see documentation before usage!
	# Introduction: https://scotthelme.co.uk/content-security-policy-an-introduction/
	# http://www.heise.de/security/artikel/XSS-Bremse-Content-Security-Policy-1888522.html (German)
	# Documentation: https://content-security-policy.com/
	# Analysis: https://securityheaders.io/
	Header set Content-Security-Policy "default-src 'self'; img-src 'self' http: https: .gravatar.com; script-src 'self' www.google-analytics.com .cloudflare.com""
	</IfModule>

	# Allow WordPress Embed
	# https://gist.github.com/sergejmueller/3c4351ec29576fb441fe
	<IfModule mod_setenvif.c>
	SetEnvIf Request_URI "/embed/$" IS_embed
	<IfModule mod_headers.c>
	Header set X-Frame-Options SAMEORIGIN env=!REDIRECT_IS_embed
	</IfModule>
	</IfModule>

	#Force secure cookies (uncomment for HTTPS)
	<IfModule mod_headers.c>
	Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
	</IfModule>

	#Unset headers revealing versions strings
	<IfModule mod_headers.c>
	Header unset X-Powered-By
	Header unset X-Pingback
	Header unset SERVER
	</IfModule>

	# Filter Request Methods
	# See: https://perishablepress.com/disable-trace-and-track-for-better-security/
	<IfModule mod_rewrite.c>
	RewriteEngine on
	RewriteCond %{REQUEST_METHOD} ^(TRACE\|DELETE\|TRACK) [NC]
	RewriteRule ^(.*)$ - [F,L]
	</IfModule>

	# Strict transport security
	<IfModule mod_headers.c>
	Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
	</IfModule>

	# Hide Apache info
	ServerTokens ProductOnly
	ServerSignature Off

	# END SECURITY