cdsalmons · February 3, 2016 13:34
diff --git a/.htaccess b/.htaccess
 <IfModule mod_headers.c>
        # Use HTTP Strict Transport Security to force client to use secure connections only
        Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
 </IfModule>

 SSLHonorCipherOrder On
 SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
 #SSLProtocol ALL -TLSv1 -SSLv2
 # CVE-2011-3389
 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

 # BEGIN WordPress
 <IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /
 RewriteRule ^index.php$ - [L]
 RewriteRule ^login/?$ /wp-login.php [QSA,L]
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule . /index.php [L]
 </IfModule>
 
 # END WordPress

 #######################
 # Hardening WordPress #
 #######################

 # <files wp-config.php>
 #    Order allow,deny
 #    Deny from all
 # </files>

 # <files readme.html>
 #    Order allow,deny
 #    Deny from all
 # </files>

 # <files license.txt>
 #    Order allow,deny
 #    Deny from all
 # </files>

 <FilesMatch "^(wp-config.php|readme.html|license.txt)">
    Order allow,deny
    Deny from all
    Satisfy All
 </FilesMatch>

 # Block the include-only files.
 <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
 </IfModule>

 # Block access to wp-login.php
 # <Files wp-login.php>
 #    Order Deny,Allow
 #    Deny from all
 #    Allow from xx.xx.xx.xx
 # </Files>

 # Block access to the following file types, i.e. filename.type
 <FilesMatch "(^#.*#|.(bak|config|dist|txt|zip|eot|otf|ttc|ttf|woff|inc|phps|ini|log|psd|sh|sql)|~)$">
    Order allow,deny
    Deny from all
    Satisfy All
 </FilesMatch>

 # Disallow directory listing
 <IfModule mod_autoindex.c>
    Options -Indexes
 </IfModule>

 # Block outside domain names from using the POST method
 #<IfModule mod_rewrite.c>
 #    RewriteEngine On
 #    RewriteCond %{REQUEST_METHOD} POST
 #    RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login).php*
 #    RewriteCond %{HTTP_REFERER} !.*domain.com.* [OR]
 #    RewriteCond %{HTTP_USER_AGENT} ^$
 #    RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]
 #</ifModule>

 # Security Headers - X-Content-Type: nosniff
 # https://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx
 <IfModule mod_headers.c>
  Header set X-Content-Type-Options nosniff
 </IfModule>

 # Security Headers - X-Frame-Options
 # Prevents ClickJacking - Prevents an attacker from iframing your content
 # https://blog.mozilla.org/security/2013/12/12/on-the-x-frame-options-security-header/
 # <IfModule mod_headers.c>
 #  Header always append X-Frame-Options SAMEORIGIN
 # </IfModule>

 # Security Headers - X-XSS-Protection
 # Protects against some types of XSS (cross-site scripting) attacks
 <IfModule mod_headers.c>
  Header set X-XSS-Protection "1; mode=block"
 </IfModule>

 ############################
 # Performance Optimization #
 ############################

 # Leverage Browser Caching by setting HTTP header expires
 <IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType image/jpg "access plus 1 year"
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/pdf "access plus 1 month"
    ExpiresByType text/x-javascript "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType text/javascript "access plus 1 month"
    ExpiresByType application/x-shockwave-flash "access plus 1 month"
    ExpiresByType image/x-icon "access plus 1 year"
    ExpiresDefault "access plus 2 days"
 </IfModule>

 # Use UTF-8 encoding
 <FilesMatch "\.(htm|html|css|js|php)$">
 AddDefaultCharset UTF-8
 DefaultLanguage en-US
 </FilesMatch>

 # Force the use of UTF-8 encoding
 <IfModule mod_mime.c>
    AddCharset utf-8 .css .js
 </IfModule>

 # Specify a Vary: Accept-Encoding header
 <IfModule mod_headers.c>
  <FilesMatch ".(js|css|xml|gz)$">
    Header append Vary: Accept-Encoding
  </FilesMatch>
 </IfModule>

 # Use the GZIP Apache module
 <ifModule mod_gzip.c> 
    mod_gzip_on Yes 
    mod_gzip_dechunk Yes 
    mod_gzip_item_include file .(html?|txt|css|js|php|pl)$ 
    mod_gzip_item_include handler ^cgi-script$ mod_gzip_item_include mime ^text/.* 
    mod_gzip_item_include mime ^application/x-javascript.* 
    mod_gzip_item_exclude mime ^image/.* 
    mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.* 
 </ifModule> 

 # Enable DEFALTE
 <IfModule mod_deflate.c>
    AddOutputFilter DEFLATE js css
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/x-javascript
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4.0[678] no-gzip
    BrowserMatch bMSIE !no-gzip !gzip-only-text/html
    Header append Vary User-Agent
 </IfModule>

 # Keep alive for persistent connections
 # <IfModule mod_headers.c>
 #    Header set Connection Keep-Alive
 # </IfModule>

 # ==============================================






 # some security rules
 <IfModule mod_rewrite.c>
 RewriteEngine On

 # prevent php execution in uploads
 RewriteRule /uploads/.*\.php - [F]

 # login and signup page protection -- thanks to BulletProof Security
 # reject spambots, hackerbots & proxies that use server protocol HTTP/1.0 or a blank user agent
 RewriteCond %{REQUEST_URI} /wp-(login|signup)\.php
 RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
 RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
 RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
 RewriteRule . - [F]

 # Rules to help reduce spam
 RewriteCond %{REQUEST_METHOD} POST
 RewriteCond %{REQUEST_URI} /wp-comments-post\.php
 #RewriteCond %{HTTP_REFERER} !^.*com.*
 #RewriteCond %{HTTP_REFERER} !^http://jetpack\.wordpress\.com/jetpack-comment/ [OR]
 #RewriteCond %{HTTP_USER_AGENT} ^$
 RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
 RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
 RewriteRule . - [F]

 # stop all access to the XML RPC API (e.g. pingbacks, but also apps!)
 RewriteCond %{REQUEST_URI} /xmlrpc\.php
 # uncomment next line to block bots with no user agent (browser version string)
 #RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
 RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
 RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
 RewriteRule . - [F]

 # common vulnerabilities not permitted, scripts not found in WordPress
 RewriteCond %{REQUEST_URI} /(login\.php|hello\.php|helo\.php|register\.php|tiki-register\.php|doku\.php|signup\.php|reg\.asp|Class/Post\.asp|post\.asp)$
 RewriteRule . - [F]

 # Latest vulnerabilities not permitted
 RewriteCond %{REQUEST_URI} /(helo\.zip|wellsfargo\.zip|sitek\.php|Manix\.php|wp-inc\.php|filez\.zip|ourtime\.zip|wp-app\.php|newfile\.php|other\.php)$
 RewriteRule . - [F]

 # spam botnet mounting some sort of attack
 # @link http://webmasters.stackexchange.com/q/58871/38641
 RewriteCond %{REQUEST_URI} /RK=0/RS=
 RewriteRule . - [F]

 # Stop Crawler Spam
 RewriteCond %{HTTP_REFERER} semalt\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} 100dollars\-seo\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} best\-seo\-solution\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} buttons\-for\-your\-website\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} forum69\.info [NC,OR]
 RewriteCond %{HTTP_REFERER} buttons\-for\-website\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} ranksonic\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} 7makemoneyonline\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} sharebutton\.net [NC,OR]
 RewriteCond %{HTTP_REFERER} sitevaluation\.org [NC,OR]
 RewriteCond %{HTTP_REFERER} dailyrank\.net [NC,OR]
 RewriteCond %{HTTP_REFERER} videos\-for\-your\-business\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} semaltmedia\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} best\-seo\-offer\.com [NC]
 RewriteRule .* - [F]

 # Block attackers by agents
 RewriteCond %{HTTP_USER_AGENT} ^.*WinHttp\.WinHttpRequest\.5.*$
 RewriteRule .* http://%{REMOTE_ADDR}/ [R,L]		
 </IfModule>

 # set correct mime types for some files
 AddType image/svg+xml .svg
 AddType application/font-woff .woff
 AddType application/x-font-ttf .ttf
 AddType application/vnd.ms-fontobject .eot
 AddType application/octet-stream .otf
 AddType text/x-component .htc

 # Secure /uploads/ directory from unwanted file types
 <Files ~ ".*..*">
 Order Allow,Deny
 Deny from all
 </Files>
 <FilesMatch ".(jpg|jpeg|jpe|gif|png|tif|tiff)$">
 Order Deny,Allow
 Allow from all
 </FilesMatch>
	<IfModule mod_headers.c>
	# Use HTTP Strict Transport Security to force client to use secure connections only
	Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
	</IfModule>

	SSLHonorCipherOrder On
	SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
	#SSLProtocol ALL -TLSv1 -SSLv2
	# CVE-2011-3389
	SetEnvIf User-Agent ".MSIE." nokeepalive ssl-unclean-shutdown

	# BEGIN WordPress
	<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteBase /
	RewriteRule ^index.php$ - [L]
	RewriteRule ^login/?$ /wp-login.php [QSA,L]
	RewriteCond %{REQUEST_FILENAME} !-f
	RewriteCond %{REQUEST_FILENAME} !-d
	RewriteRule . /index.php [L]
	</IfModule>

	# END WordPress

	#######################
	# Hardening WordPress #
	#######################

	# <files wp-config.php>
	# Order allow,deny
	# Deny from all
	# </files>

	# <files readme.html>
	# Order allow,deny
	# Deny from all
	# </files>

	# <files license.txt>
	# Order allow,deny
	# Deny from all
	# </files>

	<FilesMatch "^(wp-config.php\|readme.html\|license.txt)">
	Order allow,deny
	Deny from all
	Satisfy All
	</FilesMatch>

	# Block the include-only files.
	<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteBase /
	RewriteRule ^wp-admin/includes/ - [F,L]
	RewriteRule !^wp-includes/ - [S=3]
	RewriteRule ^wp-includes/[^/]+.php$ - [F,L]
	RewriteRule ^wp-includes/js/tinymce/langs/.+.php - [F,L]
	RewriteRule ^wp-includes/theme-compat/ - [F,L]
	</IfModule>

	# Block access to wp-login.php
	# <Files wp-login.php>
	# Order Deny,Allow
	# Deny from all
	# Allow from xx.xx.xx.xx
	# </Files>

	# Block access to the following file types, i.e. filename.type
	<FilesMatch "(^#.*#\|.(bak\|config\|dist\|txt\|zip\|eot\|otf\|ttc\|ttf\|woff\|inc\|phps\|ini\|log\|psd\|sh\|sql)\|~)$">
	Order allow,deny
	Deny from all
	Satisfy All
	</FilesMatch>

	# Disallow directory listing
	<IfModule mod_autoindex.c>
	Options -Indexes
	</IfModule>

	# Block outside domain names from using the POST method
	#<IfModule mod_rewrite.c>
	# RewriteEngine On
	# RewriteCond %{REQUEST_METHOD} POST
	# RewriteCond %{REQUEST_URI} .(wp-comments-post\|wp-login).php*
	# RewriteCond %{HTTP_REFERER} !.domain.com. [OR]
	# RewriteCond %{HTTP_USER_AGENT} ^$
	# RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]
	#</ifModule>

	# Security Headers - X-Content-Type: nosniff
	# https://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx
	<IfModule mod_headers.c>
	Header set X-Content-Type-Options nosniff
	</IfModule>

	# Security Headers - X-Frame-Options
	# Prevents ClickJacking - Prevents an attacker from iframing your content
	# https://blog.mozilla.org/security/2013/12/12/on-the-x-frame-options-security-header/
	# <IfModule mod_headers.c>
	# Header always append X-Frame-Options SAMEORIGIN
	# </IfModule>

	# Security Headers - X-XSS-Protection
	# Protects against some types of XSS (cross-site scripting) attacks
	<IfModule mod_headers.c>
	Header set X-XSS-Protection "1; mode=block"
	</IfModule>

	############################
	# Performance Optimization #
	############################

	# Leverage Browser Caching by setting HTTP header expires
	<IfModule mod_expires.c>
	ExpiresActive On
	ExpiresByType image/jpg "access plus 1 year"
	ExpiresByType image/jpeg "access plus 1 year"
	ExpiresByType image/gif "access plus 1 year"
	ExpiresByType image/png "access plus 1 year"
	ExpiresByType text/css "access plus 1 month"
	ExpiresByType application/pdf "access plus 1 month"
	ExpiresByType text/x-javascript "access plus 1 month"
	ExpiresByType application/javascript "access plus 1 month"
	ExpiresByType text/javascript "access plus 1 month"
	ExpiresByType application/x-shockwave-flash "access plus 1 month"
	ExpiresByType image/x-icon "access plus 1 year"
	ExpiresDefault "access plus 2 days"
	</IfModule>

	# Use UTF-8 encoding
	<FilesMatch "\.(htm\|html\|css\|js\|php)$">
	AddDefaultCharset UTF-8
	DefaultLanguage en-US
	</FilesMatch>

	# Force the use of UTF-8 encoding
	<IfModule mod_mime.c>
	AddCharset utf-8 .css .js
	</IfModule>

	# Specify a Vary: Accept-Encoding header
	<IfModule mod_headers.c>
	<FilesMatch ".(js\|css\|xml\|gz)$">
	Header append Vary: Accept-Encoding
	</FilesMatch>
	</IfModule>

	# Use the GZIP Apache module
	<ifModule mod_gzip.c>
	mod_gzip_on Yes
	mod_gzip_dechunk Yes
	mod_gzip_item_include file .(html?\|txt\|css\|js\|php\|pl)$
	mod_gzip_item_include handler ^cgi-script$ mod_gzip_item_include mime ^text/.*
	mod_gzip_item_include mime ^application/x-javascript.*
	mod_gzip_item_exclude mime ^image/.*
	mod_gzip_item_exclude rspheader ^Content-Encoding:.gzip.
	</ifModule>

	# Enable DEFALTE
	<IfModule mod_deflate.c>
	AddOutputFilter DEFLATE js css
	AddOutputFilterByType DEFLATE text/plain
	AddOutputFilterByType DEFLATE text/html
	AddOutputFilterByType DEFLATE text/xml
	AddOutputFilterByType DEFLATE text/css
	AddOutputFilterByType DEFLATE text/javascript
	AddOutputFilterByType DEFLATE application/xml
	AddOutputFilterByType DEFLATE application/xhtml+xml
	AddOutputFilterByType DEFLATE application/rss+xml
	AddOutputFilterByType DEFLATE application/javascript
	AddOutputFilterByType DEFLATE application/x-javascript
	BrowserMatch ^Mozilla/4 gzip-only-text/html
	BrowserMatch ^Mozilla/4.0[678] no-gzip
	BrowserMatch bMSIE !no-gzip !gzip-only-text/html
	Header append Vary User-Agent
	</IfModule>

	# Keep alive for persistent connections
	# <IfModule mod_headers.c>
	# Header set Connection Keep-Alive
	# </IfModule>

	# ==============================================






	# some security rules
	<IfModule mod_rewrite.c>
	RewriteEngine On

	# prevent php execution in uploads
	RewriteRule /uploads/.*\.php - [F]

	# login and signup page protection -- thanks to BulletProof Security
	# reject spambots, hackerbots & proxies that use server protocol HTTP/1.0 or a blank user agent
	RewriteCond %{REQUEST_URI} /wp-(login\|signup)\.php
	RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
	RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
	RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
	RewriteRule . - [F]

	# Rules to help reduce spam
	RewriteCond %{REQUEST_METHOD} POST
	RewriteCond %{REQUEST_URI} /wp-comments-post\.php
	#RewriteCond %{HTTP_REFERER} !^.com.
	#RewriteCond %{HTTP_REFERER} !^http://jetpack\.wordpress\.com/jetpack-comment/ [OR]
	#RewriteCond %{HTTP_USER_AGENT} ^$
	RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
	RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
	RewriteRule . - [F]

	# stop all access to the XML RPC API (e.g. pingbacks, but also apps!)
	RewriteCond %{REQUEST_URI} /xmlrpc\.php
	# uncomment next line to block bots with no user agent (browser version string)
	#RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
	RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
	RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
	RewriteRule . - [F]

	# common vulnerabilities not permitted, scripts not found in WordPress
	RewriteCond %{REQUEST_URI} /(login\.php\|hello\.php\|helo\.php\|register\.php\|tiki-register\.php\|doku\.php\|signup\.php\|reg\.asp\|Class/Post\.asp\|post\.asp)$
	RewriteRule . - [F]

	# Latest vulnerabilities not permitted
	RewriteCond %{REQUEST_URI} /(helo\.zip\|wellsfargo\.zip\|sitek\.php\|Manix\.php\|wp-inc\.php\|filez\.zip\|ourtime\.zip\|wp-app\.php\|newfile\.php\|other\.php)$
	RewriteRule . - [F]

	# spam botnet mounting some sort of attack
	# @link http://webmasters.stackexchange.com/q/58871/38641
	RewriteCond %{REQUEST_URI} /RK=0/RS=
	RewriteRule . - [F]

	# Stop Crawler Spam
	RewriteCond %{HTTP_REFERER} semalt\.com [NC,OR]
	RewriteCond %{HTTP_REFERER} 100dollars\-seo\.com [NC,OR]
	RewriteCond %{HTTP_REFERER} best\-seo\-solution\.com [NC,OR]
	RewriteCond %{HTTP_REFERER} buttons\-for\-your\-website\.com [NC,OR]
	RewriteCond %{HTTP_REFERER} forum69\.info [NC,OR]
	RewriteCond %{HTTP_REFERER} buttons\-for\-website\.com [NC,OR]
	RewriteCond %{HTTP_REFERER} ranksonic\.com [NC,OR]
	RewriteCond %{HTTP_REFERER} 7makemoneyonline\.com [NC,OR]
	RewriteCond %{HTTP_REFERER} sharebutton\.net [NC,OR]
	RewriteCond %{HTTP_REFERER} sitevaluation\.org [NC,OR]
	RewriteCond %{HTTP_REFERER} dailyrank\.net [NC,OR]
	RewriteCond %{HTTP_REFERER} videos\-for\-your\-business\.com [NC,OR]
	RewriteCond %{HTTP_REFERER} semaltmedia\.com [NC,OR]
	RewriteCond %{HTTP_REFERER} best\-seo\-offer\.com [NC]
	RewriteRule .* - [F]

	# Block attackers by agents
	RewriteCond %{HTTP_USER_AGENT} ^.WinHttp\.WinHttpRequest\.5.$
	RewriteRule .* http://%{REMOTE_ADDR}/ [R,L]
	</IfModule>

	# set correct mime types for some files
	AddType image/svg+xml .svg
	AddType application/font-woff .woff
	AddType application/x-font-ttf .ttf
	AddType application/vnd.ms-fontobject .eot
	AddType application/octet-stream .otf
	AddType text/x-component .htc

	# Secure /uploads/ directory from unwanted file types
	<Files ~ "...">
	Order Allow,Deny
	Deny from all
	</Files>
	<FilesMatch ".(jpg\|jpeg\|jpe\|gif\|png\|tif\|tiff)$">
	Order Deny,Allow
	Allow from all
	</FilesMatch>