Here’s some basic recipe stuff to put into the top of .htaccess, above WP Super Cache and WordPress rules. Together, they reduce load on the server by compressing static files before sending them, making browsers cache static files, dying quickly on static files 404 errors, and blocking some common hacker / spammer attacks.

htaccess-extras

# v18 2025-04-07
# prevent listing files in folders
Options -Indexes

# some security rules
<IfModule mod_rewrite.c>
RewriteEngine On

# prevent php execution in uploads
RewriteRule /uploads/.*\.php - [F]

# prevent access to script files that don't exist (short-circuit fail, no WordPress)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule \.php$ - [F]

# login and signup page protection -- thanks to BulletProof Security
# reject spambots, hackerbots & proxies that use a blank user agent
RewriteCond %{REQUEST_URI} /wp-(login|signup)\.php
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule . - [F]

# Rules to help reduce spam -- thanks to iThemes Security (ex. Better WP Security)
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php
RewriteCond %{HTTP_REFERER} !^.*com.au.*
RewriteCond %{HTTP_REFERER} !^http://jetpack\.wordpress\.com/jetpack-comment/ [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule . - [F]

# stop all access to the XML RPC API (e.g. pingbacks, but also apps!)
RewriteCond %{REQUEST_URI} /xmlrpc\.php
# uncomment next line to only block bots with no user agent (browser version string)
#RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule . - [F]

# don't allow iterating WordPress users
RewriteCond %{QUERY_STRING} author=[0-9]
# allow back-end access, e.g. export users
RewriteCond %{REQUEST_URI} !^/wp-admin
RewriteRule . - [F]

# common vulnerabilities not permitted, scripts not found in WordPress
RewriteCond %{REQUEST_URI} /(login\.php|register\.php|tiki-register\.php|doku\.php|signup\.php|reg\.asp|Class/Post\.asp|post\.asp|show\.aspx|ogShow\.aspx)$
RewriteRule . - [F]

# spam botnet mounting some sort of attack
# seen on webaware.com.au, webaware.net.au, awri.com.au
# @link http://webmasters.stackexchange.com/q/58871/38641
RewriteCond %{REQUEST_URI} /RK=0/RS=
RewriteRule . - [F]

</IfModule>

# set correct mime types for some files
AddType image/svg+xml .svg
AddType image/webp .webp
AddType application/font-woff .woff
AddType application/x-font-ttf .ttf
AddType application/vnd.ms-fontobject .eot
AddType application/octet-stream .otf
AddType text/x-component .htc

# compress text, javascript, css, xml, fonts:
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/plain text/css text/javascript text/x-component
AddOutputFilterByType DEFLATE application/xml application/rss+xml application/javascript application/x-javascript application/json
AddOutputFilterByType DEFLATE application/x-font-ttf application/vnd.ms-fontobject image/svg+xml
</IfModule>

# long expiry for javascript, css, images, fonts:
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/webp "access plus 1 month"
ExpiresByType image/svg+xml "access plus 1 month"
ExpiresByType text/css "access plus 1 month"
ExpiresByType text/javascript "access plus 1 month"
ExpiresByType application/javascript "access plus 1 month"
ExpiresByType application/x-javascript "access plus 1 month"
ExpiresByType application/font-woff "access plus 1 month"
ExpiresByType application/x-font-ttf "access plus 1 month"
ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
</IfModule>

# shortcut 404 returns for missing static files
# NB: don't use on multisite!
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule \.(?i:jpg|jpeg|png|webp|gif|ico|swf|bmp|js|css)$ - [NC,R=404,L]
</IfModule>