Improved security

Riccardo · May 13, 2022, 4:11am

They are a simple collection of htaccess rules collected from the best and even unknown blogs on WP. They work great on my servers and sites, although at first glance it may seem otherwise, they are more effective than any security plugin for WP, at least from my experience. I already know that in some cases some rules might conflict with badly configured serverr. They only work with apache and modrewite. I list them so that those in charge can analyze and test them. I hope it will be useful for the project given the extreme importance of security. It had been made a plugin then abandoned “WP Firewall”. Below are the latest updated rules and my advice is to make it a plugin and not in the core so that you can apply the desired rules at will and disable only some in case they give problems on some servers:

#----------------------------------------------------------------------------

Allow SEO File

#----------------------------------------------------------------------------

Allow access to robot

order deny,allow allow from all

Allow access to ads

order deny,allow allow from all

Allow access to sitemap

order deny,allow allow from all

#--------------------------------------------------------------------------

Security Basic

#--------------------------------------------------------------------------

block direct access to your plugin and theme

RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(..php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(..php)$ - [R=404,L]

Block Include-Only Files

RewriteEngine On RewriteBase / RewriteRule ^wp-admin/includes/ - [F,L] RewriteRule !^wp-includes/ - [S=3] RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L] RewriteRule ^wp-includes/theme-compat/ - [F,L]

block direct access to your wp-include

RewriteCond %{REQUEST_URI} !^/wp-includes/file/to/exclude.php
RewriteCond %{REQUEST_URI} !^/wp-includes/directory/to/exclude/
RewriteRule wp-includes/(.*.php)$ - [R=404,L]

block direct access to your uploads

RewriteCond %{REQUEST_URI} !^/wp-content/uploads/file/to/exclude.php
RewriteCond %{REQUEST_URI} !^/wp-content/uploads/directory/to/exclude/
RewriteRule wp-content/uploads/(.*.php)$ - [R=404,L]

#-----------------------------------------------------------------------------------
#security plugin and theme
#-----------------------------------------------------------------------------------

Restricts access to PHP files from plugin and theme directories

RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(..php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(..php)$ - [R=404,L]

#-----------------------------------------------------------------------------------
#security index
#-----------------------------------------------------------------------------------

Disable directory browsing

Options All -Indexes

BEGIN block author scans

RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]

END block author scans

#block user scan
RewriteCond %{QUERY_STRING} author=d
RewriteRule ^ /? [L,R=301]

Stop Username Enumeration Attacks

RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule .* - [R=403,L]

Block User list Phishing Requests

RewriteCond %{QUERY_STRING} ^author=([0-9]*) RewriteRule .* https://classicpress.it/? [L,R=302]

remove slash if not directory

RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} /$
RewriteRule (.*)/ $1 [R=301,L]

Don’t list directories

Options -Indexes

remove index

Options +FollowSymLinks -MultiViews -indexes
RewriteEngine On
RewriteBase /
RewriteCond %{THE_REQUEST} /index(.php)?[\s?/] [NC]
RewriteRule ^(.*?)index(/|$) /$1 [L,R=301,NC,NE]

remove index and slash if not directory

Options +FollowSymLinks -MultiViews -indexes
RewriteEngine On
RewriteBase /
RewriteRule (.)/index$ $1/ [R=302]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} /$
RewriteRule (.)/ $1 [R=301,L]

#-----------------------------------------------------------------------------------
#security bad bot
#-----------------------------------------------------------------------------------

#Block bad hackers
SetEnvIfNoCase User-Agent “^libwww-perl*” block_bad_bots
Deny from env=block_bad_bots

deny access to evil robots site rippers offline browsers and other nasty scum

RewriteBase /
RewriteCond %{HTTP_USER_AGENT} ^Anarchie [OR]
RewriteCond %{HTTP_USER_AGENT} ^ASPSeek [OR]
RewriteCond %{HTTP_USER_AGENT} ^attach [OR]
RewriteCond %{HTTP_USER_AGENT} ^autoemailspider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xenu [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus.Webster [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^. - [F,L]

#-----------------------------------------------------------------------------------
#securty cross site scripting
#-----------------------------------------------------------------------------------

Blocks some XSS attacks

RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR] RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) RewriteRule .* index.php [F,L]

#--------------------------------------------------------------------------

Security iniectons and Requests

#--------------------------------------------------------------------------

Protect against SQL Injection

RewriteCond %{QUERY_STRING} (eval\() [NC,OR] RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR] RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR] RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR] RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR] RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR] RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,22}(=|%3D) [NC,OR] RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR] RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|exec|insert|md5|select|union) [NC] RewriteRule .* - [F]

Block Nuisance Requests for Non-Existent Files

RedirectMatch 403 (?i)\.php\.suspected RedirectMatch 403 (?i)apple-app-site-association RedirectMatch 403 (?i)/autodiscover/autodiscover.xml

Block really Long Request

RewriteCond %{REQUEST_METHOD} .* [NC] RewriteCond %{THE_REQUEST} (YesThisIsAReallyLongRequest|ScanningForResearchPurpose) [NC,OR] RewriteCond %{QUERY_STRING} (YesThisIsAReallyLongRequest|ScanningForResearchPurpose) [NC] RewriteRule .* - [F,L]

deny access to evil robots site rippers offline browsers and other nasty scum

RewriteBase /
RewriteCond %{HTTP_USER_AGENT} ^Anarchie [OR]
RewriteCond %{HTTP_USER_AGENT} ^ASPSeek [OR]
RewriteCond %{HTTP_USER_AGENT} ^attach [OR]
RewriteCond %{HTTP_USER_AGENT} ^autoemailspider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xenu [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus.Webster [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^. - [F,L]

#-----------------------------------------------------------------------------------
#security spam
#-----------------------------------------------------------------------------------

#block spam comment
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post.php*
RewriteCond %{HTTP_REFERER} !.yourblog.com. [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]

block comment spam by denying access to no-referrer requests

RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post.php*
RewriteCond %{HTTP_REFERER} !.wparena.com. [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule ^(.*)$ ^http://the-site-where-you-want-to-send-spammers.com/$ [R=301,L]

#-----------------------------------------------------------------------------------
#security file injections
#-----------------------------------------------------------------------------------

File injection protection

RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(..//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http%3A%2F%2F [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]

#block php file and esecution
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(..php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(..php)$ - [R=404,L]

#----------------------------------------------------------------------------

Security file

#----------------------------------------------------------------------------

Block access to file

<FilesMatch “.(.php|php.ini|/.[hH][tT][aApP]txt|md|exe|sh|bak|inc|pot|po|mo|log|sql|(.).ttf|(.).bak)$”>
order deny,allow
deny from all

No access to the install.php