
Commit 2c9e668

author
Jordalgo
committed
first commit
Change-Id: Ie7968454a249cefe5228a8792dab271adc75946a
0 parents  commit 2c9e668


62 files changed

+5001
-0
lines changed

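--- a/.ftppass
+++ b/.ftppass
@@ -0,0 +1,6 @@
+{
+"key1": {
+"username": "",
+"password": ""
+}
+}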
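Review bot: Committing `.ftppass` to the repository, even with empty `username`/`password` values, almost guarantees that real deployment credentials get filled in and pushed in a later commit; the `.gitignore` added in this same commit excludes `wp-config.php` but says nothing about this file. Keep the empty template under a name such as `.ftppass.example` and list `.ftppass` itself in `.gitignore`, so the populated copy can never reach version control. The file name suggests plain-FTP deployment credentials; if that is what consumes it, the password also travels in cleartext on every deploy, so SFTP/FTPS is worth considering where the host supports it.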

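--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,9 @@
+wordpress/
+vendor/
+wp-content/plugins/
+wp-content/uploads/
+node_modules/
+wp-config.php
+wp-content/themes/default/library/build
+.DS_Store
+**/.DS_Store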
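Review bot: The ignore list protects `wp-config.php` but not `.ftppass`, a credentials file that this same commit adds with empty `username`/`password` fields; the first time someone fills it in, the deployment password gets committed. Add a line `.ftppass` next to `wp-config.php` and keep only a `.ftppass.example` template tracked. Minor: `**/.DS_Store` already covers `.DS_Store` in every directory, so the bare `.DS_Store` entry is redundant and can be dropped.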

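--- a/.htaccess
+++ b/.htaccess
@@ -0,0 +1,327 @@
+# Block the include-only files.
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteBase /
+RewriteRule ^wp-admin/includes/ - [F,L]
+RewriteRule !^wp-includes/ - [S=3]
+RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
+RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
+RewriteRule ^wp-includes/theme-compat/ - [F,L]
+</IfModule>
+
+# Custom php.ini - this needs configuration for each site
+#<IfModule mod_suphp.c>
+#suPHP_ConfigPath /home/apjp
+#<Files php.ini>
+#order allow,deny
+#deny from all
+#</Files>
+#</IfModule>
+
+# BEGIN All In One WP Security
+#AIOWPS_BASIC_HTACCESS_RULES_START
+<Files .htaccess>
+order allow,deny
+deny from all
+</Files>
+ServerSignature Off
+LimitRequestBody 10240000
+<Files wp-config.php>
+order allow,deny
+deny from all
+</Files>
+#AIOWPS_BASIC_HTACCESS_RULES_END
+
+#AIOWPS_DISABLE_INDEX_VIEWS_START
+Options -Indexes
+#AIOWPS_DISABLE_INDEX_VIEWS_END
+
+#AIOWPS_DISABLE_TRACE_TRACK_START
+RewriteEngine On
+RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
+RewriteRule .* - [F]
+#AIOWPS_DISABLE_TRACE_TRACK_END
+
+#AIOWPS_FORBID_PROXY_COMMENTS_START
+#RewriteCond %{REQUEST_METHOD} =POST
+#RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
+#RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
+#RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
+#RewriteRule .* - [F,NS,L]
+#AIOWPS_FORBID_PROXY_COMMENTS_END
+
+#AIOWPS_DENY_BAD_QUERY_STRINGS_START
+RewriteCond %{QUERY_STRING} tag= [NC,OR]
+RewriteCond %{QUERY_STRING} ftp: [NC,OR]
+RewriteCond %{QUERY_STRING} http: [NC,OR]
+RewriteCond %{QUERY_STRING} https: [NC,OR]
+RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
+RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
+RewriteCond %{QUERY_STRING} (\;|'|\"|%22).*(request|insert|union|declare|drop) [NC]
+RewriteRule ^(.*)$ - [F,L]
+#AIOWPS_DENY_BAD_QUERY_STRINGS_END
+
+#AIOWPS_ADVANCED_CHAR_STRING_FILTER_START
+<IfModule mod_alias.c>
+RedirectMatch 403 \,
+RedirectMatch 403 \:
+RedirectMatch 403 \;
+RedirectMatch 403 \=
+RedirectMatch 403 \@
+RedirectMatch 403 \[
+RedirectMatch 403 \]
+RedirectMatch 403 \^
+RedirectMatch 403 \`
+RedirectMatch 403 \{
+RedirectMatch 403 \}
+RedirectMatch 403 \~
+RedirectMatch 403 \"
+RedirectMatch 403 \$
+RedirectMatch 403 \<
+RedirectMatch 403 \>
+RedirectMatch 403 \|
+RedirectMatch 403 \.\.
+RedirectMatch 403 \%0
+RedirectMatch 403 \%A
+RedirectMatch 403 \%B
+RedirectMatch 403 \%C
+RedirectMatch 403 \%D
+RedirectMatch 403 \%E
+RedirectMatch 403 \%F
+RedirectMatch 403 \%22
+RedirectMatch 403 \%27
+RedirectMatch 403 \%28
+RedirectMatch 403 \%29
+RedirectMatch 403 \%3C
+RedirectMatch 403 \%3E
+RedirectMatch 403 \%3F
+RedirectMatch 403 \%5B
+RedirectMatch 403 \%5C
+RedirectMatch 403 \%5D
+RedirectMatch 403 \%7B
+RedirectMatch 403 \%7C
+RedirectMatch 403 \%7D
+# COMMON PATTERNS
+Redirectmatch 403 \_vpi
+RedirectMatch 403 \.inc
+Redirectmatch 403 xAou6
+Redirectmatch 403 db\_name
+Redirectmatch 403 select\(
+Redirectmatch 403 convert\(
+Redirectmatch 403 \/query\/
+RedirectMatch 403 ImpEvData
+Redirectmatch 403 \.XMLHTTP
+Redirectmatch 403 proxydeny
+RedirectMatch 403 function\.
+Redirectmatch 403 remoteFile
+Redirectmatch 403 servername
+Redirectmatch 403 \&rptmode\=
+Redirectmatch 403 sys\_cpanel
+RedirectMatch 403 db\_connect
+RedirectMatch 403 doeditconfig
+RedirectMatch 403 check\_proxy
+Redirectmatch 403 system\_user
+Redirectmatch 403 \/\(null\)\/
+Redirectmatch 403 clientrequest
+Redirectmatch 403 option\_value
+RedirectMatch 403 ref\.outcontrol
+# SPECIFIC EXPLOITS
+RedirectMatch 403 errors\.
+RedirectMatch 403 config\.
+RedirectMatch 403 include\.
+RedirectMatch 403 display\.
+RedirectMatch 403 register\.
+Redirectmatch 403 password\.
+RedirectMatch 403 maincore\.
+RedirectMatch 403 authorize\.
+Redirectmatch 403 macromates\.
+RedirectMatch 403 head\_auth\.
+RedirectMatch 403 submit\_links\.
+RedirectMatch 403 change\_action\.
+Redirectmatch 403 com\_facileforms\/
+RedirectMatch 403 admin\_db\_utilities\.
+RedirectMatch 403 admin\.webring\.docs\.
+Redirectmatch 403 Table\/Latest\/index\.
+</IfModule>
+#AIOWPS_ADVANCED_CHAR_STRING_FILTER_END
+
+#AIOWPS_ENABLE_BRUTE_FORCE_PREVENTION_START (may need to reset this http cookie per site)
+RewriteEngine On
+RewriteCond %{REQUEST_URI} (wp-admin|wp-login)
+RewriteCond %{HTTP_COOKIE} !roloperlow= [NC]
+RewriteCond %{HTTP_COOKIE} !aiowps_cookie_test_5fuhy5c3fa= [NC]
+RewriteRule .* http://127.0.0.1 [L]
+#AIOWPS_ENABLE_BRUTE_FORCE_PREVENTION_END
+
+#AIOWPS_PREVENT_IMAGE_HOTLINKS_START
+<IfModule mod_rewrite.c>
+RewriteEngine on
+RewriteCond %{HTTP_REFERER} !^$
+RewriteCond %{REQUEST_FILENAME} -f
+RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
+RewriteCond %{HTTP_REFERER} !^http(s)?://(.*)?\.?{%= siteaddress %}\.com [NC]
+RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]
+</IfModule>
+#AIOWPS_PREVENT_IMAGE_HOTLINKS_END
+
+#AIOWPS_BLOCK_SPAMBOTS_START
+<IfModule mod_rewrite.c>
+RewriteCond %{REQUEST_METHOD} POST
+RewriteCond %{REQUEST_URI} ^(.*)?wp-comments-post\.php(.*)$
+RewriteCond %{HTTP_REFERER} !^http(s)?://(.*)?\.{%= siteaddress %}\.com [NC,OR]
+RewriteCond %{HTTP_USER_AGENT} ^$
+RewriteRule .* http://127.0.0.1 [L]
+</IfModule>
+#AIOWPS_BLOCK_SPAMBOTS_END
+
+#AIOWPS_LOGIN_WHITELIST_START
+#<FilesMatch "^(wp-login\.php)">
+#Order Allow,Deny
+#Allow from {%= siteaddress %}
+#Allow from 192.254.186.151
+#Allow from 67.86.250.42
+#</FilesMatch>
+#AIOWPS_LOGIN_WHITELIST_END
+
+#AIOWPS_FIVE_G_BLACKLIST_START
+# 5G BLACKLIST/FIREWALL (2013)
+# @ http://perishablepress.com/5g-blacklist-2013/
+
+# 5G:[QUERY STRINGS]
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteBase /
+RewriteCond %{QUERY_STRING} (\"|%22).*(<|>|%3) [NC,OR]
+RewriteCond %{QUERY_STRING} (javascript:).*(\;) [NC,OR]
+RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3) [NC,OR]
+RewriteCond %{QUERY_STRING} (\\|\.\./|`|='$|=%27$) [NC,OR]
+RewriteCond %{QUERY_STRING} (\;|'|\"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if) [NC,OR]
+RewriteCond %{QUERY_STRING} (base64_encode|localhost|mosconfig) [NC,OR]
+RewriteCond %{QUERY_STRING} (boot\.ini|echo.*kae|etc/passwd) [NC,OR]
+RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC]
+RewriteRule .* - [F]
+</IfModule>
+
+# 5G:[USER AGENTS]
+<IfModule mod_setenvif.c>
+# SetEnvIfNoCase User-Agent ^$ keep_out
+SetEnvIfNoCase User-Agent (binlar|casper|cmsworldmap|comodo|diavol|dotbot|feedfinder|flicky|ia_archiver|jakarta|kmccrew|nutch|planetwork|purebot|pycurl|skygrid|sucker|turnit|vikspider|zmeu) keep_out
+<limit GET POST PUT>
+Order Allow,Deny
+Allow from all
+Deny from env=keep_out
+</limit>
+</IfModule>
+
+# 5G:[REQUEST STRINGS]
+<IfModule mod_alias.c>
+RedirectMatch 403 (https?|ftp|php)\://
+RedirectMatch 403 /(https?|ima|ucp)/
+RedirectMatch 403 /(Permanent|Better)$
+RedirectMatch 403 (\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$
+RedirectMatch 403 (\,|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\||\\\"\\\")
+RedirectMatch 403 \.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$
+RedirectMatch 403 /(contac|fpw|install|pingserver|register)\.php$
+RedirectMatch 403 (base64|crossdomain|localhost|wwwroot|e107\_)
+RedirectMatch 403 (eval\(|\_vti\_|\(null\)|echo.*kae|config\.xml)
+RedirectMatch 403 \.well\-known/host\-meta
+RedirectMatch 403 /function\.array\-rand
+RedirectMatch 403 \)\;\$\(this\)\.html\(
+RedirectMatch 403 proc/self/environ
+RedirectMatch 403 msnbot\.htm\)\.\_
+RedirectMatch 403 /ref\.outcontrol
+RedirectMatch 403 com\_cropimage
+RedirectMatch 403 indonesia\.htm
+RedirectMatch 403 \{\$itemURL\}
+RedirectMatch 403 function\(\)
+RedirectMatch 403 labels\.rdf
+RedirectMatch 403 /playing.php
+RedirectMatch 403 muieblackcat
+</IfModule>
+
+# 5G:[REQUEST METHOD]
+<ifModule mod_rewrite.c>
+RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
+RewriteRule .* - [F]
+</IfModule>
+
+#5G: [HUMANS.TXT]
+<IfModule mod_rewrite.c>
+RewriteCond %{QUERY_STRING} http\:\/\/www\.google\.com\/humans\.txt\? [NC]
+RewriteRule .* - [F,L]
+</IfModule>
+
+#AIOWPS_FIVE_G_BLACKLIST_END
+
+# END All In One WP Security
+
+# BEGIN WordPress
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteBase /
+RewriteRule ^index\.php$ - [L]
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteCond %{REQUEST_FILENAME} !-d
+RewriteRule . /index.php [L]
+</IfModule>
+# END WordPress
+
+#Enable GZIP Compress
+<IfModule mod_deflate.c>
+AddOutputFilterByType DEFLATE text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/json
+</IfModule>
+# END GZIP
+
+#Enable Keep Alive
+<ifModule mod_headers.c>
+Header set Connection keep-alive
+</ifModule>
+#End Keep Alive
+
+# BEGIN Expire headers
+<ifModule mod_expires.c>
+ExpiresActive On
+ExpiresDefault "access plus 1 seconds"
+ExpiresByType image/x-icon "access plus 2592000 seconds"
+ExpiresByType image/jpeg "access plus 2592000 seconds"
+ExpiresByType image/png "access plus 2592000 seconds"
+ExpiresByType image/gif "access plus 2592000 seconds"
+ExpiresByType application/x-shockwave-flash "access plus 2592000 seconds"
+ExpiresByType text/css "access plus 604800 seconds"
+ExpiresByType text/javascript "access plus 216000 seconds"
+ExpiresByType application/javascript "access plus 216000 seconds"
+ExpiresByType application/x-javascript "access plus 216000 seconds"
+ExpiresByType text/html "access plus 600 seconds"
+ExpiresByType application/xhtml+xml "access plus 600 seconds"
+</ifModule>
+# END Expire headers
+
+# BEGIN Cache-Control Headers
+<ifModule mod_headers.c>
+<filesMatch "\.(ico|jpe?g|png|gif|swf)$">
+Header set Cache-Control "max-age=2592000, public"
+</filesMatch>
+<filesMatch "\.(css)$">
+Header set Cache-Control "max-age=604800, public"
+</filesMatch>
+<filesMatch "\.(js)$">
+Header set Cache-Control "max-age=216000, private"
+</filesMatch>
+<filesMatch "\.(x?html?|php)$">
+Header set Cache-Control "max-age=600, private, must-revalidate"
+</filesMatch>
+</ifModule>
+# END Cache-Control Headers
+
+# BEGIN Turn ETags Off
+<ifModule mod_headers.c>
+Header unset ETag
+</ifModule>
+FileETag None
+# END Turn ETags Off
+
+# BEGIN Remove Last-Modified Header
+<ifModule mod_headers.c>
+Header unset Last-Modified
+</ifModule>
+# END Remove Last-Modified Header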
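Review bot: The brute-force gate at file lines 150–153 turns away every `wp-admin`/`wp-login` request that lacks a `roloperlow=` (or `aiowps_cookie_test_5fuhy5c3fa=`) cookie, so the cookie name is effectively the shared secret guarding the login page, and committing it here — the header comment on line 148 already concedes it "may need to reset" per site — hands that secret to anyone who can read the repository. The file is already templated (`{%= siteaddress %}` on lines 162, 171 and 180), so the cookie name should come from the same untracked per-site values, e.g. `RewriteCond %{HTTP_COOKIE} !{%= bfcookie %}= [NC]`, rather than a fixed string. Note also that the unanchored `(wp-admin|wp-login)` pattern matches `/wp-admin/admin-ajax.php`, so front-end AJAX from logged-out visitors would be redirected to `http://127.0.0.1` unless it carries the cookie — confirm the theme does not depend on that endpoint. Separately, the Apache 2.2-style `order allow,deny` / `deny from all` directives (lines 24–25, 30–31, 210–212) are only understood on Apache 2.4 when mod_access_compat is loaded, so the target host's version should be checked before relying on the `.htaccess` and `wp-config.php` protection.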
