# =====================================
# BASIC SECURITY HARDENING
# =====================================

# Refuse every HTTP request for WordPress's main configuration file.
# "Require all denied" is Apache 2.4 authorization syntax (mod_authz_core).
<Files "wp-config.php">
    Require all denied
</Files>

# Refuse every HTTP request for this rules file itself, so its contents
# cannot be read over the web. This controls serving only; it does not
# affect who can write the file on disk.
<Files ".htaccess">
    Require all denied
</Files>

# Disable directory browsing: with -Indexes, a request for a directory that
# has no index file gets an error instead of an auto-generated file listing.
# NOTE(review): Options in .htaccess only works when the server config allows
# it via AllowOverride; confirm on this host.
Options -Indexes

# Refuse requests for files whose name reveals configuration, dependency or
# version details. The expression is matched against the file name and is not
# anchored at the end, so any name containing one of the alternatives is
# denied; "^\." covers every dotfile (for example .htaccess).
<FilesMatch "^\.|wp-config\.php|composer\.(?:json|lock)|package\.json|readme\.html|license\.txt|xmlrpc\.php">
    Require all denied
</FilesMatch>

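# =====================================
# DISABLE PHP EXECUTION IN UPLOADS & INCLUDES
# =====================================
# Refuses direct HTTP requests for script files in directories that should
# only hold user data or library code. The original note describes this as
# crucial against the "Chinese Shop" malware: it limits where a dropped
# script can be requested, it does not clean up an existing infection.
#
# Limits of this approach:
#  - The rules sit inside <IfModule mod_rewrite.c>, so they are skipped
#    silently (fail open) if mod_rewrite is not loaded.
#  - Rewrite rules in a subdirectory's own .htaccess take precedence over
#    these inherited ones unless "RewriteOptions Inherit" is set there.
#    Turning off the PHP handler for the uploads directory in the server or
#    vhost configuration is the stronger control.

<IfModule mod_rewrite.c>
RewriteEngine On

# Block script requests under uploads (user files).
# [NC] makes the extension match case-insensitive; the alternation also
# covers .php5/.php7, .phtml and .phar, which some handler configurations
# execute; (?:/|$) keeps the rule matching when path info follows the script
# name. Side effect: a directory whose name ends in one of these extensions
# is blocked as well.
RewriteRule ^wp-content/uploads/.*\.(?:php\d*|phtml|phar)(?:/|$) - [F,L,NC]

# Block direct requests to PHP files in wp-includes.
# The previous pattern, ^wp-includes/(?!css|js|images)/.*\.php$, placed a
# zero-width lookahead directly before a literal "/", so it could only match
# "wp-includes//..." and never fired for ordinary URLs. The three rules below
# are the wp-includes patterns from the WordPress hardening guide.
# NOTE(review): the first rule also refuses wp-includes/ms-files.php, which
# older multisite installs request directly; confirm before using it there.
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# Block access to xmlrpc.php (used for brute force attacks).
# The FilesMatch rule in the basic hardening section already denies this
# file; this rule repeats it at the rewrite layer.
# NOTE(review): clients that rely on XML-RPC (remote publishing, some
# plugins) stop working; confirm none are in use.
RewriteRule ^xmlrpc\.php$ - [F,L]
</IfModule>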

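# =====================================
# BLOCK COMMON EXPLOITS
# =====================================
# Deny-list filter on the raw query string. The four conditions are joined
# with [OR], so any single match sends the request to the final rule, which
# answers 403. This is defense in depth only: it inspects %{QUERY_STRING},
# not request bodies, cookies or headers, and it is skipped entirely if
# mod_rewrite is not loaded.

<IfModule mod_rewrite.c>
RewriteEngine On

# Block base64 injections.
# [NC] added: PHP function names are case-insensitive, so the match should
# be too.
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [NC,OR]

# Block script injections (literal or percent-encoded angle brackets).
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]

# Block GLOBALS & _REQUEST.
# %{QUERY_STRING} is not URL-decoded, so the original (=|\[) alternatives
# did not match a percent-encoded "=" or "["; the third alternative covers
# a following percent-escape.
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})

# Any request that met one of the conditions above is refused.
RewriteRule .* - [F,L]
</IfModule>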

# =====================================
# WORDPRESS CORE RULES
# =====================================
# Front-controller routing: any request that does not map to an existing
# file or directory is handed to /index.php.
# NOTE(review): these directives are identical to the generated block between
# "# BEGIN WordPress" and "# END WordPress" later in this file. This copy runs
# first and is not maintained by WordPress, so the two can drift apart.

<IfModule mod_rewrite.c>
RewriteEngine On
# Copy the Authorization request header into the HTTP_AUTHORIZATION
# environment variable; the "-" substitution leaves the URL unchanged.
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
# A request for index.php itself is final: stop processing rules here.
RewriteRule ^index\.php$ - [L]
# Only rewrite when the request is not an existing file (!-f) ...
RewriteCond %{REQUEST_FILENAME} !-f
# ... and not an existing directory (!-d).
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# =====================================
# BROWSER CACHING (Performance)
# =====================================
# Sets cache lifetimes per MIME type, counted from the time of the client's
# request ("access"). Applied only when mod_expires is loaded.
<IfModule mod_expires.c>
    ExpiresActive On

    # Images and icons: one year
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/jpg "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/x-icon "access plus 1 year"

    # Stylesheets, scripts and PDF documents: one month
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType text/javascript "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType application/x-javascript "access plus 1 month"
    ExpiresByType application/pdf "access plus 1 month"
</IfModule>
# NOTE(review): the directives in the managed block below are identical to the
# hand-written "WORDPRESS CORE RULES" section earlier in this file.
# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

# Wordfence WAF
<Files ".user.ini">
<IfModule mod_authz_core.c>
	Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
	Order deny,allow
	Deny from