Install and Secure Wordpress .htaccess

Mar 20th, 2013
27
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 7.16 KB | None | 0 0
  1. # Disable Server Signature
  2. ServerSignature Off
  3.  
  4. # Disable Directory Browsing
  5. Options All -Indexes
  6.  
  7. # HTACCESS File Security with Strong pattern matching
  8. <Files ~ "^.*\.([Hh][Tt][Aa])">
  9. Order allow,deny
  10. Deny from all
  11. Satisfy all
  12. </Files>
  13.  
  14. # Protect sensitive files from client-side viewing
  15. <FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|php\.info|bb-config\.php|error_log|error\.log|PHP_errors\.log|\.svn)">
  16. Deny from all
  17. </FilesMatch>
  18.  
#Limit File Uploading to 10MB.
# LimitRequestBody is in bytes and caps every request body (form posts, XML-RPC,
# media uploads), not just file uploads; 10240000 bytes is about 9.8 MiB. PHP's
# own upload_max_filesize / post_max_size limits apply independently of this.
LimitRequestBody 10240000

#Block Empty User-Agents and Referrers
# Disabled. Re-enabling it refuses image requests that carry neither a Referer nor
# a User-Agent (the two conditions are ANDed, there is no [OR]); browsers with a
# strict referrer policy, feed readers and some proxies send none, so expect
# broken images for legitimate visitors rather than a security gain.
#RewriteCond %{HTTP_REFERER} ^$ [NC]
#RewriteCond %{HTTP_USER_AGENT} ^$ [NC]

#RewriteRule ^(.*)\.(ico|gif|jpe?g|jpg|png|bmp|swf)$ - [F,L]
  27.  
  28. #Filter Request Methods
  29. #This filter blocks junk and spam bots from making HEAD requests
  30. #This rule also helps prevent CST and XSS attacks
  31. RewriteEngine On
  32. RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
  33. RewriteRule ^(.*)$ - [F,L]
  34.  
  35. #File injection Protection (rfi and lfi)
  36. RewriteCond %{REQUEST_METHOD} GET
  37. RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
  38. RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
  39. RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http%3A%2F%2F [OR]
  40. RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
  41. RewriteRule .* - [F]
  42.  
  43. # SQLi Protection
  44. Options +FollowSymLinks
  45. RewriteEngine On
  46. RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
  47. RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
  48. RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
  49. RewriteRule ^(.*)$ index.php [F,L]
  50.  
  51. # BEGIN W3TC Browser Cache
  52. <IfModule mod_deflate.c>
  53.     <IfModule mod_setenvif.c>
  54.         BrowserMatch ^Mozilla/4 gzip-only-text/html
  55.         BrowserMatch ^Mozilla/4\.0[678] no-gzip
  56.         BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
  57.         BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
  58.     </IfModule>
  59.     <IfModule mod_headers.c>
  60.         Header append Vary User-Agent env=!dont-vary
  61.     </IfModule>
  62.     <IfModule mod_filter.c>
  63.         AddOutputFilterByType DEFLATE text/css application/x-javascript text/x-component text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon
  64.     </IfModule>
  65. </IfModule>
  66. <FilesMatch "\.(css|js|htc|CSS|JS|HTC)$">
  67.     FileETag None
  68.     <IfModule mod_headers.c>
  69.          Header set X-Powered-By "W3 Total Cache/0.9.2.5"
  70.     </IfModule>
  71. </FilesMatch>
  72. <FilesMatch "\.(html|htm|rtf|rtx|svg|svgz|txt|xsd|xsl|xml|HTML|HTM|RTF|RTX|SVG|SVGZ|TXT|XSD|XSL|XML)$">
  73.     FileETag None
  74.     <IfModule mod_headers.c>
  75.          Header set X-Powered-By "W3 Total Cache/0.9.2.5"
  76.     </IfModule>
  77. </FilesMatch>
  78. <FilesMatch "\.(asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|otf|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|swf|tar|tif|tiff|ttf|ttc|wav|wma|wri|xla|xls|xlsx|xlt|xlw|zip|ASF|ASX|WAX|WMV|WMX|AVI|BMP|CLASS|DIVX|DOC|DOCX|EOT|EXE|GIF|GZ|GZIP|ICO|JPG|JPEG|JPE|MDB|MID|MIDI|MOV|QT|MP3|M4A|MP4|M4V|MPEG|MPG|MPE|MPP|OTF|ODB|ODC|ODF|ODG|ODP|ODS|ODT|OGG|PDF|PNG|POT|PPS|PPT|PPTX|RA|RAM|SVG|SVGZ|SWF|TAR|TIF|TIFF|TTF|TTC|WAV|WMA|WRI|XLA|XLS|XLSX|XLT|XLW|ZIP)$">
  79.     FileETag None
  80.     <IfModule mod_headers.c>
  81.          Header set X-Powered-By "W3 Total Cache/0.9.2.5"
  82.     </IfModule>
  83. </FilesMatch>
  84. # END W3TC Browser Cache
  85.  
  86.  
# Disabled host-based redirect, kept for reference. The backslash escaping in the
# target ("http\:\/\/...") is unnecessary in a RewriteRule substitution.
#RewriteCond %{HTTP_HOST} ^blog\.yakuza112\.org$ [OR]
#RewriteCond %{HTTP_HOST} ^www\.blog\.yakuza112\.org$
#RewriteRule ^/?$ "http\:\/\/scenepirat\.to" [R=301,L]
  90.  
  91.  
  92. <IfModule mod_rewrite.c>
  93. RewriteEngine On
  94.  
  95. ###### SSL Admin  ######
  96. RewriteRule !^/wp-admin/(.*) - [C]
  97. RewriteRule ^/(.*) https://blog.yakuza112.org/$1 [QSA,L]
  98.  
  99. ###### All SSL  ######
  100. #RewriteCond %{SERVER_PORT} 80
  101. #RewriteRule ^(.*)$ https://blog.yakuza112.org/$1 [R,L]
  102.  
  103. ###### User / Pass ######
  104. #AuthUserFile /*******/blog/.htpasswd
  105. #AuthType Basic
  106. #AuthName "123"
  107. #Require valid-user
  108.  
  109. RewriteBase /
  110. ###### www2nowww  ######
  111. #RewriteCond %{HTTP_HOST} ^/[^\.]+[^/]$
  112. #RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1 [R=301,L]
  113.  
  114. RewriteCond %{HTTP_HOST} ^/[^\.]+[^/]$
  115. RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1 [R=301,L]
  116.  
  117. #RewriteCond %{HTTP_HOST} ^([^.]+)\.blog.yakuza112\.org$ [NC]
  118. #RewriteRule ^(.*)$ http://blog.yakuza112.org/$1 [R=301,L]
  119.  
  120. ###### Add a "/" ######
  121. RewriteCond %{REQUEST_URI} ^/[^\.]+[^/]$
  122. RewriteRule ^(.*)$ http://%{HTTP_HOST}/$1/ [R=301,L]
  123. RewriteCond %{REQUEST_FILENAME} !-f
  124. RewriteCond %{REQUEST_FILENAME} !-d
  125. RewriteRule . 404.php/ [L]
  126.  
  127. #RewriteCond %{REQUEST_METHOD} POST
  128. #RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
  129. #RewriteCond %{HTTP_REFERER} !.*blog.yakuza112.org.* [OR]
  130. #RewriteCond %{HTTP_USER_AGENT} ^$
  131. #RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
  132.  
  133. </IfModule>
  134.  
###### Disable Directory Listing ######
# Same effect as the Options line at the top of this file; the repetition is harmless.
Options -Indexes
  137.  
  138. ###### Schutz der wp-config.php, etc. ######
  139. <FilesMatch "(.htaccess|.htpasswd|wp-config.php|install-helper.php|liesmich.html|readme.html)">
  140.   order deny,allow
  141.   deny from all
  142. </FilesMatch>
  143.  
  144. php_flag display_errors off
  145. #php_flag log_errors off
  146. #php_flag register_globals off
  147. #php_flag session.use_trans_sid off
  148.  
# Keep a custom 403 page reachable: a blanket allow for 403.shtml so that no deny
# rule can turn a forbidden response into a second error. Looks like the stanza
# hosting panels add when a custom error page is configured; harmless if no
# 403.shtml exists.
<Files 403.shtml>
order allow,deny
allow from all
</Files>
  153.  
  154. ###### PERISHABLE PRESS 4G BLACKLIST ######
  155. ###### ESSENTIALS ######
  156.  
  157. RewriteEngine on
  158. ServerSignature Off
  159. Options All -Indexes
  160. Options +FollowSymLinks
  161. ###### FILTER REQUEST METHODS ######
  162.  
  163. <IfModule mod_rewrite.c>
  164.  RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
  165.  RewriteRule ^(.*)$ - [F,L]
  166. </IfModule>
  167.  
  168. ###### BLACKLIST CANDIDATES ######
  169. <Limit GET POST PUT>
  170.  Order Allow,Deny
  171.  Allow from all
  172.  Deny from 75.126.85.215   "# blacklist candidate 2008-01-02 = admin-ajax.php attack "
  173.  Deny from 128.111.48.138  "# blacklist candidate 2008-02-10 = cryptic character strings "
  174.  Deny from 87.248.163.54   "# blacklist candidate 2008-03-09 = block administrative attacks "
  175.  Deny from 84.122.143.99   "# blacklist candidate 2008-04-27 = block clam store loser "
  176.  Deny from 210.210.119.145 "# blacklist candidate 2008-05-31 = block _vpi.xml attacks "
  177.  Deny from 66.74.199.125   "# blacklist candidate 2008-10-19 = block mindless spider running "
  178.  Deny from 203.55.231.100  "# 1048 attacks in 60 minutes"
  179.  Deny from 24.19.202.10    "# 1629 attacks in 90 minutes"
  180. </Limit>
  181.  
  182. ###### QUERY STRING EXPLOITS ######
  183. <IfModule mod_rewrite.c>
  184.  RewriteCond %{QUERY_STRING} ../    [NC,OR]
  185.  RewriteCond %{QUERY_STRING} boot.ini [NC,OR]
  186. #RewriteCond %{QUERY_STRING} tag=     [NC,OR]
  187. RewriteCond %{QUERY_STRING} ftp:     [NC,OR]
  188.  RewriteCond %{QUERY_STRING} http:    [NC,OR]
  189.  RewriteCond %{QUERY_STRING} https:   [NC,OR]
  190.  RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
  191. # RewriteCond %{QUERY_STRING} ^.*([|]|(|)|<|>|'|"|;|?|*).* [NC,OR]
  192. # RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).* [NC,OR]
  193. RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127.0).* [NC,OR]
  194.  RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
  195.  RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
  196.  RewriteRule ^(.*)$ - [F,L]
  197. </IfModule>
  198.  
###### Directory-wide IP access control ######
# Default policy for this directory: everyone allowed. "Order" is evaluated once per
# scope, so this pair governs every Allow/Deny placed at top level of this file;
# add "deny from" lines below to block addresses. Apache 2.2 syntax; on 2.4 the
# native equivalent is "Require all granted" with "Require not ip ..." inside a
# <RequireAll> block.
Order deny,allow
Allow from all
# Block the following IPs
#deny from 127.1.1.1