nguyenhappy92

Bảo mật WP bằng htaccess

Nov 22nd, 2018
  1. ########## Begin - Rewrite rules to block out some common exploits
  2. ## If you experience problems on your site block out the operations listed below
  3. ## This attempts to block the most common type of exploit `attempts` to Joomla!
  4. #
  5. # Block out any script trying to set a mosConfig value through the URL
  6. RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
  7. # Block out any script trying to base64_encode crap to send via URL
  8. RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
  9. # Block out any script that includes a <sc ript> tag in URL
  10. RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
  11. # Block out any script trying to set a PHP GLOBALS variable via URL
  12. RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
  13. # Block out any script trying to modify a _REQUEST variable via URL
  14. RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
  15. # Send all blocked request to homepage with 403 Forbidden error!
  16. RewriteRule ^(.*)$ index.php [F,L]
  17. #
  18. ########## End - Rewrite rules to block out some common exploits
  19. <files wp-config.php>
  20. order allow,deny
  21. deny from all
  22. </files>
  23. <files ~ "^.*\.([Hh][Tt][Aa])">
  24. order allow,deny
  25. deny from all
  26. satisfy all
  27. </files>
# Disable automatic directory listings for this directory and everything below it
# (not only wp-includes: .htaccess settings are inherited by sub-directories).
# Requires "AllowOverride Options" (or All) for this path in the server config;
# otherwise Apache rejects the .htaccess with a 500 error.
Options -Indexes
  30. # Block WordPress xmlrpc.php requests
  31. <Files xmlrpc.php>
  32. order deny,allow
  33. deny from all
  34. </Files>
  35. # Blocks some XSS attacks
  36. <IfModule mod_rewrite.c>
  37. RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR]
  38. RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
  39. RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
  40. RewriteRule .* index.php [F,L]
  41. </IfModule>
# Blocks direct HTTP requests for PHP files under wp-admin/includes and wp-includes.
# (The original comment "all wp-includes folders and files" overstates it: static
# assets such as JS/CSS under wp-includes stay reachable, as the front end needs.)
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# Requests NOT under wp-includes/ skip the next three rules ([S=3]). The three
# rules below must therefore stay exactly where they are and in this order.
RewriteRule !^wp-includes/ - [S=3]
# NOTE(review): this pattern also matches wp-includes/ms-files.php, which a
# Multisite install serves uploads through - adjust this rule on Multisite.
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# Restricts direct HTTP access to PHP files inside plugin and theme directories,
# answering 404 ([R=404]) rather than 403 - presumably so the response does not
# confirm that the file exists.
# The four "exclude" conditions are PLACEHOLDERS: replace them with the real paths
# of any plugin/theme file or directory that must remain directly requestable
# (some plugins expose their own PHP endpoints). As written they match nothing,
# so every PHP file under these directories is hidden; test the site afterwards.
# A RewriteCond applies only to the RewriteRule immediately following it, so each
# pair of conditions guards exactly one rule.
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]
  59. # BEGIN block author scans
  60. RewriteEngine On
  61. RewriteBase /
  62. RewriteCond %{QUERY_STRING} (author=\d+) [NC]
  63. RewriteRule .* - [F]
  64. # END block author scans
  65. #disable hotlinking of images with forbidden or custom image option
  66. RewriteEngine on
  67. RewriteCond %{HTTP_REFERER} !^$
  68. RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?<your website> [NC]
  69. RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
  70. RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]
  71. # Custom page
  72. ErrorDocument 404 /404.html
  73. ErrorDocument 403 /403.html
  74. ErrorDocument 500 /500.html
  75. ErrorDocument 501 /501.html
  76. # deny access to evil robots site rippers offline browsers and other nasty scum
  77. RewriteBase /
  78. RewriteCond %{HTTP_USER_AGENT} ^Anarchie [OR]
  79. RewriteCond %{HTTP_USER_AGENT} ^ASPSeek [OR]
  80. RewriteCond %{HTTP_USER_AGENT} ^attach [OR]
  81. RewriteCond %{HTTP_USER_AGENT} ^autoemailspider [OR]
  82. RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
  83. RewriteCond %{HTTP_USER_AGENT} ^Xenu [OR]
  84. RewriteCond %{HTTP_USER_AGENT} ^Zeus.*Webster [OR]
  85. RewriteCond %{HTTP_USER_AGENT} ^Zeus
  86. RewriteRule ^.* - [F,L]
  88. <Files *.php>
  89. Order allow,deny
  90. Deny from all
  91. </Files>