HemaLatha

Untitled

Sep 1st, 2011
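  # BULLETPROOF .46.4 >>>>>>> SECURE .HTACCESS

  # If you edit the line of code above you will see error messages on the BPS status page
  # BPS is reading the version number in the htaccess file to validate checks
  # If you would like to change what is displayed above you
  # will need to edit the BPS functions.php file to match your changes
  # For more info see the BPS Guide at AIT-pro.com

  # If you are getting 500 Errors when activating BPS then comment out Options -Indexes
  # Options -Indexes turns off automatic directory listings, so a folder without an
  # index file does not expose its file names.
  Options -Indexes

  # Replace hotlinked images with replacement image
  # Each RewriteCond is an allow-list entry: the image is swapped only when the Referer
  # matches none of the listed sites. An empty Referer is allowed through (direct visits,
  # privacy proxies). The Referer header is supplied by the client, so this saves
  # bandwidth; it is not an access control.
  # ([^/]+\.)? limits the optional sub-domain part to the host name, so a listed domain
  # appearing later in the path of some other site's URL does not count as a match.
  # https? accepts referring pages served over either scheme.
  # /hotlink.jpe deliberately uses an extension the pattern below does not match, so the
  # replacement image is not rewritten again.
  RewriteEngine on
  RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?MainWpBlog\.com/ [NC]
  RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?AnotherSiteInside\.com/ [NC]
  RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?google\.com/ [NC]
  RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?SiteInSomeOtherHosting\.com/ [NC]
  RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?NewBlogNeedsInstallation\.com/ [NC]
  RewriteCond %{HTTP_REFERER} !^$
  RewriteRule .*\.(jpe?g|gif|bmp|png)$ /hotlink.jpe [NC,L]

  # WPSuperCache

  # BEGIN WordPress
  # NOTE(review): both rules in this block end with [L]. A request that WordPress serves
  # through index.php (a permalink, or index.php itself) stops here, so the request-method
  # and query-string filters further down are evaluated only for requests that fall
  # through this block (existing files and directories other than index.php). If the
  # filters are meant to cover WordPress itself, this block has to come after them, and
  # the [S=30] skip counts below then need recounting so they stop short of it.
  <IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  RewriteRule ^index\.php$ - [L]
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /index.php [L]
  </IfModule>
  # END WordPress

  # If you want to add a custom 403 Forbidden page for your website uncomment the
  # ErrorDocument line of code below and copy the ait-pro.com example forbidden
  # HTML page to your correct website folder. See the BPS Help and FAQ page for
  # detailed instructions on how to do this. If your Theme 404 template is named
  # 404.php then you can uncomment the 404 line below now. If your 404 template is
  # named some other file name then change 404.php to the name of your 404 template
  # name and uncomment the 404 line of code below.
  # ErrorDocument 403 /forbidden.html
  ErrorDocument 404 /404.php

  # Plugin conflicts will be handled case by case
  # You can leave the plugin fixes code intact just in case you install one of these plugins
  # at a later time. Thousands of lines of htaccess code can be read in milliseconds
  # so leaving the code intact does not slow down your website performance at all.
  # Thousands of plugins have been tested with BPS and the plugin conflict fixes
  # contained in this BPS master file are permanent fixes for conflicts found with
  # these plugins. If you use AutoMagic to create this file then your correct WordPress installation
  # folder name will be automatically added to the plugin fixes that need a WP folder name.
  # If you choose to manually edit this file instead of using AutoMagic be sure to add your
  # WordPress installation folder name to the fixes that require your WordPress folder name.
  # Your WordPress installation folder name can be found on the System Info page. If you only see
  # a forward slash then you have a root folder installation and do not need to add a folder name.
  #
  # NOTE(review): every fix below is "RewriteRule . - [S=30]", which skips the next 30
  # RewriteRules. Fewer than 30 rules follow in this file, so a request matching any one
  # of these conditions bypasses ALL remaining rules, including FILTER REQUEST METHODS
  # and QUERY STRING EXPLOITS. Each fix is therefore an exemption from the filters, not a
  # neutral compatibility shim. The query-string conditions are unanchored and not tied to
  # a particular script, so the exemption is wider than the plugin each one names.
  # Keeping only the fixes for plugins that are actually installed narrows what is exempt;
  # the exemptions for database and file management tools (adminer, wp-extplorer) deserve
  # the closest look.

  # redirect_to= string fix - fixes issues with plugins that use the redirect_to= string
  RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]
  RewriteRule . - [S=30]

  # Login Plugins Password Reset And Redirect Conflicts Fix 1
  RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC]
  RewriteRule . - [S=30]

  # Login Plugins Password Reset And Redirect Conflicts Fix 2
  RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
  RewriteRule . - [S=30]

  # BuddyPress Logout Redirect fix - skip BPS Filters on Logout link Redirect
  # WordPress 3.0.4 or higher must be installed for this fix to work
  RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
  RewriteRule . - [S=30]

  # Ozh' Admin Drop Down Menu Display Fix
  RewriteCond %{REQUEST_URI} ^/wp-content/plugins/ozh-admin-drop-down-menu/ [NC]
  RewriteRule . - [S=30]

  # ComicPress Manager ComicPress Theme Image Fix
  RewriteCond %{REQUEST_URI} ^/wp-content/plugins/comicpress-manager/ [NC]
  RewriteRule . - [S=30]

  # TimThumb and all other Thumbnailer Images not displaying - Red X instead of Images
  # If your theme uses an image thumbnailer script file this fix will work to display images correctly
  # as long as thumb is part of the file name like timthumb.php, thumb.php, thumbs.php or phpthumb.php
  # NOTE(review): the condition matches "thumb" anywhere in the resolved file path, not
  # only in a thumbnailer script name, and the exempted scripts take their input from the
  # query string that the filters would otherwise inspect. Keep any thumbnailer script
  # patched; this rule means the filters below do not protect it.
  RewriteCond %{REQUEST_FILENAME} ^(.*)thumb(.*)$ [NC]
  RewriteRule ^(.*)$ - [S=30]

  # YAPB Image Display fix
  RewriteCond %{REQUEST_URI} ^/wp-content/plugins/yet-another-photoblog/ [NC]
  RewriteRule . - [S=30]

  # WordPress.com Stats Flash SWF Graph Does Not Load Fix
  RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stats/ [NC]
  RewriteRule . - [S=30]

  # Status Updater plugin fix
  RewriteCond %{REQUEST_URI} ^/wp-content/plugins/fb-status-updater/ [NC]
  RewriteRule . - [S=30]

  # wp-extplorer login fix
  RewriteCond %{REQUEST_URI} ^/wp-content/plugins/wp-extplorer/ [NC]
  RewriteRule . - [S=30]

  # Adminer MySQL management tool fix
  RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC]
  RewriteRule . - [S=30]

  # Peters Custom Anti-Spam Image fix
  RewriteCond %{REQUEST_URI} ^/wp-content/plugins/peters-custom-anti-spam-image/ [NC]
  RewriteRule . - [S=30]

  # Stream Video Player - Adding FLV Videos is Blocked By BPS
  RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stream-video-player/ [NC]
  RewriteRule . - [S=30]

  # FeedWordPress - ?update_feedwordpress= String Blocked
  RewriteCond %{QUERY_STRING} update_feedwordpress=(.*) [NC]
  RewriteRule . - [S=30]

  # XCloner 404 or 403 error when updating settings
  RewriteCond %{REQUEST_URI} ^/wp-content/plugins/xcloner-backup-and-restore/ [NC]
  RewriteRule . - [S=30]

  # podPress rewrite ?feed=podcast as /feed/podcast
  # If you are using a custom slug then add the slug name to the rewriterule
  # RewriteRule (.*) /feed/custom-slug-name/$1? [R=301,L]
  # The trailing "?" in each substitution drops the original query string from the redirect.
  RewriteCond %{QUERY_STRING} feed=podcast [NC]
  RewriteRule (.*) /feed/podcast/$1? [R=301,L]

  # podPress rewrite ?feed=enhancedpodcast as /feed/enhancedpodcast
  # If you are using a custom slug then add the slug name to the rewriterule
  # RewriteRule (.*) /feed/custom-slug-name/$1? [R=301,L]
  RewriteCond %{QUERY_STRING} feed=enhancedpodcast [NC]
  RewriteRule (.*) /feed/enhancedpodcast/$1? [R=301,L]

  # podPress rewrite ?feed=torrent as /feed/torrent
  # If you are using a custom slug then add the slug name to the rewriterule
  # RewriteRule (.*) /feed/custom-slug-name/$1? [R=301,L]
  RewriteCond %{QUERY_STRING} feed=torrent [NC]
  RewriteRule (.*) /feed/torrent/$1? [R=301,L]

  # podPress rewrite ?feed=premium as /feed/premium
  # If you are using a custom slug then add the slug name to the rewriterule
  # RewriteRule (.*) /feed/custom-slug-name/$1? [R=301,L]
  # The condition previously read feed=premimum, which never matches ?feed=premium.
  RewriteCond %{QUERY_STRING} feed=premium [NC]
  RewriteRule (.*) /feed/premium/$1? [R=301,L]

  # FILTER REQUEST METHODS
  # Answers 403 to HEAD, TRACE, DELETE and TRACK requests.
  # NOTE(review): HEAD is a routine method used by link checkers, uptime monitors and
  # some crawlers; refusing it can produce false "site down" alerts. TRACE can also be
  # switched off server-wide with TraceEnable off where the main server config is editable.
  RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
  RewriteRule ^(.*)$ - [F,L]

  # QUERY STRING EXPLOITS
  # Answers 403 when the query string matches any pattern below (the conditions are OR-ed).
  # Scope: only %{QUERY_STRING} is inspected. POST bodies, cookies, headers and the URL
  # path are not, and the patterns run against the query string as received, so input
  # that is encoded differently is not necessarily caught. Treat this as one
  # defence-in-depth layer; it does not replace patching WordPress, themes and plugins.
  # Side effects: the keyword list is unanchored, so ordinary parameters containing words
  # such as "order", "update", "set" or "select", any tag= parameter, and any parameter
  # carrying an http: or https: URL are refused as well. Check the 403 entries in the
  # access log for legitimate requests after enabling.
  RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
  RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
  RewriteCond %{QUERY_STRING} tag\= [NC,OR]
  RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
  RewriteCond %{QUERY_STRING} http\: [NC,OR]
  RewriteCond %{QUERY_STRING} https\: [NC,OR]
  RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
  RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
  RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
  RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
  RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
  RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
  RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
  RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
  RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
  RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
  RewriteCond %{QUERY_STRING} ^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|delete|create|alter|update|order|char|set|cast|convert|meta|script|truncate).* [NC]
  RewriteRule ^(.*)$ - [F,L]

  # Deny Access to wp-config.php, bb-config.php, /wp-admin/install.php, all .htaccess files
  # php.ini, php5.ini and the WordPress readme.html installation file.
  # To allow ONLY yourself access to these files add your current IP address below to the
  # Allow from line of code (and to the Require ip line) and remove the # sign in front
  # of it to uncomment it.
  # The first IfModule covers Apache 2.4 (mod_authz_core); the second keeps the original
  # Deny/Allow directives for Apache 2.2, where mod_authz_core does not exist. Without
  # this split, Deny from all is a configuration error on a 2.4 server that lacks
  # mod_access_compat.
  # The pattern is anchored at the start of the file name only, so it also covers names
  # that merely begin with one of the listed names.
  <FilesMatch "^(wp-config\.php|install\.php|\.htaccess|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
    <IfModule mod_authz_core.c>
      Require all denied
      # Require ip 11.11.11.11
    </IfModule>
    <IfModule !mod_authz_core.c>
      Deny from all
      # Allow from 11.11.11.11
    </IfModule>
  </FilesMatch>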