Additional security/performance settings for htaccess

Below are some additional rules for your .htaccess file which provide some performance and security measures. Add one block at a time and reload the site after each: a directive your host does not permit through AllowOverride makes Apache answer 500 for the whole site. Note that the Order/Deny directives used below are Apache 2.2 syntax; Apache 2.4 replaces them with "Require all denied" unless mod_access_compat is loaded.

###########################
# Enable Keep-Alive
# https://varvy.com/pagespeed/keep-alive.html
# Note: this header only advertises keep-alive to the client. Whether
# Apache actually keeps connections open is set by KeepAlive and
# KeepAliveTimeout in the main server config, which htaccess cannot
# change. HTTP/1.1 connections are persistent by default anyway, and
# HTTP/2 does not use the Connection header at all.
###########################
<IfModule mod_headers.c>
Header set Connection keep-alive
</IfModule>

###########################
# Turn off ETags (Last-Modified is still sent, which is enough for
# conditional requests on a single server)
# http://davidwalsh.name/yslow-htaccess
###########################
<IfModule mod_headers.c>
Header unset ETag
</IfModule>
FileETag None

###########################
# Expires headers for images and other static resources.
# Caution: ExpiresDefault applies to every content type not listed
# below, including text/html, so dynamically generated pages (which may
# be personalised to a logged-in user) would otherwise be cached for a
# month by browsers and proxies. text/html is therefore set to expire
# immediately.
###########################
<IfModule mod_expires.c>
ExpiresActive on
ExpiresDefault "access plus 1 month"
ExpiresByType text/html "access plus 0 seconds"
ExpiresByType image/x-icon "access plus 1 year"
# Apache serves .jpg files as image/jpeg; "image/jpg" is not a registered type
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType text/css "access plus 1 month"
# Apache's mime.types serves .js as application/javascript
# (older releases used application/x-javascript)
ExpiresByType application/javascript "access plus 1 month"
ExpiresByType application/x-javascript "access plus 1 month"
</IfModule>

###########################
# Protects the htaccess files (.htaccess, .htpasswd and anything
# else with ".hta" in its name). Require is the Apache 2.4 form;
# Order/Deny/Satisfy is for 2.2, or 2.4 with mod_access_compat.
###########################
<Files ~ "^.*\.([Hh][Tt][Aa])">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
Satisfy all
</IfModule>
</Files>

###########################
# Disable directory browsing
# (the original "Options All -Indexes" first switches on every option,
# including Includes and ExecCGI, and fails with a 500 if the host
# restricts which options htaccess may set; only Indexes needs removing)
###########################
Options -Indexes

######################################
# protect the wp-config.php file
# (<Files> matches the file name in any directory; Require is the
# Apache 2.4 form, Order/Deny is for 2.2 or 2.4 with mod_access_compat)
######################################
<Files wp-config.php>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
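Rules in htaccess are silently ignored when the host's AllowOverride does not permit them, so the only way to know the blocks above are in force is to ask the server. The following script is an added example, not part of the original article: it fetches a handful of paths and checks the status codes and headers the rules above should produce. The base URL, the sample paths (a typical WordPress layout) and the expected values are assumptions; adjust them for the site being checked.

```python
"""
Added example, not part of the original article: check over HTTP that the
access-control and caching rules above are actually in force on a deployed
site. The base URL, the sample paths and the expected statuses are
assumptions; adjust them to the site being checked.
"""
import sys
import urllib.error
import urllib.request

# Each check: (path, expected HTTP status, headers that must be present,
#              headers that must be absent). Paths are assumptions about a
#              typical WordPress install.
CHECKS = [
    ("/.htaccess", 403, (), ()),
    ("/.htpasswd", 403, (), ()),
    ("/wp-config.php", 403, (), ()),
    # a directory with no index file (the uploads folder ships without one):
    # with Options -Indexes Apache answers 403, a 200 would be a listing
    ("/wp-content/uploads/", 403, (), ()),
    # a static asset: mod_expires must add Expires/Cache-Control, ETag must be gone
    ("/wp-includes/images/w-logo-blue.png", 200, ("Expires", "Cache-Control"), ("ETag",)),
]


def evaluate(check, status, headers):
    """Compare one response against a check; return a list of problem strings.

    headers maps header name -> value; names are compared case-insensitively.
    """
    path, want_status, must_have, must_lack = check
    lower = {name.lower(): value for name, value in headers.items()}
    problems = []
    if status != want_status:
        problems.append(f"{path}: got HTTP {status}, expected {want_status}")
    for name in must_have:
        if name.lower() not in lower:
            problems.append(f"{path}: missing header {name}")
    for name in must_lack:
        if name.lower() in lower:
            problems.append(f"{path}: header {name} still sent ({lower[name.lower()]})")
    return problems


def fetch(base_url, path, timeout=10):
    """GET base_url+path; return (status, headers). 4xx/5xx are returned, not raised."""
    request = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "htaccess-check"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, dict(response.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items())


def run_checks(base_url):
    """Run every check against base_url; return all problems found."""
    problems = []
    for check in CHECKS:
        status, headers = fetch(base_url, check[0])
        problems.extend(evaluate(check, status, headers))
    return problems


if __name__ == "__main__":
    # usage: python check_htaccess.py https://www.example.com
    found = run_checks(sys.argv[1] if len(sys.argv) > 1 else "https://www.example.com")
    for problem in found:
        print("FAIL", problem)
    print("all checks passed" if not found else f"{len(found)} problem(s) found")
    sys.exit(1 if found else 0)
```

Run it once before and once after adding the rules; a path that still answers 200 tells you which block the host is ignoring. The directory check only works for a folder that has no index file, and a cached response from a CDN or proxy in front of the site can mask the ETag and Expires results, so check the origin directly where possible.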

######################################
# QUERY STRING FILTERING
# This is a crude blacklist, not real SQL injection protection: it only
# inspects the GET query string (not POST bodies, cookies or headers),
# matches the raw, still percent-encoded string, and rejects legitimate
# requests that happen to contain words such as "select ... from"
# (a site search, for example). Real protection is parameterised queries
# in the application. Treat this as a noise filter and test it against
# your own URLs before relying on it.
######################################
# mod_rewrite in htaccess needs FollowSymLinks (or SymLinksIfOwnerMatch)
Options +FollowSymLinks
RewriteEngine On

# Block query strings containing '|' or '>' (raw or percent-encoded).
# The original pattern (\|%3E) only matched the literal sequence "|%3E".
RewriteCond %{QUERY_STRING} (\||%7C|>|%3E) [NC,OR]

# Block attempts to overwrite PHP's GLOBALS array
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

# Block attempts to overwrite the _REQUEST array
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]

# Block stream wrappers used in file-inclusion attacks
RewriteCond %{QUERY_STRING} (php://input|data://|expect://) [NC,OR]

# Block common SQL keyword pairs, case-insensitive.
# The conditions are OR-chained; the last one must not carry [OR].
RewriteCond %{QUERY_STRING} (union.*select|select.*from|insert.*into|drop.*table|show.*tables|update.*set|delete.*from) [NC]

# Answer 403 Forbidden when any condition above matches
RewriteRule ^(.*)$ - [F,L]
######################################
# END QUERY STRING FILTERING
######################################
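To see what the filter above really does, the rewrite conditions can be run as regular expressions over sample query strings. The script below is an added example, not part of the original article: it transcribes the conditions into Python (Apache uses PCRE, which agrees with Python's re for these patterns) and matches them, as Apache does, against the raw, still percent-encoded query string. The '|' / '>' condition is written here as its comment describes it (either character, raw or encoded). The sample query strings are constructed for the demonstration.

```python
"""
Added example, not part of the original article: the query-string conditions
above transcribed into Python regexes and run over constructed query strings,
to show what the blacklist catches, what it misses, and which harmless
requests it rejects. Apache tests %{QUERY_STRING} in its raw, still
percent-encoded form, so the samples are matched undecoded as well.
"""
import re
from urllib.parse import unquote

# OR-chained RewriteCond patterns from the rule set above; [NC] -> IGNORECASE.
# The '|' / '>' condition is written as its comment describes it
# (either character, raw or percent-encoded).
CONDITIONS = [
    (r"(\||%7C|>|%3E)", re.IGNORECASE),
    (r"GLOBALS(=|\[|%[0-9A-Z]{0,2})", 0),
    (r"_REQUEST(=|\[|%[0-9A-Z]{0,2})", 0),
    (r"(php://input|data://|expect://)", re.IGNORECASE),
    (r"(union.*select|select.*from|insert.*into|drop.*table|show.*tables|update.*set|delete.*from)", re.IGNORECASE),
]
COMPILED = [re.compile(pattern, flags) for pattern, flags in CONDITIONS]

# Constructed samples: (raw query string, is it actually an attack?)
SAMPLES = [
    ("id=1%20UNION%20SELECT%201,2,3", True),        # textbook injection, caught
    ("id=1%20uni%6fn%20sel%65ct%201,2,3", True),    # same payload, keywords partly encoded
    ("id=1'%20OR%20'1'='1", True),                  # boolean injection, no listed keyword
    ("file=php://input", True),                     # stream wrapper, caught
    ("s=select+from+the+menu", False),              # ordinary site search
    ("s=how+to+update+your+settings", False),       # "update ... set" across words
    ("fields=name|email", False),                   # legitimate use of '|'
]


def is_blocked(query_string):
    """True if the rewrite rule would answer 403 for this raw query string."""
    return any(regex.search(query_string) for regex in COMPILED)


def evades_by_encoding(query_string):
    """True if the raw string passes but the decoded string PHP sees would be blocked."""
    return not is_blocked(query_string) and is_blocked(unquote(query_string))


def summarize(samples):
    """Count caught attacks, missed attacks and blocked legitimate requests."""
    counts = {"caught": 0, "missed": 0, "false_positive": 0}
    for query_string, is_attack in samples:
        blocked = is_blocked(query_string)
        if is_attack and blocked:
            counts["caught"] += 1
        elif is_attack:
            counts["missed"] += 1
        elif blocked:
            counts["false_positive"] += 1
    return counts


if __name__ == "__main__":
    for query_string, is_attack in SAMPLES:
        verdict = "403" if is_blocked(query_string) else "pass"
        print(f"{verdict:4} attack={is_attack!s:5} {query_string!r:40} -> PHP sees {unquote(query_string)!r}")
    print(summarize(SAMPLES))
```

Two things stand out when this runs: an attacker only has to percent-encode one letter of a keyword to get past the raw-string match, while the application still receives the decoded payload, and several ordinary search phrases come back as 403. Feed your own site's query strings into SAMPLES before deploying the block; anything it marks as a false positive is a request a real visitor will lose.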