WordPress htaccess rules to improve security and performance

Here I would like to share some .htaccess rules that will help you improve your WordPress site's security and performance. I recommend that you consult your developer before adding these rules.

To improve security.

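# Eliminating HTTP insertions
# Return 403 for request lines that carry common injection patterns: a
# "///" path, a URL scheme inside the query string, a doubled "?", or a
# reference to .asp/.ini/.dll or .htaccess/.htpasswd files.
# The first RewriteCond is ANDed with the [OR] group below it, so the core
# WordPress paths it lists (wp-login.php, wp-admin/, plugins, wp-includes/)
# are exempt from every check that follows.
# NOTE(review): THE_REQUEST is the raw, undecoded request line, so only the
# literal spellings in these regexes are matched - treat this as a coarse
# filter, not a substitute for a WAF or for keeping WordPress updated.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ ///.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\=?(http|ftp|ssl|https):/.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\?.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(asp|ini|dll).*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(htpasswd|htaccess|aahtpasswd).*\ HTTP/ [NC]
# The substitution must be a plain hyphen "-" ("no substitution"); the
# en dash that appeared here would be taken as a literal target path.
# F = 403 Forbidden, NS = skip for internal subrequests, L = last rule.
RewriteRule .* - [F,NS,L]
</IfModule>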

 

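# Secure wp-includes
# Block direct web requests to include-only PHP files. WordPress loads
# these internally; a browser has no legitimate reason to request them.
# Every "-" below must be a plain hyphen ("no substitution"), not an en dash.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# wp-admin/includes/ is admin-side library code, never a front-end entry point.
RewriteRule ^wp-admin/includes/ - [F,L]
# Requests outside wp-includes/ skip the next three rules (S=3).
RewriteRule !^wp-includes/ - [S=3]
# Top-level .php files directly in wp-includes/ (subdirectories such as js/ are not matched here).
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# NOTE(review): on Multisite installs the top-level rule is reported to
# also block wp-includes/ms-files.php - confirm before deploying there.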

 

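# Protect the .htaccess
# Deny web access to .hta* files (.htaccess, .htpasswd, ...). The "~"
# makes the argument a regex; the quotes must be straight ASCII quotes,
# the typographic quotes this snippet was published with break parsing.
# Because the pattern is not anchored at the end it also covers copies
# such as .htaccess.bak.
<files ~ "^.*\.([Hh][Tt][Aa])">
# Apache 2.4: access control lives in mod_authz_core.
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
# Apache 2.2 (or 2.4 with mod_access_compat): legacy Order/Deny syntax.
<IfModule !mod_authz_core.c>
order allow,deny
deny from all
satisfy all
</IfModule>
</files>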

 

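# Protect wp-config.php
# Deny web access to the configuration file that holds database credentials
# and the authentication salts. PHP does not normally serve its source, but
# this guards against misconfiguration (e.g. a broken PHP handler).
<files wp-config.php>
# Apache 2.4: access control lives in mod_authz_core.
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
# Apache 2.2 (or 2.4 with mod_access_compat): legacy Order/Deny syntax.
<IfModule !mod_authz_core.c>
order allow,deny
deny from all
</IfModule>
</files>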

 

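# Protect xmlrpc.php
# xmlrpc.php is a frequent target for login brute-forcing and pingback
# abuse. This denies POST requests to it.
# NOTE(review): the snippet as published stopped after "Order deny,allow";
# an unclosed <Files>/<Limit> makes Apache answer 500 for the whole site,
# so the deny rule and closing tags are filled in here - confirm this
# matches the intended policy.
# Caveats: <Limit POST> leaves other methods (GET) reachable; drop the
# <Limit> wrapper to block the file entirely. Jetpack and the WordPress
# mobile apps talk to xmlrpc.php, so blocking it disables them.
<Files xmlrpc.php>
<Limit POST>
# Apache 2.4: access control lives in mod_authz_core.
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
# Apache 2.2 (or 2.4 with mod_access_compat): legacy Order/Deny syntax.
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Limit>
</Files>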

 

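# Prevent Directory Browsing
# "Options All -Indexes" first enables every option (Includes, ExecCGI,
# FollowSymLinks, ...) and only then removes Indexes; that can widen the
# attack surface beyond what the host configured, and it fails with a 500
# where AllowOverride does not permit setting Options. Removing Indexes
# alone disables directory listings and leaves the other options as the
# server administrator set them.
Options -Indexes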
To improve performance.

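# compress text, html, javascript, css, xml:
# Requires mod_filter, mod_deflate (the DEFLATE provider) and mod_version
# (for <IfVersion>); the outer <IfModule> only guards the first of these.
# All quotes must be straight ASCII quotes - the typographic quotes this
# snippet was published with break the expression parser.
<IfModule mod_filter.c>
<IfVersion >= 2.4>
# Apache 2.4 syntax: the provider condition is an expression.
# NOTE(review): "=" is an exact string compare, so a response sent as
# "text/html; charset=UTF-8" may not match - confirm on the live server
# (a regex match, =~, would tolerate the charset parameter).
FilterDeclare COMPRESS
FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} = 'text/html'"
FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} = 'text/css'"
FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} = 'text/plain'"
FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} = 'text/xml'"
FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} = 'text/x-component'"
FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} = 'application/javascript'"
FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} = 'application/json'"
FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} = 'application/xml'"
FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} = 'application/xhtml+xml'"
FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} = 'application/rss+xml'"
FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} = 'application/atom+xml'"
FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} = 'application/vnd.ms-fontobject'"
FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} = 'image/svg+xml'"
FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} = 'image/x-icon'"
FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} = 'application/x-font-ttf'"
FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} = 'font/opentype'"
FilterChain COMPRESS
# change=yes: the filter may change the body; byteranges=no: do not apply
# it to partial-content (Range) responses.
FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no
</IfVersion>
<IfVersion <= 2.2>
# Apache 2.2 syntax: resp=Content-Type matches the response header,
# and a "$" prefix means substring match.
FilterDeclare COMPRESS
FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html
FilterProvider COMPRESS DEFLATE resp=Content-Type $text/css
FilterProvider COMPRESS DEFLATE resp=Content-Type $text/plain
FilterProvider COMPRESS DEFLATE resp=Content-Type $text/xml
FilterProvider COMPRESS DEFLATE resp=Content-Type $text/x-component
FilterProvider COMPRESS DEFLATE resp=Content-Type $application/javascript
FilterProvider COMPRESS DEFLATE resp=Content-Type $application/json
FilterProvider COMPRESS DEFLATE resp=Content-Type $application/xml
FilterProvider COMPRESS DEFLATE resp=Content-Type $application/xhtml+xml
FilterProvider COMPRESS DEFLATE resp=Content-Type $application/rss+xml
FilterProvider COMPRESS DEFLATE resp=Content-Type $application/atom+xml
FilterProvider COMPRESS DEFLATE resp=Content-Type $application/vnd.ms-fontobject
FilterProvider COMPRESS DEFLATE resp=Content-Type $image/svg+xml
FilterProvider COMPRESS DEFLATE resp=Content-Type $image/x-icon
FilterProvider COMPRESS DEFLATE resp=Content-Type $application/x-font-ttf
FilterProvider COMPRESS DEFLATE resp=Content-Type $font/opentype
FilterChain COMPRESS
FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no
</IfVersion>
</IfModule>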

 

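# Leverage Browser Caching
# "Header set" replaces any Cache-Control the application already sent, so
# these values override WordPress's own headers for the matched extensions.
# Requires mod_headers; without the guard the Header lines would error out.
# Quotes must be straight ASCII quotes, not the typographic quotes this
# snippet was published with.
<IfModule mod_headers.c>
# 1 YEAR
<FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav)$">
Header set Cache-Control "max-age=31536000, public"
</FilesMatch>

# 1 WEEK
<FilesMatch "\.(jpg|jpeg|png|gif|js|css)$">
Header set Cache-Control "max-age=604800, public"
</FilesMatch>

# 3 HOUR
<FilesMatch "\.(txt|xml)$">
Header set Cache-Control "max-age=10800"
</FilesMatch>

# NEVER CACHE - notice the extra directives
# Dynamic output and scripts: "private, no-store" keeps responses that may
# carry session-specific content out of shared caches.
<FilesMatch "\.(html|htm|php|cgi|pl)$">
Header set Cache-Control "max-age=0, private, no-store, no-cache, must-revalidate"
</FilesMatch>
</IfModule>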
