
hbradleyiii/wp_bare_theme/master/.htaccess

# BEGIN PERISHABLEPRESS BLACKLIST/FIREWALL
# 6G FIREWALL/BLACKLIST
# @ https://perishablepress.com/6g/

# 6G:[QUERY STRINGS]
# Refuse (403 via [F]) any request whose query string matches one of the
# patterns below. The conditions are chained with [OR]; the last one carries
# no [OR], so the RewriteRule fires as soon as any single condition matches.
# [NC] makes every match case-insensitive.
#
# NOTE(review): several patterns appear to have lost their backslash escapes
# in this copy -- "(eval()" is an unbalanced group as shown, and dots in
# "127.0.0.1" / "boot.ini" / ".php" are unescaped. Compare each line against
# the upstream 6G source linked in the header before deploying: an invalid
# regex in .htaccess typically makes Apache answer 500 for the whole directory,
# and an under-escaped one matches more broadly than intended.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # PHP-code and loopback tokens that rarely belong in a legitimate query
    RewriteCond %{QUERY_STRING} (eval() [NC,OR]
    RewriteCond %{QUERY_STRING} (127.0.0.1) [NC,OR]
    # A single run of 2000+ alphanumerics (oversized payloads)
    RewriteCond %{QUERY_STRING} ([a-z0-9]{2000}) [NC,OR]
    # Script injection and encoded-payload markers
    RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
    RewriteCond %{QUERY_STRING} (base64_encode)(.*)(() [NC,OR]
    RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|[|%) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
    # Path-traversal and shell metacharacters
    RewriteCond %{QUERY_STRING} (\|...|../|~|`|<|>||) [NC,OR]
    RewriteCond %{QUERY_STRING} (boot.ini|etc/passwd|self/environ) [NC,OR]
    # Known-abused thumbnail scripts referenced through the query string
    RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?).php [NC,OR]
    # A quote followed (anywhere later) by an SQL keyword. This is a
    # heuristic: a legitimate site search such as ?s=don't+select+this
    # will also be refused, so watch 403 logs for false positives.
    RewriteCond %{QUERY_STRING} ('|")(.*)(drop|insert|md5|select|union) [NC]
    RewriteRule .* - [F]
</IfModule>

# 6G:[REQUEST METHOD]
# Refuse (403) requests using any of the listed HTTP methods. The pattern is
# anchored at the start only and compared case-insensitively ([NC]).
# NOTE(review): put and delete are refused here, yet the [BAD IPS] <Limit>
# block further down still lists PUT -- harmless, but inconsistent. Clients
# that talk to the WordPress REST API with PUT/DELETE directly (rather than
# POST plus a method-override header) would be affected; confirm before
# deploying to a site that exposes the REST API to external clients.
<IfModule mod_rewrite.c>
    RewriteCond %{REQUEST_METHOD} ^(connect|debug|delete|move|put|trace|track) [NC]
    RewriteRule .* - [F]
</IfModule>

# 6G:[REFERRERS]
# Refuse (403) requests whose Referer header is either an oversized run of
# 2000+ alphanumerics or names one of the listed referrer-spam domains.
# Referer is client-supplied and trivially omitted, so this only filters
# noise; it is not an access control.
<IfModule mod_rewrite.c>
    RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000}) [NC,OR]
    RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC]
    RewriteRule .* - [F]
</IfModule>

# 6G:[REQUEST STRINGS]
# mod_alias rules that answer 403 when the request path (not the query
# string -- that is handled by the mod_rewrite block above) matches. The
# inline (?i) flag makes each pattern case-insensitive.
#
# NOTE(review): as with the query-string block, escapes look lost in this
# copy (e.g. the bare "*" and "." alternatives on the line matching "/($(&)?"
# are not valid as shown). Verify against the upstream 6G source.
<IfModule mod_alias.c>
    # Oversized path segments and embedded absolute URLs (remote-include style)
    RedirectMatch 403 (?i)([a-z0-9]{2000})
    RedirectMatch 403 (?i)(https?|ftp|php):/
    RedirectMatch 403 (?i)(base64_encode)(.*)(()
    # Quote characters and punctuation that do not occur in normal WP paths
    RedirectMatch 403 (?i)(=\'|=\%27|/\'/?).
    RedirectMatch 403 (?i)/($(&)?|*|"|.|,|&|&?)/?$
    RedirectMatch 403 (?i)({0}|(/(|...|+++|\"\")
    RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\|s|{|}|[|]||)
    # Well-known probe targets
    RedirectMatch 403 (?i)/(=|$&|_mm|cgi-|etc/passwd|muieblack)
    RedirectMatch 403 (?i)(&pws=0|_vti_|(null)|{$itemURL}|echo(.*)kae|etc/passwd|eval(|self/environ)
    # File extensions that should never be served from a WordPress docroot
    # (backups, dumps, logs, VCS metadata, binaries). This pattern is anchored
    # at the end of the path, so it matches a path ending in ".git" but not a
    # request for a file inside a ".git/" directory; denying such directories,
    # if wanted, needs a separate rule.
    RedirectMatch 403 (?i).(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
    # Direct requests for config/diagnostic/webshell-style PHP filenames.
    # Note this also matches a legitimate /config.php or /phpinfo.php placed
    # under the docroot on purpose.
    RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell).php
</IfModule>

# 6G:[USER AGENTS]
# Tag requests whose User-Agent is oversized or contains one of the listed
# substrings with the bad_bot environment variable, then deny tagged requests
# using whichever authorization API the running Apache provides.
#
# NOTE(review): the list is substring-based and includes generic tokens such
# as "python", "pycurl" and "archive.org"; legitimate monitoring scripts,
# internal tooling and the Wayback Machine are refused along with scanners.
# The User-Agent header is client-chosen, so this filters opportunistic
# traffic only.
<IfModule mod_setenvif.c>
    SetEnvIfNoCase User-Agent ([a-z0-9]{2000}) bad_bot
    SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot

    # Apache < 2.3 (Order/Allow/Deny; also available on 2.4 via mod_access_compat)
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
        Deny from env=bad_bot
    </IfModule>

    # Apache >= 2.3 (Require-based authorization)
    <IfModule mod_authz_core.c>
        <RequireAll>
            Require all Granted
            Require not env bad_bot
        </RequireAll>
    </IfModule>
</IfModule>

# 6G:[BAD IPS]
# Placeholder for manual IP blocking. As shipped it allows everything; the
# commented Deny line is a template (123.456.789 is not a valid address).
#
# NOTE(review): because these directives sit inside <Limit GET HEAD OPTIONS
# POST PUT>, any Deny added here applies only to those five methods; a request
# using another method would bypass it. For an IP block, omit the <Limit>
# wrapper (or use <LimitExcept>) so it covers every method. Also note that
# Order/Allow/Deny are Apache 2.2 syntax: on a 2.4 server without
# mod_access_compat they are unknown directives, and "Require not ip" is the
# equivalent -- this block has no 2.4 branch, unlike the user-agent section.
<Limit GET HEAD OPTIONS POST PUT>
    Order Allow,Deny
    Allow from All
    # uncomment/edit/repeat next line to block IPs
    # Deny from 123.456.789
</Limit>
# END PERISHABLEPRESS BLACKLIST/FIREWALL

# BEGIN Hardened WordPress

# Disable directory browsing
# NOTE(review): "All" switches on every option except MultiViews (including
# FollowSymLinks, Includes and ExecCGI, if the server's AllowOverride permits
# them) and only then removes Indexes. If the intent is solely to stop
# directory listings, "Options -Indexes" is the narrower form. Either way
# this line requires AllowOverride to include Options; otherwise Apache
# refuses the .htaccess file.
Options All -Indexes

# Block the include-only files.
# Refuse direct HTTP access to PHP files that WordPress only ever includes
# server-side. The rules use skip counts ([S=n]) to implement "if the path
# is not under X, skip the next n rules", so the LINE ORDER BELOW IS PART OF
# THE LOGIC -- inserting or removing a rule means adjusting the S= values.
# Paths are matched relative to RewriteBase /.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    # Not under wp-includes/ -> skip the three wp-includes rules
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    # Not under wp-content/ -> skip the two wp-content rules
    RewriteRule !^wp-content/ - [S=2]
    # Allow *.css.php (skip the deny rule that follows)
    RewriteRule ^wp-content/.+.css.php$ - [S=1]
    # Deny every other PHP file under wp-content/ (plugins and themes that
    # legitimately expose a PHP endpoint directly will need an exception)
    RewriteRule ^wp-content/.+.php$ - [F,L]
</IfModule>

# Deny all HTTP access to wp-config.php (credentials and salts). Apache 2.2
# syntax only; on 2.4 without mod_access_compat these directives are unknown
# and the equivalent is "Require all denied" -- the user-agent section above
# branches on mod_authz_core for this, this block does not.
<files wp-config.php>
    order allow,deny
    deny from all
</files>

# Deny access to files whose name contains ".hta" (e.g. .htaccess).
# NOTE(review): the pattern only covers the ".hta" prefix, so .htpasswd
# (".htp") is NOT matched by it; Apache's stock configuration usually
# protects "^\.ht" files globally, but confirm on the host. 2.2-style
# directives, same caveat as the wp-config.php block.
<files ~ "^.*.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
    satisfy all
</files>

# Prevents verifying google domain ownership with html file
# Denies any "google*.html" file so that a file someone manages to drop into
# the docroot cannot be used to claim the domain in Google's site tools. The
# legitimate owner is affected too; use the DNS or meta-tag verification
# methods instead. 2.2-style directives, same caveat as the wp-config.php
# block.
<files ~ "^.*google.*.html$">
    order allow,deny
    deny from all
    satisfy all
</files>

# Deflects POST requests to wp-login.php and wp-comments-post.php that have no referrer
# All three conditions must hold (no [OR]): method is POST, the path names
# one of the two scripts, and the Referer header is empty. Matching requests
# are answered with a 301 to a URL built from the client's own address.
#
# NOTE(review): browsers configured with a no-referrer policy, privacy
# extensions and some proxies send no Referer, so those users cannot log in
# or comment while this is active; check 301s in the access log. A 403 ([F])
# would be clearer than a permanent redirect and is not cached by clients.
# The trailing "$" in the target looks like a literal character rather than
# a backreference as shown -- verify against the source this was copied from.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login).php*
    RewriteCond %{HTTP_REFERER} ^$
    # Send them back to where they came from:
    RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]
</IfModule>

# Prevent user enumeration
# see: http://www.acunetix.com/blog/articles/wordpress-username-enumeration-using-http-fuzzer/
# Redirects ?author=N style requests to the site root; the "?" on the target
# discards the original query string. Relies on RewriteEngine On from the
# blocks above (directives in one .htaccess merge into one per-directory
# context).
#
# NOTE(review): as rendered the condition is "author=d", which only matches
# the literal letter d; the usual form is "author=\d" (any digit) and the
# backslash has probably been lost in this copy -- confirm. This rule
# addresses only the ?author= query form; other ways of listing users (e.g.
# REST endpoints) are not covered here and need their own mitigation.
<IfModule mod_rewrite.c>
    RewriteCond %{QUERY_STRING} author=d
    RewriteRule ^ /? [L,R=301]
</IfModule>

# END Hardened WordPress

# BEGIN WordPress
# Standard WordPress front controller: requests for index.php pass through
# unchanged; any other path that is not an existing file (!-f) or directory
# (!-d) is rewritten internally to /index.php. Kept after the hardening
# rules so those are evaluated first. (The unescaped dot in "index.php" is
# as shown in this copy; the canonical WordPress block escapes it.)
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
</IfModule>

# END WordPress