# Make sure these directives are either above the "BEGIN WordPress"
# line or below the "END WordPress" line. Also, make sure you test
# your site if you use any of the suggestions below. These rules
# are very specific to running WordPress so if you also serve some other
# static or PHP files under the directory where these rules will live
# you may find they won't work. TEST TEST TEST.
# disable directory browsing
Options All -Indexes
# prevent direct access to wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
# block access to all php files under /wp-content and further
RedirectMatch 403 ^.*/wp-content/.*\.php$
# Block the include-only files.
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# prevent comment posting if referrer is blank
# replace yoursite.com with your actual domain name
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*yoursite.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
# deny access to all dot (hidden) files (eg .htaccess)
<Files ~ "^\..*">
order allow,deny
deny from all
satisfy all
</Files>