# Don't show errors which contain full path diclosure (FPD)
# Use that line only if PHP is installed as a module and not per CGI
# try using a php.ini in that case.
# Change mod_php5.c to mod_php7.c if you are running PHP7
<IfModule mod_php5.c>
php_flag display_errors Off
</IfModule>
# Protect XMLRPC (needed for Apps, Offline-Blogging-Tools, Pingback, etc.)
# If you use that, these tools will not work anymore
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
# Don't list directories
<IfModule mod_autoindex.c>
Options -Indexes
</IfModule>
# Protect all readme.txt files from all plugins
<Files readme.txt>
Order allow,deny
Deny from all
</Files>
# Protect wp-config.php and other files
<FilesMatch "(.htaccess|.htpasswd|wp-config.php|wp-login|wp-mail|liesmich.html|readme.html)">
Order deny,allow
Deny from all
</FilesMatch>
# Block the include-only files.
# Do not use in Multisite without reading the note in Codex!
# See: http://codex.wordpress.org/Hardening_WordPress#Securing_wp-admin
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# Set some security related headers
# See: http://de.slideshare.net/walterebert/die-htaccessrichtignutzenwchh2014 (GERMAN)
<IfModule mod_headers.c>
Header set X-Content-Type-Options nosniff
Header set X-XSS-Protection "1; mode=block"
# The line below is an advanced method for a more secure configuration, please see documentation before usage!
# Introduction: https://scotthelme.co.uk/content-security-policy-an-introduction/
# http://www.heise.de/security/artikel/XSS-Bremse-Content-Security-Policy-1888522.html (German)
# Documentation: https://content-security-policy.com/
# Analysis: https://securityheaders.io/
# Header set Content-Security-Policy "default-src 'self'; img-src 'self' http: https: *.gravatar.com;"
</IfModule>
# Allow WordPress Embed
# https://gist.github.com/sergejmueller/3c4351ec29576fb441fe
<IfModule mod_setenvif.c>
SetEnvIf Request_URI "/embed/$" IS_embed
<IfModule mod_headers.c>
Header set X-Frame-Options SAMEORIGIN env=!REDIRECT_IS_embed
</IfModule>
</IfModule>
#Force secure cookies (uncomment for HTTPS)
<IfModule mod_headers.c>
#Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</IfModule>
#Unset headers revealing versions strings
<IfModule mod_headers.c>
Header unset X-Powered-By
Header unset X-Pingback
Header unset SERVER
</IfModule>
# Filter Request Methods
# See: https://perishablepress.com/disable-trace-and-track-for-better-security/
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>