The ultimate .htaccess of WordPress looks like this one.

# BEGIN WordPress
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
# END WordPress

# BEGIN SSL Forwarding
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# END SSL Forwarding

# BEGIN CORS Security
<IfModule mod_headers.c>
    <FilesMatch "\.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js|gif|png|jpe?g|svg|svgz|ico|webp)$">
        Header set Access-Control-Allow-Origin "*"
# END CORS Security

# BEGIN Browser Caching
<IfModule mod_expires.c>
    ExpiresActive on
    ExpiresDefault "access plus 1 month"

    # CSS
    ExpiresByType text/css "access plus 1 year"

    # Data
    ExpiresByType application/atom+xml "access plus 1 hour"
    ExpiresByType application/rdf+xml "access plus 1 hour"
    ExpiresByType application/rss+xml "access plus 1 hour"

    ExpiresByType application/json "access plus 0 seconds"
    ExpiresByType application/ld+json "access plus 0 seconds"
    ExpiresByType application/schema+json "access plus 0 seconds"
    ExpiresByType application/vnd.geo+json "access plus 0 seconds"
    ExpiresByType application/xml "access plus 0 seconds"
    ExpiresByType text/xml "access plus 0 seconds"

    # Favicon (cannot be renamed!) and cursor images
    ExpiresByType image/ "access plus 1 week"
    ExpiresByType image/x-icon "access plus 1 week"

    # HTML
    ExpiresByType text/html "access plus 0 seconds"

    # JavaScript
    ExpiresByType application/javascript "access plus 1 year"
    ExpiresByType application/x-javascript "access plus 1 year"
    ExpiresByType text/javascript "access plus 1 year"

    # Manifest files
    ExpiresByType application/manifest+json "access plus 1 week"
    ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
    ExpiresByType text/cache-manifest "access plus 0 seconds"

    # Media files
    ExpiresByType audio/ogg "access plus 1 year"
    ExpiresByType image/bmp "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"
    ExpiresByType video/mp4 "access plus 1 year"
    ExpiresByType video/ogg "access plus 1 year"
    ExpiresByType video/webm "access plus 1 year"

    # Web Fonts

    # Embedded OpenType (EOT)
    ExpiresByType application/ "access plus 1 year"
    ExpiresByType font/eot "access plus 1 year"

    # OpenType
    ExpiresByType font/opentype "access plus 1 year"

    # TrueType
    ExpiresByType application/x-font-ttf "access plus 1 year"

    # Web Open Font Format (WOFF) 1.0
    ExpiresByType application/font-woff "access plus 1 year"
    ExpiresByType application/x-font-woff "access plus 1 year"
    ExpiresByType font/woff "access plus 1 year"

    # Web Open Font Format (WOFF) 2.0
    ExpiresByType application/font-woff2 "access plus 1 year"

    # Other
    ExpiresByType text/x-cross-domain-policy "access plus 1 week"
# END Browser Caching

# BEGIN Compression
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/vtt
    AddOutputFilterByType DEFLATE text/x-component
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/js
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE application/x-httpd-php
    AddOutputFilterByType DEFLATE application/x-httpd-fastphp
    AddOutputFilterByType DEFLATE application/atom+xml
    AddOutputFilterByType DEFLATE application/json
    AddOutputFilterByType DEFLATE application/ld+json
    AddOutputFilterByType DEFLATE application/
    AddOutputFilterByType DEFLATE application/x-font-ttf
    AddOutputFilterByType DEFLATE application/font-woff2
    AddOutputFilterByType DEFLATE application/x-font-woff
    AddOutputFilterByType DEFLATE application/x-web-app-manifest+json font/woff
    AddOutputFilterByType DEFLATE font/woff
    AddOutputFilterByType DEFLATE font/opentype
    AddOutputFilterByType DEFLATE image/svg+xml
    AddOutputFilterByType DEFLATE image/x-icon

    # Exception: Images
    SetEnvIfNoCase REQUEST_URI \.(?:gif|jpg|jpeg|png|svg)$ no-gzip dont-vary

    # Drop problematic browsers
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

    # Make sure proxies don't deliver the wrong content
    Header append Vary User-Agent env=!dont-vary
# END Compression

# BEGIN Caching on Apache
<IfModule mod_headers.c>
    <FilesMatch "\.(ico|pdf|flv|swf|js|css|gif|png|jpg|jpeg|txt|woff2|woff)$">
        Header set Cache-Control "max-age=31536000, public"

<IfModule mod_headers.c>
    <FilesMatch "\.(js|css|xml|gz)$">
        Header append Vary Accept-Encoding
# END Caching on Apache

# BEGIN Keep-Alive Header
<IfModule mod_headers.c>
    Header set Connection keep-alive
# END Keep-Alive Header

# BEGIN Disable ETags
<IfModule mod_expires.c>
    <IfModule mod_headers.c>
        Header unset ETag

    FileETag None

<IfModule mod_headers.c>
    <FilesMatch ".(js|css|xml|gz|html|woff|woff2|ttf)$">
        Header append Vary: Accept-Encoding
# END Disable ETags

# BEIGN Protection
<Files install.php>
    Order allow,deny
    Deny from all

<Files wp-config.php>
    Order allow,deny
    Deny from all

<Files readme.html>
    Order allow,deny
    Deny from all
    Satisfy all

<Files liesmich.html>
    Order allow,deny
    Deny from all
    Satisfy all

<Files error_log>
    Order allow,deny
    Deny from all

<FilesMatch "(\.htaccess|\.htpasswd)">
    Order deny,allow
    Deny from all

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]

<Files xmlrpc.php>
    Order deny,allow
    Deny from all
# END Protection

Optional Snippets

# BEGIN No-Referrer Header
<IfModule mod_headers.c>
    Header set Referrer-Policy "no-referrer"
# END No-Referrer Header

# BEGIN X-Frame-Options Header
<IfModule mod_headers.c>
    Header set X-Frame-Options "sameorigin"
# END X-Frame-Options Header

# BEGIN X-XSS-Protection Header
<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
# END X-XSS-Protection Header

# BEGIN X-Content-Type-Options Header
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
# END X-Content-Type-Options Header

# BEGIN Strict-Transport-Security Header
<IfModule mod_headers.c>
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# END Strict-Transport-Security Header

Leave a Reply

Your email address will not be published. Required fields are marked *