htaccess force SSL for WordPress
This works for me on Apache 2.2 with VirtualHosts. Plus other useful stuff here.

    <IfModule mod_rewrite.c>
    RewriteEngine On
    Options -Indexes
    Options +FollowSymLinks
    RewriteBase /

    # Force HTTPS (an absolute URL target makes this an external redirect)
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}/$1 [L]

    # Deny access by your most hated visitors and bad bots
    RewriteCond %{HTTP_USER_AGENT} mechanize [NC,OR]
    # Protect against SQL INJECTION
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    # The deny conditions need their own rule; without it they chain into
    # the WordPress conditions below and nothing is ever refused
    RewriteRule .* - [F,L]

    # Basic WORDPRESS rewrite rules
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    # original line but causes redirect loops
    #RewriteRule . /index.php [L]
    # this one solves that problem
    RewriteRule ^(?!index\.php) /index.php [L]

    # some WORDPRESS hardening rules
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>

    # Protect HTACCESS (any file name containing ".hta", case-insensitive)
    <Files ~ "^.*\.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
    satisfy all
    </Files>

    # Protect MYSQL login
    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>

    # Prevent POST by network (applies to every method except GET)
    <LimitExcept GET>
    order allow,deny
    deny from 1.0.1.0/24
    allow from all
    </LimitExcept>

1) HTTPS: it is unclear whether the force-HTTPS rules are in the exact best placement.
2) Prevent POST by network: this allows the listed networks to browse (GET) only and nothing else; no POST is allowed. This is especially useful to prevent wp-login.php attempts or spam POSTs by country. It is an approach to managing bad networks that is not heavy-handed.
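
The access decision made by the <LimitExcept GET> block in note 2, modelled in Python as an added example (not part of the original page and not Apache's own code). The function names and sample client addresses are constructed for illustration. It also shows that the same directives under "order deny,allow" would block nothing.

```python
import ipaddress

# Methods left unrestricted by <LimitExcept GET>; Apache handles HEAD as GET.
EXEMPT_METHODS = {"GET", "HEAD"}


def _matches(client, specs):
    """True if the client IP matches any spec ('all' or a CIDR network)."""
    ip = ipaddress.ip_address(client)
    return any(s == "all" or ip in ipaddress.ip_network(s) for s in specs)


def order_decision(order, allow, deny, client):
    """Apache 2.2 Order/Allow/Deny evaluation for one client address."""
    allowed = _matches(client, allow)
    denied = _matches(client, deny)
    if order == "allow,deny":
        # Allow is checked first, Deny second: a Deny match always wins,
        # and a client matching neither list is refused.
        return allowed and not denied
    if order == "deny,allow":
        # Deny is checked first, Allow second: an Allow match always wins,
        # and a client matching neither list is admitted.
        return allowed or not denied
    raise ValueError("unsupported Order value: %r" % order)


def request_permitted(method, client, deny_networks):
    """Model of the page's block: order allow,deny / deny <nets> / allow all."""
    if method.upper() in EXEMPT_METHODS:
        return True  # the block's restrictions do not apply to this method
    return order_decision("allow,deny", ["all"], deny_networks, client)


if __name__ == "__main__":
    nets = ["1.0.1.0/24"]  # the network listed in the page's config
    # Constructed sample requests: (method, client address)
    samples = [("GET", "1.0.1.77"), ("HEAD", "1.0.1.77"),
               ("POST", "1.0.1.77"), ("PUT", "1.0.1.77"),
               ("POST", "203.0.113.5")]
    for method, client in samples:
        verdict = "allow" if request_permitted(method, client, nets) else "403"
        print("%-5s %-12s -> %s" % (method, client, verdict))
    # Same directives with the order reversed: "allow from all" overrides
    # the deny, so the listed network can POST again.
    print("deny,allow:", order_decision("deny,allow", ["all"], nets, "1.0.1.77"))
```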