ezequiel9 · December 3, 2020 03:37 · Aug 21, 2019 · Dec 1, 2017 · Dec 1, 2017 · Dec 1, 2017
diff --git a/.htaccess b/.htaccess
@@ -38,7 +38,7 @@
 </FilesMatch>
 
 # Protect some other files
-<FilesMatch "(liesmich.html|readme.html|(.*)\.ttf|(.*)\.bak)">
+<FilesMatch "(liesmich.html|readme.html|license.txt|(.*)\.ttf|(.*)\.bak)">
   Order Deny,Allow
   Deny from all
 </FilesMatch>

diff --git a/.htaccess b/.htaccess
@@ -20,32 +20,32 @@
 
 # If you don't use the Database Optimizing and Post-by-Email features, turn off the access too:
 <FilesMatch "(repair|wp-mail)\.php">
-    Order deny,allow
+    Order Deny,Allow
     Deny from all
 </FilesMatch>
 
 # Prevent browser and search engines to request .log (e.g. WP DEBUG LOG) and .txt (e.g. plugins readme) files. 
 # Must be placed in /wp-content/.htaccess
 <FilesMatch "\.(log|txt)$">
-    Order allow,deny
+    Order Allow,Deny
     Deny from all
 </FilesMatch>
 
 # Hide WordPress, system & sensitive files
 <FilesMatch "(^\.|wp-config(-sample)*\.php)">
-    Order deny,allow
+    Order Deny,Allow
     Deny from all
 </FilesMatch>
 
 # Protect some other files
 <FilesMatch "(liesmich.html|readme.html|(.*)\.ttf|(.*)\.bak)">
-  Order deny,allow
+  Order Deny,Allow
   Deny from all
 </FilesMatch>
 
 # Block the include-only files.
 # Do not use in Multisite without reading the note in Codex!
-# See: http://codex.wordpress.org/Hardening_WordPress#Securing_wp-admin
+# See: https://codex.wordpress.org/Hardening_WordPress#WP-Includes
 <IfModule mod_rewrite.c>
   RewriteEngine On
   RewriteBase /

diff --git a/.htaccess b/.htaccess
@@ -20,21 +20,21 @@
 
 # If you don't use the Database Optimizing and Post-by-Email features, turn off the access too:
 <FilesMatch "(repair|wp-mail)\.php">
-    order deny,allow
-    deny from all
+    Order deny,allow
+    Deny from all
 </FilesMatch>
 
 # Prevent browser and search engines to request .log (e.g. WP DEBUG LOG) and .txt (e.g. plugins readme) files. 
 # Must be placed in /wp-content/.htaccess
 <FilesMatch "\.(log|txt)$">
-    order allow,deny
-    deny from all
+    Order allow,deny
+    Deny from all
 </FilesMatch>
 
 # Hide WordPress, system & sensitive files
 <FilesMatch "(^\.|wp-config(-sample)*\.php)">
-    order deny,allow
-    deny from all
+    Order deny,allow
+    Deny from all
 </FilesMatch>
 
 # Protect some other files

diff --git a/.htaccess b/.htaccess
@@ -6,26 +6,39 @@
   php_flag display_errors Off
 </IfModule>
 
+# Don't list directories
+<IfModule mod_autoindex.c>
+  Options -Indexes
+</IfModule>
+
 # Protect XMLRPC (needed for Apps, Offline-Blogging-Tools, Pingback, etc.)
 # If you use that, these tools will not work anymore
 <Files xmlrpc.php>
   Order Deny,Allow
   Deny from all
 </Files>
 
-# Don't list directories
-<IfModule mod_autoindex.c>
-  Options -Indexes
-</IfModule>
+# If you don't use the Database Optimizing and Post-by-Email features, turn off the access too:
+<FilesMatch "(repair|wp-mail)\.php">
+    order deny,allow
+    deny from all
+</FilesMatch>
 
-# Protect all readme.txt files from all plugins
-<Files readme.txt>
-  Order allow,deny
-  Deny from all
-</Files>
+# Prevent browser and search engines to request .log (e.g. WP DEBUG LOG) and .txt (e.g. plugins readme) files. 
+# Must be placed in /wp-content/.htaccess
+<FilesMatch "\.(log|txt)$">
+    order allow,deny
+    deny from all
+</FilesMatch>
+
+# Hide WordPress, system & sensitive files
+<FilesMatch "(^\.|wp-config(-sample)*\.php)">
+    order deny,allow
+    deny from all
+</FilesMatch>
 
-# Protect wp-config.php and other files
-<FilesMatch "(.htaccess|.htpasswd|wp-config.php|wp-mail|liesmich.html|readme.html)">
+# Protect some other files
+<FilesMatch "(liesmich.html|readme.html|(.*)\.ttf|(.*)\.bak)">
   Order deny,allow
   Deny from all
 </FilesMatch>
@@ -38,6 +51,7 @@
   RewriteBase /
   RewriteRule ^wp-admin/includes/ - [F,L]
   RewriteRule !^wp-includes/ - [S=3]
+  # If you run multisite, comment the next line (see note above)
   RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
   RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
   RewriteRule ^wp-includes/theme-compat/ - [F,L]

diff --git a/.htaccess b/.htaccess
@@ -25,7 +25,7 @@
 </Files>
 
 # Protect wp-config.php and other files
-<FilesMatch "(.htaccess|.htpasswd|wp-config.php|wp-login|wp-mail|liesmich.html|readme.html)">
+<FilesMatch "(.htaccess|.htpasswd|wp-config.php|wp-mail|liesmich.html|readme.html)">
   Order deny,allow
   Deny from all
 </FilesMatch>

diff --git a/.htaccess b/.htaccess
@@ -25,7 +25,7 @@
 </Files>
 
 # Protect wp-config.php and other files
-<FilesMatch "(.htaccess|.htpasswd|wp-config.php|liesmich.html|readme.html)">
+<FilesMatch "(.htaccess|.htpasswd|wp-config.php|wp-login|wp-mail|liesmich.html|readme.html)">
   Order deny,allow
   Deny from all
 </FilesMatch>

diff --git a/.htaccess b/.htaccess
@@ -48,7 +48,12 @@
 <IfModule mod_headers.c>
   Header set X-Content-Type-Options nosniff 
   Header set X-XSS-Protection "1; mode=block" 
-  Header set Content-Security-Policy "default-src 'self'; img-src 'self' http: https: *.gravatar.com;"
+  # The line below is an advanced method for a more secure configuration, please see documentation before usage!
+  # Introduction: https://scotthelme.co.uk/content-security-policy-an-introduction/
+  # http://www.heise.de/security/artikel/XSS-Bremse-Content-Security-Policy-1888522.html (German)
+  # Documentation: https://content-security-policy.com/
+  # Analysis: https://securityheaders.io/
+  # Header set Content-Security-Policy "default-src 'self'; img-src 'self' http: https: *.gravatar.com;"
 </IfModule>
 
 # Allow WordPress Embed

diff --git a/.htaccess b/.htaccess
@@ -15,7 +15,7 @@
 
 # Don't list directories
 <IfModule mod_autoindex.c>
-  Option -Indexes
+  Options -Indexes
 </IfModule>
 
 # Protect all readme.txt files from all plugins

diff --git a/.htaccess b/.htaccess
@@ -70,4 +70,12 @@
   Header unset X-Powered-By
   Header unset X-Pingback
   Header unset SERVER
+</IfModule>
+
+# Filter Request Methods
+# See: https://perishablepress.com/disable-trace-and-track-for-better-security/
+<IfModule mod_rewrite.c>
+  RewriteEngine on
+  RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
+  RewriteRule ^(.*)$ - [F,L]
 </IfModule>
diff --git a/.htaccess b/.htaccess
@@ -46,12 +46,20 @@
 # Set some security related headers
 # See: http://de.slideshare.net/walterebert/die-htaccessrichtignutzenwchh2014 (GERMAN)
 <IfModule mod_headers.c>
-  Header set X-Frame-Options SAMEORIGIN 
   Header set X-Content-Type-Options nosniff 
   Header set X-XSS-Protection "1; mode=block" 
   Header set Content-Security-Policy "default-src 'self'; img-src 'self' http: https: *.gravatar.com;"
 </IfModule>
 
+# Allow WordPress Embed
+# https://gist.github.com/sergejmueller/3c4351ec29576fb441fe
+<IfModule mod_setenvif.c>
+    SetEnvIf Request_URI "/embed/$" IS_embed
+    <IfModule mod_headers.c>
+    	Header set X-Frame-Options SAMEORIGIN env=!REDIRECT_IS_embed
+    </IfModule>
+</IfModule>
+
 #Force secure cookies (uncomment for HTTPS)
 <IfModule mod_headers.c>
   #Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
@@ -62,11 +70,4 @@
   Header unset X-Powered-By
   Header unset X-Pingback
   Header unset SERVER
-</IfModule>
-
-# Disable PHP execution in /uploads
-<IfModule mod_rewrite.c> 
-  RewriteEngine On 
-  RewriteBase / 
-  RewriteRule ^(wp-content/uploads/.+.php)$ $1 [H=text/plain] 
-</IfModule> 
+</IfModule>
diff --git a/.htaccess b/.htaccess
@@ -7,20 +7,21 @@
 </IfModule>
 
 # Protect XMLRPC (needed for Apps, Offline-Blogging-Tools, Pingback, etc.)
+# If you use that, these tools will not work anymore
 <Files xmlrpc.php>
   Order Deny,Allow
   Deny from all
 </Files>
 
 # Don't list directories
 <IfModule mod_autoindex.c>
-	Option -Indexes
+  Option -Indexes
 </IfModule>
 
 # Protect all readme.txt files from all plugins
 <Files readme.txt>
-    Order allow,deny
-    Deny from all
+  Order allow,deny
+  Deny from all
 </Files>
 
 # Protect wp-config.php and other files

diff --git a/.htaccess b/.htaccess
@@ -1,11 +1,12 @@
 # Don't show errors which contain full path diclosure (FPD)
-# See: http://cup.wpcoder.de/fpd-vulnerability-wordpress/ (GERMAN)
 # Use that line only if PHP is installed as a module and not per CGI
 # try using a php.ini in that case.
-php_flag display_errors Off
+# Change mod_php5.c to mod_php7.c if you are running PHP7
+<IfModule mod_php5.c>
+  php_flag display_errors Off
+</IfModule>
 
 # Protect XMLRPC (needed for Apps, Offline-Blogging-Tools, Pingback, etc.)
-# See: http://cup.wpcoder.de/wordpress-xmlrpc-schutz/ (GERMAN)
 <Files xmlrpc.php>
   Order Deny,Allow
   Deny from all

diff --git a/.htaccess b/.htaccess
@@ -1,6 +1,7 @@
 # Don't show errors which contain full path diclosure (FPD)
 # See: http://cup.wpcoder.de/fpd-vulnerability-wordpress/ (GERMAN)
 # Use that line only if PHP is installed as a module and not per CGI
+# try using a php.ini in that case.
 php_flag display_errors Off
 
 # Protect XMLRPC (needed for Apps, Offline-Blogging-Tools, Pingback, etc.)

diff --git a/.htaccess b/.htaccess
@@ -1,5 +1,6 @@
 # Don't show errors which contain full path diclosure (FPD)
 # See: http://cup.wpcoder.de/fpd-vulnerability-wordpress/ (GERMAN)
+# Use that line only if PHP is installed as a module and not per CGI
 php_flag display_errors Off
 
 # Protect XMLRPC (needed for Apps, Offline-Blogging-Tools, Pingback, etc.)

diff --git a/.htaccess b/.htaccess
@@ -1,8 +1,8 @@
-# Don't show errors
+# Don't show errors which contain full path diclosure (FPD)
 # See: http://cup.wpcoder.de/fpd-vulnerability-wordpress/ (GERMAN)
 php_flag display_errors Off
 
-# Protect XMLRPC
+# Protect XMLRPC (needed for Apps, Offline-Blogging-Tools, Pingback, etc.)
 # See: http://cup.wpcoder.de/wordpress-xmlrpc-schutz/ (GERMAN)
 <Files xmlrpc.php>
   Order Deny,Allow
@@ -30,29 +30,35 @@ php_flag display_errors Off
 # Do not use in Multisite without reading the note in Codex!
 # See: http://codex.wordpress.org/Hardening_WordPress#Securing_wp-admin
 <IfModule mod_rewrite.c>
-RewriteEngine On
-RewriteBase /
-RewriteRule ^wp-admin/includes/ - [F,L]
-RewriteRule !^wp-includes/ - [S=3]
-RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
-RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
-RewriteRule ^wp-includes/theme-compat/ - [F,L]
+  RewriteEngine On
+  RewriteBase /
+  RewriteRule ^wp-admin/includes/ - [F,L]
+  RewriteRule !^wp-includes/ - [S=3]
+  RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
+  RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
+  RewriteRule ^wp-includes/theme-compat/ - [F,L]
 </IfModule>
 
 # Set some security related headers
 # See: http://de.slideshare.net/walterebert/die-htaccessrichtignutzenwchh2014 (GERMAN)
-Header set X-Frame-Options SAMEORIGIN 
-Header set X-Content-Type-Options nosniff 
-Header set X-XSS-Protection "1; mode=block" 
-Header set Content-Security-Policy "default-src 'self'; img-src 'self' http: https: *.gravatar.com;"
+<IfModule mod_headers.c>
+  Header set X-Frame-Options SAMEORIGIN 
+  Header set X-Content-Type-Options nosniff 
+  Header set X-XSS-Protection "1; mode=block" 
+  Header set Content-Security-Policy "default-src 'self'; img-src 'self' http: https: *.gravatar.com;"
+</IfModule>
 
 #Force secure cookies (uncomment for HTTPS)
-#Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
+<IfModule mod_headers.c>
+  #Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
+</IfModule>
 
 #Unset headers revealing versions strings
-Header unset X-Powered-By
-Header unset X-Pingback
-Header unset SERVER
+<IfModule mod_headers.c>
+  Header unset X-Powered-By
+  Header unset X-Pingback
+  Header unset SERVER
+</IfModule>
 
 # Disable PHP execution in /uploads
 <IfModule mod_rewrite.c> 

diff --git a/.htaccess b/.htaccess
@@ -22,12 +22,12 @@ php_flag display_errors Off
 
 # Protect wp-config.php and other files
 <FilesMatch "(.htaccess|.htpasswd|wp-config.php|liesmich.html|readme.html)">
-  order deny,allow
-  deny from all
+  Order deny,allow
+  Deny from all
 </FilesMatch>
 
 # Block the include-only files.
-# Do not use in Multisite withour reading the note in Codex!
+# Do not use in Multisite without reading the note in Codex!
 # See: http://codex.wordpress.org/Hardening_WordPress#Securing_wp-admin
 <IfModule mod_rewrite.c>
 RewriteEngine On

diff --git a/.htaccess b/.htaccess
@@ -49,9 +49,10 @@ Header set Content-Security-Policy "default-src 'self'; img-src 'self' http: htt
 #Force secure cookies (uncomment for HTTPS)
 #Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
 
-#Unset insecure headers
+#Unset headers revealing versions strings
 Header unset X-Powered-By
 Header unset X-Pingback
+Header unset SERVER
 
 # Disable PHP execution in /uploads
 <IfModule mod_rewrite.c> 

diff --git a/.htaccess b/.htaccess
@@ -46,6 +46,13 @@ Header set X-Content-Type-Options nosniff
 Header set X-XSS-Protection "1; mode=block" 
 Header set Content-Security-Policy "default-src 'self'; img-src 'self' http: https: *.gravatar.com;"
 
+#Force secure cookies (uncomment for HTTPS)
+#Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
+
+#Unset insecure headers
+Header unset X-Powered-By
+Header unset X-Pingback
+
 # Disable PHP execution in /uploads
 <IfModule mod_rewrite.c> 
   RewriteEngine On 

diff --git a/.htaccess b/.htaccess
@@ -44,4 +44,11 @@ RewriteRule ^wp-includes/theme-compat/ - [F,L]
 Header set X-Frame-Options SAMEORIGIN 
 Header set X-Content-Type-Options nosniff 
 Header set X-XSS-Protection "1; mode=block" 
-Header set Content-Security-Policy "default-src 'self'; img-src 'self' http: https: *.gravatar.com;"
+Header set Content-Security-Policy "default-src 'self'; img-src 'self' http: https: *.gravatar.com;"
+
+# Disable PHP execution in /uploads
+<IfModule mod_rewrite.c> 
+  RewriteEngine On 
+  RewriteBase / 
+  RewriteRule ^(wp-content/uploads/.+.php)$ $1 [H=text/plain] 
+</IfModule> 
diff --git a/.htaccess b/.htaccess
@@ -37,4 +37,11 @@ RewriteRule !^wp-includes/ - [S=3]
 RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
 RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
 RewriteRule ^wp-includes/theme-compat/ - [F,L]
-</IfModule>
+</IfModule>
+
+# Set some security related headers
+# See: http://de.slideshare.net/walterebert/die-htaccessrichtignutzenwchh2014 (GERMAN)
+Header set X-Frame-Options SAMEORIGIN 
+Header set X-Content-Type-Options nosniff 
+Header set X-XSS-Protection "1; mode=block" 
+Header set Content-Security-Policy "default-src 'self'; img-src 'self' http: https: *.gravatar.com;"
diff --git a/.htaccess b/.htaccess
@@ -27,6 +27,7 @@ php_flag display_errors Off
 </FilesMatch>
 
 # Block the include-only files.
+# Do not use in Multisite withour reading the note in Codex!
 # See: http://codex.wordpress.org/Hardening_WordPress#Securing_wp-admin
 <IfModule mod_rewrite.c>
 RewriteEngine On

diff --git a/.htaccess b/.htaccess
@@ -24,4 +24,16 @@ php_flag display_errors Off
 <FilesMatch "(.htaccess|.htpasswd|wp-config.php|liesmich.html|readme.html)">
   order deny,allow
   deny from all
-</FilesMatch>
+</FilesMatch>
+
+# Block the include-only files.
+# See: http://codex.wordpress.org/Hardening_WordPress#Securing_wp-admin
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteBase /
+RewriteRule ^wp-admin/includes/ - [F,L]
+RewriteRule !^wp-includes/ - [S=3]
+RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
+RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
+RewriteRule ^wp-includes/theme-compat/ - [F,L]
+</IfModule>
diff --git a/.htaccess b/.htaccess
@@ -2,15 +2,13 @@
 # See: http://cup.wpcoder.de/fpd-vulnerability-wordpress/ (GERMAN)
 php_flag display_errors Off
 
-
 # Protect XMLRPC
 # See: http://cup.wpcoder.de/wordpress-xmlrpc-schutz/ (GERMAN)
 <Files xmlrpc.php>
   Order Deny,Allow
   Deny from all
 </Files>
 
-
 # Don't list directories
 <IfModule mod_autoindex.c>
 	Option -Indexes

diff --git a/.htaccess b/.htaccess
@@ -14,4 +14,16 @@ php_flag display_errors Off
 # Don't list directories
 <IfModule mod_autoindex.c>
 	Option -Indexes
-</IfModule>
+</IfModule>
+
+# Protect all readme.txt files from all plugins
+<Files readme.txt>
+    Order allow,deny
+    Deny from all
+</Files>
+
+# Protect wp-config.php and other files
+<FilesMatch "(.htaccess|.htpasswd|wp-config.php|liesmich.html|readme.html)">
+  order deny,allow
+  deny from all
+</FilesMatch>
diff --git a/gistfile1.txt → .htaccess b/gistfile1.txt → .htaccess
diff --git a/gistfile1.txt b/gistfile1.txt
@@ -0,0 +1,17 @@
+# Don't show errors
+# See: http://cup.wpcoder.de/fpd-vulnerability-wordpress/ (GERMAN)
+php_flag display_errors Off
+
+
+# Protect XMLRPC
+# See: http://cup.wpcoder.de/wordpress-xmlrpc-schutz/ (GERMAN)
+<Files xmlrpc.php>
+  Order Deny,Allow
+  Deny from all
+</Files>
+
+
+# Don't list directories
+<IfModule mod_autoindex.c>
+	Option -Indexes
+</IfModule>
No results found