Deprecated: Function create_function() is deprecated in /var/www/html/blog/wp-content/plugins/add-to-any-subscribe/add-to-any-subscribe.php on line 178
Apache Archives | Developer Notes

Tagged: Apache

All in one .htaccess For the wordpress

All in one .htaccess file for the wordpress,

which is utilised for the security restrictions and caching management for the apache webserver.

  • Compressing the static files
  • setting up the cache headers for optimisation
  • Disable Image hotlinking for security
  • Removing directory Browsing fore security

<IfModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE “application/atom+xml” \
“application/javascript” \
“application/json” \
“application/ld+json” \
“application/manifest+json” \
“application/rdf+xml” \
“application/rss+xml” \
“application/schema+json” \
“application/vnd.geo+json” \
“application/” \
“application/x-font” \
“application/x-font-opentype” \
“application/x-font-otf” \
“application/x-font-truetype” \
“application/x-font-ttf” \
“application/x-javascript” \
“application/x-web-app-manifest+json” \
“application/xhtml+xml” \
“application/xml” \
“font/eot” \
“font/otf” \
“font/ttf” \
“font/opentype” \
“image/bmp” \
“image/svg+xml” \
“image/” \
“image/x-icon” \
“text/cache-manifest” \
“text/css” \
“text/html” \
“text/javascript” \
“text/plain” \
“text/vcard” \
“text/vnd.rim.location.xloc” \
“text/vtt” \
“text/x-component” \
“text/x-cross-domain-policy” \
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType text/css “access 1 month”
ExpiresByType text/html “access 1 month”
ExpiresByType image/gif “access 1 year”
ExpiresByType image/png “access 1 year”
ExpiresByType image/jpg “access 1 year”
ExpiresByType image/jpeg “access 1 year”
ExpiresByType image/x-icon “access 1 year”
ExpiresByType image/svg+xml “access plus 1 month”
ExpiresByType audio/ogg “access plus 1 year”
ExpiresByType video/mp4 “access plus 1 year”
ExpiresByType video/ogg “access plus 1 year”
ExpiresByType video/webm “access plus 1 year”
ExpiresByType application/atom+xml “access plus 1 hour”
ExpiresByType application/rss+xml “access plus 1 hour”
ExpiresByType application/pdf “access 1 month”
ExpiresByType application/javascript “access 1 month”
ExpiresByType text/x-javascript “access 1 month”
ExpiresByType text/x-component “access plus 1 month”
ExpiresByType application/x-shockwave-flash “access 1 month”
ExpiresByType font/opentype “access plus 1 month”
ExpiresByType application/ “access plus 1 month”
ExpiresByType application/x-font-ttf “access plus 1 month”
ExpiresByType application/font-woff “access plus 1 month”
ExpiresByType application/font-woff2 “access plus 1 month”
ExpiresDefault “access 1 month”
# TN – BEGIN Cache-Control Headers
<ifModule mod_headers.c>
<filesMatch “\.(ico|jpe?g|png|gif|swf)$”>
Header set Cache-Control “public”
<filesMatch “\.(css)$”>
Header set Cache-Control “public”
<filesMatch “\.(js)$”>
Header set Cache-Control “private”
<filesMatch “\.(x?html?|php)$”>
Header set Cache-Control “private, must-revalidate”

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?<> [NC] # please replace <> with your domain like or any
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
# Redirecting to index
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
<files xmlrpc.php>
order allow,deny
deny from all

# disable directory browsing
Options All -Indexes
<files wp-config.php>
order allow,deny
deny from all
<IfModule pagespeed_module>
ModPagespeed on
ModPagespeedEnableFilters rewrite_css,combine_css
ModPagespeedEnableFilters recompress_images
ModPagespeedEnableFilters convert_png_to_jpeg,convert_jpeg_to_webp
ModPagespeedEnableFilters collapse_whitespace,remove_comments

Apache Web Server Basic Security fixes and Optimisation: –

If you are utilising the apache web server HTTP for your website hosting and you maintain that server, then you must consider the following points,

  • Turn on LOGS and installing mod_log_config. You can check the list of modules by this command : apache2ctl -M
  • Implement Firewall MOD_SECURITY module is an open source, cross-platform web application firewall (WAF) module. Known as the "Swiss Army Knife" of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a power rules language and API to implement advanced protections.
  • Implement mod_evasive module
  • Disable Extra  module which are not utilized to improve performance
  • Cross check  Directory Indexing. apache2.conf | httpd.conf | <vhost>.conf | .htaccess
    Options -Indexes
  • Setup following variables in apache2.conf or httpd.conf
    SET HTTP Limits
    • KeepAlive=on
    • KeepAliveTimeout
    • LimitRequestBody
    • LimitRequestFields
    • LimitRequestFieldSize
    • LimitRequestLine
    • LimitXMLRequestBody
    • MaxClients
    • MaxKeepAliveRequests
    • MaxRequestWorkers
    • RequestReadTimeout
    • TimeOut
  • Disable server signature . Add these lines in apache2.conf |  <vhost>.conf | .htaccess
    ServerSignature Off
    ServerTokens Prod
server signature
  • If web-server language is PHP,  By Default PHP version is available in response header, Remove PHP version from header from php.ini
    • expose_php = Off
  • Add these headers  to prevent XSS

X-Frame-Options: SAMEORIGIN 
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8