This is the original .htaccess on my local computer
# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
# uploaded files
RewriteRule ^([_0-9a-zA-Z-]+/)?files/(.+) wp-includes/ms-files.php?file=$2 [L]
# add a trailing slash to /wp-admin
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^[_0-9a-zA-Z-]+/(wp-(content|admin|includes).*) $1 [L]
RewriteRule ^[_0-9a-zA-Z-]+/(.*\.php)$ $1 [L]
RewriteRule . index.php [L]
</IfModule>
# END WordPress
This is the new setting for the online site on the server. Please help me out, as I know nothing about this .htaccess code. Which part do I have to take off and which part should I keep in order to get the site running again just like on local, but of course including well-protected security lines of code as well?
# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
#disable hotlinking of images with forbidden or custom image option
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
# skip the replacement image itself, otherwise the redirect below loops on it
RewriteCond %{REQUEST_URI} !/stealingisbad\.gif$
#RewriteRule \.(gif|jpg)$ - [F]
RewriteRule \.(gif|jpg)$ http://www.yourdomain.com/stealingisbad.gif [R,L]
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php
RewriteCond %{HTTP_REFERER} !.*yourblog\.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# send the poster back to its own address; the substitution is a plain URL (no ^ or $ anchors)
RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]
# protect wpconfig.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>
# disable directory browsing
Options All -Indexes
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>
# Protect the .htaccess
<Files .htaccess>
order allow,deny
deny from all
</Files>
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
# uploaded files
RewriteRule ^([_0-9a-zA-Z-]+/)?files/(.+) wp-includes/ms-files.php?file=$2 [L]
# add a trailing slash to /wp-admin
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^[_0-9a-zA-Z-]+/(wp-(content|admin|includes).*) $1 [L]
RewriteRule ^[_0-9a-zA-Z-]+/(.*\.php)$ $1 [L]
RewriteRule . index.php [L]
</IfModule>
# END WordPress
amtik is correct in looking at the code that needs to be addressed.
That code was originally only designed to be used in wp-includes and wp-content, not in the root of your WordPress install, but even then it will still break themes and plugins. Plus it would be better written like so:
But it would need to go in an .htaccess file in your wp-includes and wp-content directories. I would suggest you just remove it completely and see if your site works. Then create new .htaccess files with the above content for your wp-includes and wp-content directories and see if anything breaks. There's a good likelihood that something will break; it just depends on whether the user's browser needs something from those directories.
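A per-directory layout along the lines the reply above describes, as an added example: these are my own .htaccess files, not code from the thread or from WordPress. It goes a step further than the reply: instead of the allow-list of static extensions that locked the poster out when it sat in the root, it denies direct requests for PHP inside wp-content/uploads and wp-includes (the file type that matters) and restricts wp-admin to one source address. The address 203.0.113.10 is a placeholder; both the Apache 2.2 (Order/Deny) and 2.4 (Require) forms are given so the same file works on either.

```apache
# --- wp-content/uploads/.htaccess ---
# Nothing under uploads should ever run as PHP; images, css and js are unaffected.
<FilesMatch "\.(php|phtml|php[0-9])$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>

# --- wp-includes/.htaccess ---
# Deny direct requests for PHP here; WordPress still includes these files server-side,
# and the js/css it loads from this directory stay reachable. If something does still
# fetch a .php file from here (older releases loaded wp-includes/js/tinymce/wp-tinymce.php
# directly), it shows up as a 403 in the error log; add a <Files> exception for that one
# file. On Multisite the root rules rewrite upload requests to wp-includes/ms-files.php,
# so on a network either exempt ms-files.php or skip this file.
<FilesMatch "\.php$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>

# --- wp-admin/.htaccess ---
# Restrict the dashboard to a known address (203.0.113.10 is a placeholder; use your own).
# admin-ajax.php is called by the public front end (themes and plugins), so it stays open.
# Note: wp-login.php lives in the site root, not in wp-admin, so this does not protect
# the login form itself.
<IfModule mod_authz_core.c>
  Require ip 203.0.113.10
  <Files admin-ajax.php>
    Require all granted
  </Files>
</IfModule>
<IfModule !mod_authz_core.c>
  Order deny,allow
  Deny from all
  Allow from 203.0.113.10
  <Files admin-ajax.php>
    Order allow,deny
    Allow from all
  </Files>
</IfModule>
```

Deploy one file at a time and watch the error log for unexpected 403s before adding the next; an access rule in a parent directory is inherited by every directory below it, which is exactly why the root placement of the original block broke the login page.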
Just saw that this post is from 3 years ago, so maybe it'll be useful to somebody :(
First, I assume that you don't have Multisite activated or WordPress MU, because if so you don't need:
You have problems with your code:
Rewrite rules like
RewriteEngine
need to be inside tags. You have this code wrong:
Delete:
Add below:
Allow from all
You don't need to limit .htaccess; it's already the default, so remove those lines (also .htaccess doesn't need
=""
): and
Also, if you still want the above to work you need to use it like this:
Instead of blocking the includes,
block the entire wp-admin folder: create an .htaccess file in the wp-admin folder with this code:
Now you said "Cannot login to WordPress site after changing .htaccess for security purposes".
That's because those lines are misplaced (in 2 above).
UPDATED: (Code Updated)
Replace this
with
See the yourblog.com – used to allow only your domain to access those files
The above code doesn't do anything. By default everyone can access those files; if you deny it, no one will have access to those files, even your own domain. If you are looking for code to block hotlinking to images as well as JS/CSS files, then use the code given at the end.
To block CSS, JS and image files from hot-linking, use the following code:
If you are looking to block hotlinking to your images as well as the CSS/JS files, then use the following code.
NOTICE – You are using this code already to block hot-linking to only image files (jpg/gif). Replace that with the given code so that it also works with JS and CSS.
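The code the last replies refer to is missing from the page, so here is an added example of my own (not the replies' code) of referer-based hotlink protection that covers images, CSS and JS in one rule; yourdomain.com is a placeholder for the site's own hostname.

```apache
# Added example: referer-based hotlink protection for images, CSS and JS.
# yourdomain.com is a placeholder for the site's own hostname.
<IfModule mod_rewrite.c>
  RewriteEngine On
  # Let empty referers through: direct visits, bookmarks, and privacy tools that strip Referer.
  RewriteCond %{HTTP_REFERER} !^$
  # Anchor the host and allow https: an unanchored ".*yourblog.com.*" as in the posted file
  # would also accept a referer of yourblog.com.evil.example.
  RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com(/|$) [NC]
  # Everything else asking for one of these static assets gets a 403.
  RewriteRule \.(gif|jpe?g|png|css|js)$ - [F,NC]
</IfModule>
```

Referer is set by the client, so this is bandwidth hygiene rather than an access control: any scraper can send an empty or forged Referer and walk straight past it. If you prefer the redirect-to-image variant from the posted file, add a RewriteCond that excludes the replacement image itself, otherwise the rule redirects its own redirect.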