WordPress compilation of a “complete” .htaccess file

I was cleaning up some stuff and making some files generic so I can take them of the shelve when I need them. But I have a .htaccess questions.

Question #1 [Answered by @Kanu]

At the start of the file I have:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Further on I have a snippet that blocks hotlinking:

#Switch on rewrite engine
RewriteEngine on
#Allow empty referrals, in case visitors are using personal firewalls
RewriteCond %{HTTP_REFERER} !^$
#Match request URL. Replace www.yourwebsite.com with your website URL
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?www.yourwebsite.com [NC]
#Match all files with the below list of extensions
RewriteRule .(jpg|jpeg|png|gif)$ - [NC,F,L]

Does it hurt to do

RewriteEngine On

twice or can I skip the second RewriteEnginge? What is the best practice here?

Question #2: [Answered by @Kanu]
Also, do I start with the WP part or do I need to end with it?

There are some more things I do in the htacces like only giving certain IP’s access to the admin, protecting; htaccess|htpasswd|log|ini. Do you have some more advice or pointers, think of security or any other nifty stuff.

Thanks, /Paul

ADDED: 14th of june 2013

Thinking of adding this to stop spammers, idea’s, due I found this on a relative old post.

RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post.php*
RewriteCond %{HTTP_REFERER} !.*yourblog.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]

Canonicalization via HTACCESS for stopping malicious behaviour via bots and evil scripts. Also so that search engines find their way arround. Found this here.

#favicon
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} !^/favicon.ico$ [NC]
RewriteCond %{REQUEST_URI} /favicon(s)?.?(gif|ico|jpe?g?|png)?$ [NC]
RewriteRule (.*) http://your-domain-name.com/favicon.ico [R=301,L]

#robots.txt
RewriteBase /
RewriteCond %{REQUEST_URI} !^/robots.txt$ [NC]
RewriteCond %{REQUEST_URI} robots.txt [NC]
RewriteRule .* http://your-domain-name.com/robots.txt [R=301,L]

#sitemap
RedirectMatch 301 /sitemap.xml$ http://your-domain-name.com/sitemap.xml
RedirectMatch 301 /sitemap.xml.gz$ http://your-domain-name.com/sitemap.xml.gz

I’ll post the complete .htaccess file here and update any good stuff for use.

# ==================================================================
# WORDPRESS
# ==================================================================

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    RewriteRule ^index.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

# ==================================================================
# RESTRICT ACCESS IP BASED
# ==================================================================

    order deny,allow
    # enter name here and replace xxx.xxx.x.x with IP
    allow from xxx.xxx.x.x
    # enter name here and replace xxx.xxx.x.x with IP
    allow from xxx.xxx.x.x
    # enter name here and replace xxx.xxx.x.x with IP
    allow from xxx.xxx.x.x
    deny from all

# ==================================================================
# PROTECT FILES, THANKS KANU: http://stackoverflow.com/users/1089399/kanu
# ==================================================================

    #Protect some files from direct access
    <FilesMatch "^(wp-config.php|php.ini|php5.ini|install.php|php.info|readme.html|bb-config.php|.htaccess|.htpasswd|readme.txt|timthumb.php|error_log|error.log|PHP_errors.log|.svn)">
    Deny from all
    </FilesMatch>

# ==================================================================
# DISABLE TRACE TRACK REQUESTS, THANKS KANU: http://stackoverflow.com/users/1089399/kanu
# ==================================================================

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

# ==================================================================
# PREVENT HOTLINKING
# ==================================================================

    #Switch on rewrite engine
    RewriteEngine on
    #Allow empty referrals, in case visitors are using personal firewalls
    RewriteCond %{HTTP_REFERER} !^$
    #Match request URL. Replace www.yourwebsite.com with your website URL
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?www.yourwebsite.com [NC]
    #Match all files with the below list of extensions
    RewriteRule .(jpg|jpeg|png|gif)$ - [NC,F,L]

# ==================================================================
# DISABLE DIRECTORY BROWSING
# ==================================================================

    Options All -Indexes

# ==================================================================
# DISABLE SERVER SIGNATURE, THANKS KANU: http://stackoverflow.com/users/1089399/kanu
# ==================================================================   

    ServerSignature Off

# ==================================================================
# DENY SOME KNOWN BAD BOTS, THANKS KANU: http://stackoverflow.com/users/1089399/kanu
# ==================================================================   
    RewriteEngine On 
    RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^Bot mailto:craftbot@yahoo.com [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^Custo [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^Download Demon [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^Express WebPictures [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^HMView [OR] 
    RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR] 
    RewriteCond %{HTTP_USER_AGENT} ^Image Stripper [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^Image Sucker [OR] 
    RewriteCond %{HTTP_USER_AGENT} Indy Library [NC,OR] 
    RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^Internet Ninja [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^JOC Web Spider [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^larbin [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^Mass Downloader [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^MIDown tool [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^Mister PiX [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^Net Vampire [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^Offline Explorer [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^Offline Navigator [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^Papa Foto [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^Teleport Pro [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^Web Image Collector [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^Web Sucker [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^WebGo IS [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^Website eXtractor [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^Website Quester [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^Wget [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^Widow [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^Xaldon WebSpider [OR] 
    RewriteCond %{HTTP_USER_AGENT} ^Zeus 
    RewriteRule ^.* - [F,L]