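# BEGIN iThemes Security - Do not modify or remove this line
# iThemes Security Config Details: 2
#
# NOTE(review): this listing was captured with every directive collapsed onto
# two physical lines and with no container tags (<IfModule>, <RequireAll>,
# <Files>). As captured, the first line parses as one long comment, and the
# bare "Require all denied" groups would deny the whole site once split out.
# The containers below are restored in the shape the directives require.
# <Files> targets that the listing does not show are labelled placeholders;
# fill them in from the live file before use.
#
# NOTE(review): the BEGIN/END markers suggest this section is generated, so
# manual edits here are presumably overwritten when it is regenerated. Make
# lasting changes in the plugin settings named in each heading. TODO confirm.

    # Ban Hosts - Security > Settings > Banned Users
    #
    # Static deny list, written twice: once in Apache 2.4 syntax (mod_authz_core)
    # and once in legacy 2.2 syntax. Only one variant should be active at a time.
    # These rules match the address of the connecting peer. Behind a reverse
    # proxy or CDN that is the proxy's address unless the server is configured
    # to trust a forwarded client address (e.g. mod_remoteip). Verify which
    # address Apache sees before relying on this list.
    <IfModule mod_authz_core.c>
        # "Require not" is only valid inside a container that also has a
        # positive requirement, hence <RequireAll> + "Require all granted".
        <RequireAll>
            Require all granted
            Require not env DenyAccess
            Require not ip 121.121.19.242
            Require not ip 175.136.232.202
            Require not ip 176.102.37.57
            Require not ip 186.137.140.11
            Require not ip 211.24.123.107
            Require not ip 91.207.7.54
            Require not ip 91.208.16.3
            Require not ip 91.93.128.180
            Require not ip 176.106.1.173
            Require not ip 184.154.248.106
            Require not ip 69.175.59.186
            Require not ip 184.154.249.74
            Require not ip 82.146.36.221
            Require not ip 96.127.149.82
            Require not ip 107.6.137.74
            Require not ip 108.163.224.114
        </RequireAll>
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
        Deny from env=DenyAccess
        Deny from 121.121.19.242
        Deny from 175.136.232.202
        Deny from 176.102.37.57
        Deny from 186.137.140.11
        Deny from 211.24.123.107
        Deny from 91.207.7.54
        Deny from 91.208.16.3
        Deny from 91.93.128.180
        Deny from 176.106.1.173
        Deny from 184.154.248.106
        Deny from 69.175.59.186
        Deny from 184.154.249.74
        Deny from 82.146.36.221
        Deny from 96.127.149.82
        Deny from 107.6.137.74
        Deny from 108.163.224.114
    </IfModule>

    # Protect System Files - Security > Settings > System Tweaks > System Files
    #
    # Five deny-all groups appear in the listing; each must be scoped to one
    # file. The file names were not captured, so placeholders are used. A
    # placeholder matches no real file, so these blocks are inert until filled in.
    <Files "PLACEHOLDER_PROTECTED_FILE_1">
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </Files>
    <Files "PLACEHOLDER_PROTECTED_FILE_2">
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </Files>
    <Files "PLACEHOLDER_PROTECTED_FILE_3">
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </Files>
    <Files "PLACEHOLDER_PROTECTED_FILE_4">
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </Files>
    <Files "PLACEHOLDER_PROTECTED_FILE_5">
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </Files>

    # Disable XML-RPC - Security > Settings > WordPress Tweaks > XML-RPC
    #
    # NOTE(review): target presumed to be xmlrpc.php from the section title;
    # the listing does not show it. Confirm against the live file.
    <Files "xmlrpc.php">
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </Files>

    <IfModule mod_rewrite.c>
        RewriteEngine On

        # Protect System Files - Security > Settings > System Tweaks > System Files
        #
        # Forbid direct requests to wp-admin/includes/.
        RewriteRule ^wp-admin/includes/ - [F]
        # If the path is NOT under wp-includes/, skip the next three rules.
        RewriteRule !^wp-includes/ - [S=3]
        # Forbid top-level PHP files in wp-includes/, except ms-files.php.
        RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php
        RewriteRule ^wp-includes/[^/]+\.php$ - [F]
        RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
        RewriteRule ^wp-includes/theme-compat/ - [F]

        # Disable PHP in Uploads - Security > Settings > System Tweaks > Uploads
        #
        # Returns 403 for requests under mope-content/uploads/ whose path ends in
        # .php, .php1-.php6, .pht, .phtm or .phtml (case-insensitive). The prefix
        # is tied to this site's content directory name and must follow it if
        # that directory is renamed. Only the listed extensions are covered, and
        # only when they end the path. Anything else the server maps to the PHP
        # handler (check AddHandler/SetHandler/FilesMatch in the main
        # configuration) is not blocked here. Turning the PHP handler off for the
        # uploads directory at the server level is the stronger control.
        RewriteRule ^mope\-content/uploads/.*\.(?:php[1-6]?|pht|phtml?)$ - [NC,F]

        # Filter Suspicious Query Strings in the URL - Security > Settings > System Tweaks > Suspicious Query Strings
        #
        # Logic: (any pattern in the [OR] chain matches) AND (no exemption below
        # applies) => 403.
        # Treat this as noise reduction, not input validation:
        #   - %{QUERY_STRING} is matched as sent, not URL-decoded, so only the
        #     encodings spelled out in a pattern (e.g. %3C, %3D) are recognised.
        #   - Request bodies, cookies and other headers are not inspected.
        #   - Broad words such as "request", "encode", "insert" or "union" can
        #     match legitimate query strings and cause false 403s.
        RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
        RewriteCond %{QUERY_STRING} ^.*\.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
        RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
        RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
        RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
        RewriteCond %{QUERY_STRING} http\: [NC,OR]
        RewriteCond %{QUERY_STRING} https\: [NC,OR]
        RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
        RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
        RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
        RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
        RewriteCond %{QUERY_STRING} ^.*(127\.0).* [NC,OR]
        RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
        RewriteCond %{QUERY_STRING} ^.*(request|concat|insert|union|declare).* [NC]
        # Exemptions (all ANDed). The Cookie and Referer values are supplied by
        # the client, so these two exemptions do not prove that a request is
        # authenticated or that it came from the named origin.
        RewriteCond %{QUERY_STRING} !^loggedout=true
        RewriteCond %{QUERY_STRING} !^action=jetpack-sso
        RewriteCond %{QUERY_STRING} !^action=rp
        RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
        RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com(.*)$
        RewriteRule ^.* - [F]

        # Reduce Comment Spam - Security > Settings > System Tweaks > Comment Spam
        #
        # 403 for a POST to wp-comments-post.php when the User-Agent is empty OR
        # the Referer is not this site (mope.es and subdomains) or the Jetpack
        # comment endpoint. Both headers are client-controlled, so this filters
        # only clients that do not set them. Keep server-side comment moderation
        # as the real control.
        RewriteCond %{REQUEST_METHOD} POST
        RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
        RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
        RewriteCond %{HTTP_REFERER} !^https?://(([^/]+\.)?mope\.es|jetpack\.wordpress\.com/jetpack-comment)(/|$) [NC]
        RewriteRule ^.* - [F]
    </IfModule>
# END iThemes Security - Do not modify or remove this line

# BEGIN WordPress
# Front-controller routing: a request that does not map to an existing file or
# directory is handed to /index.php.
# NOTE(review): the <IfModule mod_rewrite.c> wrapper is restored here; the
# listing as captured shows no container tags.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress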