.htaccess header rules (the `Header` directives need mod_headers and `BrowserMatch` needs mod_setenvif; both require `AllowOverride FileInfo` for the directory, and an unloaded module turns every request into a 500):
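#
FileETag none
#
# Hardening headers go to every client. "always" also attaches them to error
# responses (4xx/5xx), which plain "Header set" leaves untouched. All current
# browsers honour X-Frame-Options and nosniff; gating them on User-Agent
# sniffing (as below for IE) silently leaves unlisted browsers without them.
# A Content-Security-Policy with frame-ancestors supersedes X-Frame-Options
# where one is deployed.
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
# The legacy XSS auditor behind X-XSS-Protection has been removed from current
# Chrome/Edge/Safari and never existed in Firefox; where it still runs it can
# be abused to leak information, so the current recommendation is to disable
# it explicitly ("0") and rely on a Content-Security-Policy instead.
Header always set X-XSS-Protection "0"
Header unset Accept-Ranges
Header unset ETag
Header unset Pragma
#
# BrowserMatch is a case-sensitive regex over the User-Agent. The previous
# "SAFARI"/"CHROME" patterns never matched "Safari"/"Chrome", so the headers
# gated on them were never sent; they are now unconditional above and only
# the IE-specific hints remain UA-gated.
BrowserMatch MSIE ie
Header set Imagetoolbar "no" env=ie
Header set X-UA-Compatible "IE=edge" env=ie
#
BrowserMatch chromeframe gcf
Header set Imagetoolbar "no" env=gcf
Header set X-UA-Compatible "IE=edge,chrome=1" env=gcf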
w3-total-cache-config.php
Never cache the following pages:
wp-.*\.php
Cache exception list:
wp-comments-popup.php
wp-links-opml.php
wp-locations.php
wp-login.php
Non-trailing slash pages:
index\.php
humans\.txt
robots\.txt
sitemap\.txt
sitemap\.xml(\.gz)?
sitemap_index\.xml(\.gz)?
Specify page headers:
Accept-Encoding
Accept-Ranges
Connection
Content-Encoding
Content-Length
Content-Type
ETag
Pragma
Server
Transfer-Encoding
Vary
X-Frame-Options
X-CF-Powered-By
Imagetoolbar
X-Content-Type-Options
X-Pingback
X-UA-Compatible
X-XSS-Protection
W3TC injection protection:
delete /wp-content/w3tc/index.html
delete /wp-content/w3tc/index.php
(once these index files are gone, confirm that directory listings are disabled for the directory — `Options -Indexes` — otherwise /wp-content/w3tc/ becomes browsable)
Put this .htaccess in:
/wp-content/w3tc/dbcache/
/wp-content/w3tc/objectcache/
.htaccess contents (Apache 2.2 access-control syntax; on Apache 2.4 use `Require all denied` unless mod_access_compat is loaded):
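# Deny all direct HTTP access to this directory: nothing under dbcache/ or
# objectcache/ is meant to be fetched by a browser.
# Apache 2.4 (mod_authz_core) and 2.2 use different directives; pick by the
# module that is present rather than mixing both in one context.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny From All
</IfModule>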
functions.php
/* Disable self pings: drop every pingback target that points back at this site.
 * Hooked on 'pre_ping', which hands the link list over by reference. */
function no_self_ping(&$links)
{
    $site_url = get_option('home');
    foreach ($links as $index => $target) {
        // A target counts as "ours" when it starts with the configured home URL.
        // NOTE(review): this is a plain prefix match, so a different scheme
        // (http vs https) or host variant of the home URL would not be caught.
        if (strpos($target, $site_url) === 0) {
            unset($links[$index]);
        }
    }
}
add_action('pre_ping', 'no_self_ping');
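/* Remove the WordPress version from the <head> generator tag. */
remove_action('wp_head', 'wp_generator');
// The same generator string is also written into RSS/Atom feeds via the
// 'the_generator' filter, so blank it there too. This is obscurity only: the
// version is commonly still discoverable elsewhere (readme.html, ?ver= query
// strings on core assets), so it is no substitute for keeping core and plugins
// updated.
add_filter('the_generator', '__return_empty_string');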
/* Hide the blog URL from WordPress's outbound 'phone home' HTTP requests by
 * replacing the default User-Agent (which includes the home URL) with just the
 * product/version part. The version itself is still disclosed. */
function disabler_remove_url($default)
{
    return sprintf('WordPress/%s', $GLOBALS['wp_version']);
}
add_filter('http_headers_useragent', 'disabler_remove_url');
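// Remove the login error message on wp-login.php.
// create_function() was deprecated in PHP 7.2 and removed in 8.0, so the
// previous form is a fatal error on current PHP; a named core callback does
// the same job. Blanking the text stops wp-login.php from revealing which of
// username/password was wrong, but on its own it is only one piece of a
// username-enumeration defence.
add_filter('login_errors', '__return_empty_string');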
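/* Block Bad Queries: refuse requests whose URI or query string (and, if the
 * commented-out clause is enabled, User-Agent) contains one of the fragments
 * below. Each list passes through a filter so a plugin or child theme can
 * extend or relax it. Entries are already regex-escaped for a /.../i pattern
 * with '/' as the delimiter and are joined with '|', so add new ones escaped.
 *
 * NOTE(review): this only runs while this theme is active and after WordPress
 * has bootstrapped. Some entries ('\.ini', '\.sql', '\%27', '\%3C', ' ', ...)
 * may also match legitimate requests, e.g. admin searches containing quotes;
 * tune the lists through the filters rather than editing them in place. */
$request_uri_array = apply_filters('request_uri_items', array(
    'eval\(', 'CONCAT', 'UNION\+SELECT', '\(null\)', 'base64_', '\/localhost',
    '\/pingserver', '\/config\.', '\/wwwroot', '\/makefile', 'crossdomain\.',
    'proc\/self\/environ', 'etc\/passwd', '\/https\/', '\/http\/', '\/ftp\/',
    '\/cgi\/', '\.cgi', '\.exe', '\.sql', '\.ini', '\.dll', '\.asp', '\.jsp',
    '\/\.bash', '\/\.git', '\/\.svn', '\/\.tar', ' ', '\<', '\>', '\/\=',
    '\.\.\.', '\+\+\+', '\:\/\/', '\/&&',
));
$query_string_array = apply_filters('query_string_items', array(
    '\?', '\[', '\]', '\.\.\/', '127\.0\.0\.1', 'localhost', 'loopback',
    '\%0A', '\%0D', '\%22', '\%27', '\%3C', '\%3E', '\%00', '\%2e\%2e',
    'union', 'input_file', 'execute', 'mosconfig', 'environ', 'path\=\.',
    'mod\=\.',
));
$user_agent_array = apply_filters('user_agent_items', array(
    'binlar', 'casper', 'cmswor', 'diavol', 'dotbot', 'finder', 'flicky',
    'jakarta', 'libwww', 'nutch', 'planet', 'purebot', 'pycurl', 'skygrid',
    'sucker', 'turnit', 'vikspi', 'zmeu',
));
// The $_SERVER keys are absent when there is no HTTP request (WP-CLI, cron run
// from the shell), which previously raised notices and handed null to
// preg_match; fall back to '' so such runs are simply never blocked.
if (
    preg_match('/' . implode('|', $request_uri_array) . '/i',
        isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '') ||
    preg_match('/' . implode('|', $query_string_array) . '/i',
        isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '')
    // User-Agent matching is deliberately disabled; enable with:
    // || preg_match('/' . implode('|', $user_agent_array) . '/i',
    //     isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '')
) {
    // http_response_code() emits the status for the actual protocol and SAPI;
    // the old hard-coded "HTTP/1.1 ..." plus "Status:" pair assumed one server
    // setup.
    http_response_code(403);
    header('Connection: Close');
    exit;
}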
If you use FeedBurner (or a similar plugin) to replace the default WordPress feed, instruct W3TC not to minify feeds:
w3-total-cache-config.php
HTML minify settings:
Don't minify feeds (checked)
Instruct W3TC not to minify inline scripts, to keep WordPress's default behaviour:
w3-total-cache-config.php
HTML minify settings:
Inline JS minification (unchecked)
Set W3TC's "Don't cache pages for logged in users" option to reduce server load:
w3-total-cache-config.php
Page Cache General:
Don't cache pages for logged in users (unchecked — caution: with this unchecked, pages rendered for a logged-in user may end up in the shared page cache; only leave it unchecked if no cached page contains user-specific content, otherwise check it)