htaccess

So, would you mind if I copy here what I implemented and get your recommendation for the ones to keep?

Hi Wfalaa,

Thank you very much for your response. This did not really worked for me.

Either I did this by changing things in htaccess or after the last update it happened, I don’t know, but here is the error log while WP Rocket is pre-loading the cache. These errors stop when I deactivate Wordfence. Depending on the number of pages, these errors can show either 5 times or 250.

http://www.domain.com [warn] [pid number] fcgid_bridge.c(number): (32)Broken pipe: [client ip number] mod_fcgid: ap_pass_brigade failed in handle_request_ipc function
http://www.domain.com [warn] [pid number] fcgid_bridge.c(number): (32)Broken pipe: [client ip number] mod_fcgid: ap_pass_brigade failed in handle_request_ipc function
It also sometimes say connection reset by peer
Auto index is another issue with an error message: No matching DirectoryIndex (index.html,index.shtml,index.cgi,index.php,index.php3,index.phtml,index.htm,home.html,welcome.html) found, and server-generated directory index forbidden by Options directive

Here are the manual ones I added:

# Deny access to wp-config.php file
<files wp-config.php>
order allow,deny
deny from all
</files>

# Deny access to all .htaccess files
<files ~ “^.*\.([Hh][Tt][Aa])”>
order allow,deny
deny from all
satisfy all
</files>

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://domain.com/$1 [R,L]

# Fix Index Issue
IndexIgnore *

# Disable directory browsing
Options -Indexes

## Protect from spam bots ##
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.domain.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
</IfModule>

# libwww block
RewriteCond %{HTTP_USER_AGENT} libwww [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)=http [NC]
RewriteRule ^(.*)$ – [F,L]
# END libwww block

# disable hotlinking of images
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?domain.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]
# END disable hotlinking

## Restrict WordPress Login Pages to Your Own IPs ##
<Files wp-login.php>
order deny,allow
deny from all
allow from 192.168.1.1
allow from 192.168.1.2
</Files>
<Files login>
order deny,allow
deny from all
allow from 192.168.1.1
allow from 192.168.1.1
</Files>

Thank you so much again Wfalaa.

I also see 404 errors for the following urls: What would be the proper way to ban those immediately?

​/license.php
/administrator
/admin​/content​/sitetree
​/panel
​/bitrix​/admin
​/manager
​/admin.php
​/user
/register/user
/git/

and many more.. Is there a safe list I can use for “Immediately block these IPs accessing non existing urls”

thank you so much again.
My question was rather about adding the right wildcards for these bots that are also searching files in /wp-content/plugins/theme-etc/bla bla