.htaccess Code List for WordPress

Improve the performance and security of your WordPress site with these settings

Add them to the .htaccess file

Webhost - Redirects everything to the root directory

# Use only in an emergency: every request for a path that is not an existing
# file or directory is sent to / with a temporary (302) redirect
#
#    RewriteEngine on
#    RewriteCond %{REQUEST_FILENAME} !-f
#    RewriteCond %{REQUEST_FILENAME} !-d
#    RewriteRule .? / [R=302,L]
#

Webhost - Loads the MAINT-index.html file when index.php or index.html is not found

# If index.php isn't found then load the file MAINT-index.html from the same directory instead.
# Try: https://codepen.io/j_holtslander/pen/KNgbMP
#
DirectoryIndex index.php index.html MAINT-index.html

Webhost - Uses UTF-8 for all text files and for the types listed below

AddDefaultCharset UTF-8

AddCharset UTF-8 .atom .css .js .json .rss .vtt .xml

Webhost - Corrects requests for the robots.txt file

# Source: https://perishablepress.com/htaccess-cleanup/
# Any request for robots.txt in a subdirectory (e.g. /blog/robots.txt) is redirected to the root /robots.txt

RedirectMatch 301 (?<!^)/robots.txt$ /robots.txt

Webhost - Changes the Apache administrator e-mail address

SetEnv SERVER_ADMIN email@dominio.tdl

Webhost - Removes the FileETag from the server

<IfModule mod_headers.c>
    # Strips the ETag response header (the core directive FileETag None stops it being generated at all)
    Header unset ETag
</IfModule>

Webhost - Removes X-Powered-By and other values to prevent fingerprinting (sniffing)

<IfModule mod_headers.c>
    Header always unset X-Powered-By
    # Apache adds the Server header after mod_headers runs, so this line has no effect in
    # .htaccess; use ServerTokens Prod in the main server configuration instead
    Header always unset Server
    Header always unset X-Pingback
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    # Current browsers have removed the XSS auditor; the value recommended today is "0"
    Header always set X-XSS-Protection "1; mode=block"
    # 'unsafe-inline' and 'unsafe-eval' in script-src leave this policy with little XSS protection;
    # tighten them once the theme and plugins no longer need inline scripts
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://dominio.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self';"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Feature-Policy is the older name; Permissions-Policy is its replacement, so both are sent
    Header always set Feature-Policy "geolocation 'none'; microphone 'none'; camera 'none'"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
</IfModule>
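As an added example (not part of the original page), the small Python audit below parses the Header directives of the block above, embedded as a constructed sample, and lists what a reviewer would flag: the missing Strict-Transport-Security header, the permissive CSP script-src, the legacy X-XSS-Protection value and the ineffective Header unset Server.

```python
import re

# Constructed sample: the header block from this page as it sits in .htaccess
HTACCESS = r'''
Header always unset X-Powered-By
Header always unset Server
Header always unset X-Pingback
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://dominio.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self';"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
'''

# One Header directive per line: optional "always", an action, a name, an optional quoted value
HEADER_RE = re.compile(
    r'^\s*Header\s+(?:always\s+)?(set|append|unset)\s+(\S+)(?:\s+"([^"]*)")?', re.I | re.M)

def parse_headers(text):
    """Return ({name: value} for headers set, {names} for headers unset); names are lower-cased."""
    set_, unset = {}, set()
    for action, name, value in HEADER_RE.findall(text):
        if action.lower() == "unset":
            unset.add(name.lower())
        else:
            set_[name.lower()] = value
    return set_, unset

def audit(text):
    """List the weaknesses a reviewer would flag in the snippet's security headers."""
    hdrs, unset = parse_headers(text)
    findings = []
    if "strict-transport-security" not in hdrs:
        findings.append("no Strict-Transport-Security header")
    script_src = re.search(r"script-src([^;]*)", hdrs.get("content-security-policy", ""))
    if script_src and re.search(r"'unsafe-(inline|eval)'", script_src.group(1)):
        findings.append("CSP script-src allows 'unsafe-inline'/'unsafe-eval': little XSS protection")
    xss = hdrs.get("x-xss-protection")
    if xss is not None and not xss.startswith("0"):
        findings.append("X-XSS-Protection enabled: legacy auditor, set to 0 or remove")
    if "server" in unset:
        findings.append("Header unset Server is ignored in .htaccess; use ServerTokens Prod")
    return findings
```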

Webhost - Enables deflate (compression) for files

<IfModule mod_deflate.c>
    AddType font/truetype .ttf
    AddOutputFilterByType DEFLATE "application/atom+xml" \
        "application/javascript" \
        "application/json" \
        "application/ld+json" \
        "application/manifest+json" \
        "application/rdf+xml" \
        "application/rss+xml" \
        "application/schema+json" \
        "application/vnd.geo+json" \
        "application/vnd.ms-fontobject" \
        "application/x-font-ttf" \
        "application/x-javascript" \
        "application/x-web-app-manifest+json" \
        "application/xhtml+xml" \
        "application/xml" \
        "font/eot" \
        "font/opentype" \
        "font/truetype" \
        "image/bmp" \
        "image/svg+xml" \
        "image/vnd.microsoft.icon" \
        "image/x-icon" \
        "text/cache-manifest" \
        "text/css" \
        "text/html" \
        "text/javascript" \
        "text/text" \
        "text/plain" \
        "text/vcard" \
        "text/vnd.rim.location.xloc" \
        "text/vtt" \
        "text/x-component" \
        "text/x-cross-domain-policy" \
        "text/xml"
</IfModule>

# Serve pre-compressed .svgz files with the gzip Content-Encoding
AddEncoding gzip              svgz

Webhost - Enables expires (browser caching) for files

<IfModule mod_expires.c>
    ExpiresActive on
    ExpiresDefault                                      "access plus 1 month"
    # CSS
    ExpiresByType text/css                              "access plus 1 year"
    # Data interchange
    ExpiresByType application/atom+xml                  "access plus 1 hour"
    ExpiresByType application/rdf+xml                   "access plus 1 hour"
    ExpiresByType application/rss+xml                   "access plus 1 hour"
    ExpiresByType application/json                      "access plus 0 seconds"
    ExpiresByType application/ld+json                   "access plus 0 seconds"
    ExpiresByType application/schema+json               "access plus 0 seconds"
    ExpiresByType application/vnd.geo+json              "access plus 0 seconds"
    ExpiresByType application/xml                       "access plus 0 seconds"
    ExpiresByType text/xml                              "access plus 0 seconds"
    # Favicon (cannot be renamed!) and cursor images
    ExpiresByType image/vnd.microsoft.icon              "access plus 1 week"
    ExpiresByType image/x-icon                          "access plus 1 week"
    # HTML
    ExpiresByType text/html                             "access plus 1 week"
    # JavaScript
    ExpiresByType application/javascript                "access plus 1 year"
    ExpiresByType application/x-javascript              "access plus 1 year"
    ExpiresByType text/javascript                       "access plus 1 year"
    # Manifest files
    ExpiresByType application/manifest+json             "access plus 1 week"
    ExpiresByType application/x-web-app-manifest+json   "access plus 0 seconds"
    ExpiresByType text/cache-manifest                   "access plus 0 seconds"
    # Media files
    ExpiresByType audio/ogg                             "access plus 6 months"
    ExpiresByType image/bmp                             "access plus 6 months"
    ExpiresByType image/gif                             "access plus 6 months"
    ExpiresByType image/jpeg                            "access plus 6 months"
    ExpiresByType image/jpg                             "access plus 6 months"
    ExpiresByType image/png                             "access plus 6 months"
    ExpiresByType image/svg+xml                         "access plus 6 months"
    ExpiresByType image/webp                            "access plus 6 months"
    ExpiresByType video/mp4                             "access plus 6 months"
    ExpiresByType video/ogg                             "access plus 6 months"
    ExpiresByType video/webm                            "access plus 6 months"
    # Web fonts
    # Embedded OpenType (EOT)
    ExpiresByType application/vnd.ms-fontobject         "access plus 6 months"
    ExpiresByType font/eot                              "access plus 6 months"
    # OpenType
    ExpiresByType font/opentype                         "access plus 6 months"
    # TrueType
    ExpiresByType application/x-font-ttf                "access plus 6 months"
    # Web Open Font Format (WOFF) 1.0
    ExpiresByType application/font-woff                 "access plus 6 months"
    ExpiresByType application/x-font-woff               "access plus 6 months"
    ExpiresByType font/woff                             "access plus 6 months"
    # Web Open Font Format (WOFF) 2.0
    ExpiresByType application/font-woff2                "access plus 6 months"
    # font/woff2 is the registered type that current Apache mime.types assigns to .woff2
    ExpiresByType font/woff2                            "access plus 6 months"
    # Other
    ExpiresByType image/svg+xml                         "access plus 6 months"
    ExpiresByType text/x-cross-domain-policy            "access plus 1 week"
</IfModule>

Webhost - Enables Keep-Alive

<IfModule mod_headers.c>
    # Only meaningful for HTTP/1.x; HTTP/2 forbids the Connection header and Apache drops it there
    Header set Connection keep-alive
</IfModule>

Webhost - Removes the server signature

# See: 
# * https://techjourney.net/improve-apache-web-server-security-use-servertokens-and-serversignature-to-disable-header/
# * https://www.unixmen.com/how-to-disable-server-signature-using-htaccess-or-by-editing-apache/
#
ServerSignature Off

Webhost - Filters request methods

<IfModule mod_rewrite.c>
    RewriteEngine On
    # RewriteRule matches the URL path, not the HTTP method, so "RewriteRule ^(TRACE|TRACK) - [F]"
    # never fires; the method has to be tested in a RewriteCond. TraceEnable Off in the server
    # configuration is the cleaner alternative where it is available.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$
    RewriteRule .* - [F]
</IfModule>

Webhost - Filters suspicious query strings

<IfModule mod_rewrite.c>
    RewriteEngine On
    # Consecutive RewriteCond lines are AND-ed unless flagged [OR]; without [OR] the rule
    # would only fire when every one of these words appears in the same query string
    RewriteCond %{QUERY_STRING} base64 [NC,OR]
    RewriteCond %{QUERY_STRING} union [NC,OR]
    RewriteCond %{QUERY_STRING} select [NC,OR]
    RewriteCond %{QUERY_STRING} insert [NC,OR]
    RewriteCond %{QUERY_STRING} drop [NC,OR]
    RewriteCond %{QUERY_STRING} update [NC,OR]
    RewriteCond %{QUERY_STRING} eval [NC,OR]
    # A CondPattern that starts with "-" is read as a file test (-f, -d, ...); the parentheses avoid that
    RewriteCond %{QUERY_STRING} (--) [NC]
    # Bare substrings also match harmless requests such as ?s=updates; expect false positives
    RewriteRule ^(.*)$ - [F,L]
</IfModule>
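To see how the chain of RewriteCond lines behaves, here is an added Python emulation (not part of the original page) of the query-string filter above. It shows that without [OR] the rule fires only when every pattern appears, that with [OR] a harmless search such as ?s=product+updates is blocked, and a word-bounded variant that reduces those false positives. The URLs are constructed samples.

```python
import re
from urllib.parse import urlsplit

# The substrings tested by this page's RewriteCond lines (case-insensitive, [NC])
PATTERNS = ["base64", "union", "select", "insert", "drop", "update", "eval", "--"]

def hits(url):
    """Return the patterns found in the raw query string, as mod_rewrite sees it
    (%{QUERY_STRING} is matched before URL decoding, so %20 is not a space)."""
    qs = urlsplit(url).query
    return [p for p in PATTERNS if re.search(re.escape(p), qs, re.I)]

def blocked(url, chained_with_or=True):
    """Emulate the RewriteCond chain. Without [OR] consecutive RewriteCond lines are AND-ed,
    so the rule only fires when every pattern appears; with [NC,OR] any single hit blocks."""
    found = hits(url)
    return bool(found) if chained_with_or else len(found) == len(PATTERNS)

def blocked_word_bounded(url):
    """Stricter variant: alphanumeric patterns must stand alone (not inside 'updates' or
    'selection'); '--' is still matched anywhere. Fewer false positives, still not a WAF."""
    qs = urlsplit(url).query
    for p in PATTERNS:
        pat = r"(?<![a-z0-9])" + re.escape(p) + r"(?![a-z0-9])" if p.isalnum() else re.escape(p)
        if re.search(pat, qs, re.I):
            return True
    return False
```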

Webhost - Protects the wp-config.php file

<Files wp-config.php>
    # Apache 2.2 syntax (needs mod_access_compat on 2.4); the Apache 2.4 equivalent is: Require all denied
    order allow,deny
    deny from all
</Files>

Webhost - Protects the .htaccess file

<Files .htaccess>
    # Apache 2.2 syntax (needs mod_access_compat on 2.4); the Apache 2.4 equivalent is: Require all denied
    order allow,deny
    deny from all
</Files>

WordPress - Configures .htaccess permissions

# WordPress permission over the .htaccess file
# Exposing .htaccess over the web reveals the server configuration; the deny block in the
# previous section is the safer choice unless there is a specific reason to allow it
<FilesMatch ".htaccess$">
    Order allow,deny
    Allow from all
</FilesMatch>

# The enclosing <Files> directive of this second block is missing from the page; as written
# it denies all web access to whatever file it wrapped
Order allow,deny
Deny from all

WordPress - Prevents attacks on the wp-login.php file

# Prevents external access to wp-login.php based on IP
<Files wp-login.php>
    Order Deny,Allow
    Deny from all
    # Replace xx.xx.xx.xx with the address(es) allowed to reach the login page
    Allow from xx.xx.xx.xx
</Files>

WordPress - Enables compression and improves loading

# GZIP compression
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE application/javascript text/css application/x-javascript text/html
</IfModule>

# Cache control for WordPress
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresDefault "access plus 1 year"
    ExpiresByType text/html "access plus 1 month"
    ExpiresByType text/css "access plus 1 year"
    ExpiresByType application/javascript "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
</IfModule>

This content is a collection of useful snippets for optimizing the security and performance of your WordPress site.

If you have questions or run into difficulties, consult the official WordPress documentation or contact your hosting provider.

Friday, May 9, 2025