artes-visuales · September 27, 2017 10:00
diff --git a/.htaccess WordPress b/.htaccess WordPress
 Parametros seguridad de WordPress
diff --git a/01. proc-self-environ b/01. proc-self-environ
 # sin acceso a proc/self/environ
 RewriteCond %{QUERY_STRING} proc/self/environ [OR]
diff --git a/02. mosConfig b/02. mosConfig
 # bloquear cualquier script que trate de establecer un valor mosConfig a través de una URL
 RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
diff --git a/03. base64_encode b/03. base64_encode
 # bloquear cualquier script que trate de colocarte código codificado base64_encode a través de una URL
 RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
diff --git a/04. tag <script> b/04. tag <script>
 # bloquea cualquier script que incluya la tag <script> en la URL
 RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
diff --git a/05. PHP GLOBALS b/05. PHP GLOBALS
 # bloquea cualquier script que trate de establecer la variable PHP GLOBALS a través de una URL
 RewriteCond %{QUERY_STRING} GLOBALS(=|[|\%[0-9A-Z]{0,2}) [OR]
diff --git a/06. variable _REQUEST b/06. variable _REQUEST
 # bloquea cualquier script que trate de modificar una variable _REQUEST a través de una URL
 RewriteCond %{QUERY_STRING} _REQUEST(=|[|\%[0-9A-Z]{0,2})
diff --git a/07. 403 Prohibido b/07. 403 Prohibido
 # manda a todas las peticiones bloqueadas a la página principal con un error de 403 Prohibido
 RewriteRule ^(.*)$ index.php [F,L]
diff --git a/08. No explorar carpetas b/08. No explorar carpetas
 #Evitar la exploración de carpetas.
 Options All -Indexes
diff --git a/09. Proteger wp-config b/09. Proteger wp-config
 #Proteger wp-config
 <files wp-config.php>
 order allow,deny
 deny from all
 </files>
diff --git a/10. Activar Specify a cache b/10. Activar Specify a cache
 # Optimizar: Activar Specify a cache validator
 <ifmodule mod_expires.c>
 ExpiresActive On
 ExpiresDefault A3600
 <filesmatch ".(jpg|JPG|gif|GIF|png|css|ico|js)$">
 ExpiresDefault "access plus 1 week"
 </filesmatch>
diff --git a/11. Proteger htaccess b/11. Proteger htaccess
 # Protegiendo el mismo fichero htaccess
 <files .htaccess>
 order allow,deny
 deny from all
 </files>
diff --git a/12. Proteger wp-includes b/12. Proteger wp-includes
 # Proteger wp-includes: block the include-only files.
 RewriteEngine On
 RewriteBase /
 RewriteRule ^wp-admin/includes/ - [F,L]
 RewriteRule !^wp-includes/ - [S=3]
 RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
 RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
 RewriteRule ^wp-includes/theme-compat/ - [F,L]
diff --git a/13. Proteger los plugins b/13. Proteger los plugins
 # Proteger los plugins
 <Files ~ "\.(js|css)$">
  order allow,deny
  allow from all
 </Files>
diff --git a/14. Accept-Encoding header b/14. Accept-Encoding header
 # Optimizar info cabeceras: Accept-Encoding header
 <IfModule mod_headers.c>
 <FilesMatch "\.(js|css|xml|gz)$">
 Header append Vary: Accept-Encoding
 </FilesMatch>
 </IfModule>
diff --git a/15. Desactivar ETAG b/15. Desactivar ETAG
 # Optimizar: Desactivar ETAG
 <ifModule mod_headers.c>
 Header unset ETag
 </ifModule>
 FileETag None
diff --git a/16. Enable Keep-Alive b/16. Enable Keep-Alive
 # Optimizar conexiones: Enable Keep-Alive
 <ifModule mod_headers.c>
 Header set Connection keep-alive
 </ifModule>
diff --git a/17. Enable gzip compression b/17. Enable gzip compression
 # Optimizar: Enable gzip compression
 AddOutputFilterByType DEFLATE text/plain
 AddOutputFilterByType DEFLATE text/html
 AddOutputFilterByType DEFLATE text/xml
 AddOutputFilterByType DEFLATE text/css
 AddOutputFilterByType DEFLATE application/xml
 AddOutputFilterByType DEFLATE application/xhtml+xml
 AddOutputFilterByType DEFLATE application/rss+xml
 AddOutputFilterByType DEFLATE application/javascript
 AddOutputFilterByType DEFLATE application/x-javascript
diff --git a/18. Baneo por IP b/18. Baneo por IP
 # Baneo por IP a HP :-)
 <Limit GET POST>
 order allow,deny
  	deny from 100.43.81.9 
 allow from all
 </Limit> 
diff --git a/20. Bloqueo peticiones xmlrpc.php b/20. Bloqueo peticiones xmlrpc.php
 # Bloqueo peticiones xmlrpc.php
 <Files xmlrpc.php>
  order deny,allow
  deny from all
 </Files>
diff --git a/21. BLOQUEO DE ROBOTS MALICIOSOS b/21. BLOQUEO DE ROBOTS MALICIOSOS
 # BLOQUEO DE ROBOTS MALICIOSOS
 <IfModule mod_setenvif.c>
 SetEnvIfNoCase User-Agent ^$ keep_out
 SetEnvIfNoCase User-Agent (purebot|comodo|feedfinder)   keep_out
 SetEnvIfNoCase User-Agent (flicky|ia_archiver|jakarta|kmccrew) keep_out
 SetEnvIfNoCase User-Agent (libwww|planetwork|pycurl|skygrid)   keep_out
 SetEnvIfNoCase User-Agent (casper|cmsworldmap|diavol|dotbot) keep_out
 <Limit GET POST PUT>
  Order Allow,Deny
  Allow from all
  Deny from env=keep_out
 </Limit>
 </IfModule>
diff --git a/22. BLOQUEO DE SPAM AUTOMATIZADOS b/22. BLOQUEO DE SPAM AUTOMATIZADOS
 # BLOQUEO DE SPAM AUTOMATIZADOS
 <IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteCond %{REQUEST_METHOD} POST
 RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
 RewriteCond %{HTTP_REFERER} !.*misitio.com.* [NC]
 RewriteCond %{REQUEST_URI} /wp\-comments\-post\.php [NC]
 RewriteRule .* - [F,NC,L]
 </IfModule>
diff --git a/23. PROTECCION HOTLINK b/23. PROTECCION HOTLINK
 # PROTECCION HOTLINK
 <IfModule mod_rewrite.c>
   RewriteEngine on
   RewriteCond %{HTTP_REFERER} !^$
   RewriteCond %{REQUEST_FILENAME} -f
   RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
   RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?midominio\. [NC]
   RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]
 </IfModule>
diff --git a/24. Wordfence Falcon Cache b/24. Wordfence Falcon Cache
 #WFCACHECODE - Do not remove this line. Disable Web Caching in Wordfence to remove this data.
 <IfModule mod_deflate.c>
 	AddOutputFilterByType DEFLATE text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/json
 	<IfModule mod_headers.c>
 		Header append Vary User-Agent env=!dont-vary
 	</IfModule>
 	<IfModule mod_mime.c>
 		AddOutputFilter DEFLATE js css htm html xml
 	</IfModule>
 </IfModule>
 <IfModule mod_mime.c>
 	AddType text/html .html_gzip
 	AddEncoding gzip .html_gzip
 	AddType text/xml .xml_gzip
 	AddEncoding gzip .xml_gzip
 </IfModule>
 <IfModule mod_setenvif.c>
 	SetEnvIfNoCase Request_URI \.html_gzip$ no-gzip
 	SetEnvIfNoCase Request_URI \.xml_gzip$ no-gzip
 </IfModule>
 <IfModule mod_headers.c>
 	Header set Vary "Accept-Encoding, Cookie"
 </IfModule>
 <IfModule mod_rewrite.c>
 	#Prevents garbled chars in cached files if there is no default charset.
 	AddDefaultCharset utf-8

 	#Cache rules:
 	RewriteEngine On
 	RewriteBase /
 	RewriteCond %{HTTPS} on
 	RewriteRule .* - [E=WRDFNC_HTTPS:_https]
 	RewriteCond %{HTTP:Accept-Encoding} gzip
 	RewriteRule .* - [E=WRDFNC_ENC:_gzip]
 	RewriteCond %{REQUEST_METHOD} !=POST
 	RewriteCond %{HTTPS} off
 	RewriteCond %{QUERY_STRING} ^(?:\d+=\d+)?$
 	RewriteCond %{REQUEST_URI} (?:\/|\.html)$ [NC]
 	
 	RewriteCond %{HTTP_COOKIE} !(comment_author|wp\-postpass|wf_logout|wordpress_logged_in|wptouch_switch_toggle|wpmp_switcher) [NC]
 	
 	RewriteCond %{REQUEST_URI} \/*([^\/]*)\/*([^\/]*)\/*([^\/]*)\/*([^\/]*)\/*([^\/]*)(.*)$
 	RewriteCond "%{DOCUMENT_ROOT}/wp-content/wfcache/%{HTTP_HOST}_%1/%2~%3~%4~%5~%6_wfcache%{ENV:WRDFNC_HTTPS}.html%{ENV:WRDFNC_ENC}" -f
 	RewriteRule \/*([^\/]*)\/*([^\/]*)\/*([^\/]*)\/*([^\/]*)\/*([^\/]*)(.*)$ "/wp-content/wfcache/%{HTTP_HOST}_$1/$2~$3~$4~$5~$6_wfcache%{ENV:WRDFNC_HTTPS}.html%{ENV:WRDFNC_ENC}" [L]
 </IfModule>
 #Do not remove this line. Disable Web caching in Wordfence to remove this data - WFCACHECODE
diff --git a/25. Firewall 6G b/25. Firewall 6G
 # @ https://perishablepress.com/6g/

 # 6G:[QUERY STRINGS]
 <IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
  RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
  RewriteCond %{QUERY_STRING} ([a-z0-9]{2000}) [NC,OR]
  RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
  RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
  RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
  RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
  RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
  RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
  RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
  RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC]
  RewriteRule .* - [F]
 </IfModule>

 # 6G:[REQUEST METHOD]
 <IfModule mod_rewrite.c>
  RewriteCond %{REQUEST_METHOD} ^(connect|debug|delete|move|put|trace|track) [NC]
  RewriteRule .* - [F]
 </IfModule>

 # 6G:[REFERRERS]
 <IfModule mod_rewrite.c>
  RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000}) [NC,OR]
  RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC]
  RewriteRule .* - [F]
 </IfModule>

 # 6G:[REQUEST STRINGS]
 <IfModule mod_alias.c>
  RedirectMatch 403 (?i)([a-z0-9]{2000})
  RedirectMatch 403 (?i)(https?|ftp|php):/
  RedirectMatch 403 (?i)(base64_encode)(.*)(\()
  RedirectMatch 403 (?i)(=\\\'|=\\%27|/\\\'/?)\.
  RedirectMatch 403 (?i)/(\$(\&)?|\*|\"|\.|,|&|&amp;?)/?$
  RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")
  RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\\|\s|\{|\}|\[|\]|\|)
  RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|etc/passwd|muieblack)
  RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)
  RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
  RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
 </IfModule>

 # 6G:[USER AGENTS]
 <IfModule mod_setenvif.c>
  SetEnvIfNoCase User-Agent ([a-z0-9]{2000}) bad_bot
  SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot
  
  # Apache < 2.3
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Allow from all
    Deny from env=bad_bot
  </IfModule>

  # Apache >= 2.3
  <IfModule mod_authz_core.c>
    <RequireAll>
      Require all Granted
      Require not env bad_bot
    </RequireAll>
  </IfModule>
 </IfModule>

 # 6G:[BAD IPS]
 <Limit GET HEAD OPTIONS POST PUT>
  Order Allow,Deny
  Allow from All
  # uncomment/edit/repeat next line to block IPs
  # Deny from 123.456.789
 </Limit>
	# sin acceso a proc/self/environ
	RewriteCond %{QUERY_STRING} proc/self/environ [OR]
	# bloquear cualquier script que trate de establecer un valor mosConfig a través de una URL
	RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=\|\%3D) [OR]
	# bloquear cualquier script que trate de colocarte código codificado base64_encode a través de una URL
	RewriteCond %{QUERY_STRING} base64_encode.(.) [OR]
	# bloquea cualquier script que incluya la tag <script> en la URL
	RewriteCond %{QUERY_STRING} (<\|%3C).script.(>\|%3E) [NC,OR]
	# bloquea cualquier script que trate de establecer la variable PHP GLOBALS a través de una URL
	RewriteCond %{QUERY_STRING} GLOBALS(=\|[\|\%[0-9A-Z]{0,2}) [OR]
	# bloquea cualquier script que trate de modificar una variable _REQUEST a través de una URL
	RewriteCond %{QUERY_STRING} _REQUEST(=\|[\|\%[0-9A-Z]{0,2})
	# manda a todas las peticiones bloqueadas a la página principal con un error de 403 Prohibido
	RewriteRule ^(.*)$ index.php [F,L]
	#Proteger wp-config
	<files wp-config.php>
	order allow,deny
	deny from all
	</files>
	# Optimizar: Activar Specify a cache validator
	<ifmodule mod_expires.c>
	ExpiresActive On
	ExpiresDefault A3600
	<filesmatch ".(jpg\|JPG\|gif\|GIF\|png\|css\|ico\|js)$">
	ExpiresDefault "access plus 1 week"
	</filesmatch>
	# Protegiendo el mismo fichero htaccess
	<files .htaccess>
	order allow,deny
	deny from all
	</files>