netdesignr · June 16, 2018 20:07
diff --git a/my-personal-wordpress-website-htacess-secure-patch-anti-hack.txt b/my-personal-wordpress-website-htacess-secure-patch-anti-hack.txt
 ## Find and replace ** yourdomain ** and add your desired domain name

 # BEGIN WordPress
 <IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /
 RewriteRule ^index\.php$ - [L]
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule . /index.php [L]
 </IfModule>

 # END WordPress

 #   BULLETPROOF 2.9 SECURE .HTACCESS     

 # PHP/PHP.INI HANDLER/CACHE CODE
 # Use BPS Custom Code to add php/php.ini Handler and Cache htaccess code and to save it permanently.
 # Most Hosts do not have/use/require php/php.ini Handler htaccess code

 # TURN OFF YOUR SERVER SIGNATURE
 # Suppresses the footer line server version number and ServerName of the serving virtual host
 ServerSignature Off

 # DO NOT SHOW DIRECTORY LISTING
 # Disallow mod_autoindex from displaying a directory listing
 # If a 500 Internal Server Error occurs when activating Root BulletProof Mode 
 # copy the entire DO NOT SHOW DIRECTORY LISTING and DIRECTORY INDEX sections of code 
 # and paste it into BPS Custom Code and comment out Options -Indexes 
 # by adding a # sign in front of it.
 # Example: #Options -Indexes
 Options -Indexes

 # DIRECTORY INDEX FORCE INDEX.PHP
 # Use index.php as default directory index file. index.html will be ignored.
 # If a 500 Internal Server Error occurs when activating Root BulletProof Mode 
 # copy the entire DO NOT SHOW DIRECTORY LISTING and DIRECTORY INDEX sections of code 
 # and paste it into BPS Custom Code and comment out DirectoryIndex 
 # by adding a # sign in front of it.
 # Example: #DirectoryIndex index.php index.html /index.php
 DirectoryIndex index.php index.html /index.php

 # BRUTE FORCE LOGIN PAGE PROTECTION
 # PLACEHOLDER ONLY
 # Use BPS Custom Code to add Brute Force Login protection code and to save it permanently.
 # See this link: https://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/
 # for more information.

 # BPS ERROR LOGGING AND TRACKING
 # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
 # BPS has premade 400 Bad Request, 403 Forbidden, 404 Not Found, 405 Method Not Allowed and 
 # 410 Gone template logging files that are used to track and log 400, 403, 404, 405 and 410 errors 
 # that occur on your website. When a hacker attempts to hack your website the hackers IP address, 
 # Host name, Request Method, Referering link, the file name or requested resource, the user agent 
 # of the hacker and the query string used in the hack attempt are logged.
 # All BPS log files are htaccess protected so that only you can view them. 
 # The 400.php, 403.php, 404.php, 405.php and 410.php files are located in /wp-content/plugins/bulletproof-security/
 # The 400, 403, 405 and 410 Error logging files are already set up and will automatically start logging errors
 # after you install BPS and have activated BulletProof Mode for your Root folder.
 # If you would like to log 404 errors you will need to copy the logging code in the BPS 404.php file
 # to your Theme's 404.php template file. Simple instructions are included in the BPS 404.php file.
 # You can open the BPS 404.php file using the WP Plugins Editor or manually editing the file.
 # NOTE: By default WordPress automatically looks in your Theme's folder for a 404.php Theme template file.

 ErrorDocument 400 /wp-content/plugins/bulletproof-security/400.php
 ErrorDocument 401 default
 ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php
 ErrorDocument 404 /404.php
 ErrorDocument 405 /wp-content/plugins/bulletproof-security/405.php
 ErrorDocument 410 /wp-content/plugins/bulletproof-security/410.php

 # DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS
 # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
 # Files and folders starting with a dot: .htaccess, .htpasswd, .errordocs, .logs
 RedirectMatch 403 \.(htaccess|htpasswd|errordocs|logs)$

 # WP-ADMIN/INCLUDES
 # Use BPS Custom Code to remove this code permanently.
 RewriteEngine On
 RewriteBase /
 RewriteRule ^wp-admin/includes/ - [F]
 RewriteRule !^wp-includes/ - [S=3]
 RewriteRule ^wp-includes/[^/]+\.php$ - [F]
 RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
 RewriteRule ^wp-includes/theme-compat/ - [F]

 # WP REWRITE LOOP START
 RewriteEngine On
 RewriteBase /
 RewriteRule ^index\.php$ - [L]

 # CUSTOM CODE REQUEST METHODS FILTERED
 # REQUEST METHODS FILTERED
 # If you want to allow HEAD Requests use BPS Custom Code and copy 
 # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code 
 # text box: CUSTOM CODE REQUEST METHODS FILTERED.
 # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
 RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
 RewriteRule ^(.*)$ - [F]
 #RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
 #RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

 # PLUGINS/THEMES AND VARIOUS EXPLOIT FILTER SKIP RULES
 # To add plugin/theme skip/bypass rules use BPS Custom Code.
 # The [S] flag is used to skip following rules. Skip rule [S=12] will skip 12 following RewriteRules.
 # The skip rules MUST be in descending consecutive number order: 12, 11, 10, 9...
 # If you delete a skip rule, change the other skip rule numbers accordingly.
 # Examples: If RewriteRule [S=5] is deleted than change [S=6] to [S=5], [S=7] to [S=6], etc.
 # If you add a new skip rule above skip rule 12 it will be skip rule 13: [S=13]

 # CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES
 # WPBakery Visual Composer plugin skip/bypass rule
 RewriteCond %{REQUEST_URI} ^/wp-content/plugins/js_composer/ [NC]
 RewriteRule . - [S=13]

 # Adminer MySQL management tool data populate
 RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC]
 RewriteRule . - [S=12]
 # Comment Spam Pack MU Plugin - CAPTCHA images not displaying 
 RewriteCond %{REQUEST_URI} ^/wp-content/mu-plugins/custom-anti-spam/ [NC]
 RewriteRule . - [S=11]
 # Peters Custom Anti-Spam display CAPTCHA Image
 RewriteCond %{REQUEST_URI} ^/wp-content/plugins/peters-custom-anti-spam-image/ [NC] 
 RewriteRule . - [S=10]
 # Status Updater plugin fb connect
 RewriteCond %{REQUEST_URI} ^/wp-content/plugins/fb-status-updater/ [NC] 
 RewriteRule . - [S=9]
 # Stream Video Player - Adding FLV Videos Blocked
 RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stream-video-player/ [NC]
 RewriteRule . - [S=8]
 # XCloner 404 or 403 error when updating settings
 RewriteCond %{REQUEST_URI} ^/wp-content/plugins/xcloner-backup-and-restore/ [NC]
 RewriteRule . - [S=7]
 # BuddyPress Logout Redirect
 RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
 RewriteRule . - [S=6]
 # redirect_to=
 RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]
 RewriteRule . - [S=5]
 # Login Plugins Password Reset And Redirect 1
 RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC]
 RewriteRule . - [S=4]
 # Login Plugins Password Reset And Redirect 2
 RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
 RewriteRule . - [S=3]

 # CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
 # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
 # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
 # Remote File Inclusion (RFI) security rules
 # Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
 RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
 RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
 RewriteRule .* index.php [F]
 # 
 # Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
 RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
 # Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
 RewriteCond %{HTTP_REFERER} ^.*yourdomain-two.*
 RewriteRule . - [S=1]

 # CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
 # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
 # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
 # Good sites such as W3C use it for their W3C-LinkChecker. 
 # Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
 # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
 RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
 RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%3C|%3E|%00) [NC,OR]
 RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
 RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
 RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
 RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
 RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
 RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
 RewriteCond %{HTTP_REFERER} (%0A|%0D|%3C|%3E|%00) [NC,OR]
 RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
 RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
 RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
 RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
 RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
 RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
 RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
 RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
 RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
 RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
 RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
 RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
 RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
 RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
 RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
 RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
 RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
 RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
 RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
 RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
 RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
 RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
 RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
 RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
 RewriteCond %{QUERY_STRING} ^.*(<|>|%3c|%3e).* [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
 RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
 RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
 RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
 RewriteCond %{QUERY_STRING} (<|>|%0A|%0D|%3C|%3E|%00) [NC,OR]
 RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
 RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
 RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
 RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
 RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
 RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
 RewriteRule ^(.*)$ - [F]
 # END BPSQSE BPS QUERY STRING EXPLOITS

 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule . /index.php [L]
 # WP REWRITE LOOP END

 # DENY BROWSER ACCESS TO THESE FILES 
 # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
 # wp-config.php, bb-config.php, php.ini, php5.ini, readme.html
 # To be able to view these files from a Browser, replace 127.0.0.1 with your actual 
 # current IP address. Comment out: #Require all denied and Uncomment: Require ip 127.0.0.1
 # Comment out: #Deny from all and Uncomment: Allow from 127.0.0.1 
 # Note: The BPS System Info page displays which modules are loaded on your server. 

 <FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
 <IfModule mod_authz_core.c>
 Require all denied
 #Require ip 127.0.0.1
 </IfModule>

 <IfModule !mod_authz_core.c>
 <IfModule mod_access_compat.c>
 Order Allow,Deny
 Deny from all
 #Allow from 127.0.0.1
 </IfModule>
 </IfModule>
 </FilesMatch>

 # HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
 # PLACEHOLDER ONLY
 # Use BPS Custom Code to add custom code and save it permanently here.

 Options All -Indexes

 # Block wp-includes folder and files
 <IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /
 RewriteRule ^wp-admin/includes/ - [F,L]
 RewriteRule !^wp-includes/ - [S=3]
 RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
 RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
 RewriteRule ^wp-includes/theme-compat/ - [F,L]
 </IfModule>

 # Deny access to wp-config.php file
 <files wp-config.php>
 order allow,deny
 deny from all
 </files>

 # Deny access to all .htaccess files
 <files ~ "^.*\.([Hh][Tt][Aa])">
 order allow,deny
 deny from all
 satisfy all
 </files>

 # Prevent image hotlinking script. Replace last URL with any image link you want.
 RewriteEngine on
 RewriteCond %{HTTP_REFERER} !^$
 RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com/ [NC]
 RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourodmain.com/ [NC]
 RewriteRule \.(jpg|jpeg|png|gif)$ http://i.imgur.com/MlQAH71.jpg [NC,R,L]

 # Setup browser caching
 <IfModule mod_expires.c>
 ExpiresActive On
 ExpiresByType image/jpg "access 1 year"
 ExpiresByType image/jpeg "access 1 year"
 ExpiresByType image/gif "access 1 year"
 ExpiresByType image/png "access 1 year"
 ExpiresByType text/css "access 1 month"
 ExpiresByType application/pdf "access 1 month"
 ExpiresByType text/x-javascript "access 1 month"
 ExpiresByType application/x-shockwave-flash "access 1 month"
 ExpiresByType image/x-icon "access 1 year"
 ExpiresDefault "access 2 days"
 </IfModule>

 # BEGIN WP CERBER GROOVE
 # END WP CERBER GROOVE

 # BEGIN DEFLATE COMPRESSION
 <IfModule mod_filter.c>
 AddOutputFilterByType DEFLATE "application/atom+xml" \
 "application/javascript" \
 "application/json" \
 "application/ld+json" \
 "application/manifest+json" \
 "application/rdf+xml" \
 "application/rss+xml" \
 "application/schema+json" \
 "application/vnd.geo+json" \
 "application/vnd.ms-fontobject" \
 "application/x-font-ttf" \
 "application/x-javascript" \
 "application/x-web-app-manifest+json" \
 "application/xhtml+xml" \
 "application/xml" \
 "font/eot" \
 "font/opentype" \
 "image/bmp" \
 "image/svg+xml" \
 "image/vnd.microsoft.icon" \
 "image/x-icon" \
 "text/cache-manifest" \
 "text/css" \
 "text/html" \
 "text/javascript" \
 "text/plain" \
 "text/vcard" \
 "text/vnd.rim.location.xloc" \
 "text/vtt" \
 "text/x-component" \
 "text/x-cross-domain-policy" \
 "text/xml"
 </IfModule>
 # END DEFLATE COMPRESSION

 # BEGIN GZIP COMPRESSION
 <IfModule mod_gzip.c>
 mod_gzip_on Yes
 mod_gzip_dechunk Yes
 mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
 mod_gzip_item_include handler ^cgi-script$
 mod_gzip_item_include mime ^text/.*
 mod_gzip_item_include mime ^application/x-javascript.*
 mod_gzip_item_exclude mime ^image/.*
 mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
 </IfModule>
 # END GZIP COMPRESSION
	## Find and replace yourdomain and add your desired domain name

	# BEGIN WordPress
	<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteBase /
	RewriteRule ^index\.php$ - [L]
	RewriteCond %{REQUEST_FILENAME} !-f
	RewriteCond %{REQUEST_FILENAME} !-d
	RewriteRule . /index.php [L]
	</IfModule>

	# END WordPress

	# BULLETPROOF 2.9 SECURE .HTACCESS

	# PHP/PHP.INI HANDLER/CACHE CODE
	# Use BPS Custom Code to add php/php.ini Handler and Cache htaccess code and to save it permanently.
	# Most Hosts do not have/use/require php/php.ini Handler htaccess code

	# TURN OFF YOUR SERVER SIGNATURE
	# Suppresses the footer line server version number and ServerName of the serving virtual host
	ServerSignature Off

	# DO NOT SHOW DIRECTORY LISTING
	# Disallow mod_autoindex from displaying a directory listing
	# If a 500 Internal Server Error occurs when activating Root BulletProof Mode
	# copy the entire DO NOT SHOW DIRECTORY LISTING and DIRECTORY INDEX sections of code
	# and paste it into BPS Custom Code and comment out Options -Indexes
	# by adding a # sign in front of it.
	# Example: #Options -Indexes
	Options -Indexes

	# DIRECTORY INDEX FORCE INDEX.PHP
	# Use index.php as default directory index file. index.html will be ignored.
	# If a 500 Internal Server Error occurs when activating Root BulletProof Mode
	# copy the entire DO NOT SHOW DIRECTORY LISTING and DIRECTORY INDEX sections of code
	# and paste it into BPS Custom Code and comment out DirectoryIndex
	# by adding a # sign in front of it.
	# Example: #DirectoryIndex index.php index.html /index.php
	DirectoryIndex index.php index.html /index.php

	# BRUTE FORCE LOGIN PAGE PROTECTION
	# PLACEHOLDER ONLY
	# Use BPS Custom Code to add Brute Force Login protection code and to save it permanently.
	# See this link: https://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/
	# for more information.

	# BPS ERROR LOGGING AND TRACKING
	# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
	# BPS has premade 400 Bad Request, 403 Forbidden, 404 Not Found, 405 Method Not Allowed and
	# 410 Gone template logging files that are used to track and log 400, 403, 404, 405 and 410 errors
	# that occur on your website. When a hacker attempts to hack your website the hackers IP address,
	# Host name, Request Method, Referering link, the file name or requested resource, the user agent
	# of the hacker and the query string used in the hack attempt are logged.
	# All BPS log files are htaccess protected so that only you can view them.
	# The 400.php, 403.php, 404.php, 405.php and 410.php files are located in /wp-content/plugins/bulletproof-security/
	# The 400, 403, 405 and 410 Error logging files are already set up and will automatically start logging errors
	# after you install BPS and have activated BulletProof Mode for your Root folder.
	# If you would like to log 404 errors you will need to copy the logging code in the BPS 404.php file
	# to your Theme's 404.php template file. Simple instructions are included in the BPS 404.php file.
	# You can open the BPS 404.php file using the WP Plugins Editor or manually editing the file.
	# NOTE: By default WordPress automatically looks in your Theme's folder for a 404.php Theme template file.

	ErrorDocument 400 /wp-content/plugins/bulletproof-security/400.php
	ErrorDocument 401 default
	ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php
	ErrorDocument 404 /404.php
	ErrorDocument 405 /wp-content/plugins/bulletproof-security/405.php
	ErrorDocument 410 /wp-content/plugins/bulletproof-security/410.php

	# DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS
	# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
	# Files and folders starting with a dot: .htaccess, .htpasswd, .errordocs, .logs
	RedirectMatch 403 \.(htaccess\|htpasswd\|errordocs\|logs)$

	# WP-ADMIN/INCLUDES
	# Use BPS Custom Code to remove this code permanently.
	RewriteEngine On
	RewriteBase /
	RewriteRule ^wp-admin/includes/ - [F]
	RewriteRule !^wp-includes/ - [S=3]
	RewriteRule ^wp-includes/[^/]+\.php$ - [F]
	RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
	RewriteRule ^wp-includes/theme-compat/ - [F]

	# WP REWRITE LOOP START
	RewriteEngine On
	RewriteBase /
	RewriteRule ^index\.php$ - [L]

	# CUSTOM CODE REQUEST METHODS FILTERED
	# REQUEST METHODS FILTERED
	# If you want to allow HEAD Requests use BPS Custom Code and copy
	# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
	# text box: CUSTOM CODE REQUEST METHODS FILTERED.
	# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
	RewriteCond %{REQUEST_METHOD} ^(TRACE\|DELETE\|TRACK\|DEBUG) [NC]
	RewriteRule ^(.*)$ - [F]
	#RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
	#RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

	# PLUGINS/THEMES AND VARIOUS EXPLOIT FILTER SKIP RULES
	# To add plugin/theme skip/bypass rules use BPS Custom Code.
	# The [S] flag is used to skip following rules. Skip rule [S=12] will skip 12 following RewriteRules.
	# The skip rules MUST be in descending consecutive number order: 12, 11, 10, 9...
	# If you delete a skip rule, change the other skip rule numbers accordingly.
	# Examples: If RewriteRule [S=5] is deleted than change [S=6] to [S=5], [S=7] to [S=6], etc.
	# If you add a new skip rule above skip rule 12 it will be skip rule 13: [S=13]

	# CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES
	# WPBakery Visual Composer plugin skip/bypass rule
	RewriteCond %{REQUEST_URI} ^/wp-content/plugins/js_composer/ [NC]
	RewriteRule . - [S=13]

	# Adminer MySQL management tool data populate
	RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC]
	RewriteRule . - [S=12]
	# Comment Spam Pack MU Plugin - CAPTCHA images not displaying
	RewriteCond %{REQUEST_URI} ^/wp-content/mu-plugins/custom-anti-spam/ [NC]
	RewriteRule . - [S=11]
	# Peters Custom Anti-Spam display CAPTCHA Image
	RewriteCond %{REQUEST_URI} ^/wp-content/plugins/peters-custom-anti-spam-image/ [NC]
	RewriteRule . - [S=10]
	# Status Updater plugin fb connect
	RewriteCond %{REQUEST_URI} ^/wp-content/plugins/fb-status-updater/ [NC]
	RewriteRule . - [S=9]
	# Stream Video Player - Adding FLV Videos Blocked
	RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stream-video-player/ [NC]
	RewriteRule . - [S=8]
	# XCloner 404 or 403 error when updating settings
	RewriteCond %{REQUEST_URI} ^/wp-content/plugins/xcloner-backup-and-restore/ [NC]
	RewriteRule . - [S=7]
	# BuddyPress Logout Redirect
	RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
	RewriteRule . - [S=6]
	# redirect_to=
	RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]
	RewriteRule . - [S=5]
	# Login Plugins Password Reset And Redirect 1
	RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC]
	RewriteRule . - [S=4]
	# Login Plugins Password Reset And Redirect 2
	RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
	RewriteRule . - [S=3]

	# CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
	# TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
	# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
	# Remote File Inclusion (RFI) security rules
	# Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
	RewriteCond %{QUERY_STRING} ^.(http\|https\|ftp)(%3A\|:)(%2F\|/)(%2F\|/)(w){0,3}.?(blogger\|picasa\|blogspot\|tsunami\|petapolitik\|photobucket\|imgur\|imageshack\|wordpress\.com\|img\.youtube\|tinypic\.com\|upload\.wikimedia\|kkc\|start-thegame).$ [NC,OR]
	RewriteCond %{THE_REQUEST} ^.(http\|https\|ftp)(%3A\|:)(%2F\|/)(%2F\|/)(w){0,3}.?(blogger\|picasa\|blogspot\|tsunami\|petapolitik\|photobucket\|imgur\|imageshack\|wordpress\.com\|img\.youtube\|tinypic\.com\|upload\.wikimedia\|kkc\|start-thegame).$ [NC]
	RewriteRule .* index.php [F]
	#
	# Example: Whitelist additional misc files: (example\.php\|another-file\.php\|phpthumb\.php\|thumb\.php\|thumbs\.php)
	RewriteCond %{REQUEST_URI} (timthumb\.php\|phpthumb\.php\|thumb\.php\|thumbs\.php) [NC]
	# Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.(YourWebsite.com\|AnotherWebsite.com).
	RewriteCond %{HTTP_REFERER} ^.yourdomain-two.
	RewriteRule . - [S=1]

	# CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
	# BEGIN BPSQSE BPS QUERY STRING EXPLOITS
	# The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
	# Good sites such as W3C use it for their W3C-LinkChecker.
	# Use BPS Custom Code to add or remove user agents temporarily or permanently from the
	# User Agent filters directly below or to modify/edit/change any of the other security code rules below.
	RewriteCond %{HTTP_USER_AGENT} (havij\|libwww-perl\|wget\|python\|nikto\|curl\|scan\|java\|winhttp\|clshttp\|loader) [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} (%0A\|%0D\|%3C\|%3E\|%00) [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} (;\|<\|>\|'\|"\|\)\|\(\|%0A\|%0D\|%22\|%27\|%28\|%3C\|%3E\|%00).*(libwww-perl\|wget\|python\|nikto\|curl\|scan\|java\|winhttp\|HTTrack\|clshttp\|archiver\|loader\|email\|harvest\|extract\|grab\|miner) [NC,OR]
	RewriteCond %{THE_REQUEST} (\?\|\*\|%2a)+(%20+\|\\s+\|%20+\\s+\|\\s+%20+\|\\s+%20+\\s+)(http\|https)(:/\|/) [NC,OR]
	RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
	RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
	RewriteCond %{THE_REQUEST} (%0A\|%0D\|\\r\|\\n) [NC,OR]
	RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
	RewriteCond %{HTTP_REFERER} (%0A\|%0D\|%3C\|%3E\|%00) [NC,OR]
	RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
	RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
	RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http\|https):// [NC,OR]
	RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
	RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
	RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
	RewriteCond %{QUERY_STRING} (\.\./\|%2e%2e%2f\|%2e%2e/\|\.\.%2f\|%2e\.%2f\|%2e\./\|\.%2e%2f\|\.%2e/) [NC,OR]
	RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
	RewriteCond %{QUERY_STRING} (http\|https)\: [NC,OR]
	RewriteCond %{QUERY_STRING} \=\\|w\\| [NC,OR]
	RewriteCond %{QUERY_STRING} ^(.)/self/(.)$ [NC,OR]
	RewriteCond %{QUERY_STRING} ^(.)cPath=(http\|https)://(.)$ [NC,OR]
	RewriteCond %{QUERY_STRING} (\<\|%3C).script.(\>\|%3E) [NC,OR]
	RewriteCond %{QUERY_STRING} (<\|%3C)([^s]s)+cript.(>\|%3E) [NC,OR]
	RewriteCond %{QUERY_STRING} (\<\|%3C).embed.(\>\|%3E) [NC,OR]
	RewriteCond %{QUERY_STRING} (<\|%3C)([^e]e)+mbed.(>\|%3E) [NC,OR]
	RewriteCond %{QUERY_STRING} (\<\|%3C).object.(\>\|%3E) [NC,OR]
	RewriteCond %{QUERY_STRING} (<\|%3C)([^o]o)+bject.(>\|%3E) [NC,OR]
	RewriteCond %{QUERY_STRING} (\<\|%3C).iframe.(\>\|%3E) [NC,OR]
	RewriteCond %{QUERY_STRING} (<\|%3C)([^i]i)+frame.(>\|%3E) [NC,OR]
	RewriteCond %{QUERY_STRING} base64_encode.\(.\) [NC,OR]
	RewriteCond %{QUERY_STRING} base64_(en\|de)code[^(]\([^)]\) [NC,OR]
	RewriteCond %{QUERY_STRING} GLOBALS(=\|\[\|\%[0-9A-Z]{0,2}) [OR]
	RewriteCond %{QUERY_STRING} _REQUEST(=\|\[\|\%[0-9A-Z]{0,2}) [OR]
	RewriteCond %{QUERY_STRING} ^.(<\|>\|%3c\|%3e). [NC,OR]
	RewriteCond %{QUERY_STRING} ^.(\x00\|\x04\|\x08\|\x0d\|\x1b\|\x20\|\x3c\|\x3e\|\x7f). [NC,OR]
	RewriteCond %{QUERY_STRING} (NULL\|OUTFILE\|LOAD_FILE) [OR]
	RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd\|etc\|bin) [NC,OR]
	RewriteCond %{QUERY_STRING} (localhost\|loopback\|127\.0\.0\.1) [NC,OR]
	RewriteCond %{QUERY_STRING} (<\|>\|%0A\|%0D\|%3C\|%3E\|%00) [NC,OR]
	RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
	RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
	RewriteCond %{QUERY_STRING} union([^a]a)+ll([^s]s)+elect [NC,OR]
	RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include\|allow_url_fopen\|safe_mode\|disable_functions\|auto_prepend_file) [NC,OR]
	RewriteCond %{QUERY_STRING} (;\|<\|>\|'\|"\|\)\|%0A\|%0D\|%22\|%27\|%3C\|%3E\|%00).(/\\|union\|select\|insert\|drop\|delete\|update\|cast\|create\|char\|convert\|alter\|declare\|order\|script\|set\|md5\|benchmark\|encode) [NC,OR]
	RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
	RewriteRule ^(.*)$ - [F]
	# END BPSQSE BPS QUERY STRING EXPLOITS

	RewriteCond %{REQUEST_FILENAME} !-f
	RewriteCond %{REQUEST_FILENAME} !-d
	RewriteRule . /index.php [L]
	# WP REWRITE LOOP END

	# DENY BROWSER ACCESS TO THESE FILES
	# Use BPS Custom Code to modify/edit/change this code and to save it permanently.
	# wp-config.php, bb-config.php, php.ini, php5.ini, readme.html
	# To be able to view these files from a Browser, replace 127.0.0.1 with your actual
	# current IP address. Comment out: #Require all denied and Uncomment: Require ip 127.0.0.1
	# Comment out: #Deny from all and Uncomment: Allow from 127.0.0.1
	# Note: The BPS System Info page displays which modules are loaded on your server.

	<FilesMatch "^(wp-config\.php\|php\.ini\|php5\.ini\|readme\.html\|bb-config\.php)">
	<IfModule mod_authz_core.c>
	Require all denied
	#Require ip 127.0.0.1
	</IfModule>

	<IfModule !mod_authz_core.c>
	<IfModule mod_access_compat.c>
	Order Allow,Deny
	Deny from all
	#Allow from 127.0.0.1
	</IfModule>
	</IfModule>
	</FilesMatch>

	# HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
	# PLACEHOLDER ONLY
	# Use BPS Custom Code to add custom code and save it permanently here.

	Options All -Indexes

	# Block wp-includes folder and files
	<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteBase /
	RewriteRule ^wp-admin/includes/ - [F,L]
	RewriteRule !^wp-includes/ - [S=3]
	RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
	RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
	RewriteRule ^wp-includes/theme-compat/ - [F,L]
	</IfModule>

	# Deny access to wp-config.php file
	<files wp-config.php>
	order allow,deny
	deny from all
	</files>

	# Deny access to all .htaccess files
	<files ~ "^.*\.([Hh][Tt][Aa])">
	order allow,deny
	deny from all
	satisfy all
	</files>

	# Prevent image hotlinking script. Replace last URL with any image link you want.
	RewriteEngine on
	RewriteCond %{HTTP_REFERER} !^$
	RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com/ [NC]
	RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourodmain.com/ [NC]
	RewriteRule \.(jpg\|jpeg\|png\|gif)$ http://i.imgur.com/MlQAH71.jpg [NC,R,L]

	# Setup browser caching
	<IfModule mod_expires.c>
	ExpiresActive On
	ExpiresByType image/jpg "access 1 year"
	ExpiresByType image/jpeg "access 1 year"
	ExpiresByType image/gif "access 1 year"
	ExpiresByType image/png "access 1 year"
	ExpiresByType text/css "access 1 month"
	ExpiresByType application/pdf "access 1 month"
	ExpiresByType text/x-javascript "access 1 month"
	ExpiresByType application/x-shockwave-flash "access 1 month"
	ExpiresByType image/x-icon "access 1 year"
	ExpiresDefault "access 2 days"
	</IfModule>

	# BEGIN WP CERBER GROOVE
	# END WP CERBER GROOVE

	# BEGIN DEFLATE COMPRESSION
	<IfModule mod_filter.c>
	AddOutputFilterByType DEFLATE "application/atom+xml" \
	"application/javascript" \
	"application/json" \
	"application/ld+json" \
	"application/manifest+json" \
	"application/rdf+xml" \
	"application/rss+xml" \
	"application/schema+json" \
	"application/vnd.geo+json" \
	"application/vnd.ms-fontobject" \
	"application/x-font-ttf" \
	"application/x-javascript" \
	"application/x-web-app-manifest+json" \
	"application/xhtml+xml" \
	"application/xml" \
	"font/eot" \
	"font/opentype" \
	"image/bmp" \
	"image/svg+xml" \
	"image/vnd.microsoft.icon" \
	"image/x-icon" \
	"text/cache-manifest" \
	"text/css" \
	"text/html" \
	"text/javascript" \
	"text/plain" \
	"text/vcard" \
	"text/vnd.rim.location.xloc" \
	"text/vtt" \
	"text/x-component" \
	"text/x-cross-domain-policy" \
	"text/xml"
	</IfModule>
	# END DEFLATE COMPRESSION

	# BEGIN GZIP COMPRESSION
	<IfModule mod_gzip.c>
	mod_gzip_on Yes
	mod_gzip_dechunk Yes
	mod_gzip_item_include file \.(html?\|txt\|css\|js\|php\|pl)$
	mod_gzip_item_include handler ^cgi-script$
	mod_gzip_item_include mime ^text/.*
	mod_gzip_item_include mime ^application/x-javascript.*
	mod_gzip_item_exclude mime ^image/.*
	mod_gzip_item_exclude rspheader ^Content-Encoding:.gzip.
	</IfModule>
	# END GZIP COMPRESSION