Hey @begrafiks,

how would i do that so it only applies to images in that slider?

Thanks so far!

Oh, but, is there a small doc i can use for the current version of bwp with enfold?

Hi Basilis,

it’s more like a security-feature for the visitors, but okay, i guess it is not THAT important.

Thanks anyway!

Cheers

Ümit

Hi,

thanks for your reply! This is the whole File (just changed the htpasswd-path), the problems only seem to occur with the securityheaders above added. This one seems to work quite fine (it’s a slightly changed version of dr webs htaccess). I guess the problem occurs when blocking external sources for loading?

# ----------------------------------------------------------------------
# | Komprimierung und Caching                                                    |
# ----------------------------------------------------------------------

# Serve resources with far-future expires headers.
#
# (!) If you don't control versioning with filename-based
# cache busting, you should consider lowering the cache times
# to something like one week.
#
# https://httpd.apache.org/docs/current/mod/mod_expires.html

<IfModule mod_expires.c>

    ExpiresActive on
    ExpiresDefault                                      "access plus 1 week"

  # CSS

    ExpiresByType text/css                              "access plus 1 week"

  # Data interchange

    ExpiresByType application/atom+xml                  "access plus 1 hour"
    ExpiresByType application/rdf+xml                   "access plus 1 hour"
    ExpiresByType application/rss+xml                   "access plus 1 hour"

    ExpiresByType application/json                      "access plus 0 seconds"
    ExpiresByType application/ld+json                   "access plus 0 seconds"
    ExpiresByType application/schema+json               "access plus 0 seconds"
    ExpiresByType application/vnd.geo+json              "access plus 0 seconds"
    ExpiresByType application/xml                       "access plus 0 seconds"
    ExpiresByType text/xml                              "access plus 0 seconds"

  # Favicon (cannot be renamed!) and cursor images

    ExpiresByType image/vnd.microsoft.icon              "access plus 1 week"
    ExpiresByType image/x-icon                          "access plus 1 week"

  # HTML

    ExpiresByType text/html                             "access plus 3600 seconds"

  # JavaScript

    ExpiresByType application/javascript                "access plus 1 week"
    ExpiresByType application/x-javascript              "access plus 1 week"
    ExpiresByType text/javascript                       "access plus 1 week"

  # Manifest files

    ExpiresByType application/manifest+json             "access plus 1 week"
    ExpiresByType application/x-web-app-manifest+json   "access plus 0 seconds"
    ExpiresByType text/cache-manifest                   "access plus 0 seconds"

  # Media files

    ExpiresByType audio/ogg                             "access plus 1 week"
    ExpiresByType image/bmp                             "access plus 1 week"
    ExpiresByType image/gif                             "access plus 1 week"
    ExpiresByType image/jpeg                            "access plus 1 week"
    ExpiresByType image/png                             "access plus 1 week"
    ExpiresByType image/svg+xml                         "access plus 1 week"
    ExpiresByType image/webp                            "access plus 1 week"
    ExpiresByType video/mp4                             "access plus 1 week"
    ExpiresByType video/ogg                             "access plus 1 week"
    ExpiresByType video/webm                            "access plus 1 week"

  # Web fonts

    # Embedded OpenType (EOT)
    ExpiresByType application/vnd.ms-fontobject         "access plus 1 week"
    ExpiresByType font/eot                              "access plus 1 week"

    # OpenType
    ExpiresByType font/opentype                         "access plus 1 week"

    # TrueType
    ExpiresByType application/x-font-ttf                "access plus 1 week"

    # Web Open Font Format (WOFF) 1.0
    ExpiresByType application/font-woff                 "access plus 1 week"
    ExpiresByType application/x-font-woff               "access plus 1 week"
    ExpiresByType font/woff                             "access plus 1 week"

    # Web Open Font Format (WOFF) 2.0
    ExpiresByType application/font-woff2                "access plus 1 week"

  # Other

    ExpiresByType text/x-cross-domain-policy            "access plus 1 week"

</IfModule>

<IfModule mod_deflate.c>
# Insert filters / compress text, html, javascript, css, xml:
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/vtt 
AddOutputFilterByType DEFLATE text/x-component
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/js
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/x-httpd-php
AddOutputFilterByType DEFLATE application/x-httpd-fastphp
AddOutputFilterByType DEFLATE application/atom+xml 
AddOutputFilterByType DEFLATE application/json
AddOutputFilterByType DEFLATE application/ld+json 
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject 
AddOutputFilterByType DEFLATE application/x-font-ttf 
AddOutputFilterByType DEFLATE application/x-web-app-manifest+json 
AddOutputFilterByType DEFLATE font/opentype 
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon 

# Exception: Images
SetEnvIfNoCase REQUEST_URI \.(?:gif|jpg|jpeg|png|svg)$ no-gzip dont-vary

# Drop problematic browsers
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
</IfModule>

#Alternative caching using Apache's "mod_headers", if it's installed.
#Caching of common files - ENABLED
<IfModule mod_headers.c>
<FilesMatch "\.(ico|pdf|flv|swf|js|css|gif|png|jpg|jpeg|txt)$">
Header set Cache-Control "max-age=2592000, public"
</FilesMatch>
</IfModule>

<IfModule mod_headers.c>
  <FilesMatch "\.(js|css|xml|gz)$">
    Header append Vary Accept-Encoding
  </FilesMatch>
</IfModule>

# Set Keep Alive Header
<IfModule mod_headers.c>
    Header set Connection keep-alive
</IfModule>

# If your server don't support ETags deactivate with "None" (and remove header)
<IfModule mod_expires.c> 
  <IfModule mod_headers.c> 
    Header unset ETag 
  </IfModule> 
  FileETag None 
</IfModule>

# ----------------------------------------------------------------------
# | 6g Firewall für Sicherheit
# ----------------------------------------------------------------------

# 6G FIREWALL/BLACKLIST
# @ https://perishablepress.com/6g/

# 6G:[QUERY STRINGS]
<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
	RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
	RewriteCond %{QUERY_STRING} ([a-z0-9]{2000}) [NC,OR]
	RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
	RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
	RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
	RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
	RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|

|<|>|\|) [NC,OR]
RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
RewriteCond %{QUERY_STRING} (\’|\”)(.*)(drop|insert|md5|select|union) [NC]
RewriteRule .* – [F]
</IfModule>

# 6G:[REQUEST METHOD]
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} ^(connect|debug|delete|move|put|trace|track) [NC]
RewriteRule .* – [F]
</IfModule>

# 6G:[REFERRERS]
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000}) [NC,OR]
RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC]
RewriteRule .* – [F]
</IfModule>

# 6G:[REQUEST STRINGS]
<IfModule mod_alias.c>
RedirectMatch 403 (?i)([a-z0-9]{2000})
RedirectMatch 403 (?i)(https?|ftp|php):/
RedirectMatch 403 (?i)(base64_encode)(.*)(\()
RedirectMatch 403 (?i)(=\\\’|=\\%27|/\\\’/?)\.
RedirectMatch 403 (?i)/(\$(\&)?|\*|\”|\.|,|&|&?)/?$
RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\”\\\”)
RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\\|\s|\{|\}|\[|\]|\|)
RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|etc/passwd|muieblack)
RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)
RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
</IfModule>

# 6G:[USER AGENTS]
<IfModule mod_setenvif.c>
SetEnvIfNoCase User-Agent ([a-z0-9]{2000}) bad_bot
SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot
<limit GET POST PUT>
Order Allow,Deny
Allow from All
Deny from env=bad_bot
</limit>
</IfModule>

# 6G:[BAD IPS]
<Limit GET HEAD OPTIONS POST PUT>
Order Allow,Deny
Allow from All
# uncomment/edit/repeat next line to block IPs
# Deny from 123.456.789
</Limit>

# ———————————————————————-
# | Zeichensatz setzen
# ———————————————————————-

AddDefaultCharset UTF-8

# ———————————————————————-
# Wichtige WordPress-Dateien gegen den Zugriff von außen blocken
# ———————————————————————-

# Verzeichnislistings verhindern
Options -Indexes

# Kein Zugriff auf die install.php
<files install.php>
Order allow,deny
Deny from all
</files>

# Kein Zugriff auf die wp-config.php
<files wp-config.php>
Order allow,deny
Deny from all
</files>

# Kein Zugriff auf die xmlrpc.php
<files xmlrpc.php>
Order allow,deny
Deny from all
</files>

# Kein Zugriff auf die readme.html
<files readme.html>
Order Allow,Deny
Deny from all
Satisfy all
</Files>

# Kein Zugriff auf die liesmich.html für die DE Edition
<Files liesmich.html>
Order Allow,Deny
Deny from all
Satisfy all
</Files>

# Kein Zugriff auf das Error-Log
<files error_log>
Order allow,deny
Deny from all
</files>

#Zugriff auf .htaccess und .htpasswd verbieten. Wenn keine .htpasswd benutzt wird, kann der Code dafür entfernt werden.
<FilesMatch “(\.htaccess|\.htpasswd)”>
Order deny,allow
Deny from all
</FilesMatch>

# Den Zugriff auf den Include-Ordner verbieten
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ – [F,L]
RewriteRule !^wp-includes/ – [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ – [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php – [F,L]
RewriteRule ^wp-includes/theme-compat/ – [F,L]
</IfModule>

# Schutz des Administrator-Bereichs. Wenn der .htaccess/.htpasswd Schutz genutzt werden soll, auskommentieren.
<Files wp-login.php>
AuthName “restriced access”
AuthType Basic
AuthUserFile /mypath/.htpasswd
require valid-user
</Files>

# ———————————————————————-
# | WordPress Rewrite Rules
# ———————————————————————-

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

`

I guess it would be fine to add other sources to the securityheaders? Or do you have any other idea?

Thanks in advance!

Cheers

• This reply was modified 8 years, 5 months ago by onlylettersandnumbers.

Hi Rikard,

thanks for your reply! I’ve put the details on the private section. Please keep in mind that this is a staging and not a test site, the contents will go live very soon.

The CSS i found and used without checking it really, it can of course be removed. :)
Thanks again!

Ümit