Here are some notes and comments on the topic. Additional entries will be added as new points of interest or issues arise that are deemed worth sharing.
Mixed Redirects
x) Redirect all subfolder requests to another domain:
Redirect 301 /subfolder http://www.domain.com
x) Force subfolder install to use subdomain:
RedirectMatch ^/subfolder/(.*)$ http://subdomain.domain.com/$1
x) Redirect all non-www requests to www:
# Redirect to www subdomain
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
x) Redirect only specific subdomain to https:
# Redirect to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^subdomain\.example\.com$ [NC]
RewriteRule .? https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
x) Remove a specific URI segment if the subdomain is not "www":
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.(.+)
RewriteRule ^something/(.+) /$1 [R=301,L]
x) Use subfolder install with domain root:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^domain\.com$ [NC,OR]
RewriteCond %{HTTP_HOST} ^www\.domain\.com$
RewriteCond %{REQUEST_URI} !subfolder/
RewriteRule (.*) /subfolder/$1 [L]
x) Replace string within URL:
# Replace ":query:" with "?"
RewriteRule ^(.*):query:(.*)$ /$1\?$2 [R=301,L]
x) Disable ModSecurity for a specific directory (e.g. if the web host doesn’t allow TimThumb and other scripts by default):
# Disable ModSecurity for this folder
<IfModule security2_module>
SecRuleEngine Off
SecRequestBodyAccess Off
</IfModule>
or:
# Disable ModSecurity for this folder
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
WordPress Specific
x) Commonly recommended for the root .htaccess (insert before the "BEGIN WordPress" line):
# ============ BEGIN bub Security ==============
# Prevent access to wp-config
<files wp-config.php>
order allow,deny
deny from all
</files>
# Prevent access to all htaccess-files
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
# Disable directory browsing
Options -Indexes
# Block the includes files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# Redirect to HTTPS
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
# ============ END bub Security ==============
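The skip logic of the "Block the includes files" rules above, modelled in Python so the rule set can be checked against sample paths before it is deployed. This is an added example, not part of the original notes; it models only those five rules in a document-root .htaccess, and the sample paths are constructed.

```python
import re

# The five RewriteRule lines of the "Block the includes files" section,
# transcribed as (pattern, negated, flags). F = forbid (403), S = skip N rules.
RULES = [
    (r"^wp-admin/includes/", False, {"F": True}),
    (r"^wp-includes/", True, {"S": 3}),
    (r"^wp-includes/[^/]+\.php$", False, {"F": True}),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, {"F": True}),
    (r"^wp-includes/theme-compat/", False, {"F": True}),
]


def verdict(url):
    """Return 'forbidden' if the block answers 403, else 'pass'."""
    # Per-directory matching (.htaccess in the document root) sees the path
    # without its leading slash and without the query string.
    path = url.split("?", 1)[0]
    path = path[1:] if path.startswith("/") else path
    skip = 0
    for pattern, negated, flags in RULES:
        if skip:  # an earlier [S=n] told mod_rewrite to jump over this rule
            skip -= 1
            continue
        if bool(re.search(pattern, path)) == negated:
            continue  # rule did not match
        if flags.get("F"):
            return "forbidden"
        skip = flags.get("S", 0)
    return "pass"


# Constructed sample requests; "/blog" is a hypothetical subfolder install.
SAMPLES = [
    "/wp-admin/includes/file.php",
    "/wp-includes/version.php?x=1",
    "/wp-includes/js/tinymce/langs/wp-langs.php",
    "/wp-includes/theme-compat/header.php",
    "/wp-includes/js/jquery/jquery.js",
    "/wp-includes/js/tinymce/wp-tinymce.php",
    "/index.php",
    "/blog/wp-includes/version.php",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{verdict(url):9}  {url}")
```

The last sample passes because the patterns are anchored at the start of the path, so a root .htaccess with these rules does not cover a WordPress copy that lives in a subfolder.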
x) Securing the "uploads" folder (.htaccess placed inside that folder):
<Files *.php>
Deny from all
</Files>
x) Mixed Security (careful):
# Allow Duplicator plugin on some servers
<IfModule mod_security.c>
SecFilterRemove 001838
</IfModule>
# Allow for code snippets in WP editor
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
x) Subfolder Install:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /wp-root-folder/index.php [L]
</IfModule>
# END WordPress
Service Specific
x) SiteGround Web Hosting:
# ============ BEGIN bub SiteGround ==============
# Disable SiteGround Caching
<IfModule mod_headers.c>
Header set Cache-Control "private"
</IfModule>
# ============ END bub SiteGround ==============
The following used to be required for SiteGround, but apparently isn’t anymore:
# Allow Duplicator Plugin on Siteground Hosting
<IfModule mod_security.c>
SecFilterRemove 001838
</IfModule>