A collection of .htaccess rules that make your WordPress setup more secure without having to use any third-party plugin or service.
Disclaimer: While dropping a snippet into an .htaccess
file is sufficient most of the time, there are cases where certain modifications are required. Editing your .htaccess may also take your site(s) offline, so make sure to create a backup of your original .htaccess before modifying it.
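# Security response headers. Wrapped in IfModule so a host without mod_headers
# does not answer every request with a 500; "always" makes each header apply to
# error responses (4xx/5xx) as well as to 2xx responses.
<IfModule mod_headers.c>
    # Legacy browser XSS-auditor switch. Current browsers ignore it and OWASP now
    # recommends "0" (the auditor itself caused problems); value kept as on the page.
    Header always set X-Xss-Protection "1; mode=block"
    # Stop browsers from guessing a MIME type different from the declared one.
    Header always set X-Content-Type-Options "nosniff"
    # Refuse to be framed by any origin (clickjacking).
    Header always set X-Frame-Options "DENY"
    # HSTS for ~20 years. Sent only on HTTPS responses (env=HTTPS is set by mod_ssl);
    # the header is meaningless on plain HTTP. If TLS terminates at a reverse proxy,
    # HTTPS may be unset here and the condition must be dropped or adapted.
    # includeSubDomains commits every subdomain to HTTPS; remove it if any
    # subdomain is still served over plain HTTP.
    Header always set Strict-Transport-Security "max-age=631138519; includeSubDomains" env=HTTPS
    # Referrer leakage policy. no-referrer-when-downgrade is the weakest of the
    # useful values; strict-origin-when-cross-origin is the modern browser default
    # and leaks less to third-party sites.
    Header always set Referrer-Policy "no-referrer-when-downgrade"
</IfModule>

# Disable automatic directory listings.
Options All -Indexes

# Block direct HTTP access to sensitive files. Dots are escaped so that
# ".htaccess" does not also match e.g. "xhtaccess", and the pattern is anchored to
# the whole filename. The container must be closed with </FilesMatch>; a
# mismatched closing tag such as </files> is a configuration error.
<FilesMatch "^(\.htaccess|wp-config\.php|readme\.html)$">
    # Apache 2.4 (mod_authz_core) syntax, with the 2.2 form as fallback.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

<IfModule mod_rewrite.c>
    # None of the rules below take effect unless the rewrite engine is enabled.
    RewriteEngine On

    # Disable XML-RPC (commonly abused for pingback floods and login brute force)
    # by bouncing requests to a non-routable address. Note that a 301 is cached
    # by clients.
    RewriteRule ^xmlrpc\.php$ "http://0.0.0.0/" [R=301,L]

    # Comment-spam filter: POSTs to wp-comments-post.php that carry no Referer
    # from this site, or an empty User-Agent, are redirected back to the client's
    # own address. Replace YOURDOMAIN\.com with your host name. Referer and
    # User-Agent are client-controlled, so this only stops naive bots.
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
    RewriteCond %{HTTP_REFERER} !.*YOURDOMAIN\.com.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    # The substitution is a plain string, not a regex: "^" and "$" around the URL
    # would be sent to the client literally and produce a broken Location.
    RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]

    # Block user enumeration via /?author=N (WordPress would redirect to
    # /author/<login>/ and reveal the login name). wp-admin uses ?author= for its
    # own list filters, so it is excluded.
    RewriteCond %{REQUEST_URI} !/wp-admin/
    RewriteCond %{QUERY_STRING} (^|&)author=
    RewriteRule . http://%{SERVER_NAME}/? [R,L]
</IfModule>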