# BEGIN WordPress
# BEGIN 410 Gone for old pages
# NOTE(review): this section sits between the "# BEGIN WordPress" and
# "# END WordPress" markers. WordPress regenerates everything between those
# markers when it rewrites its rules, so custom directives placed here can be
# lost; keeping them above "# BEGIN WordPress" avoids that.
<IfModule mod_rewrite.c>
RewriteEngine On

# Condition: the request path ends in .html, .htm, .shtml or .shtm
# ([NC] = case-insensitive). It applies to every such URL, including
# static files that still exist on disk.
RewriteCond %{REQUEST_URI} \.(html|htm|shtml|shtm)$ [NC]

# Answer with 410 Gone and stop rewriting ([G] = gone, [L] = last rule).
RewriteRule ^.*$ - [G,L]
</IfModule>
# END 410 Gone

# WordPress front controller (permalink routing).
<IfModule mod_rewrite.c>
RewriteEngine On
# Copy the Authorization request header into the HTTP_AUTHORIZATION
# environment variable on every request.
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
# A request for index.php itself is left unchanged and rewriting stops here.
RewriteRule ^index\.php$ - [L]
# Anything that is neither an existing file (-f) nor an existing directory
# (-d) is handed to /index.php. Because of [L] here and on the index.php rule
# above, rewrite rules placed after this section are not evaluated for
# those requests.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# Disable directory browsing: a request for a directory that has no index
# file gets an error instead of an auto-generated listing of its contents.
Options -Indexes

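# Protect wp-config.php (database credentials and secret keys): refuse every
# HTTP request for it.
# "Require all denied" is the Apache 2.4 form. The Order/Deny pair is kept for
# servers without mod_authz_core (Apache 2.2); on 2.4 those two directives
# only work when mod_access_compat is loaded and otherwise make the server
# reject this file with a 500 error.
<Files wp-config.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>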

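# Protect .htaccess itself: the rules in this file should not be readable
# over HTTP.
# "Require all denied" is the Apache 2.4 form. The Order/Deny pair is kept for
# servers without mod_authz_core (Apache 2.2); on 2.4 those two directives
# depend on mod_access_compat being loaded.
<Files .htaccess>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>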

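# Restrict wp-admin to one client address, and refuse direct requests for the
# include-only PHP files under wp-includes.
<IfModule mod_rewrite.c>
RewriteEngine On

# wp-admin: a pattern ending in "wp-admin$" matches only the bare directory
# URL and leaves /wp-admin/ and every page below it open, so the directory
# and its contents are matched here.
#  - Replace YOUR\.IP\.ADD\.RESS with the allowed address, dots escaped
#    (constructed example: ^203\.0\.113\.10$). Until it is replaced, every
#    client is refused.
#  - admin-ajax.php is exempted because front-end features call it; remove
#    that condition if the site does not need it.
#  - Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address unless
#    the server restores the client address (for example with mod_remoteip).
#  - wp-login.php lives outside wp-admin and is not covered by this rule.
RewriteCond %{REQUEST_URI} (^|/)wp-admin(/|$) [NC]
RewriteCond %{REQUEST_URI} !/wp-admin/admin-ajax\.php$ [NC]
RewriteCond %{REMOTE_ADDR} !^YOUR\.IP\.ADD\.RESS$
RewriteRule ^ - [F,L]

# wp-includes: refusing every URL that contains "wp-includes" also blocks the
# scripts and stylesheets WordPress serves to visitors from that directory.
# Only PHP files that are meant to be included, never requested, are refused.
# NOTE(review): legacy multisite installs serve uploads through
# wp-includes/ms-files.php, which the first rule would block; confirm before
# using these rules on such a site.
RewriteRule (^|/)wp-includes/[^/]+\.php$ - [F,L]
RewriteRule (^|/)wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule (^|/)wp-includes/theme-compat/ - [F,L]
</IfModule>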

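# Disable PHP execution in the upload, cache and theme directories.
#
# Forcing the PHP handler onto .php5/.php7/.phtml for the whole site widens
# what can execute instead of narrowing it, so the handler mapping is limited
# to .php. Drop this section as well if the server configuration already maps
# .php to its PHP handler.
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

# Written with mod_rewrite because <Directory> sections are not permitted in
# .htaccess (Apache rejects the whole file with a 500 error) and take
# filesystem paths, not URL paths. The pattern assumes this file sits in the
# WordPress root. A request for a script under these directories is refused
# with 403, so a file dropped there cannot be run over HTTP.
# Which extensions the server actually executes depends on its handler
# configuration; the list covers the usual PHP ones.
# NOTE(review): a theme that expects one of its PHP files to be requested
# directly will need an exception here.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^wp-content/(uploads|cache|themes)/.*\.(php[0-9]*|phtml|pht|phar)$ - [F,NC,L]
</IfModule>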

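# Block common malicious query strings. This is a coarse pattern filter: it
# complements input handling in the application and does not replace it.
# QUERY_STRING is matched as sent (not URL-decoded), which is why the encoded
# forms %3C, %3E and %28 are listed next to the literal characters.
# [NC] is set on every condition so that upper-case spellings such as
# "CONCAT(" are refused the same way as "concat(".
# NOTE(review): placed after the WordPress section, these conditions never see
# the requests that section finishes with [L] (index.php itself and every URL
# it hands to /index.php). Moving this section above "# BEGIN WordPress" makes
# the filter apply to them.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} union.*select [NC,OR]
RewriteCond %{QUERY_STRING} concat.*(\(|%28) [NC]
RewriteRule .* - [F,L]
</IfModule>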

# Disable server signature: removes the footer line (server version and
# virtual host name) from server-generated pages such as error documents.
# The "Server" response header is governed by ServerTokens, which can only be
# set in the main server configuration, not in this file.
ServerSignature Off
