# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# Block spam comments
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .*/wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*edu.seoengineers.in.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]


# BEGIN Security Block
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# Block bad bots and IPs
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (bot1|bot2|bot3) [NC,OR]
RewriteCond %{REMOTE_ADDR} ^(123\.45\.67\.89|987\.65\.43\.21)$ [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>


# protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>

# protect .htaccess
<Files .htaccess>
order allow,deny
deny from all
</Files>


# Disable directory listing
Options All -Indexes

<IfModule LiteSpeed>
RewriteEngine On
CacheLookup on
RewriteRule .* - [E=Cache-Control:no-autoflush]
RewriteRule \.litespeed_conf\.dat - [F,L]
</IfModule>

# Cache mobile version separately
RewriteCond %{HTTP_USER_AGENT} Mobile|Android|Silk/|Kindle|BlackBerry|Opera\ Mini|Opera\ Mobi [NC]
RewriteRule .* - [E=Cache-Control:vary=%{ENV:LSCACHE_VARY_VALUE}+ismobile]


# Don't cache URLs with query string
RewriteCond %{QUERY_STRING} !=""
RewriteRule .* - [E=Cache-Control:no-cache]

# Don't cache admin pages
RewriteRule ^wp-admin/.* - [E=Cache-Control:no-cache]

# Don't cache WooCommerce cart and checkout pages
RewriteRule ^wc-ajax/.* - [E=Cache-Control:no-cache]
RewriteRule ^checkout/.* - [E=Cache-Control:no-cache]

# Exclude pages from cache by URL
RewriteCond %{REQUEST_URI} /exclude-page/
RewriteRule .* - [E=Cache-Control:no-cache]

# Exclude pages from cache by user agent
RewriteCond %{HTTP_USER_AGENT} ^Googlebot
RewriteRule .* - [E=Cache-Control:no-cache]

# Set cache key
CacheKeyModify -qs:fbclid
CacheKeyModify -qs:gclid
CacheKeyModify -qs:utm*
CacheKeyModify -qs:_ga


# Cache specific file types
RewriteRule \.(ico|gif|jpg|jpeg|png|bmp|webp|svg|woff|woff2|eot|ttf|otf)$ - [E=cache-control:max-age=2592000]
RewriteRule \.(css|js)$ - [E=cache-control:max-age=604800]
RewriteRule \.(xml|txt)$ - [E=cache-control:max-age=86400]

# Set cache expire time for specific file types
RewriteRule wp-content/.*/[^/]*(responsive|css|js|dynamic|loader|fonts)\.php - [E=cache-control:max-age=3600]

# expiration date for static files:
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType text/css "access plus 1 week"
ExpiresByType text/javascript "access plus 1 week"
ExpiresByType application/javascript "access plus 1 week"
ExpiresByType application/x-javascript "access plus 1 week"
ExpiresByType image/x-icon "access plus 1 year"
ExpiresByType image/webp "access plus 1 month"
ExpiresByType video/mp4 "access plus 1 month"
ExpiresByType video/webm "access plus 1 month"
ExpiresByType audio/ogg "access plus 1 month"
ExpiresByType video/ogg "access plus 1 month"
</IfModule>

# remove server signature
ServerSignature Off

# Remove X-Powered-By header
Header always unset X-Powered-By

# Remove header with PHP version
Header always unset X-Powered-By
Header unset X-Powered-By
# END Security Block

# Wordfence WAF
<IfModule LiteSpeed>
php_value auto_prepend_file '/home/seoeihro/edu.seoengineers.in/wordfence-waf.php'
</IfModule>
<IfModule lsapi_module>
php_value auto_prepend_file '/home/seoeihro/edu.seoengineers.in/wordfence-waf.php'
</IfModule>
<Files ".user.ini">
<IfModule mod_authz_core.c>
	Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
	Order deny,allow
	Deny from all
</IfModule>
</Files>

# END Wordfence WAF
