wo/cli/templates/ols-security.htaccess.mustache

# General Security .htaccess Rules - WordOps {{release}}
# DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE

# Deny access to hidden files (except .well-known)
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteRule "(^|/)\.(?!well-known\/)" - [F]
</IfModule>

# Deny access to backup, log, and config files
<FilesMatch "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf|gz|zip|bz2|7z|pem|asc|conf|dump)$">
  Order Deny,Allow
  Deny from all
</FilesMatch>

# Deny access to readme, license, and similar files
<FilesMatch "(readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)$">
  Order Deny,Allow
  Deny from all
</FilesMatch>

# Cache static files
<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresByType image/jpeg "access plus 1 year"
  ExpiresByType image/gif "access plus 1 year"
  ExpiresByType image/png "access plus 1 year"
  ExpiresByType image/webp "access plus 1 year"
  ExpiresByType image/svg+xml "access plus 1 year"
  ExpiresByType image/x-icon "access plus 1 year"
  ExpiresByType text/css "access plus 1 year"
  ExpiresByType application/javascript "access plus 1 year"
  ExpiresByType application/x-javascript "access plus 1 year"
  ExpiresByType font/ttf "access plus 1 year"
  ExpiresByType font/otf "access plus 1 year"
  ExpiresByType font/woff "access plus 1 year"
  ExpiresByType font/woff2 "access plus 1 year"
</IfModule>

# CORS headers for static assets
<IfModule mod_headers.c>
  <FilesMatch "\.(ttf|ttc|otf|eot|woff|woff2|font\.css|css|js|gif|png|jpe?g|svg|svgz|ico|webp)$">
    Header set Access-Control-Allow-Origin "*"
  </FilesMatch>
</IfModule>

# Security headers
<IfModule mod_headers.c>
  Header set X-Frame-Options "SAMEORIGIN"
  Header set X-Content-Type-Options "nosniff"
  Header set Referrer-Policy "strict-origin-when-cross-origin"
  Header set X-Powered-By "WordOps"
</IfModule>
feat: convert WordOps from Nginx to OpenLiteSpeed + LSPHP + LSCache Complete conversion of the WordOps stack from Nginx + PHP-FPM to OpenLiteSpeed + LSPHP + LSCache. This is a full rewrite across all 7 phases of the codebase: - Foundation: OLS paths, variables, services, removed pynginxconfig dep - Templates: 11 new OLS mustache templates, removed nginx-specific ones - Stack: stack_pref, stack, stack_services, stack_upgrade, stack_migrate - Site: site_functions, site, site_create, site_update - Plugins: debug, info, log, clean rewritten for OLS - SSL/ACME: acme.sh deploy uses lswsctrl, OLS vhssl blocks - Other: secure, backup, clone, install script Additional features: - Debian 13 (trixie) support - PHP 8.5 support - WP Fort Knox mu-plugin integration (wo secure --lockdown/--unlock) - --nginx CLI flag preserved for backward compatibility Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-08 18:55:16 +01:00			`# General Security .htaccess Rules - WordOps {{release}}`
			`# DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE`

			`# Deny access to hidden files (except .well-known)`
			`<IfModule mod_rewrite.c>`
			`RewriteEngine On`
			`RewriteRule "(^\|/)\.(?!well-known\/)" - [F]`
			`</IfModule>`

			`# Deny access to backup, log, and config files`
			`<FilesMatch "\.(old\|orig\|original\|php#\|php~\|php_bak\|save\|swo\|aspx?\|tpl\|sh\|bash\|bak?\|cfg\|cgi\|dll\|exe\|git\|hg\|ini\|jsp\|log\|mdb\|out\|sql\|svn\|swp\|tar\|rdf\|gz\|zip\|bz2\|7z\|pem\|asc\|conf\|dump)$">`
			`Order Deny,Allow`
			`Deny from all`
			`</FilesMatch>`

			`# Deny access to readme, license, and similar files`
			`<FilesMatch "(readme\|license\|example\|README\|LEGALNOTICE\|INSTALLATION\|CHANGELOG)\.(txt\|html\|md)$">`
			`Order Deny,Allow`
			`Deny from all`
			`</FilesMatch>`

			`# Cache static files`
			`<IfModule mod_expires.c>`
			`ExpiresActive On`
			`ExpiresByType image/jpeg "access plus 1 year"`
			`ExpiresByType image/gif "access plus 1 year"`
			`ExpiresByType image/png "access plus 1 year"`
			`ExpiresByType image/webp "access plus 1 year"`
			`ExpiresByType image/svg+xml "access plus 1 year"`
			`ExpiresByType image/x-icon "access plus 1 year"`
			`ExpiresByType text/css "access plus 1 year"`
			`ExpiresByType application/javascript "access plus 1 year"`
			`ExpiresByType application/x-javascript "access plus 1 year"`
			`ExpiresByType font/ttf "access plus 1 year"`
			`ExpiresByType font/otf "access plus 1 year"`
			`ExpiresByType font/woff "access plus 1 year"`
			`ExpiresByType font/woff2 "access plus 1 year"`
			`</IfModule>`

			`# CORS headers for static assets`
			`<IfModule mod_headers.c>`
			`<FilesMatch "\.(ttf\|ttc\|otf\|eot\|woff\|woff2\|font\.css\|css\|js\|gif\|png\|jpe?g\|svg\|svgz\|ico\|webp)$">`
			`Header set Access-Control-Allow-Origin "*"`
			`</FilesMatch>`
			`</IfModule>`

			`# Security headers`
			`<IfModule mod_headers.c>`
			`Header set X-Frame-Options "SAMEORIGIN"`
			`Header set X-Content-Type-Options "nosniff"`
			`Header set Referrer-Policy "strict-origin-when-cross-origin"`
			`Header set X-Powered-By "WordOps"`
			`</IfModule>`