wo/cli/templates/ols-wpcommon.htaccess.mustache

# WordPress Common Security Rules - WordOps {{release}}
# DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE
# This file is auto-generated and placed in the site's htdocs/.htaccess

# Limit access to wp-login.php to prevent brute force attacks
<Files wp-login.php>
  <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{HTTP_REFERER} !^https?://(.*)?{{site_name}} [NC]
    RewriteRule .* - [F]
  </IfModule>
</Files>

# Block xmlrpc.php except Jetpack IPs
<Files xmlrpc.php>
  Order Deny,Allow
  Deny from all
  Allow from 122.248.245.244
  Allow from 54.217.201.243
  Allow from 54.232.116.4
  Allow from 192.0.80.0/20
  Allow from 192.0.96.0/20
  Allow from 192.0.112.0/20
  Allow from 195.234.108.0/22
</Files>

# Block wp-config.txt
<Files wp-config.txt>
  Order Deny,Allow
  Deny from all
</Files>

# Deny access to PHP files in uploads directory
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteRule ^wp-content/uploads/.*\.php$ - [F]
  RewriteRule ^wp-content/uploads/edd/.*\.zip$ / [R=301,L]
</IfModule>

# Mitigate DoS attack with WordPress script concatenation
<Files "load-scripts.php">
  Order Deny,Allow
  Deny from all
</Files>
<Files "load-styles.php">
  Order Deny,Allow
  Deny from all
</Files>
feat: convert WordOps from Nginx to OpenLiteSpeed + LSPHP + LSCache Complete conversion of the WordOps stack from Nginx + PHP-FPM to OpenLiteSpeed + LSPHP + LSCache. This is a full rewrite across all 7 phases of the codebase: - Foundation: OLS paths, variables, services, removed pynginxconfig dep - Templates: 11 new OLS mustache templates, removed nginx-specific ones - Stack: stack_pref, stack, stack_services, stack_upgrade, stack_migrate - Site: site_functions, site, site_create, site_update - Plugins: debug, info, log, clean rewritten for OLS - SSL/ACME: acme.sh deploy uses lswsctrl, OLS vhssl blocks - Other: secure, backup, clone, install script Additional features: - Debian 13 (trixie) support - PHP 8.5 support - WP Fort Knox mu-plugin integration (wo secure --lockdown/--unlock) - --nginx CLI flag preserved for backward compatibility Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-08 18:55:16 +01:00			`# WordPress Common Security Rules - WordOps {{release}}`
			`# DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE`
			`# This file is auto-generated and placed in the site's htdocs/.htaccess`

			`# Limit access to wp-login.php to prevent brute force attacks`
			`<Files wp-login.php>`
			`<IfModule mod_rewrite.c>`
			`RewriteEngine On`
			`RewriteCond %{REQUEST_METHOD} POST`
			`RewriteCond %{HTTP_REFERER} !^https?://(.*)?{{site_name}} [NC]`
			`RewriteRule .* - [F]`
			`</IfModule>`
			`</Files>`

			`# Block xmlrpc.php except Jetpack IPs`
			`<Files xmlrpc.php>`
			`Order Deny,Allow`
			`Deny from all`
			`Allow from 122.248.245.244`
			`Allow from 54.217.201.243`
			`Allow from 54.232.116.4`
			`Allow from 192.0.80.0/20`
			`Allow from 192.0.96.0/20`
			`Allow from 192.0.112.0/20`
			`Allow from 195.234.108.0/22`
			`</Files>`

			`# Block wp-config.txt`
			`<Files wp-config.txt>`
			`Order Deny,Allow`
			`Deny from all`
			`</Files>`

			`# Deny access to PHP files in uploads directory`
			`<IfModule mod_rewrite.c>`
			`RewriteEngine On`
			`RewriteRule ^wp-content/uploads/.*\.php$ - [F]`
			`RewriteRule ^wp-content/uploads/edd/.*\.zip$ / [R=301,L]`
			`</IfModule>`

			`# Mitigate DoS attack with WordPress script concatenation`
			`<Files "load-scripts.php">`
			`Order Deny,Allow`
			`Deny from all`
			`</Files>`
			`<Files "load-styles.php">`
			`Order Deny,Allow`
			`Deny from all`
			`</Files>`