# WordPress Common Security Rules - WordOps {{release}}
# DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE
# This file is auto-generated and placed in the site's htdocs/.htaccess

# Limit access to wp-login.php to prevent brute force attacks
<Files wp-login.php>
  <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{HTTP_REFERER} !^https?://(.*)?{{site_name}} [NC]
    RewriteRule .* - [F]
  </IfModule>
</Files>

# Block xmlrpc.php except Jetpack IPs
<Files xmlrpc.php>
  Order Deny,Allow
  Deny from all
  Allow from 122.248.245.244
  Allow from 54.217.201.243
  Allow from 54.232.116.4
  Allow from 192.0.80.0/20
  Allow from 192.0.96.0/20
  Allow from 192.0.112.0/20
  Allow from 195.234.108.0/22
</Files>

# Block wp-config.txt
<Files wp-config.txt>
  Order Deny,Allow
  Deny from all
</Files>

# Deny access to PHP files in uploads directory
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteRule ^wp-content/uploads/.*\.php$ - [F]
  RewriteRule ^wp-content/uploads/edd/.*\.zip$ / [R=301,L]
</IfModule>

# Mitigate DoS attack with WordPress script concatenation
<Files "load-scripts.php">
  Order Deny,Allow
  Deny from all
</Files>
<Files "load-styles.php">
  Order Deny,Allow
  Deny from all
</Files>