# BEGIN WordPress
<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteBase /
	RewriteRule ^index\.php$ - [L]
	RewriteCond %{REQUEST_FILENAME} !-f
	RewriteCond %{REQUEST_FILENAME} !-d
	RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# prevent a PHP file from being downloaded by client. Change the PHP module number to the version you are using.
<IfModule php7_module>
    AddType application/x-httpd-php .php
    <FilesMatch \.php$>
        SetHandler application/x-httpd-php
    </FilesMatch>
    AddType application/x-httpd-php-source .phps
    <IfModule dir_module>
       DirectoryIndex index.php index.html
    </IfModule>
</IfModule>


#################
#    SECURITY   #
#################

# prevents users from browsing wp directories
Options -Indexes

<FilesMatch "(\.(bak|config|ini|log|psd|sh|sql|swp)|~)$">
	order allow,deny
	deny from all
</FilesMatch>

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
	order deny,allow
	deny from all
	allow from 123.123.123.123
</Files>

# Disallow your page to be embedded within a <frame>, <iframe> or <object>
Header set X-Frame-Options DENY

# Disable MIME type sniffing, which can e.g. make IE execute an innocent looking .img URL as a javascript.
Header set X-Content-Type-Options nosniff

# Enforce HSTS- only HTTPS pages will be served. See https://hstspreload.org for more information.
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

#################
#  PERFORMANCE  #
#################

# set Expire headers. Generation of Expires and Cache-Control HTTP headers according to user-specified criteria
<IfModule mod_expires.c>
	ExpiresActive On
	ExpiresDefault "access 1 month"
</IfModule>

# set Cache-Control Headers. Customization of HTTP request and response headers
# Prevents pages from loading when they detect reflected XSS attacks, 
<IfModule mod_headers.c>

	Header set X-XSS-Protection "1; mode=block;"
	Header unset ETag

	<FilesMatch "\\.(ico|pdf|flv|jpg|jpeg|png|gif|swf)$">
		Header set Cache-Control "max-age=2592000, public"
	</FilesMatch>
	<FilesMatch "\\.(css)$">
		Header set Cache-Control "max-age=2592000, public"
	</FilesMatch>
	<FilesMatch "\\.(js)$">
		Header set Cache-Control "max-age=2592000, private"
	</FilesMatch>
	<FilesMatch "\\.(xml|txt)$">
		Header set Cache-Control "max-age=2592000, public, must-revalidate"
	</FilesMatch>
	<FilesMatch "\\.(html|htm|php)$">
		Header set Cache-Control "max-age=2592000, private, must-revalidate"
	</FilesMatch>
</IfModule>
FileETag None


AddHandler application/x-httpd-php72 .php .php5 .php4 .php3 .php7

# The below two bits of code only work on apache servers.
<IfModule mod_gzip.c>
	mod_gzip_on Yes
	mod_gzip_dechunk Yes
	mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
	mod_gzip_item_include handler ^cgi-script$
	mod_gzip_item_include mime ^text/.*
	mod_gzip_item_include mime ^application/x-javascript.*
	mod_gzip_item_exclude mime ^image/.*
	mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>

# The mod_deflate module provides the DEFLATE output filter that allows output from your server to be compressed before being sent to the client over the network.
<IfModule mod_deflate.c>
	AddOutputFilterByType DEFLATE text/plain
	AddOutputFilterByType DEFLATE text/html
	AddOutputFilterByType DEFLATE text/xml
	AddOutputFilterByType DEFLATE text/css
	AddOutputFilterByType DEFLATE application/xhtml+xml
	AddOutputFilterByType DEFLATE application/rss+xml
	AddOutputFilterByType DEFLATE application/javascript
	AddOutputFilterByType DEFLATE application/x-javascript
</IfModule>