WordPress .htaccess security + PageSpeed Insights

Note: some servers will not accept every Apache directive used here. If you get a 500 error, remove the parts your server does not recognise.

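# Directory listings off and CGI execution off. FollowSymLinks is kept because mod_rewrite in a
# .htaccess needs it. The relative (+/-) form merges with the server's Options; the original
# "Options All" also switched on Includes and ExecCGI for the whole document root.
Options -Indexes -ExecCGI +FollowSymLinks

# ---------------------------------------------------------------------------
# Request filtering (after http://www.queness.com/code-snippet/6313/using-htaccess-to-prevent-hacking)
#
# This block sits ABOVE the WordPress rules on purpose: the WordPress block sends every
# pretty-permalink request through "RewriteRule ^index\.php$ - [L]", which stops rule processing,
# so conditions placed after it never run for those requests. The RewriteCond lines are OR-ed
# together and all feed the single RewriteRule at the end of the list.
# ---------------------------------------------------------------------------
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# proc/self/environ in the query string
RewriteCond %{QUERY_STRING} proc/self/environ [OR]

# Attempts to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]

# base64_encode payloads in the URL
RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]

# <script> tags in the URL
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]

# Attempts to set a PHP GLOBALS or _REQUEST variable via the URL.
# The "[" must be escaped: left bare it opened a character class that could match zero
# characters, so the pattern fired on any query string that merely contained "GLOBALS" or
# "_REQUEST".
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})

# Answer 403 Forbidden. With [F] the substitution is ignored, so "-" replaces the old "index.php".
RewriteRule .* - [F,L]

# Block direct requests to wp-includes PHP files (the WordPress hardening recipe). Kept outside
# the BEGIN/END WordPress markers so WordPress does not overwrite it. [S=3] skips exactly the
# three wp-includes rules that follow it; keep that count in step if rules are added or removed.
# NOTE(review): on Multisite this recipe is reported to block wp-includes/ms-files.php - confirm
# before enabling it there.
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# WordPress regenerates everything between the BEGIN/END markers when permalinks are flushed.
# The END marker was missing from the original file; without it WordPress treats the whole
# remainder of the file as its managed block and drops it on the next flush. Do not put anything
# you want to keep between the two markers.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# ---------------------------------------------------------------------------
# Bad bots. The original passed mod_rewrite flags ([NC,OR]) as SetEnvIfNoCase arguments, which
# made "[NC,OR]" the name of the variable being set; the bad_bot variable tested below was never
# set, so the deny never fired. SetEnvIfNoCase is already case-insensitive, so [NC] is not needed
# and the [Ww]eb[Bb]andit spelling collapses to WebBandit.
# ---------------------------------------------------------------------------
<IfModule mod_setenvif.c>
    SetEnvIfNoCase User-Agent "^FrontPage" bad_bot
    SetEnvIfNoCase User-Agent "^Java" bad_bot
    SetEnvIfNoCase User-Agent "^Microsoft.URL" bad_bot
    SetEnvIfNoCase User-Agent "^MSFrontPage" bad_bot
    SetEnvIfNoCase User-Agent "^Offline.Explorer" bad_bot
    SetEnvIfNoCase User-Agent "^WebBandit" bad_bot
    SetEnvIfNoCase User-Agent "^Zeus" bad_bot
</IfModule>
# Deliberately NOT wrapped in <Limit GET POST HEAD>: access control inside <Limit> only covers
# the listed methods, so any other method (OPTIONS, PUT, ...) walked straight past the deny.
# Apache's own documentation advises keeping access-control directives out of <Limit>.
<IfModule mod_authz_core.c>
    # Apache 2.4
    <RequireAll>
        Require all granted
        Require not env bad_bot
    </RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Allow,Deny
    Allow from all
    Deny from env=bad_bot
</IfModule>

# ---------------------------------------------------------------------------
# ModSecurity - USE AT YOUR OWN RISK. This switches the WAF off for the whole site, which removes
# a layer of defence; prefer leaving the engine on and excluding only the rule IDs that produce
# false positives. SecFilterEngine/SecFilterScanPOST are ModSecurity 1.x directives and
# <IfModule mod_security.c> matches that version only; ModSecurity 2.x registers as
# mod_security2.c and uses SecRuleEngine, so on 2.x this block is a no-op.
# ---------------------------------------------------------------------------
<IfModule mod_security.c>
    SecFilterEngine Off
    SecFilterScanPOST Off
</IfModule>

# ---------------------------------------------------------------------------
# Sucuri-style hardening headers. ServerSignature is permitted in .htaccess (needs AllowOverride
# to include Options/All on this host); ServerTokens is server-config only and always gives a 500
# here, so set it in httpd.conf instead. Both are left commented as in the original.
# ---------------------------------------------------------------------------
#ServerSignature Off
#ServerTokens Prod
<IfModule mod_headers.c>
    # "set" rather than "append": appending yields "SAMEORIGIN, SAMEORIGIN" when the header is
    # already present (WordPress emits it on admin pages), and browsers may then ignore the
    # header altogether. "always" covers error responses too.
    Header always set X-Frame-Options SAMEORIGIN
    Header always set X-Content-Type-Options nosniff
    # Legacy filter kept from the original; current browsers ignore it and a
    # Content-Security-Policy is the modern control for this class of problem.
    Header always set X-XSS-Protection "1; mode=block"
</IfModule>

# ---------------------------------------------------------------------------
# DEFLATE for PageSpeed Insights.
# Only text-like types are listed. The original also compressed JPEG/PNG/GIF, audio, video and
# WOFF, and then set a global "SetOutputFilter DEFLATE" on top; those formats are already
# compressed, so recompressing them costs CPU for little or no gain. "application/atom_xml" was a
# typo for application/atom+xml, and the application/x-httpd-* handler types never appear as a
# response Content-Type, so they are dropped. Font type names match the AddType section below.
# Note that compressing dynamic HTML that carries per-user secrets next to attacker-influenced
# input is what the BREACH attack relies on; the mitigation for that lives in the application.
# ---------------------------------------------------------------------------
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript
    AddOutputFilterByType DEFLATE application/xhtml+xml application/xml application/rss+xml application/atom+xml
    AddOutputFilterByType DEFLATE application/javascript application/x-javascript application/json
    AddOutputFilterByType DEFLATE image/svg+xml image/x-icon
    AddOutputFilterByType DEFLATE font/ttf font/otf application/vnd.ms-fontobject
    # The original had "<filesmatch ...=\"\">" (HTML-mangled tags), which Apache rejects with a 500;
    # the dot is escaped so the pattern matches a file extension rather than any character.
    <FilesMatch "\.(js|css)$">
        SetOutputFilter DEFLATE
    </FilesMatch>
</IfModule>

# ---------------------------------------------------------------------------
# EXPIRES CACHING. Duplicate image/x-icon entry removed; the non-existent types image/jpg and
# text/x-javascript (Apache serves .js as application/javascript or text/javascript) replaced.
# ---------------------------------------------------------------------------
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresDefault "access plus 2 days"

    # Images, icons and fonts: one year.
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType image/x-icon "access plus 1 year"
    ExpiresByType font/otf "access plus 1 year"
    ExpiresByType font/ttf "access plus 1 year"
    ExpiresByType font/woff "access plus 1 year"
    ExpiresByType font/woff2 "access plus 1 year"
    ExpiresByType application/vnd.ms-fontobject "access plus 1 year"

    # Audio and video: one year.
    ExpiresByType audio/aac "access plus 1 year"
    ExpiresByType audio/mp4 "access plus 1 year"
    ExpiresByType audio/mpeg "access plus 1 year"
    ExpiresByType audio/ogg "access plus 1 year"
    ExpiresByType audio/wav "access plus 1 year"
    ExpiresByType audio/webm "access plus 1 year"
    ExpiresByType video/mp4 "access plus 1 year"
    ExpiresByType video/mpeg "access plus 1 year"
    ExpiresByType video/quicktime "access plus 1 year"
    ExpiresByType video/ogg "access plus 1 year"
    ExpiresByType video/webm "access plus 1 year"

    # Stylesheets, scripts and documents: one month.
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType text/javascript "access plus 1 month"
    ExpiresByType application/pdf "access plus 1 month"
    ExpiresByType application/x-shockwave-flash "access plus 1 month"
</IfModule>

# ---------------------------------------------------------------------------
# Explicit Cache-Control per extension. The fixed "Header set Expires <date>" from the original
# is gone: an absolute date goes stale once it passes (everything then becomes uncacheable) and
# it overrode the relative dates mod_expires computes above. Dots in the patterns are escaped so
# ".(js)$" no longer matches any file whose name merely ends in "js".
# ---------------------------------------------------------------------------
<IfModule mod_headers.c>
    <FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|swf|ogv|mp4|webm)$">
        # No ETag: freshness is decided by Cache-Control alone for these immutable assets.
        Header unset ETag
        FileETag None
        Header set Cache-Control "max-age=25920000, public"
    </FilesMatch>
    <FilesMatch "\.css$">
        Header set Cache-Control "max-age=6048000, public"
    </FilesMatch>
    <FilesMatch "\.js$">
        Header set Cache-Control "max-age=2160000, private"
    </FilesMatch>
    <FilesMatch "\.(xml|txt)$">
        Header set Cache-Control "max-age=2160000, public, must-revalidate"
    </FilesMatch>
    <FilesMatch "\.(html|htm|php)$">
        Header set Cache-Control "max-age=1, private, must-revalidate"
    </FilesMatch>
</IfModule>

# ---------------------------------------------------------------------------
# MIME types. Fonts use the registered names (RFC 8081 font/* and
# application/vnd.ms-fontobject for .eot) instead of the non-standard x-font/* family; the
# DEFLATE and Expires sections above key on these names, so change them together.
# ---------------------------------------------------------------------------
# Fonts and icons
AddType font/otf .otf
AddType font/ttf .ttf
AddType application/vnd.ms-fontobject .eot
AddType font/woff .woff
AddType font/woff2 .woff2
AddType image/x-icon .ico

# Audio. The original mapped .mp4, .mpg, .mpeg and .webm under both an audio and a video type;
# a later AddType for the same extension silently wins, so only the video mapping ever applied.
# Those extensions are listed once, under Video.
AddType audio/aac .aac
AddType audio/mp4 .m4a
AddType audio/mpeg .mp1 .mp2 .mp3
AddType audio/ogg .oga .ogg
AddType audio/wav .wav

# Video
AddType video/mp4 .mp4 .m4v
AddType video/mpeg .mpeg .mpg
AddType video/quicktime .mov
AddType video/ogg .ogv
AddType video/webm .webm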