WordPress Site Güvenliğini Artırmak İçin .htaccess Dosyası Kullanımı

WordPress sitenizin güvenliğini artırmak için .htaccess dosyasını nasıl kullanabileceğinizi öğrenin. Bu adım adım rehber, zararlı saldırılara karşı koruma sağlamak ve sitenizin performansını iyileştirmek için etkili yöntemler sunar.

ÇOK KATI DIŞARIDAN AKIŞ ÇEKMEK DAHİ YASAK

Aşağıdaki yapılandırma ile youtube dan video akışı dahi çekemezsiniz.

# TEMEL AYARLAR
Options -Indexes +FollowSymLinks
ServerSignature Off
 
# GÜVENLİK BAŞLIKLARI (XSS ve Diğer Koruma Mekanizmaları)
<IfModule mod_headers.c>
    # XSS KORUMASI - Modern tarayıcılarda XSS saldırılarını engeller
    Header set X-XSS-Protection "1; mode=block"
     
    # Clickjacking koruması
    Header always append X-Frame-Options SAMEORIGIN
     
    # MIME türü atlama koruması
    Header set X-Content-Type-Options nosniff
     
    # İçerik Güvenlik Politikası (Güçlü XSS koruması)
    Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; img-src 'self' data: https:; style-src 'self' 'unsafe-inline' https:; font-src 'self' https: data:; frame-ancestors 'self'"
     
    # Referrer Policy
    Header set Referrer-Policy "strict-origin-when-cross-origin"
     
    # HSTS (HTTPS Zorlama)
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
</IfModule>
 
# WORDPRESS YÖNLENDİRME
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
</IfModule>
 
# DOSYA ERİŞİM KONTROLLERİ
# ZARARLI UZANTILARI ENGELLE
<FilesMatch "\.(exe|sh|asp|aspx|jsp|pl|cgi|bak|env|git|sql|md|log|inc|swp|config|yml|phar|ini|htaccess)$">
    Require all denied
</FilesMatch>
 
# YÖNETİM PANELİ KORUMASI (Apache 2.4+ Formatı)
<FilesMatch "^(wp-login\.php|wp-admin/.*|admin-ajax\.php)$">
    <RequireAll>
        Require ip 37.130.81.93
        # Gerektiğinde ek IP'ler buraya eklenebilir
        # Require ip 192.168.1.100
    </RequireAll>
    ErrorDocument 403 "Erişim Engellendi!"
</FilesMatch>
 
# ÖNEMLİ DOSYA KORUMALARI
<FilesMatch "^(wp-config\.php|license\.txt|readme\.html|wp-config-sample\.php|\.htaccess)$">
    Require all denied
</FilesMatch>
 
# DÜZENLEYİCİ KAPATMA
<FilesMatch "^(plugin-editor\.php|theme-editor\.php|install\.php|wp-upgrade\.php)$">
    Require all denied
</FilesMatch>
 
# ZARARLI İSTEKLERİ ENGELLE (XSS/SQL/Command Injection)
<IfModule mod_rewrite.c>
    RewriteEngine On
     
    # Kötü niyetli botları engelle
    RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (bot|crawl|spider|havij|sqlmap|nmap) [NC]
     
    # XSS ve SQL Injection koruması
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (javascript:|alert\(|document\.cookie|onmouseover=) [NC,OR]
    RewriteCond %{QUERY_STRING} (base64_encode|eval\(|unescape\(|fromCharCode) [NC,OR]
     
    # SQL Injection koruması
    RewriteCond %{QUERY_STRING} (union.*select|benchmark|insert|cast|declare|drop|update|md5|sha1) [NC,OR]
    RewriteCond %{QUERY_STRING} (globals|mosconfig|_request|etc/passwd) [NC,OR]
    RewriteCond %{QUERY_STRING} (\;|'|\"|%22|%27|%3C|%3E).*(/\*|union|select|insert) [NC]
     
    RewriteRule ^(.*)$ - [F,L]
</IfModule>
 
# PHP GÜVENLİK AYARLARI (XSS ve Diğer Saldırılar için)
<IfModule mod_php7.c>
    php_flag allow_url_fopen Off
    php_flag allow_url_include Off
    php_flag register_globals Off
    php_flag display_errors Off
    php_value session.cookie_httponly 1
    php_value session.cookie_secure 1
    php_value session.use_strict_mode 1
    php_value expose_php Off
    php_value upload_max_filesize 10M
    php_value post_max_size 12M
</IfModule>
 
# EKLENTİ GÜVENLİĞİ
<IfModule mod_rewrite.c>
    # Eklenti dizinlerine doğrudan erişimi engelle
    RewriteRule ^wp-content/plugins/(.*\.php)$ - [F,L]
     
    # Temalardaki PHP dosyalarına erişimi engelle (wp-content/themes/theme-name/*.php)
    RewriteCond %{REQUEST_URI} !^/wp-content/themes/[^/]+/header\.php
    RewriteCond %{REQUEST_URI} !^/wp-content/themes/[^/]+/footer\.php
    RewriteRule ^wp-content/themes/([^/]+)/.*\.php$ - [F,L]
</IfModule>
 
# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php74” package as the default “PHP” programming language.
<IfModule mime_module>
  AddHandler application/x-httpd-ea-php74 .php .php7 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit

# Wordfence WAF
<IfModule LiteSpeed>
php_value auto_prepend_file '/home/alagurmeiclikoft/public_html/arifakyuz/wordfence-waf.php'
</IfModule>
<IfModule lsapi_module>
php_value auto_prepend_file '/home/alagurmeiclikoft/public_html/arifakyuz/wordfence-waf.php'
</IfModule>
<Files ".user.ini">
<IfModule mod_authz_core.c>
	Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
	Order deny,allow
	Deny from all
</IfModule>
</Files>

# END Wordfence WAF

YOUTUBE VE İZİN VERECEĞİNİZ SİTELERDEN VERİ ÇEKEBİLECVEĞİNİZ YAPILANDIRMA

# TEMEL AYARLAR
Options -Indexes +FollowSymLinks
ServerSignature Off

<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>

<files wp-config.php>
order allow,deny
deny from all
</files>

  
# GÜVENLİK BAŞLIKLARI (XSS ve Diğer Koruma Mekanizmaları)
<IfModule mod_headers.c>
    # XSS KORUMASI - Modern tarayıcılarda XSS saldırılarını engeller
    Header set X-XSS-Protection "1; mode=block"
      
    # Clickjacking koruması
    Header always append X-Frame-Options "SAMEORIGIN"
      
    # MIME türü atlama koruması
    Header set X-Content-Type-Options nosniff
      
    # İçerik Güvenlik Politikası (Yeni siteler eklendi)
    Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; img-src 'self' data: https:; style-src 'self' 'unsafe-inline' https:; font-src 'self' https: data:; frame-src 'self' https://www.youtube.com https://youtu.be https://arifakyuz.speedtestcustom.com https://www.speedtest.net; frame-ancestors 'self'"
      
    # Referrer Policy
    Header set Referrer-Policy "strict-origin-when-cross-origin"
      
    # HSTS (HTTPS Zorlama)
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
</IfModule>
  
# WORDPRESS YÖNLENDİRME
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
</IfModule>
  
# DOSYA ERİŞİM KONTROLLERİ
# ZARARLI UZANTILARI ENGELLE
<FilesMatch "\.(exe|sh|asp|aspx|jsp|pl|cgi|bak|env|git|sql|md|log|inc|swp|config|yml|phar|ini|htaccess)$">
    Require all denied
</FilesMatch>
  
# YÖNETİM PANELİ KORUMASI (Apache 2.4+ Formatı)
<FilesMatch "^dukmakxs$">
    <RequireAll>
        Require ip 37.130.81.93
        # Gerektiğinde ek IP'ler buraya eklenebilir
        # Require ip 192.168.1.100
    </RequireAll>
    ErrorDocument 403 "Erişim Engellendi. Lütfen yetkili IP adresi kullanın."
</FilesMatch>


<FilesMatch "^dukmakxs$">
    <RequireAll>
        Require expr %{HTTP:X-Forwarded-For} =~ /^37\.130\.81\.93/
    </RequireAll>
    ErrorDocument 403 "Erişim Engellendi. Lütfen yetkili IP adresi kullanın."
</FilesMatch>


  
# ÖNEMLİ DOSYA KORUMALARI
<FilesMatch "^(wp-config\.php|license\.txt|readme\.html|wp-config-sample\.php|\.htaccess)$">
    Require all denied
</FilesMatch>
  
# DÜZENLEYİCİ KAPATMA
<FilesMatch "^(plugin-editor\.php|theme-editor\.php|install\.php|wp-upgrade\.php)$">
    Require all denied
</FilesMatch>
  
# ZARARLI İSTEKLERİ ENGELLE (XSS/SQL/Command Injection)
<IfModule mod_rewrite.c>
    RewriteEngine On
      
    # Kötü niyetli botları engelle
    RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (bot|crawl|spider|havij|sqlmap|nmap) [NC]
      
    # XSS ve SQL Injection koruması
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (javascript:|alert\(|document\.cookie|onmouseover=) [NC,OR]
    RewriteCond %{QUERY_STRING} (base64_encode|eval\(|unescape\(|fromCharCode) [NC,OR]
      
    # SQL Injection koruması
    RewriteCond %{QUERY_STRING} (union.*select|benchmark|insert|cast|declare|drop|update|md5|sha1) [NC,OR]
    RewriteCond %{QUERY_STRING} (globals|mosconfig|_request|etc/passwd) [NC,OR]
    RewriteCond %{QUERY_STRING} (\;|'|\"|%22|%27|%3C|%3E).*(/\*|union|select|insert) [NC]
      
    RewriteRule ^(.*)$ - [F,L]
</IfModule>
  
# PHP GÜVENLİK AYARLARI (XSS ve Diğer Saldırılar için)
<IfModule mod_php7.c>
    php_flag allow_url_fopen Off
    php_flag allow_url_include Off
    php_flag register_globals Off
    php_flag display_errors Off
    php_value session.cookie_httponly 1
    php_value session.cookie_secure 1
    php_value session.use_strict_mode 1
    php_value expose_php Off
    php_value upload_max_filesize 10M
    php_value post_max_size 12M
</IfModule>
  
# EKLENTİ GÜVENLİĞİ
<IfModule mod_rewrite.c>
    # Eklenti dizinlerine doğrudan erişimi engelle
    RewriteRule ^wp-content/plugins/(.*\.php)$ - [F,L]
      
    # Temalardaki PHP dosyalarına erişimi engelle (wp-content/themes/theme-name/*.php)
    RewriteCond %{REQUEST_URI} !^/wp-content/themes/[^/]+/header\.php
    RewriteCond %{REQUEST_URI} !^/wp-content/themes/[^/]+/footer\.php
    RewriteRule ^wp-content/themes/([^/]+)/.*\.php$ - [F,L]
</IfModule>
  
# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php74” package as the default “PHP” programming language.
<IfModule mime_module>
  AddHandler application/x-httpd-ea-php74 .php .php7 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit
 
# Wordfence WAF
<IfModule LiteSpeed>
php_value auto_prepend_file '/home/alagurmeiclikoft/public_html/arifakyuz/wordfence-waf.php'
</IfModule>
<IfModule lsapi_module>
php_value auto_prepend_file '/home/alagurmeiclikoft/public_html/arifakyuz/wordfence-waf.php'
</IfModule>
<Files ".user.ini">
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
</Files>
 
# END Wordfence WAF

GOOGLE ADSENSE YOUTUBE SPEED TEST VE İZİN VERECEĞİNİZ SİTELERDEN VERİ ÇEKEBİLECVEĞİNİZ YAPILANDIRMA

# TEMEL AYARLAR
Options -Indexes +FollowSymLinks
ServerSignature Off

<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>

<files wp-config.php>
order allow,deny
deny from all
</files>

  
# GÜVENLİK BAŞLIKLARI (XSS ve Diğer Koruma Mekanizmaları)
<IfModule mod_headers.c>
    # XSS KORUMASI - Modern tarayıcılarda XSS saldırılarını engeller
    Header set X-XSS-Protection "1; mode=block"
      
    # Clickjacking koruması
    Header always append X-Frame-Options "SAMEORIGIN"
      
    # MIME türü atlama koruması
    Header set X-Content-Type-Options nosniff
      
    # İçerik Güvenlik Politikası (Yeni siteler eklendi)
    Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; img-src 'self' data: https:; style-src 'self' 'unsafe-inline' https:; font-src 'self' https: data:; frame-src 'self' https://www.youtube.com https://youtu.be https://arifakyuz.speedtestcustom.com https://www.speedtest.net; frame-ancestors 'self'"
      
    # Referrer Policy
    Header set Referrer-Policy "strict-origin-when-cross-origin"
      
    # HSTS (HTTPS Zorlama)
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
</IfModule>
  
# WORDPRESS YÖNLENDİRME
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
</IfModule>
  
# DOSYA ERİŞİM KONTROLLERİ
# ZARARLI UZANTILARI ENGELLE
<FilesMatch "\.(exe|sh|asp|aspx|jsp|pl|cgi|bak|env|git|sql|md|log|inc|swp|config|yml|phar|ini|htaccess)$">
    Require all denied
</FilesMatch>
  
# YÖNETİM PANELİ KORUMASI (Apache 2.4+ Formatı)
<FilesMatch "^dukmakxs$">
    <RequireAll>
        Require ip 37.130.81.93
        # Gerektiğinde ek IP'ler buraya eklenebilir
        # Require ip 192.168.1.100
    </RequireAll>
    ErrorDocument 403 "Erişim Engellendi. Lütfen yetkili IP adresi kullanın."
</FilesMatch>


<FilesMatch "^dukmakxs$">
    <RequireAll>
        Require expr %{HTTP:X-Forwarded-For} =~ /^37\.130\.81\.93/
    </RequireAll>
    ErrorDocument 403 "Erişim Engellendi. Lütfen yetkili IP adresi kullanın."
</FilesMatch>


  
# ÖNEMLİ DOSYA KORUMALARI
<FilesMatch "^(wp-config\.php|license\.txt|readme\.html|wp-config-sample\.php|\.htaccess)$">
    Require all denied
</FilesMatch>
  
# DÜZENLEYİCİ KAPATMA
<FilesMatch "^(plugin-editor\.php|theme-editor\.php|install\.php|wp-upgrade\.php)$">
    Require all denied
</FilesMatch>
  
# ZARARLI İSTEKLERİ ENGELLE (XSS/SQL/Command Injection)
<IfModule mod_rewrite.c>
    RewriteEngine On
      
    # Kötü niyetli botları engelle
    RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (bot|crawl|spider|havij|sqlmap|nmap) [NC]
      
    # XSS ve SQL Injection koruması
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (javascript:|alert\(|document\.cookie|onmouseover=) [NC,OR]
    RewriteCond %{QUERY_STRING} (base64_encode|eval\(|unescape\(|fromCharCode) [NC,OR]
      
    # SQL Injection koruması
    RewriteCond %{QUERY_STRING} (union.*select|benchmark|insert|cast|declare|drop|update|md5|sha1) [NC,OR]
    RewriteCond %{QUERY_STRING} (globals|mosconfig|_request|etc/passwd) [NC,OR]
    RewriteCond %{QUERY_STRING} (\;|'|\"|%22|%27|%3C|%3E).*(/\*|union|select|insert) [NC]
      
    RewriteRule ^(.*)$ - [F,L]
</IfModule>
  
# PHP GÜVENLİK AYARLARI (XSS ve Diğer Saldırılar için)
<IfModule mod_php7.c>
    php_flag allow_url_fopen Off
    php_flag allow_url_include Off
    php_flag register_globals Off
    php_flag display_errors Off
    php_value session.cookie_httponly 1
    php_value session.cookie_secure 1
    php_value session.use_strict_mode 1
    php_value expose_php Off
    php_value upload_max_filesize 10M
    php_value post_max_size 12M
</IfModule>
  
# EKLENTİ GÜVENLİĞİ
<IfModule mod_rewrite.c>
    # Eklenti dizinlerine doğrudan erişimi engelle
    RewriteRule ^wp-content/plugins/(.*\.php)$ - [F,L]
      
    # Temalardaki PHP dosyalarına erişimi engelle (wp-content/themes/theme-name/*.php)
    RewriteCond %{REQUEST_URI} !^/wp-content/themes/[^/]+/header\.php
    RewriteCond %{REQUEST_URI} !^/wp-content/themes/[^/]+/footer\.php
    RewriteRule ^wp-content/themes/([^/]+)/.*\.php$ - [F,L]
</IfModule>
  
# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php74” package as the default “PHP” programming language.
<IfModule mime_module>
  AddHandler application/x-httpd-ea-php74 .php .php7 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit
 
# Wordfence WAF
<IfModule LiteSpeed>
php_value auto_prepend_file '/home/alagurmeiclikoft/public_html/arifakyuz/wordfence-waf.php'
</IfModule>
<IfModule lsapi_module>
php_value auto_prepend_file '/home/alagurmeiclikoft/public_html/arifakyuz/wordfence-waf.php'
</IfModule>
<Files ".user.ini">
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
</Files>
 
# END Wordfence WAF

Arif Akyüz Sistem Network Yöneticisi ve Siber Güvenlik Uzmanı

Arif Akyüz
Bilgi Teknolojileri
Sistem Network Yöneticisi
ve Siber Güvenlik Uzmanı
[email protected]