# Rename this file to .htaccess in the WordPress document root.
# Compatible with Apache and LiteSpeed shared hosting.

Options -Indexes
ServerSignature Off

<IfModule mod_rewrite.c>
RewriteEngine On

# Force HTTPS after the SSL certificate is active.
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Block direct access to sensitive and development files.
RewriteRule (^|/)\.(?!well-known/) - [F,L]
RewriteRule ^(?:readme|license)\.(?:html|txt)$ - [F,L,NC]

# Standard WordPress front controller.
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

<FilesMatch "^(wp-config\.php|xmlrpc\.php|\.user\.ini|composer\.(json|lock)|package(-lock)?\.json|phpunit\.xml|error_log|debug\.log)$">
  Require all denied
</FilesMatch>

<IfModule mod_headers.c>
  Header always set X-Content-Type-Options "nosniff"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
</IfModule>

<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresByType text/css "access plus 7 days"
  ExpiresByType application/javascript "access plus 7 days"
  ExpiresByType image/png "access plus 30 days"
  ExpiresByType image/jpeg "access plus 30 days"
  ExpiresByType image/webp "access plus 30 days"
  ExpiresByType image/svg+xml "access plus 30 days"
  ExpiresByType font/woff2 "access plus 30 days"
</IfModule>
