Lean Bunker Security – WordPress Plugin

Lean Bunker Security è un frammento di configurazione .htaccess da copiare e incollare.
Niente dipendenze, niente bloat, niente tracciamento. Solo protezione reale, trasparente e verificabile.

Non modifica il core, non carica librerie esterne, non rallenta il sito.
Fa esattamente ciò che serve — e niente di più.

# -----------------------------------------------------------------
# LEAN BUNKER SECURITY – .htaccess hardening
# Version: 0.0.1
# Autore: Riccardo Bastillo
# Obiettivo: massima sicurezza, zero bloat, core integro
# Compatibile con: WordPress Multisite (subfolder), Beaver Builder, LeanPress
# -----------------------------------------------------------------

# Enable the rewrite engine once for this .htaccess; the firewall and
# multisite rules further down rely on it. A second "RewriteEngine On" in
# the later <IfModule mod_rewrite.c> sections is not needed.
<IfModule mod_rewrite.c>
RewriteEngine On
</IfModule>

# -----------------------------------------------------------------
# 🔥 FIREWALL – Protezione mirata senza rompere SEO
# -----------------------------------------------------------------
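<IfModule mod_rewrite.c>
# --- Query-string exploit patterns -----------------------------------------
# %{QUERY_STRING} is the raw, still percent-encoded query string: these rules
# only see characters a client sends unencoded (%27, %3C, ... pass through).
# The first condition rejects any literal < > " ' ( ) [ ] { } | ; $ * — this
# can produce false positives with plugins that send parameters such as
# ?tax[]=... unencoded; verify on the real site before relying on it.
# "concat", "sleep(", "eval(" etc. are substring matches (a search for
# "concatenate" is rejected as well).
RewriteCond %{QUERY_STRING} [<>\"'\(\)\[\]\{\}\|\;\$\*] [NC,OR]
RewriteCond %{QUERY_STRING} (union\s+select|concat|information_schema|load_file|sleep\(|base64_decode|eval\() [NC,OR]
RewriteCond %{QUERY_STRING} (exec\(|system\(|passthru\(|shell_exec\() [NC,OR]
# Directory traversal. "\.\." already covers "../", so the former "\.\./|\.\."
# alternation was redundant; the matched set is unchanged.
RewriteCond %{QUERY_STRING} \.\. [NC]
RewriteRule ^ - [F,L]

# --- Sensitive files, by full last path segment ----------------------------
# Matches when the final segment of the request path is exactly one of these
# names (by name, not by extension; extensions are handled by the FilesMatch
# sections). A page or post whose slug is e.g. "backup", "old", "save" or
# "logs" is refused too — rename the slug or drop the word from this list.
RewriteCond %{REQUEST_URI} (^|/)(\.env|\.git|\.svn|\.hg|\.bzr|composer\.lock|yarn\.lock|package-lock\.json|error_log|debug\.log|access_log|php_errorlog|php_errors|logs?|backups?|dumps?|sql|old|bak|save|swp|~)$ [NC]
RewriteRule ^ - [F,L]

# --- User enumeration ------------------------------------------------------
# Refuse ?author=N on the public site. Excluded inside wp-admin, where the
# Posts list legitimately uses edit.php?author=N to filter by author (the
# previous rule broke that filter). Anchored to a parameter boundary so a
# search containing "author=1" is not rejected. [F] sends the same 403 as
# the former [R=403] and is consistent with the other rules in this block.
RewriteCond %{REQUEST_URI} !/wp-admin/ [NC]
RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
RewriteRule ^ - [F,L]

# --- Scanner / tool user agents --------------------------------------------
# Substring match on the User-Agent. "wget" and "curl" also reject uptime
# checks and deployment scripts that use those tools — confirm nothing you
# rely on is affected before deploying.
RewriteCond %{HTTP_USER_AGENT} (sqlmap|nikto|hydra|nmap|acunetix|dirbuster|gobuster|ffuf|wget|curl|python-urllib|zgrab) [NC]
RewriteRule ^ - [F,L]

# --- Requests without a Host header ----------------------------------------
RewriteCond %{HTTP_HOST} ^$
RewriteRule ^ - [F,L]

# --- No script execution under uploads/ ------------------------------------
# Also matches the multisite sub-folder form /<site>/wp-content/uploads/...
# directly (same prefix pattern as the multisite rules below) and
# uploads/sites/N/ via ".*". [NC] covers upper-case extensions; "(/|$)" also
# refuses path-info forms such as shell.php/x.jpg. "js\.php" was already
# covered by "php" and is dropped; "php" is covered by "php[0-9]*".
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-content/uploads/.*\.(php[0-9]*|phtml|phar|pht|shtml|cgi|pl|py|rb|sh|asp|aspx|jsp|exe|com|scr|msi|vbs)(/|$) - [NC,F,L]

# --- Dotfiles and dot-directories ------------------------------------------
# .env, .git/, .htpasswd ... are refused, except .well-known/, which ACME
# (Let's Encrypt http-01) validation must be able to reach.
RewriteCond %{REQUEST_URI} !(^|/)\.well-known/ [NC]
RewriteRule (^|/)\. - [F,L]
</IfModule>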

# -----------------------------------------------------------------
# 🔐 PROTEZIONE FILE STATICI – SOLO quelli sensibili
# -----------------------------------------------------------------
# Deny direct requests to known config, installer, metadata and log files.
# FilesMatch matches the file's basename in any directory; "Require" is the
# Apache 2.4 syntax. Two entries have side effects worth knowing:
# - xmlrpc.php: also disables Jetpack, the WordPress mobile apps and
#   pingbacks, which talk to the site through XML-RPC.
# - upgrade.php: WordPress sends visitors to wp-admin/upgrade.php (and
#   wp-admin/network/upgrade.php on multisite) to run database upgrades after
#   a core update; with this entry that page answers 403 — TODO confirm this
#   is intended, or remove it from the list.
# .htaccess is normally already denied by Apache's default ".ht*" rule;
# listing it here is harmless belt-and-braces.
<FilesMatch "^(wp-config\.php|readme\.html|license\.txt|changelog\.txt|install\.php|setup-config\.php|upgrade\.php|xmlrpc\.php|wlwmanifest\.xml|wp-links-opml\.php|composer\.json|package\.json|yarn\.lock|database\.sql|dump\.sql|error_log|debug\.log|access_log|php_errorlog|php_errors|\.htaccess)$">
Require all denied
</FilesMatch>

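# Deny files whose *extension* marks them as secrets, VCS metadata, backups,
# logs or dumps — but NOT generic .txt/.xml. Matching is case-insensitive
# ("(?i)") so .BAK / .SQL are covered on case-sensitive filesystems too.
# Fixes two alternatives that could never match as written: "Thumbs.db" has
# no leading dot, and editor backup copies such as wp-config.php~ have no dot
# before the tilde; both are now matched as plain suffixes.
<FilesMatch "(?i)(\.(env|git|svn|hg|bzr|DS_Store|bak|backup|old|save|swp|log|sql|lock|yml|yaml)|Thumbs\.db|~)$">
Require all denied
</FilesMatch>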

# -----------------------------------------------------------------
# 🛑 ALTRE MISURE DI SICUREZZA
# -----------------------------------------------------------------
# Disable directory listings. Requires AllowOverride to permit "Options"
# (or "Options=Indexes") for this directory; otherwise Apache refuses the
# .htaccess and the site answers 500.
Options -Indexes

<IfModule mod_headers.c>
# Remove the PHP banner header.
Header unset X-Powered-By
# NOTE(review): this line is a no-op. Apache adds the Server header after
# mod_headers has run, so it cannot be unset here; hiding the version needs
# "ServerTokens Prod" in the server configuration, which .htaccess cannot set.
Header unset Server
# "Header set" (without "always") applies to 2xx responses only, so error
# pages (403/404/500) go out without these four headers. NOTE(review):
# "always set" would cover them, but WordPress itself emits X-Frame-Options,
# X-Content-Type-Options and Referrer-Policy inside wp-admin and the change
# would duplicate those headers there — decide before switching.
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set Permissions-Policy "geolocation=(), microphone=(), camera=()"

# HSTS (one year) on every response ("always"), but only when the HTTPS
# environment variable is set, i.e. when TLS terminates on this Apache
# (typically set by mod_ssl). Behind a proxy or CDN that terminates TLS the
# variable is not set and the header is never sent — TODO confirm on the
# target hosting.
Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
</IfModule>

# -----------------------------------------------------------------
# 🌐 REGOLE MULTISITE (subfolder)
# -----------------------------------------------------------------
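<IfModule mod_rewrite.c>
# Standard WordPress Multisite (sub-folder) rewrite rules. Wrapped in
# IfModule like the other sections: without mod_rewrite a bare RewriteBase
# is an unknown directive and the whole site answers 500.
# "RewriteBase /" assumes WordPress lives in the document root.
# Because the firewall section above comes first in the file, its [F,L]
# rules still screen requests before the pass-through for existing files.
RewriteBase /
RewriteRule ^index\.php$ - [L]

# Add a trailing slash to wp-admin, optionally prefixed by a site slug.
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]

# Existing files and directories are served as-is.
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]

# Strip the site-slug prefix for core directories and PHP files so that
# /<site>/wp-content/... maps onto the single shared install.
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
# Everything else goes to the front controller.
RewriteRule . index.php [L]
</IfModule>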