# ============================================
# BOT PROTECTION (HEAD requests + crawlers)
# ============================================
SetEnvIfNoCase Request_Method "HEAD" headreq=1
SetEnvIfNoCase User-Agent "(meta-externalagent|facebookexternalhit|SemrushBot|AhrefsBot|MJ12bot|DotBot|DataForSeoBot|SeznamBot|BLEXBot|PetalBot|Bytespider|bingbot|YandexBot|Applebot|Discordbot|Twitterbot|WhatsApp|TelegramBot|crawler|spider|bot)" badbot=1

# ============================================
# WORDPRESS MULTISITE REWRITES
# ============================================
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# Index
RewriteRule ^index\.php$ - [L]

# Uploaded files
RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]

# Trailing slash voor /wp-admin
RewriteRule ^wp-admin$ wp-admin/ [R=301,L]

# Als bestand of directory bestaat -> niets doen
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]

# Alle overige naar WordPress
RewriteRule . index.php [L]

# --- BotActionBlock binnen rewrite ---
# 1) HEAD requests blocken
RewriteCond %{ENV:headreq} =1
RewriteCond %{QUERY_STRING} (^|&)(add(?:_|-)?to(?:_|-)?(cart|wishlist)|add_to_wishlist|add-to-cart)(=|&|$) [NC]
RewriteRule ^ - [F,L]

# 2) Bekende bots blocken
RewriteCond %{ENV:badbot} =1
RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$ [NC]
RewriteCond %{QUERY_STRING} (^|&)(add(?:_|-)?to(?:_|-)?(cart|wishlist)|add_to_wishlist|add-to-cart)(=|&|$) [NC]
RewriteRule ^ - [F,L]
</IfModule>

# ============================================
# LITESPEED CACHE
# ============================================
<IfModule LiteSpeed>
RewriteEngine on
CacheLookup on
RewriteRule .* - [E=Cache-Control:no-autoflush]
RewriteRule litespeed/debug/.*\.log$ - [F,L]
RewriteRule \.litespeed_conf\.dat - [F,L]

### marker ASYNC start ###
RewriteCond %{REQUEST_URI} /wp-admin/admin-ajax\.php
RewriteCond %{QUERY_STRING} action=async_litespeed
RewriteRule .* - [E=noabort:1]
### marker ASYNC end ###

### marker WEBP start ###
RewriteCond %{HTTP_ACCEPT} image/webp [OR]
RewriteCond %{HTTP_USER_AGENT} iPhone\ OS\ (1[4-9]|[2-9][0-9]) [OR]
RewriteCond %{HTTP_USER_AGENT} Firefox/([6-9][0-9]|[1-9][0-9]{2,})
RewriteRule .* - [E=Cache-Control:vary=%{ENV:LSCACHE_VARY_VALUE}+webp]
### marker WEBP end ###

### marker DROPQS start ###
CacheKeyModify -qs:fbclid
CacheKeyModify -qs:gclid
CacheKeyModify -qs:utm*
CacheKeyModify -qs:_ga
### marker DROPQS end ###
</IfModule>

# ============================================
# NON LSCACHE (Browser cache)
# ============================================
<IfModule mod_expires.c>
ExpiresActive on
ExpiresByType application/pdf A4838400
ExpiresByType image/x-icon A4838400
ExpiresByType image/svg+xml A4838400
ExpiresByType image/jpg A4838400
ExpiresByType image/jpeg A4838400
ExpiresByType image/png A4838400
ExpiresByType image/gif A4838400
ExpiresByType image/webp A4838400
ExpiresByType image/avif A4838400
ExpiresByType video/ogg A4838400
ExpiresByType audio/ogg A4838400
ExpiresByType video/mp4 A4838400
ExpiresByType video/webm A4838400
ExpiresByType text/css A4838400
ExpiresByType text/javascript A4838400
ExpiresByType application/javascript A4838400
ExpiresByType application/x-javascript A4838400
ExpiresByType font/ttf A4838400
ExpiresByType font/otf A4838400
ExpiresByType font/woff A4838400
ExpiresByType font/woff2 A4838400
ExpiresByType application/vnd.ms-fontobject A4838400
</IfModule>

# ============================================
# WP ROCKET
# ============================================
AddDefaultCharset UTF-8
<IfModule mod_mime.c>
  AddCharset UTF-8 .atom .css .js .json .rss .vtt .xml
</IfModule>
<IfModule mod_headers.c>
  Header unset ETag
</IfModule>
FileETag None

<IfModule mod_alias.c>
<FilesMatch "\.(html|htm|rtf|rtx|txt|xsd|xsl|xml)$">
<IfModule mod_headers.c>
Header set X-Powered-By "WP Rocket/3.19.3"
Header unset Pragma
Header append Cache-Control "public"
Header unset Last-Modified
</IfModule>
</FilesMatch>
<FilesMatch "\.(css|htc|js|gif|jpg|jpeg|png|svg|woff|woff2|ttf|otf|eot|pdf|zip|mp4|webm)$">
<IfModule mod_headers.c>
Header unset Pragma
Header append Cache-Control "public"
</IfModule>
</FilesMatch>
</IfModule>

<IfModule mod_expires.c>
ExpiresActive on
ExpiresDefault "access plus 1 month"
ExpiresByType text/html "access plus 0 seconds"
ExpiresByType application/json "access plus 0 seconds"
ExpiresByType image/webp "access plus 4 months"
ExpiresByType font/woff2 "access plus 4 months"
ExpiresByType text/css "access plus 1 year"
ExpiresByType application/javascript "access plus 1 year"
</IfModule>

<IfModule mod_deflate.c>
SetOutputFilter DEFLATE
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|pdf|mp4|webm|zip)$ no-gzip dont-vary
</IfModule>
</IfModule>
<IfModule mod_filter.c>
AddOutputFilterByType DEFLATE application/javascript application/json text/css text/html text/xml
</IfModule>
<IfModule mod_headers.c>
Header append Vary: Accept-Encoding
</IfModule>
</IfModule>

# ============================================
# WORDFENCE WAF
# ============================================
<IfModule LiteSpeed>
php_value auto_prepend_file '/var/www/vhosts/xman.be/httpdocs/wordfence-waf.php'
</IfModule>
<IfModule lsapi_module>
php_value auto_prepend_file '/var/www/vhosts/xman.be/httpdocs/wordfence-waf.php'
</IfModule>
<Files ".user.ini">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>

# ============================================
# Really Simple Security
# ============================================
Options -Indexes