# Front-controller routing: a request for index.php is served as-is, and any
# request that is not an existing file (!-f) or directory (!-d) is handed to
# /index.php. Both rules carry [L], so rewriting stops here for those
# requests; the rewrite sections further down only see requests that fall
# through (existing files and directories, and the bare site root, which the
# "." pattern does not match) - assuming this is the site-root .htaccess.
# NOTE(review): WordPress normally manages the text between the BEGIN/END
# markers and may regenerate it, so custom rules belong outside them.
# NOTE(review): unlike later sections, these directives are not wrapped in
# <IfModule mod_rewrite.c>; without mod_rewrite Apache would reject the file.
# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

# Block wp-includes folder and files
# Returns 403 (F) for direct HTTP requests to include-only PHP:
#   - anything under wp-admin/includes/
#   - .php files directly inside wp-includes/ (no subdirectory)
#   - .php files under wp-includes/js/tinymce/langs/ (pattern has no trailing $)
#   - anything under wp-includes/theme-compat/
# The [S=3] rule skips the three wp-includes rules that follow it whenever the
# path is NOT under wp-includes/. The count is positional: adding or removing
# a RewriteRule after it requires adjusting S=3 to match.
# NOTE(review): on multisite installs that still route uploads through
# wp-includes/ms-files.php, the second wp-includes rule would block it - confirm.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# Block WordPress xmlrpc.php requests
# Denies every client access to any file named xmlrpc.php in this directory
# tree; there is no "allow from" line, so no address is exempted.
# NOTE(review): anything that still talks XML-RPC to this site (remote
# publishing clients, pingbacks, some plugins) stops working - confirm none
# is in use, or add an "allow from" for the addresses that need it.
# NOTE(review): order/deny are Apache 2.2-style directives; on 2.4 they need
# mod_access_compat, and the native equivalent is "Require all denied".
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

# Deny access to wp-config.php file
# Refuses all HTTP requests for wp-config.php. The block matches that exact
# file name only; differently named copies (editor backups, renamed files)
# are not covered by it.
# NOTE(review): 2.2-style directives; on Apache 2.4 this relies on
# mod_access_compat ("Require all denied" is the native form).
<files wp-config.php>
order allow,deny
deny from all
</files>

# Deny access to all .htaccess files
# The regex matches any file name containing ".hta" in any letter case, so it
# covers .htaccess (and anything else with that fragment in its name).
# It does not match names such as .htpasswd, which have no ".hta" in them.
# "satisfy all" requires both the host rule and any authentication to pass;
# with "deny from all" the host rule never passes, so access is always refused.
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

# Deny access to a fixed list of file names.
# NOTE(review): the source gives no reason for this list; readme.html and
# license.txt look like version-disclosure files, the others presumably came
# from an earlier incident or cleanup - confirm and record the origin.
# The pattern is an unanchored regex with unescaped dots, so each alternative
# matches as a substring with "." standing for any character (for example
# "css.php" also matches "custom-css.php"). If only the exact names are
# meant, the form would be "^(upl\.php|...|readme\.html)$".
# Denying a name only hides the file from HTTP; it does not remove it from
# disk, and a renamed copy is not covered.
<FilesMatch "upl.php|style2.php|old-index.php|css.php|apikey.zip|license.txt|readme.html">
order deny,allow
deny from all
</FilesMatch>

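# BEGIN block author scans
# Returns 403 for front-end requests whose query string carries an
# author=<digits> parameter, which WordPress would otherwise redirect to the
# author archive URL and so reveal the login slug.
# Coverage gap: this section sits after the WordPress block, whose [L] rules
# end rewriting for index.php and for everything routed to it, so only
# requests that fall through (the site root, existing files) are checked
# here. Placing the section above "# BEGIN WordPress" applies it to every
# request.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Leave the dashboard alone: wp-admin/edit.php?author=N is the normal
# "posts by this author" filter and was being answered with 403.
# Assumes WordPress is installed at the web root, as RewriteBase / suggests.
RewriteCond %{REQUEST_URI} !^/wp-admin/ [NC]
# Match author only as a whole parameter name, not as the tail of another
# parameter such as coauthor=1.
RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
RewriteRule .* - [F]
</IfModule>
# END block author scans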


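# Setup browser caching
# Sets the browser cache lifetime per response MIME type, counted from the
# time of access; any type not listed gets the 2-day ExpiresDefault.
# NOTE(review): ExpiresDefault applies to every response without its own
# ExpiresByType line, which may include PHP-generated pages - confirm that a
# 2-day browser cache is intended for those.
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
# Apache's stock mime.types labels .js as application/javascript or
# text/javascript, so the legacy text/x-javascript line alone would leave
# scripts on the 2-day default instead of the intended month.
ExpiresByType application/javascript "access 1 month"
ExpiresByType text/javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresDefault "access 2 days"
</IfModule>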

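# =============================
# Secure wp-includes folder
# =============================
# Default-deny for /wp-includes/: PHP and a few text-like file types are
# always refused, and everything else is refused unless it is a static asset
# or sits in one of the listed asset directories.
# The REQUEST_URI patterns assume WordPress is installed at the web root.
<IfModule mod_rewrite.c>
RewriteEngine On

# Block PHP execution inside wp-includes
# (/|$) also refuses script.php/extra/path.css, where trailing path info
# would otherwise let the URL end in an allowed extension. This blanket rule
# covers every subdirectory, so it is stricter than the earlier
# "Block wp-includes folder and files" section.
RewriteRule ^wp-includes/.*\.php(/|$) - [F,L,NC]

# Deny access to sensitive files
RewriteRule ^wp-includes/.*\.(txt|md|xml|sh|log)$ - [F,L,NC]

# Allow necessary static assets (CSS, JS, images, fonts)
# The extension patterns use .+ so they apply at any depth. The previous
# [^/]+ form matched only files directly inside wp-includes/, so nested
# assets such as wp-includes/js/jquery/* and wp-includes/fonts/* were
# answered with 403 and the front end lost its scripts and icon font.
RewriteCond %{REQUEST_URI} !^/wp-includes/.+\.(css|js)$
RewriteCond %{REQUEST_URI} !^/wp-includes/.+\.(gif|jpg|jpeg|png|svg)$
RewriteCond %{REQUEST_URI} !^/wp-includes/.+\.(woff|woff2|ttf|eot)$
RewriteCond %{REQUEST_URI} !^/wp-includes/js/tinymce/.*$
RewriteCond %{REQUEST_URI} !^/wp-includes/js/dist/.*$
RewriteCond %{REQUEST_URI} !^/wp-includes/css/.*$
# All conditions are ANDed: the request is refused only when it matches none
# of the allowed shapes above.
RewriteRule ^wp-includes/ - [F,L,NC]
</IfModule>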

# Disable directory browsing
# Turns off auto-generated directory listings, so a directory without an
# index file is not rendered as a browsable file list. This hides the list
# only; files remain reachable by anyone who knows or guesses their names.
# Applied only when mod_autoindex is loaded.
# NOTE(review): in an .htaccess file this needs AllowOverride to permit
# Options - confirm in the server configuration.
<IfModule mod_autoindex.c>
    Options -Indexes
</IfModule>