# ================================
# WordPress default rules
# ================================
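# All RewriteRule/RewriteCond lines in this .htaccess form ONE per-directory
# ruleset, regardless of how many <IfModule> containers they sit in.  The
# security rewrites therefore MUST precede the WordPress front controller:
# its catch-all ends the pass with [L] for every permalink request, and the
# "^index\.php$ - [L]" rule ends the re-injected pass, so a RewriteRule placed
# after it only ever sees requests for paths that already exist on disk.
<IfModule mod_rewrite.c>
RewriteEngine On
# Adjust if WordPress lives in a sub-directory (the anchored /wp-admin/ and
# /wp-content/ checks below assume a root install).
RewriteBase /

# --- Block direct access to wp-includes / wp-admin/includes PHP ---
# Multisite note: ms-files.php lives in wp-includes; drop the
# "^wp-includes/[^/]+\.php$" rule on multisite installs.
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php$ - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# --- Block PHP execution under wp-content except plugins/ and themes/ ---
# A bare "^wp-content/.*\.php" pattern would deny every plugin and theme PHP
# file that is requested directly, contradicting the stated intent; the
# negative lookahead exempts those two trees and still covers uploads/,
# upgrade/, cache/ and anything else dropped into wp-content.
RewriteRule ^wp-content/(?!plugins/|themes/).*\.(?:php[0-9]?|phtml)$ - [F,L]

# --- Block author enumeration (?author=N) on the public site ---
# wp-admin is exempt because the post-list filters legitimately use ?author=N.
# (^|&) catches the parameter anywhere in the query string, not just first.
RewriteCond %{REQUEST_URI} !^/wp-admin/ [NC]
RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
RewriteRule .* - [F,L]

# --- Block suspicious query strings ---
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./) [NC,OR]
RewriteCond %{QUERY_STRING} (etc/passwd|boot\.ini) [NC,OR]
RewriteCond %{QUERY_STRING} (eval\() [NC]
RewriteRule .* - [F,L]

# --- Reject TRACE/TRACK ---
# "TraceEnable Off" is the proper fix but is server-config only, hence rewrite.
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$
RewriteRule .* - [F,L]

# --- WordPress front controller (keep LAST in the ruleset) ---
# The dot is escaped: "^index.php$" would also match e.g. "indexXphp".
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>

# ================================
# File access protection
# ================================
# Apache 2.2 ("Order/Deny", mod_access_compat) and 2.4 ("Require",
# mod_authz_core) syntax are not interchangeable; using one on the wrong
# version is a 500 for every request.  mod_authz_core exists only on 2.4,
# so it is used as the version guard.  Needs the matching AllowOverride
# (Limit for Order/Deny, AuthConfig for Require) in the server config.
#
# One FilesMatch covers (basename only):
#   ^wp-config\.           wp-config.php, wp-config-sample.php and any
#                          editor/backup copy (wp-config.php~, .bak, ...)
#   ^\.ht / \.htpasswd     .htaccess, .htpasswd and friends
#   readme.html, license.txt   version disclosure
#   php.ini, install.php, debug.log, error_log, *.log
<FilesMatch "^wp-config\.|^\.ht|\.htpasswd|^(readme\.html|license\.txt)$|php\.ini|install\.php|debug\.log|error_log|\.log$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>

# Protect wp-content/uploads (no PHP execution).  Defence in depth next to
# the mod_rewrite rule above: still applies when mod_rewrite is unavailable.
# <If> and Require are 2.4-only, so the whole block is guarded.
<IfModule mod_authz_core.c>
    <FilesMatch "\.php$">
        <If "%{REQUEST_URI} =~ m#^/wp-content/uploads/#">
            Require all denied
        </If>
    </FilesMatch>
</IfModule>

# Optional: block PHP in theme sub-folders that only hold static files.
# "your-theme" is a placeholder; the rule matches nothing until it is replaced.
<IfModule mod_authz_core.c>
    <FilesMatch "\.php$">
        <If "%{REQUEST_URI} =~ m#^/wp-content/themes/your-theme/assets/#">
            Require all denied
        </If>
    </FilesMatch>
</IfModule>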

# Disable directory listing
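# Disable directory listing.
# "Options All -Indexes" mixes an unprefixed option with a +/- one, which
# Apache rejects as a syntax error -- in .htaccess that is a 500 for every
# request under this directory.  Only the relative form is valid.
# Requires "AllowOverride Options" (or All) in the server config.
Options -Indexes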

# Remove header with PHP version
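# All Header directives live inside the mod_headers guard: an unguarded
# "Header" line is an unknown directive (500) on a server without the module,
# which is exactly what the guard is meant to prevent.
<IfModule mod_headers.c>
    # Remove the PHP version banner.  "always" covers the error-response
    # table, the plain form the success table; both are needed.  This only
    # hides the header -- expose_php = Off in php.ini is the real fix.
    Header always unset X-Powered-By
    Header unset X-Powered-By

    # Additional security headers.  Note: plain "set" applies to successful
    # responses only; "always set" also reaches Apache-generated error pages
    # (e.g. the 403s from the rewrite rules).  Kept as the author chose them.
    Header set Referrer-Policy "strict-origin-when-cross-origin"
    Header set Permissions-Policy "geolocation=(), microphone=(), camera=()"
    # Legacy header: current Chromium/Firefox ignore it and OWASP now
    # recommends "0"; retained unchanged here.
    Header always set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "SAMEORIGIN"
</IfModule>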

# Block xmlrpc.php - prevents brute force and DDoS amplification attacks
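# Block xmlrpc.php - prevents brute force and DDoS amplification attacks.
# Caveat: this also breaks Jetpack, the WordPress mobile apps and pingbacks,
# which all reach the site through xmlrpc.php.
# Same 2.2/2.4 access-syntax guard as the other file protections.
<Files xmlrpc.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</Files>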