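# WordPress front controller. WordPress rewrites everything between the
# BEGIN/END markers whenever permalinks are saved, so do not hand-edit inside
# them. The file must begin with a plain '#': the UTF-8 byte-order mark that
# preceded this marker is not whitespace to Apache, so the first line was read
# as a directive named "\xef\xbb\xbf#", rejected as an invalid command, and
# every request under this directory failed with a 500.
# Requests for index.php itself are left alone ([L] stops rewriting); any other
# path that is not an existing file or directory is routed to /index.php.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress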

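# Deny every request for xmlrpc.php. The XML-RPC endpoint is a frequent target
# of credential-guessing and pingback-amplification traffic; denying it at the
# web server keeps that load away from PHP entirely. Note that it also disables
# everything that depends on XML-RPC (Jetpack, the WordPress mobile apps,
# remote publishing), so re-enable selectively if those are in use.
# Apache 2.4 authorisation is "Require"; "Order/Deny" is the 2.2 syntax and is
# only understood by 2.4 when mod_access_compat is loaded. Both forms are given
# so the rule is enforced (rather than raising a 500) on either version.
<Files "xmlrpc.php">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
  </IfModule>
</Files>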

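# Deny direct requests for wp-config.php and for any file whose name starts
# with it (editor and backup copies such as wp-config.php~, wp-config.php.bak,
# wp-config.php.orig). Those copies are not handled by PHP, so without this
# rule they would be served verbatim, exposing the database credentials and
# authentication salts. The prefix match still covers the exact file name the
# original <Files> section protected.
# "Require" is the Apache 2.4 form; "Order/Deny" is kept for 2.2 (and for 2.4
# installations without mod_authz_core) so the deny never degrades to a 500.
<FilesMatch "^wp-config\.php">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
  </IfModule>
</FilesMatch>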

# Disable directory listings: a directory with no index file now returns 403
# instead of enumerating its contents (plugin names and versions, uploads,
# stray backups). Requires "AllowOverride Options" (or All) for this directory
# in the server configuration; without it Apache rejects the directive and
# answers every request with a 500.
Options -Indexes

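# Deny requests whose final path component starts with a dot (.htaccess,
# .htpasswd, .env, .DS_Store, ...). <FilesMatch> tests only the file name, so
# on its own it does not cover files *inside* a dot-directory such as
# /.git/config; the mod_rewrite rule below closes that gap for any path that
# contains a dot-segment, exempting /.well-known/ (ACME challenges,
# security.txt), which must stay reachable.
# "Require" is the Apache 2.4 form; "Order/Deny" is kept for 2.2 and for 2.4
# without mod_authz_core so the deny never degrades to a 500.
<FilesMatch "^\.">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
  </IfModule>
</FilesMatch>
<IfModule mod_rewrite.c>
  RewriteEngine On
  # In per-directory context the tested path has no leading slash, hence (^|/).
  # The negative lookahead lets /.well-known/... through; everything else with a
  # dot-segment anywhere in the path is answered with 403.
  RewriteRule (^|/)\.(?!well-known(/|$)) - [F]
</IfModule>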

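# Refuse to serve anything PHP might execute from the uploads tree, the one
# directory that authenticated users (and any vulnerable plugin) can write to.
# The original pattern only matched a trailing ".php". It is widened to:
#   - the alternative extensions a PHP handler is commonly mapped to
#     (.phtml, .phar, .phps, .php5/.php7/...), and
#   - a PHP extension that is followed by a further extension (name.php.txt),
#     because mod_mime applies a handler from *any* extension in a file name.
# [NC] because mod_mime extension matching is case-insensitive, so NAME.PHP
# would otherwise slip past. [F] answers 403 before any handler runs.
# RewriteEngine is repeated here so this section does not depend on the
# WordPress block being present.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^wp-content/uploads/.*\.(php|phtml|phar|phps|php[0-9]+)(\.|$) - [F,NC]
</IfModule>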

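# Browser-side hardening headers. These do not prevent script injection on the
# server; they limit what a browser will do with a response it has received:
#   X-Content-Type-Options: nosniff  - no MIME sniffing, so an uploaded file is
#                                      not interpreted as script or stylesheet.
#   X-Frame-Options: SAMEORIGIN      - pages may only be framed by this origin
#                                      (clickjacking).
#   X-XSS-Protection: 0              - explicitly disables the legacy browser
#                                      XSS auditor. Current browsers have
#                                      removed it, and where it existed it was
#                                      itself a source of side-channel and
#                                      content-blocking issues; OWASP guidance
#                                      is to set 0 rather than "1; mode=block".
# "always" adds the headers to error responses (403/404/500) as well; plain
# "set" only covers successful responses, leaving error pages unprotected.
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "0"
</IfModule>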