# ==================================================
# BEGIN WordPress (DO NOT EDIT)
# ==================================================
<IfModule mod_rewrite.c>
# NOTE(review): WordPress regenerates the lines between its "BEGIN WordPress" and
# "END WordPress" markers when permalink settings are saved, so hand-added rules
# and comments inside this block may be overwritten. Keep custom rules outside it.
RewriteEngine On
RewriteBase /

# Requests that already target index.php are passed through unchanged ("-") and
# rule processing stops ([L]). This does NOT deny access to index.php; it only
# keeps the catch-all rule below from being applied to its own target.
RewriteRule ^index\.php$ - [L]

# Admin trailing slash fix: /wp-admin is redirected (301) to /wp-admin/.
# NOTE(review): this rule is not part of the stock single-site WordPress block;
# confirm it survives the regeneration described above.
RewriteRule ^wp-admin$ wp-admin/ [R=301,L]

# Front controller: a request that does not resolve to an existing file (!-f)
# or directory (!-d) is handed to /index.php. Anything that exists on disk is
# served directly, so this rule gives no protection to files that are present.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# ==================================================
# END WordPress
# ==================================================


# ==================================================
# SECURITY HARDENING (SAFE FOR ROOT)
# ==================================================

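# Access control in this section uses "Require all denied" when mod_authz_core
# (Apache 2.4+) is loaded and falls back to the 2.2 "Order/Deny" form otherwise.
# On 2.4 the 2.2 directives only exist if mod_access_compat is loaded; without
# it the .htaccess fails to parse and every request returns a 500.

# Protect wp-config.php (WordPress's configuration file, which normally holds
# the database credentials and secret keys).
<Files wp-config.php>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</Files>

# Protect .htaccess itself, so the rules in this file cannot be read over HTTP.
<Files .htaccess>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</Files>

# Disable directory browsing: a directory without an index file returns 403
# instead of an auto-generated listing.
# NOTE(review): "Options" in .htaccess needs AllowOverride to permit it; if the
# host does not, this line makes the whole file fail with a 500. Confirm.
Options -Indexes

# Block access to sensitive files.
# The pattern is matched against the file name only and is unanchored apart
# from "^\.": it denies every dotfile, plus any file whose name contains
# wp-config.php, readme.html or license.txt (so wp-config.php.bak is covered).
# NOTE(review): backups named differently (e.g. wp-config.bak, wp-config.old)
# are not matched; keep such copies out of the web root.
<FilesMatch "(^\.|wp-config\.php|readme\.html|license\.txt)">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</FilesMatch>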

# Deny direct HTTP requests for any .php file under wp-includes/ (403 via [F]).
# This acts on the request URL only; it does not stop WordPress from loading
# these files internally.
# The rule depends on "RewriteEngine On" having been set earlier in this file.
# Because it is wrapped in <IfModule>, it is silently skipped when mod_rewrite
# is not loaded, leaving these files reachable. Verify with a test request
# after deployment that a wp-includes/*.php URL really returns 403.
# NOTE(review): the pattern covers every subdirectory of wp-includes. Some
# WordPress versions or setups request PHP files there directly by URL, and the
# rule set in the WordPress hardening guide is narrower for that reason. Test
# the editor and, on multisite, file serving before relying on this.
<IfModule mod_rewrite.c>
RewriteRule ^wp-includes/.*\.php$ - [F,L]
</IfModule>


# ==================================================
# PERFORMANCE (OPTIONAL – SAFE)
# ==================================================

# Browser caching
# When mod_expires is loaded, responses get a cache lifetime counted from the
# time of the request ("access").
<IfModule mod_expires.c>
ExpiresActive On
# Fallback lifetime for every content type that has no rule of its own below.
# NOTE(review): this also applies to HTML generated by WordPress unless the
# response already carries its own Expires header. Confirm that logged-in or
# otherwise personalised pages send no-cache headers, so they are not kept for
# 7 days in a shared browser or an intermediate cache.
ExpiresDefault "access plus 7 days"
# NOTE(review): image/jpg is not a registered media type (image/jpeg is), so
# this line is probably inert. Harmless, but confirm.
ExpiresByType image/jpg "access plus 1 year"
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType image/gif "access plus 1 year"
ExpiresByType text/css "access plus 1 month"
# Only application/javascript is listed; scripts served as text/javascript fall
# under ExpiresDefault above.
ExpiresByType application/javascript "access plus 1 month"
</IfModule>

# GZIP compression
# Compresses responses of the listed text content types when mod_deflate is
# loaded.
# NOTE(review): on Apache 2.4 AddOutputFilterByType is provided by mod_filter,
# which this guard does not test for. Confirm mod_filter is loaded, otherwise
# the directive fails to parse and the site returns 500.
# NOTE(review): text/html is in the list, so dynamic pages are compressed. On
# pages that carry secrets (e.g. CSRF tokens) together with reflected request
# data over TLS, response compression is the precondition for BREACH-class
# side channels. Confirm the application's tokens are per-request or masked.
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/plain text/html text/css text/javascript application/javascript application/json
</IfModule>
