### Added by Truehost Safety Team ###
# Enforce HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Block consistently compromised paths
RewriteRule ^(arg|22)(/.*)?$ - [F,L]

# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

# Disable directory browsing
Options -Indexes

# Protect .htaccess and other sensitive files
<FilesMatch "^\.">
    Order allow,deny
    Deny from all
</FilesMatch>

# Block access to wp-config.php
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>

# Prevent PHP execution in uploads
<Directory "/wp-content/uploads/">
    <FilesMatch "\.php$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>

# Prevent PHP execution in wp-includes
<Directory "/wp-includes/">
    <FilesMatch "\.php$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>

# Prevent access to xmlrpc.php if not used
<Files xmlrpc.php>
    Order allow,deny
    Deny from all
</Files>

# Prevent unauthorized access to .htaccess
<Files .htaccess>
    Order allow,deny
    Deny from all
</Files>
