9366_protect_access

# Protect files and directories from prying eyes.
RedirectMatch 404 "\.(engine|inc|info|install|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)$"
 
# Disallow various other files
RedirectMatch 404 (README\.txt|INSTALL\.txt|CHANGELOG\.txt|COPYRIGHT\.txt|INSTALL\.mysql\.txt|INSTALL\.pgsql\.txt|LICENSE\.txt|MAINTAINERS\.txt|UPGRADE\.txt)
 
# Disallow admin paths
Redirect 404 /admin
Redirect 404 /scripts
Redirect 404 /profile
Redirect 404 /includes
Redirect 404 /cron.php
Redirect 404 /install.php
Redirect 404 /update.php
Redirect 404 /xmlrpc.php
 
# Disallow access to the feed modules import path
Redirect 404 /import
 
# disable direct access to nodes with their canonical URLs
Redirect 404 /node
 
# Protect webform uploads
Redirect 404 /sites/default/files/webform
 
# Protect Taxonomy lists
Redirect 404 /taxonomy
 
# Make any PHP request a 404, except for our 404 page which is PHP and the main index
RewriteCond %{REQUEST_URI} !^/sites/default/themes/themename/404/page-not-found\.php
RewriteCond %{REQUEST_URI} !^/index\.php
RewriteCond %{REQUEST_URI} \.(php)$
RewriteCond %{REQUEST_URI} !^404\.%1$
RewriteRule ^(.*)$ 404.%1 [R=404,L]
 
# All others where a file is missing
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !^/sites/default/files/
RewriteCond %{REQUEST_URI} \.(png|gif|jpe?g|s?html?|css|js|cgi|ico|swf|flv|dll)$
RewriteCond %{REQUEST_URI} !^404.%1$
RewriteRule ^(.*)$ 404.%1 [R=404,L]
 
# Redirect any direct request for index.php and no query string to /
# The no query string part makes sure that clean URLs rewrites are
# not victims because they will have q=something
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^index.php$   / [R=301,L]