### Added by Truehost Safety Team ###
# Enforce HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Block consistently compromised paths
RewriteRule ^(arg|22)(/.*)?$ - [F,L]

# BEGIN WordPress
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

# Disable directory browsing
Options -Indexes

# Protect .htaccess and other sensitive files
<FilesMatch "^\.">
    Order allow,deny
    Deny from all
</FilesMatch>

# Block access to wp-config.php
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>

# Prevent PHP execution in uploads
<Directory "/wp-content/uploads/">
    <FilesMatch "\.php$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>

# Prevent PHP execution in wp-includes
<Directory "/wp-includes/">
    <FilesMatch "\.php$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>

# Prevent access to xmlrpc.php if not used
<Files xmlrpc.php>
    Order allow,deny
    Deny from all
</Files>

# Prevent unauthorized access to .htaccess
<Files .htaccess>
    Order allow,deny
    Deny from all
</Files>

# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php83” package as the default “PHP” programming language.
<IfModule mime_module>
  AddHandler application/x-httpd-ea-php83 .php .php8 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit
