Block access to backup and source files. The script below, placed in .htaccess, tells the server to look for files with any of these extensions: [filename].config, [filename].sql, [filename].bak and so on, and to deny requests for such files. The server returns a 403 Forbidden error instead.
<FilesMatch "(\.(config|sql|bak|ini|log|sh|inc)|~)$">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>
For extra security we should block access to the WordPress readme.html file and other default WordPress files which publicly display your current WordPress version number. Rather than deleting these files, it’s better to add the following directive to our .htaccess file to block public access to these files.
<FilesMatch "^(wp-config\.php|readme\.html|readme\.txt|license\.txt)">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>
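The Order, Deny and Satisfy directives used above are Apache 2.2 syntax; on Apache 2.4 they only work when mod_access_compat is loaded. The following is an added example, not part of the original post, that keeps the same two patterns and selects the right directives for either version. It assumes a 2.4 server has mod_authz_core available.

```apache
# Added example: both rules from this page, portable across Apache 2.2 and 2.4.
# The FilesMatch patterns are unchanged; only the access directives differ.

# Backup, dump, config, log and script files, plus editor backups ending in "~"
<FilesMatch "(\.(config|sql|bak|ini|log|sh|inc)|~)$">
    # Apache 2.4 and later (mod_authz_core present)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (no mod_authz_core): the directives used on this page
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
        Satisfy All
    </IfModule>
</FilesMatch>

# wp-config.php and the default WordPress files that reveal the version
<FilesMatch "^(wp-config\.php|readme\.html|readme\.txt|license\.txt)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
        Satisfy All
    </IfModule>
</FilesMatch>
```

After deploying, request one file from each group (for example readme.html) and confirm the response status is 403. FilesMatch patterns are case-sensitive, so check the exact file names present on the server.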