.htaccess

# BEGIN wp-secure-deploy
# Disallow access to htaccess, wordpress config and xmlrpc
<FilesMatch "^(\.htaccess|\.htpasswd|wp-config\.php|xmlrpc\.php)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

# Protect sensitive files
<FilesMatch "^(\.bashrc|sftp\.json|sftp-config\.json|sftp-settings\.json|\.deploy\.json)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

# Disable directory browsing
Options -Indexes

# Block access to wp-includes
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=2]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]

    # Protect dev folders
    RewriteRule \.(git|svn|vscode|idea)(/.*)?$ - [F,NC]
</IfModule>
# END wp-secure-deploy