RewriteEngine On

# Force HTTPS
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Prevent Directory Listing
Options -Indexes

# Block Sensitive Files
<FilesMatch "\.(sql|log|env|bak|sh)$">
    Order allow,deny
    Deny from all
</FilesMatch>

<Files "config.php">
    Order allow,deny
    Deny from all
</Files>

<Files "functions.php">
    Order allow,deny
    Deny from all
</Files>

# Block directories
RewriteRule ^cron/ - [F,L]
RewriteRule ^database/ - [F,L]
RewriteRule ^includes/ - [F,L]

# Block common exploits
RewriteRule ^(wp-admin|wp-login|xmlrpc) - [F,L]

# PHP Settings
php_value upload_max_filesize 10M
php_value post_max_size 10M
php_value max_execution_time 60

# Security Headers
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-XSS-Protection "1; mode=block"
    Header set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

# Cache Static Assets
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType image/jpeg "access plus 30 days"
    ExpiresByType image/png "access plus 30 days"
    ExpiresByType image/gif "access plus 30 days"
    ExpiresByType image/webp "access plus 30 days"
    ExpiresByType text/css "access plus 7 days"
    ExpiresByType application/javascript "access plus 7 days"
    ExpiresByType font/woff2 "access plus 1 year"
</IfModule>

# Gzip Compression
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/css application/javascript application/json
</IfModule>

# Error Pages
ErrorDocument 404 /404.php
ErrorDocument 403 /403.php