If your php script includes files that are very sensitive and should not be accessed by anyone, you can deny access with this htaccess rule set. Just place this in your htaccess file at the top most directory that you want to protect:

Warning: Make a backup of your .htaccess file first. If things go wrong, you won’t leave your site disabled due to a typo.

This code should go near the top of your htaccess file. I like to use block statements first to save processing time later.

This particular rule set denies access to the very important file, wp-config.php. Although WordPress and PHP has built in rules to avoid exposing this code, this extra precaution protects it.

We are also denying access to xmlrpc.php. Attacks are on the rise against this file, so if you are not using this feature, deny access to it and protect your site/server.

Example below defines how to block two file names from the world, but allow one IP address to access.

order deny,allow
deny from all
allow from 152.225.158.8

Another example:

order allow,deny
deny from all