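# ══════════════════════════════════════════════════════════════
#  REQUEST FILTERING (mod_rewrite) — KEEP ABOVE THE WORDPRESS BLOCK
#
#  The WordPress front-controller rule further down ends with [L].
#  In a per-directory (.htaccess) context that stops the current
#  pass, the rewritten URL (/new/index.php) is run through the rules
#  again, and "^index\.php$ - [L]" stops that second pass too. Any
#  RewriteRule placed AFTER the WordPress block therefore only ever
#  runs for requests to files that exist on disk, never for
#  pretty-permalink URLs. Filters that must see every request live
#  here, before that block.
# ══════════════════════════════════════════════════════════════
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /new/

# ── Block common scanner User-Agents (basic bot filtering) ────
# The User-Agent is chosen by the client, so this only deters
# unmodified off-the-shelf scanners; it is not access control.
# Generic tools (curl, wget) are deliberately NOT listed: they are
# used by legitimate automation (wp-cron triggers, uptime monitors)
# and blocking them gains nothing against anyone who sets a UA.
RewriteCond %{HTTP_USER_AGENT} (sqlmap|nmap|nikto|dirbuster) [NC]
RewriteRule .* - [F,L]

# ── Reject obvious script / superglobal injection in the query ─
# Signature-based and only sees the query string, so it catches
# naive probes. Output encoding in the application remains the
# actual XSS defence; this is defence in depth, not the control.
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [NC,OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2}) [NC]
RewriteRule .* - [F,L]

# ── Block dot-files and dot-directories (.git/, .env, .htpasswd) ─
# The <FilesMatch "^\."> further down only sees file BASENAMES, so
# the contents of a dot-directory (e.g. .git/config) would slip past
# it; this path-based rule closes that gap. /.well-known/ is
# exempted because ACME (Let's Encrypt) validation is served there.
RewriteRule (^|/)\.(?!well-known/) - [F,L]

# ── Disable PHP execution under wp-content/uploads ────────────
# Per-directory rewrite matches the decoded, base-stripped path, so
# this also covers the alternative PHP handler extensions, mixed
# case, and a script name followed by PATH_INFO ("x.php/anything"),
# none of which the former "\.php$" pattern caught.
# A more robust variant is a separate .htaccess inside uploads/
# that turns the PHP engine off for that directory; keep this as
# the fallback in case that file is lost.
RewriteRule ^wp-content/uploads/.*\.ph(?:p[0-9]?|tml|ar|t)(?:/|$) - [F,L,NC]
</IfModule>


# ══════════════════════════════════════════════════════════════
#  CUSTOM LOGIN URL — /portal → login.php
#  admin/ is now the real folder name (physically renamed)
#  Nothing in this file blocks direct requests to login.php, so the
#  slug is an alias for convenience, not an access control.
# ══════════════════════════════════════════════════════════════
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /new/

# ── Login slug ────────────────────────────────────────────────
# /portal and /portal/ → login.php (original query string kept by QSA)
RewriteRule ^portal/?$    login.php [L,QSA]
# /portal/<rest> → login.php?<rest>, original query string appended
RewriteRule ^portal/(.*)$ login.php?$1 [L,QSA]

</IfModule>


# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /new/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /new/index.php [L]
</IfModule>

# END WordPress


# ══════════════════════════════════════════════════════════════
#  GENERAL HARDENING (non-rewrite directives; order-independent)
# ══════════════════════════════════════════════════════════════
Options -Indexes

# Access-control syntax differs between Apache 2.2 (Order/Deny,
# needs AllowOverride Limit) and 2.4 (Require, needs AllowOverride
# AuthConfig). On 2.4 the 2.2 form only works while mod_access_compat
# is loaded and otherwise fails the whole .htaccess (HTTP 500), so
# every denial below carries both forms, selected by whether
# mod_authz_core (2.4 only) is present.

# ── Block sensitive files and common backup/editor copies ─────
<FilesMatch "^(readme\.html|license\.txt|wp-config\.php(\.(bak|old|orig|save)|~))$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</FilesMatch>

# ── Protect wp-config.php ─────────────────────────────────────
<Files wp-config.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>

# ── Block direct XML-RPC hits (brute-force vector) ────────────
# <Files> matches the resolved filename, so it does not depend on
# how the path was spelled in the request line and, unlike the
# former RewriteRule, is not affected by rule ordering.
# NOTE: clients that rely on XML-RPC (some mobile apps / plugins)
# will stop working; if one is needed, allow its source with
# "Require ip ..." inside the mod_authz_core branch instead.
<Files xmlrpc.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</Files>

# ── Block Access to Hidden Files (.htaccess, .htpasswd, etc.) ─
# Basename match only; dot-DIRECTORIES are handled by the
# path-based RewriteRule at the top of this file.
<FilesMatch "^\.">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# ── Security Headers ──────────────────────────────────────────
<IfModule mod_headers.c>
    # "always" also stamps 3xx/4xx/5xx responses; plain "Header set"
    # only covers successful ones, so error pages went out unprotected.
    Header always set X-Content-Type-Options "nosniff"
    # The legacy browser XSS auditor has been removed from current
    # browsers; current guidance (OWASP) is to disable it explicitly.
    Header always set X-XSS-Protection "0"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # NOTE: this policy is effectively permissive — "https:" allows any
    # HTTPS origin and 'unsafe-inline'/'unsafe-eval' allow inline and
    # eval'd script, which is exactly what an XSS payload needs. It
    # still forbids plain-http and non-https schemes. frame-ancestors
    # mirrors X-Frame-Options for CSP-aware browsers and base-uri stops
    # <base> hijacking. Tighten by deploying a stricter policy as
    # Content-Security-Policy-Report-Only first, since WordPress
    # themes/plugins commonly depend on inline script.
    Header always set Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self'; base-uri 'self'"
    # Strict-Transport-Security is deliberately not set here: only add
    # it once the site is served exclusively over HTTPS.
</IfModule>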