<FilesMatch> directive ignored in Apache httpd.conf - wordpress

So I tried using this in the httpd.conf, at the bottom of the config file. My goal is to have this rule whitelist the WordPress admin to certain IP addresses. We have quite a few installs on the server and want to protect this. However, when placed there, it doesn't recognize the rule and overlooks it completely. I've tested it in a virtual host's .htaccess file to verify the code is working:
<FilesMatch "^wp\-login">
order deny,allow
deny from all
allow from 1.2.3.4
</FilesMatch>
Any help is appreciated. Bonus points if someone can get it to redirect the user elsewhere as well. Thanks.

Use this directive and try:
<Files wp-admin.php>
Order allow,deny
Deny from all
</Files>
or
<Files wp/-admin.php>
Order allow,deny
Deny from all
</Files>

Related

.htaccess: Why I can't restrict access to certain file extensions?

I've tried a couple of solutions and for some reason I can't restrict access to files with specific extensions. I use WordPress and I want to restrict access to all OTF/TTF/WOFF/WOFF2 files that are uploaded in wp-content/uploads/2022/month_name folders (basically, I'd like to restrict access to the whole /uploads/ folder with all subfolders). It's on Apache 2.4/PHP 8.0.
I tried this and it doesn't work:
<FilesMatch "\.(otf|ttf|woff|woff2)$">
Order Deny,Allow
Allow from all
</FilesMatch>
And this one:
RedirectMatch 403 ^wp-content/uploads/2022/11/.+\.(otf|ttf|woff|woff2)$ [F,L,NC]
RedirectMatch 403 ^wp-content/uploads/2022/10/.+\.(otf|ttf|woff|woff2)$ [F,L,NC]
Allow from all is wrong: it will allow those files with the specified extensions. You need to use Deny from all to restrict access.
So the correct code will be this:
<FilesMatch "\.(otf|ttf|woff|woff2)$">
Order Deny,Allow
Deny from all
</FilesMatch>

htaccess Restrict wordpress login by IP does not work

I'm trying to restrict WordPress login by IP, but for some reason the "allow from" does not work.
I have restarted my server and it still seems not to work. Any ideas? (My IP is static.) I always get a 403 error.
<Files wp-login.php>
Order deny,allow
deny from all
allow from MyIP
</Files>
What happened was that my WordPress was behind a load balancer, and the IP shown was the load balancer's.
So I added an X-Forwarded-For (HTTP header) check to fix it.
<Files wp-login.php>
Order deny,allow
Deny from all
SetEnvIf X-Forwarded-For "myIP" env_allow_1
Allow from env=env_allow_1
</Files>
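The fix above keys the allow rule on the X-Forwarded-For header. Two caveats matter when doing that: the header is written by whoever sends the request, so it is only meaningful when the last hop was your own load balancer, and SetEnvIf performs an unanchored regular-expression search, so a pattern such as 1.2.3.4 also matches a header containing 11.2.3.45. The following Python is an added example, not code from the post: it derives the client address by walking the header chain from the right past a trusted proxy range (10.0.0.0/8 is an assumption made for the example) and then matches that address exactly against an allow list. All addresses in it are constructed.

```python
"""Deriving a trustworthy client address from X-Forwarded-For.

Added example, not code from the post above. TRUSTED_PROXIES is an assumed
load balancer range; replace it with the real one.
"""
import ipaddress
import re

TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]   # assumption for the example


def is_trusted(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff_header):
    """Return the address the nearest trusted proxy saw, or None if unknowable.

    remote_addr is the TCP peer Apache itself saw; xff_header is the header
    value, comma separated, oldest hop on the left."""
    if not is_trusted(remote_addr):
        return remote_addr          # direct connection: the header is unverifiable, ignore it
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):      # the right-most entry was appended by remote_addr
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return None             # malformed entry: refuse rather than guess
        if not is_trusted(hop):
            return hop
    return None                     # only trusted proxies in the chain: no client address


def admin_allowed(remote_addr: str, xff_header, allow_list) -> bool:
    """Exact (not substring) allow-list check on the derived client address."""
    ip = client_ip(remote_addr, xff_header)
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in allow_list)


def setenvif_style_match(xff_header, pattern: str) -> bool:
    """What 'SetEnvIf X-Forwarded-For "pattern"' does: an unanchored regex search."""
    return re.search(pattern, xff_header or "") is not None
```

In Apache 2.4 the same derivation can be done by the server with mod_remoteip (RemoteIPHeader X-Forwarded-For together with RemoteIPInternalProxy for the load balancer's range), after which Allow from or Require ip see the real client address and no SetEnvIf trick is needed. If the SetEnvIf form is kept, the pattern should at least escape the dots and be anchored to a whole header entry.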

WordPress single IP allow wp-admin access

In WordPress, my network team restricted the wp-admin folder to a single IP. So my admin-ajax.php AJAX calls are 403 Forbidden for end users. Is there a solution to allow everyone to access this?
Step 1: restrict the wp-admin folder file-wise, and allow the admin-ajax file.
Step 2: Is any other method available to make AJAX calls without the admin-ajax file?
Are any of these possible?
If you want to allow access to a folder by IP, then add the code below to your .htaccess file.
<Directory /path/to/the/folder>
Options +Indexes
IndexOptions +FancyIndexing
Order deny,allow
Deny from all
Allow from X.X.X.X
</Directory>
For a specific file, add the code below:
<Files file-name.php>
Order deny,allow
Deny from all
Allow from X.X.X.X
</Files>
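The three questions above (the ignored <FilesMatch>, the font extensions, and the wp-admin folder with an admin-ajax.php exception) all come down to how Apache merges <Directory>, <Files> and <FilesMatch> sections for a request and then evaluates Order, Allow and Deny. The following Python is an added example, not code from any of the posts: a small evaluator that parses such sections from a constructed configuration string and returns the access decision for a request. The sample rules, paths and addresses in it are constructed for illustration.

```python
"""Toy evaluator for Apache 2.2-style Order / Allow / Deny access control.

Added example, not code from any post above: parses <Directory>, <Files> and
<FilesMatch> sections and merges them per request as Apache does (matching
<Directory> sections shortest path first, then <Files>/<FilesMatch> in config
order; a section with access directives replaces the earlier set entirely).
Hostnames, CIDR, <Location>, .htaccess and Apache 2.4 'Require' are not modelled.
"""
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r'<(Directory|Files|FilesMatch)\s+"?([^">]+?)"?\s*>', re.I)


@dataclass
class Section:
    kind: str                        # "directory", "files" or "filesmatch"
    arg: str                         # filesystem path, file name or regex
    order: str = "deny,allow"        # Apache's default Order
    allow: list = field(default_factory=list)
    deny: list = field(default_factory=list)
    has_access_rules: bool = False   # set once any Order/Allow/Deny is seen


def parse(config: str) -> list:
    sections, cur = [], None
    for line in (raw.strip() for raw in config.splitlines()):
        if not line or line.startswith("#"):
            continue
        if m := SECTION_RE.fullmatch(line):
            cur = Section(m.group(1).lower(), m.group(2))
            sections.append(cur)
        elif line.startswith("</"):
            cur = None
        elif cur is not None:
            parts = line.split(None, 2)          # e.g. ["Allow", "from", "1.2.3.4 5.6.7.8"]
            key = parts[0].lower()
            if key == "order":
                cur.order, cur.has_access_rules = parts[1].lower(), True
            elif key in ("allow", "deny") and len(parts) == 3:
                getattr(cur, key).extend(parts[2].split())
                cur.has_access_rules = True
            # Options, Require, SetEnvIf and other directives are ignored by this model
    return sections


def host_matches(spec: str, client_ip: str, env: frozenset) -> bool:
    """One 'from' argument: all, env=VAR, a full address or a dotted prefix."""
    low = spec.lower()
    if low == "all":
        return True
    if low.startswith("env="):
        return spec[4:] in env
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,3}", spec):      # "1.2.3.4", or "10.0.0" = 10.0.0.*
        return client_ip == spec or client_ip.startswith(spec + ".")
    return False                                             # hostnames need DNS: not modelled


def applies(sec: Section, fs_path: str) -> bool:
    name = fs_path.rsplit("/", 1)[-1]
    if sec.kind == "directory":
        return fs_path.startswith(sec.arg.rstrip("/") + "/")
    if sec.kind == "files":
        return name == sec.arg
    return re.search(sec.arg, name) is not None


def effective_section(sections: list, fs_path: str):
    """Last matching section that carries access rules wins."""
    matching = [s for s in sections if applies(s, fs_path)]
    ordered = (sorted((s for s in matching if s.kind == "directory"), key=lambda s: len(s.arg))
               + [s for s in matching if s.kind != "directory"])
    return next((s for s in reversed(ordered) if s.has_access_rules), None)


def is_allowed(config: str, fs_path: str, client_ip: str, env: frozenset = frozenset()) -> bool:
    sec = effective_section(parse(config), fs_path)
    if sec is None:
        return True                   # no access rules anywhere: open
    allowed = any(host_matches(a, client_ip, env) for a in sec.allow)
    denied = any(host_matches(d, client_ip, env) for d in sec.deny)
    if sec.order == "deny,allow":
        return allowed or not denied  # open by default; a matching Allow beats Deny
    return allowed and not denied     # allow,deny: closed by default; Deny beats Allow


# Constructed sample mirroring the rules discussed in the questions above.
SAMPLE_CONFIG = r"""<Directory /var/www/html/wp-admin>
    Order deny,allow
    Deny from all
    Allow from 5.6.7.8
</Directory>
<Files admin-ajax.php>
    Order deny,allow
    Allow from all
</Files>
<FilesMatch "^wp\-login">
    Order deny,allow
    Deny from all
    Allow from 1.2.3.4
</FilesMatch>
<FilesMatch "\.(otf|ttf|woff|woff2)$">
    Order Deny,Allow
    Deny from all
</FilesMatch>
"""
```

Points worth checking with it: under Order deny,allow, Deny from all plus Allow from <address> admits only that address; a <Files> section is applied after the enclosing <Directory>, so a Files block with its own rules for admin-ajax.php replaces the directory-wide deny; and an Order allow,deny block that contains only Deny from all (the pattern in the first answer) rejects every client, the administrator's address included, because nothing matches an Allow. On Apache 2.4 these directives are provided by the legacy mod_access_compat module; the native form is Require all denied together with Require ip <address>.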

Apache Basic Auth seems to override File access restrictions set in .htaccess

I have setup a virtual host with Basic Auth.
<Directory ~ "^/home/www/.*/">
Options Indexes MultiViews FollowSymLinks
AllowOverride All
Order allow,deny
DirectoryIndex index.html index.php
AuthType Basic
AuthName "HALMA"
AuthUserFile /usr/local/apache/passwd/passwords
Require valid-user
Allow from 10.0.0
Satisfy Any
</Directory>
<Files ~ "\.(htaccess|inc|tpl)$">
Order deny,allow
Deny from all
</Files>
(The Files section could be in a .htaccess too; same effect.)
Now .htaccess, .inc and .tpl files are accessible if the user authenticates successfully via Basic Auth, which is not the intended behavior. The file restrictions should always be active, preventing any user from accessing critical files, logged in or not.
I tried moving the Files section from the vhost config to .htaccess and vice versa, and commenting out the 10.0.0.
If I comment out the whole Auth stuff, it works.
I would be glad if someone could point me in the right direction.
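The behaviour described above is what Apache's per-directory configuration merging produces. The following Python is an added example, not code from the post: it models only the relevant part, namely that the <Files> section's own Order/Deny/Allow replaces the <Directory> host rules, while AuthType/Require and Satisfy, which the <Files> block does not set, are inherited from the <Directory>. With Satisfy Any inherited, a request for a .inc file is granted as soon as Basic Auth succeeds. The model also tries the assumed fix of adding Satisfy All inside the <Files> block; the paths and addresses are constructed.

```python
"""Why a <Files> deny is bypassed by Basic Auth under an inherited 'Satisfy Any'.

Added example, not code from the post above. Each policy dict lists only the
directives that section sets; 'hosts' holds the 'Allow from' specs, and ()
stands for 'Deny from all' with no Allow at all.
"""
import re

DIRECTORY = {"hosts": ("10.0.0",), "auth": True, "satisfy": "any"}  # the <Directory> block
FILES_AS_POSTED = {"hosts": ()}                                     # Order deny,allow / Deny from all
FILES_FIXED = {"hosts": (), "satisfy": "all"}                       # same, plus Satisfy All (assumed fix)

PROTECTED_RE = re.compile(r"\.(htaccess|inc|tpl)$")                 # the <Files ~ "..."> pattern


def merge(base: dict, overlay: dict) -> dict:
    """The later section wins for directives it sets; everything else is inherited."""
    merged = dict(base)
    merged.update(overlay)
    return merged


def effective_policy(path: str, files_policy: dict) -> dict:
    """<Files> sections are merged on top of the enclosing <Directory> section."""
    name = path.rsplit("/", 1)[-1]
    return merge(DIRECTORY, files_policy) if PROTECTED_RE.search(name) else dict(DIRECTORY)


def host_ok(policy: dict, client_ip: str) -> bool:
    specs = policy.get("hosts", ("all",))       # no host rules at all: open
    return any(s == "all" or client_ip == s or client_ip.startswith(s + ".") for s in specs)


def access(policy: dict, client_ip: str, authenticated: bool) -> bool:
    host = host_ok(policy, client_ip)
    auth_required = policy.get("auth", False)
    if policy.get("satisfy", "all") == "any":
        # Satisfy Any: passing the host check OR authenticating (when Require is set) is enough
        return host or (auth_required and authenticated)
    # Satisfy All (the default): the host check must pass AND auth, if required, must pass
    return host and (authenticated or not auth_required)


def request(path: str, client_ip: str, authenticated: bool, files_policy: dict = FILES_AS_POSTED) -> bool:
    return access(effective_policy(path, files_policy), client_ip, authenticated)
```

With the posted configuration, request("/home/www/site/db.inc", "8.8.8.8", authenticated=True) is granted, and the LAN allow no longer matters for those files because the Files block replaced the host rules (so commenting out the 10.0.0 line changes nothing, as observed). With Satisfy All inside the <Files> block the same request is refused regardless of authentication. On Apache 2.4 with mod_authz_core the equivalent is expressed with <RequireAll>/<RequireAny>, where a Require all denied inside the <Files> section cannot be satisfied by authentication.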

Denying access to wp-config.php in WordPress

The WordPress article Hardening WordPress suggests that the following can be used in .htaccess to deny access to anyone surfing for wp-config.php:
<files wp-config.php>
order allow,deny
deny from all
</files>
My question: considering my file permissions for wp-config.php are set at 0600, why is adding this code necessary?
