# =====================================
# SEGURIDAD BÁSICA (ESTABLE)
# =====================================

# Ocultar listado de directorios
Options -Indexes

# Proteger archivos sensibles
<Files wp-config.php>
    Require all denied
</Files>

<Files .htaccess>
    Require all denied
</Files>

# Bloquear acceso a archivos ocultos (.git, .env, etc.)
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Bloquear xmlrpc (ataques comunes)
<Files xmlrpc.php>
    Require all denied
</Files>

# =====================================
# HEADERS DE SEGURIDAD
# =====================================
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

# =====================================
# REGLAS WORDPRESS (OFICIALES)
# =====================================
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On

# Mantener autorización (importante para APIs)
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

RewriteBase /
RewriteRule ^index\.php$ - [L]

# Si no es archivo ni carpeta → enviar a WordPress
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# =====================================
# PHP (cPanel - mantener)
# =====================================
<IfModule mime_module>
  AddHandler application/x-httpd-ea-php81___lsphp .php .php8 .phtml
</IfModule>

# =====================================
# LITESPEED (compatible)
# =====================================
<IfModule Litespeed>
    SetEnv noabort 1
</IfModule>