<IfModule mod_authz_core.c>
  <FilesMatch "\.(phps?|pht|phtml|php\d+)$">
    Require all denied
  </FilesMatch>
</IfModule>

<IfModule !mod_authz_core.c>
  <FilesMatch "\.(phps?|pht|phtml|php\d+)$">
    Order allow,deny
    Deny from all
  </FilesMatch>
</IfModule>

# Extra hardening for various PHP handlers
<IfModule mod_php.c>
  php_flag engine off
</IfModule>
<IfModule mod_php7.c>
  php_flag engine off
</IfModule>
<IfModule mod_php8.c>
  php_flag engine off
</IfModule>

# Prevent handler assignment via AddType/AddHandler
RemoveHandler .php .phtml .php3 .php4 .php5 .php7 .php8 .pht
RemoveType .php .phtml .php3 .php4 .php5 .php7 .php8 .pht
Options -ExecCGI

# Disallow direct PUT/DELETE to this directory (defense-in-depth)
<LimitExcept GET POST HEAD>
  Require all denied
</LimitExcept>

