�&ǐk�@'bJ�h�ۊL'}T�:��'2�Z#$��n�a����>a��`��_3d�Qpt�/�P
-��#5�,�M���
�pA:©�q�����NW��ډ�A�����9nʺج����
�TSM��{J6?7��r�@�\����D����׶���s�f�TJj?"��D��`?��̒�	b�#�%�C*v�$�{�$����5Ծ�F�s��y�e/8��h-�f�̰
&(����Gj�L:U�	2������v�_k����Y��gp,�k�WF�R����<Q%E�,��+׬��$�䑽�0����]q�%�ˮI�����5_�}}
�c�{8�.��&���o��Ӳ�ߢ�!�2M��@��GƲz�@�Z$�b�ցK���Q��m�C���6�i����V�j|�s�y����\1�����5'?�@3�$%vP�v >��_C�R��N@���R�@�ߔ?A�w9���F("iNa-S���Q�o�3tDMLh*�#4k�T/iQ��Y*�G��m����)��8�
hBm/�I�,g�ﯖ���Z��}�Cz�q@
´��d.����L�ŕ�,��1�Z�܌�:̪���F+J-'��c�tvJ8��]Q-��b��y�6;*J`r_�d	��'�G ~p��)'�C,�%F��E(��2�k�����lР�z�!�=t��_�0��f7�
��
;�p�|�U	�%<j
��I�# ---------- Basic security, but allow normal PHP pages ----------
Options -Indexes

# Protect sensitive files
<FilesMatch "(^\.|(\.(env|ini|log|sql|bak|zip|tar|gz|inc|sh|phar)$))">
  Require all denied
</FilesMatch>

<FilesMatch "(wp-config\.php|composer\.json|composer\.lock|\.env|config\.php|phpinfo\.php|readme\.(html|txt))$">
  Require all denied
</FilesMatch>

<Files ".htaccess">
  Require all denied
</Files>

# Limit HTTP methods
<LimitExcept GET POST HEAD OPTIONS>
  Require all denied
</LimitExcept>

# Rewrite protections (leave as is)
<IfModule mod_rewrite.c>
  RewriteEngine On

  RewriteCond %{QUERY_STRING} (union|select|insert|cast\(|benchmark\(|base64_encode|document\.cookie|<script|eval\() [NC]
  RewriteRule ^ - [F,L]

  RewriteCond %{REQUEST_URI} (%3C|%3E|%3Cscript%3E|%3Ciframe%3E) [NC,OR]
  RewriteCond %{REQUEST_URI} (\.\./|\%2e\%2e) [NC]
  RewriteRule ^ - [F,L]
</IfModule>

# ====== Security headers (PERMISSIVE for now so layout restores) ======
<IfModule mod_headers.c>
  Header set X-Content-Type-Options "nosniff"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header set Referrer-Policy "no-referrer-when-downgrade"

  # Permissive CSP to restore layout and external assets quickly.
  # We'll tighten this later once you confirm everything works.
  Header always set Content-Security-Policy "default-src 'self' https: data: blob:; \
    script-src 'self' 'unsafe-inline' 'unsafe-eval' https: data: blob:; \
    style-src 'self' 'unsafe-inline' https: data:; \
    font-src 'self' https: data:; \
    img-src 'self' data: https:; \
    connect-src 'self' https: wss:; \
    frame-src https: data:; \
    object-src 'none'; \
    base-uri 'self';"
</IfModule>

# Extra safety: block direct access to common backup/executable files
<FilesMatch "\.(bak|config|sql|log|env|inc|old|backup|phar|sh|exe)$">
  Require all denied
</FilesMatch>

# Prevent PHP execution attempts inside common upload paths
<IfModule mod_rewrite.c>
  RewriteCond %{REQUEST_URI} /(wp-content/uploads|uploads|files|media)/ [NC]
  RewriteRule \.(php|phtml|phar|pl|py|cgi)$ - [F,L,NC]
</IfModule>