# EMERGENCY SECURITY FIX
# Block all direct access to PHP files in includes directory

<FilesMatch "\.(php|inc|txt|log)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

# Allow PHP includes but not direct browser access
<FilesMatch "^$">
    Allow from all
</FilesMatch>

# Additional security headers
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options nosniff
    Header always set X-Frame-Options DENY
    Header always set X-XSS-Protection "1; mode=block"
</IfModule>