# Never execute scripts from uploads/ — only serve static files (images, etc.).
#
# The <FilesMatch> block below is the real protection and works on EVERY host,
# including PHP-FPM / CGI setups (Namecheap cPanel and most shared hosts).
#
# `php_flag engine off` ONLY works when the classic mod_php module is loaded.
# On PHP-FPM/CGI hosts an unguarded `php_flag` line causes an immediate
# HTTP 500 ("Invalid command 'php_flag'"), so it is guarded by <IfModule> and
# is applied only where mod_php actually exists.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php8.c>
    php_flag engine off
</IfModule>

<FilesMatch "\.(php|phtml|php3|php4|php5|php7|phps|phar|cgi|pl)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
