Issue #1587270 by klausi, greggles, sun: Forbid execution of PHP files in subfolders by default (except those needed by core).

.htaccess

@@ -126,17 +126,20 @@ DirectoryIndex index.php index.html index.htm
   RewriteCond %{REQUEST_URI} !=/favicon.ico
   RewriteRule ^ index.php [L]
 
-  # If this is a production site you may want to forbid access to PHP files in
-  # subfolders for security reasons. If you need to directly execute PHP files
-  # in a module or want to run another PHP application somewhere in your
-  # docroot tree you might want to modify this. Uncomment the following two
-  # lines to only allow PHP files in the webroot and in "/core":
-  # RewriteCond %{REQUEST_URI} !^/core/[^/]*\.php$
-  # RewriteRule "^.+/.*\.php$" - [F]
-  # Example for allowing just one PHP file of statistics module:
-  # RewriteCond %{REQUEST_URI} !^/core/[^/]*\.php$
-  # RewriteCond %{REQUEST_URI} !^/core/modules/statistics/statistics.php$
-  # RewriteRule "^.+/.*\.php$" - [F]
+  # For security reasons, deny access to other PHP files on public sites.
+  # Note: The following URI conditions are not anchored at the start (^),
+  # because Drupal may be located in a subdirectory. To further improve
+  # security, you can replace '!/' with '!^/'.
+  # Allow access to PHP files in /core (like update.php or install.php):
+  RewriteCond %{REQUEST_URI} !/core/[^/]*\.php$
+  # Allow access to test-specific PHP files:
+  RewriteCond %{REQUEST_URI} !/core/modules/system/tests/https?.php$
+  # Allow access to Statistics module's custom front controller.
+  # Copy and adapt this rule to directly execute PHP files in contributed or
+  # custom modules or to run another PHP application in the same directory.
+  RewriteCond %{REQUEST_URI} !/core/modules/statistics/statistics.php$
+  # Deny access to any other PHP files that do not match the rules above.
+  RewriteRule "^.+/.*\.php$" - [F]
 
   # Rules to correctly serve gzip compressed CSS and JS files.
   # Requires both mod_rewrite and mod_headers to be enabled.