closes #193 - block access to files that show WordPress version

Ben Word
2012-01-02 11:03:16 -07:00
parent bc307aa38f
commit 8c1f18f3da
2 changed files with 14 additions and 1 deletions


@@ -6,6 +6,9 @@
### This contains the HTML5 Boilerplate .htaccess that can be found at:
### github.com/h5bp/html5-boilerplate/blob/master/.htaccess
###
### Added:
### Block access to access to WordPress files that reveal version information.
###
### Commented out by default:
### Expires headers: Use WP Super Cache or W3 Total Cache (unless using the H5BP build script)
### ETag removal: Use WP Super Cache or W3 Total Cache (unless using the H5BP build script)
@@ -494,6 +497,14 @@ AddCharset utf-8 .css .js .xml .json .rss .atom
</FilesMatch>
# Block access to WordPress files that reveal version information.
<FilesMatch "^(wp-config\.php|readme\.html|license\.txt)">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
# If your server is not already configured as such, the following directive
# should be uncommented in order to set PHP's register_globals option to OFF.
# This closes a major security hole that is abused by most XSS (cross-site
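Review bot: The new `<FilesMatch "^(wp-config\.php|readme\.html|license\.txt)">` block compares names case-sensitively, so on a case-insensitive filesystem a differently cased request such as `README.html` would presumably not match and the file would still be served; `<FilesMatch "(?i)^(wp-config\.php|readme\.html|license\.txt)">` covers that. The missing `$` is useful, since the pattern then also catches leftovers like `wp-config.php.bak`, and it deserves a comment saying so. The comment line above the block only mentions version information, while `wp-config.php` is blocked because it holds credentials, so `# Block access to wp-config.php and to WordPress files that reveal version information.` would be more accurate. `Order`, `Deny` and `Satisfy` are Apache 2.2 access directives; on 2.4 they need mod_access_compat, which is worth stating next to the block. The header comment added in the first hunk repeats "access to".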


@@ -68,6 +68,7 @@ if (stristr($_SERVER['SERVER_SOFTWARE'], 'apache') !== false) {
}
}
// add the contents of h5bp-htaccess into the .htaccess file
function roots_add_h5bp_htaccess($rules) {
global $wp_filesystem;
@@ -80,6 +81,7 @@ if (stristr($_SERVER['SERVER_SOFTWARE'], 'apache') !== false) {
}
add_filter('mod_rewrite_rules', 'roots_add_h5bp_htaccess');
}
?>
?>