# this give internal server error throughout site: <Files ~ "/users/"> Header set X-Robots-Tag "noindex, nofollow" </FilesMatch>
This would give an “internal server error” (500 response) because you’ve used </FilesMatch> to close the <Files> section. It should be </Files>.
But as you suggested, this won’t work anyway, as the <Files> directive matches real files only, not virtual URL-paths.
But you don’t need to set the X-Robots-Tag if you simply want to block (403 Forbidden) the request.
RewriteEngine on RewriteRule ^.*/users/.*$ - [F]
This should work, in order to send a “403 Forbidden” response for any URL that contains /users/ as part of the URL-path, providing you place this at the top of your .htaccess, before the WordPress code block (ie. before the # BEGIN WordPress section).
However, you do not need to repeat the RewriteEngine On directive. And the RewriteRule pattern should be modified to avoid matching /users/ anywhere in the URL-path, otherwise, it could potentially block valid URLs.
Try the following instead at the top of your .htaccess file:
RewriteRule ^forums/users/ - [F]
This blocks any request that simply starts /forums/users/.
Note there is no slash prefix on the RewriteRule pattern.
UPDATE: If this fails to work then make sure you don’t have a custom 403 ErrorDocument defined. If not then this could still be configured in your server config (by your web host), which is out of your control. However, you can still reset this to the default Apache error response in your .htaccess file:
ErrorDocument 403 default
a way to make it go 404 instead, …? I don’t find such a flag for RewriteRule.
You can use the R=404 flag instead of F to trigger a “404 Not Found” response. Whilst this might look like a “redirect”, since it’s using the R (redirect) flag, it’s not an external redirect (which is only triggered for 3xx response codes).
In fact, you can use R=403 instead of F if you wanted to. F is simply a shortcut.