Hardening wordpress: blocking /includes with htaccess

You ask:

How does that work ? As far as I can read it, it only specifies not to
rewrite certain urls (using -),

These files are included within the WordPress PHP scripts, so there’s no need to access them in the browser, but notice the rewrite flags.

Here’s some information on the F, L and S flags from the Apache docs:

Using the [F] flag causes the server to return a 403 Forbidden status
code to the client.

When using [F], an [L] is implied – that is, the response is returned
immediately, and no further rules are evaluated.

The [S] flag is used to skip rules that you don’t want to run. The
syntax of the skip flag is [S=N], where N signifies the number of
rules to skip (provided the RewriteRule matches). This can be thought
of as a goto statement in your rewrite ruleset.

You ask:

and then fails to actually rewrite all other requests.

no, all other HTTP requests, that do not match the security rewrites, go to the # BEGIN WordPress part

So let’s check out the number of files affected by these security rewrite rules:

http://example.com/wp-admin/includes/*                 -  62 PHP files
http://example.com/wp-includes/*.php                   - 110 PHP files
http://example.com/wp-includes/theme-compat/*          -   5 PHP files
http://example.com/wp-includes/js/tinymce/langs/*.php  -   0 PHP files

according to my WordPress 3.9.1 install.

tech