You ask:
How does that work ? As far as I can read it, it only specifies not to
rewrite certain urls (using -),
These files are included within the WordPress PHP scripts, so there’s no need to access them in the browser, but notice the rewrite flags.
Here’s some information on the F, L and S flags from the Apache docs:
Using the [F] flag causes the server to return a 403 Forbidden status code to the client.
When using [F], an [L] is implied – that is, the response is returned immediately, and no further rules are evaluated.
The [S] flag is used to skip rules that you don’t want to run. The syntax of the skip flag is [S=N], where N signifies the number of rules to skip (provided the RewriteRule matches). This can be thought of as a goto statement in your rewrite ruleset.
You ask:
and then fails to actually rewrite all other requests.
No, all other HTTP requests that do not match the security rewrites go to the # BEGIN WordPress part.
So let’s check out the number of files affected by these security rewrite rules:
http://example.com/wp-admin/includes/* - 62 PHP files
http://example.com/wp-includes/*.php - 110 PHP files
http://example.com/wp-includes/theme-compat/* - 5 PHP files
http://example.com/wp-includes/js/tinymce/langs/*.php - 0 PHP files
according to my WordPress 3.9.1 install.
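To see how the [F] and [S=N] flags interact, the following Python sketch is an added example (not part of the original answer, and not Apache's code) that walks request paths through the rules in order. The ruleset is assumed to be the include-blocking rules from the WordPress hardening guide, which match the URL patterns listed above; the sample paths are constructed.

```python
import re

# Assumed ruleset: the include-blocking rules from the WordPress hardening
# guide (the answer's own rule block is not shown). Substitution is always "-".
# Columns: pattern, negated (!pattern), forbid ([F], implies [L]), skip ([S=N]).
RULES = [
    (r"^wp-admin/includes/",                   False, True,  0),
    (r"^wp-includes/",                         True,  False, 3),
    (r"^wp-includes/[^/]+\.php$",              False, True,  0),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, True,  0),
    (r"^wp-includes/theme-compat/",            False, True,  0),
]

def evaluate(path):
    """Return (outcome, trace); outcome is 403 or "wordpress" (falls through)."""
    path = path.lstrip("/")   # per-directory rules match without the leading slash
    trace, i = [], 0
    while i < len(RULES):
        pattern, negated, forbid, skip = RULES[i]
        if bool(re.search(pattern, path)) != negated:
            if forbid:
                trace.append(f"rule {i + 1}: [F] -> 403, stop")
                return 403, trace
            trace.append(f"rule {i + 1}: [S={skip}] -> skip next {skip} rules")
            i += skip
        i += 1
    trace.append("no [F] rule fired -> handled by # BEGIN WordPress block")
    return "wordpress", trace

if __name__ == "__main__":
    # Constructed sample request paths.
    for p in ["/wp-admin/includes/file.php", "/wp-includes/version.php",
              "/wp-includes/theme-compat/header.php",
              "/wp-includes/js/jquery/jquery.js", "/wp-login.php",
              "/2014/06/hello-world/"]:
        outcome, trace = evaluate(p)
        print(f"{p:40} {outcome}  ({'; '.join(trace)})")
```

Requests outside wp-includes/ hit the negated second rule, skip the three rules after it, and fall through to the # BEGIN WordPress block untouched.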