# Admin area – only PHP files are served; all others are blocked.
# Authentication is handled by admin/auth.php (PHP session), NOT HTTP Basic Auth,
# so no AuthType directive is needed here.
Options -Indexes

# Deny access to everything by default, then selectively allow PHP files
<FilesMatch "\.php$">
    Require all granted
</FilesMatch>

# Deny everything that is NOT a .php file
# (negative lookahead: matches any filename that does not end in .php)
<FilesMatch "^(?!.*\.php$).*$">
    Require all denied
</FilesMatch>