且构网

Sharing the things programmers run into in development...

Deny direct access to all .php files except index.php

Updated: 2023-02-19 21:44:45

Are you sure you want to do that? Even css and js files and images and ...?

OK, first check if mod_access is installed in Apache, then add the following to your .htaccess:

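# Default: deny everyone except the local host
Order Deny,Allow
Deny from all
Allow from 127.0.0.1

# <Files> matches the file name only, so no leading slash
<Files "index.php">
    Order Allow,Deny
    Allow from all
</Files>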

The first directive forbids access to any files except from localhost; because of Order Deny,Allow, Allow gets applied later. The second directive only affects index.php.

Caveat: No space after the comma in the Order line.

To allow access to files matching *.css or *.js use this directive:

# Dot escaped so only names ending in .css or .js match
<FilesMatch "\.(css|js)$">
    Order Allow,Deny
    Allow from all
</FilesMatch>

You cannot use directives for <Location> or <Directory> inside .htaccess files, though.

Your option would be to use <FilesMatch "\.php$"> around the first allow,deny group and then explicitly allow access to index.php.

Update for Apache 2.4: This answer is correct for Apache 2.2. In Apache 2.4 the access control paradigm has changed, and the correct syntax is to use Require all denied.
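
The Apache 2.4 form of the rules above, restricted to .php files as the last suggestion describes. This is an added example, not part of the original answer; it assumes mod_authz_core and mod_authz_host are loaded and that the server config grants AllowOverride AuthConfig for this directory.

```apache
# .htaccess for Apache 2.4 (added example).
# Do not mix these with Order/Allow/Deny in the same scope: those are
# handled by mod_access_compat and combining the two styles is error-prone.

# 1. Every file whose name ends in .php is reachable from the local host only.
#    2.2 equivalent: Order Deny,Allow / Deny from all / Allow from 127.0.0.1
#    Use "Require all denied" instead to block local requests as well.
<FilesMatch "\.php$">
    Require ip 127.0.0.1
</FilesMatch>

# 2. Re-open the single public entry point.
#    <Files> and <FilesMatch> sections are merged in the order they appear,
#    so this later section replaces the restriction from step 1 for index.php.
#    <Files> compares against the file name only (no leading slash), which
#    means it also matches index.php in every subdirectory below this one.
<Files "index.php">
    Require all granted
</Files>

# Caveat: the pattern in step 1 covers only the .php extension. If the server
# maps other extensions to the PHP handler, add them to the pattern, otherwise
# those files stay directly reachable.
```

After deploying, request a non-index .php file and index.php from a remote client and confirm the first returns 403 and the second 200.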