
Using RewriteRule to block certain files

This is not for hotlinking issues


grandma genie

4:54 pm on Feb 2, 2012 (gmt 0)

10+ Year Member



Hi jd and all,

I need to block certain files from being accessed on the server my site is hosted on. I was given these to add to my htaccess file, but I'm not sure if the way they are written is correct. They are:

RewriteRule file\.php - [NC,F]
RewriteRule file2\.zip - [NC,F]

Will that work?

It doesn't look right to me, but maybe these are just much simpler than the ones I am used to. I already have lots of stuff in my htaccess file, so I would be putting these at the end, but just before my #301 redirects.

Grandma

g1smd

5:39 pm on Feb 2, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



It's right but can be simplified:

RewriteRule file2?\.zip - [NC,F]


The 2? makes the 2 optional.

Without anchoring, EVERY request for pages and files will be tested to see if it ends in file.zip or file2.zip.

If these files are in a specific folder you should state that path within the rule, so the rule can be more quickly skipped if it does not apply to the current request.

lucy24

7:50 pm on Feb 2, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Necessary disclaimer: Make sure nothing on your site uses invisible php. If it does, you'll need to check THE_REQUEST so you're only blocking requests from "outside". In my case it was auto-indexing. (You wouldn't think Apache would use anything but, well, itself. But there you are.)

Unless, of course, invisible php is exactly what you are trying to block. Then you've got it made.

grandma genie

11:04 pm on Feb 2, 2012 (gmt 0)

10+ Year Member



No, actually the files have specific names; I was just using file as an example. So, it should work fine. Thank you all.

g1smd

11:11 pm on Feb 2, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



If you include a start anchor and the full path to the file, the rule will be skipped faster for all requests where the rule is not meant to apply.

grandma genie

4:50 am on Feb 3, 2012 (gmt 0)

10+ Year Member



Well, that might be a problem. You see, those files are only potential files. I had someone file-inject those particular files onto my hosted site's server and removed them immediately. But if someone else tries it again, I want them to be null and void, so giving anyone who might access them a forbidden error should do the trick. So, I don't know what the path to the file could potentially be. I'm just including the names of those two files in my htaccess code as a stopgap measure for possible future events.

g1smd

8:11 am on Feb 3, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



For "any folder" use
^([^/]+/)*file\.zip
which reads "any level of folder (not a slash one or more times, followed by slash), the whole, zero or more times".

lucy24

8:18 am on Feb 3, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Giving the full path just saves you a few more nanoseconds. If all you know is the filename, that will do fine. The important thing is to give as much information as possible so mod_rewrite can weed out the non-starters right away.

And take arms against a sea of troubles. Oops.

g1smd

8:02 pm on Feb 3, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



By skipping folder levels with
^([^/]+/)*
you avoid the situation where a request for
blah/blahblah
file
blah<something>
looks like it might match when
f i l e
is seen and then found not to match when it is not followed by a period, but matching has to carry on to the end to be sure there isn't
file.zip
on the end after all.
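An added illustration of the anchoring point made in g1smd's posts above (example code written for this thread, not posted by any participant): it emulates how a RewriteRule pattern is tested against the request path and compares the unanchored pattern with the "any folder" anchored form. The sample request paths are constructed; the trailing `$` variant is an addition not discussed in the thread, included to show that without it the pattern also fires on longer names such as file.zipper.png.

```python
import re

# A RewriteRule pattern is a regex *search* (not a full match) against the
# URL path. In a per-directory .htaccess the path has no leading slash, and
# nothing is anchored unless the pattern says so. [NC] = case-insensitive.
UNANCHORED = re.compile(r"file2?\.zip", re.IGNORECASE)
ANCHORED = re.compile(r"^([^/]+/)*file2?\.zip", re.IGNORECASE)
# Not from the thread: also anchor the end so only the exact filename fires.
EXACT = re.compile(r"^([^/]+/)*file2?\.zip$", re.IGNORECASE)

# Constructed sample request paths (relative to the .htaccess directory).
SAMPLE_PATHS = [
    "file.zip",
    "file2.zip",
    "uploads/2012/File2.zip",    # nested folders, mixed case
    "profile.zip",               # legitimate file that merely ENDS in file.zip
    "images/file.zipper.png",    # legitimate file that merely STARTS with file.zip
    "file.php",                  # covered by the separate file\.php rule, not these
]


def rewriterule_fires(pattern: re.Pattern, rel_path: str) -> bool:
    """True if a RewriteRule with this pattern would apply to rel_path."""
    return pattern.search(rel_path) is not None


def blocked_paths(pattern: re.Pattern, paths: list[str]) -> list[str]:
    """Return the sample paths that the rule would answer with 403 ([F])."""
    return [p for p in paths if rewriterule_fires(pattern, p)]


if __name__ == "__main__":
    for name, pat in (("unanchored", UNANCHORED),
                      ("anchored", ANCHORED),
                      ("exact", EXACT)):
        print(f"{name:10s} blocks: {blocked_paths(pat, SAMPLE_PATHS)}")
```

The unanchored form also forbids profile.zip, which is the kind of collateral block the start anchor avoids in addition to letting mod_rewrite give up on non-matching requests sooner.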

grandma genie

4:14 am on Feb 4, 2012 (gmt 0)

10+ Year Member



This should give me enough information to take a stab at it. Initially, when the files were discovered (same day they were planted), two visitors checked out the one php file according to my logs. Those visitor IPs were from overseas. Once the files were deleted, the visits stopped. Both IPs had the same user agent. The file names are unique. Nothing like them exists on the server now. It was an attempted phishing scheme. Of course, this will only work on a file injection with the same file names. I will be changing passwords more frequently now.