Yes, No or Maybe So for this Ver of Reg Expression Denied in htaccess

Webwork

9:00 pm on Jan 26, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month

I just upgraded VPS to Apache 2.4. I'm learning new things all the time, such as "Read about the potential consequences of making upgrade BEFORE upgrading". Hmmm . . Old dog, new tricks? Nah, never read the instructions . . for things with wheels, nuts or bolts.

I'm looking to shrink my htaccess directives for a WordPress site. I understand that if I use FilesMatch that I can then use . . scary (to me) . . REGULAR EXPRESSIONS! (What the heck is "regular" about machine language(s)?)

I think the first two entries are correctly formed. I'm just not certain (even after searching) how (or if) I can add the .htaccess file "denied" to the same line. Do I have to ./htaccess or some other variant? Am I utterly clueless? C'est la vie!

Here's my first attempt:

<FilesMatch "wp-config\.php|xmlrpc\.php\.htaccess">
Require all denied
</FilesMatch>

Good? Bad? Thx

lucy24

9:48 pm on Jan 26, 2016 (gmt 0)

What the heck is "regular" about machine language(s)?

Best guess: they're using the term in its strict etymological sense of "follows rules".

I'd make a couple of separate envelopes-- same as in 2.2. One of them would say
<FilesMatch ^\.>
or, if you must,
<FilesMatch ^\.ht>
and then the other would be
<FilesMatch ^(wp-config|xmlrpc)\.php>

I think it's really just as efficient for the server to check twice, especially if the Files(Match) envelopes themselves are located in an htaccess file, meaning that the RegEx has to be compiled all over again every time. But if it is in htaccess, surely the config file itself already blocks all access to files in .ht ? That would be inherited straight down the line unless you've got something like <Files *> which I frankly would never do.

Your "first attempt" is missing a | pipe, which I'll bet you noticed five seconds after the Edit Post deadline passed. Is that copy-and-paste or did it get lost in typing the post?

not2easy

11:40 pm on Jan 26, 2016 (gmt 0)

Or you can change file permissions (the old chmod ploy) to safeguard those files. If you don't need to post remotely xmlrpc is just a magnet for problems. There are plugins to disable it also.

keyplyr

12:18 am on Jan 27, 2016 (gmt 0)

RewriteRule xmlrpc - [F]

works for me :)

FYI - the newer builds of WP will not call xmlrpc. If this request is coming through a server port, it is absolutely an exploit probe. Make sure you have the latest version of WP.

lucy24

1:11 am on Jan 27, 2016 (gmt 0)

RewriteRule ^xmlrpc - [F]

Put in an opening anchor and the server will get out of there a few nanoseconds sooner ;) Or at least a \b. Generally they're at the root, though I sometimes find the request attached to real file or directory names. (That is: real and specific to my site, not just random blind luck.)

I've recently started returning hard-coded 404s [R=404] * for various specific requests. This is the same response an out-of-the-blue visitor would eventually receive from an unprotected site, since we're talking about files that genuinely don't exist, but this way the server doesn't have to go physically look. The visitor doesn't know the difference. My reasoning is that some robots may give up sooner if they've established that the files aren't there, while a lockout will just make them suspicious.

:: detour to see what I've got ::

Anything in .php except {handful of actual php URLs}. Anything in /includes, ditto. (My bad for using this directory name at all; changing it would require replacing every single html file, which kinda blows the point of having includes in the first place.) Anything containing the element \bwp\b or "admin". I've also got a 404 on requests for one directory's 410 page; I never pinned down the error that caused the bingbot to ask for it by name, but a 404 is the only way to prevent an infinite loop**.


* A supplementary [L] will do no harm, but isn't needed when the R leads to something outside the 300 range.
** %{THE_REQUEST} means only "what the visitor originally asked for", not "the immediate reason for the server request at this precise nano-instant". Darn it.

keyplyr

2:31 am on Jan 27, 2016 (gmt 0)

Put in an opening anchor
Thanks for the suggestion but "xmlrpc" is not always at the start or stand alone. Sometimes this term is buried inside a larger term, example "sunxmlrpcrp." There are several variations of the WP plugin, some archaic, some current. The current versions are considered security risks and the newer builds of WP do not support them, at least in that vernacular.

My actual code is multi-layer, encompassing several conditions and many UA attributes.
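As an added check that is not part of any post in the thread: the script below runs each pattern the posters discuss (Webwork's first attempt, lucy24's two envelopes and her anchored rule, keyplyr's unanchored rule) over constructed file and path names, using Python's re as a stand-in for Apache's PCRE, which agrees for patterns this simple. It assumes, as Apache documents, that FilesMatch tests the base file name, that RewriteRule in an .htaccess tests the URL path relative to that directory, and that both use an unanchored search unless the pattern carries ^ or $.

```python
import re

# Added check, not code from the thread: runs the regexes the posters discuss
# against constructed names, using Python's re as a stand-in for Apache's PCRE
# (the two agree for patterns this simple). FilesMatch tests the base file name
# and RewriteRule in an .htaccess tests the URL path relative to that directory;
# both use an unanchored search unless the pattern itself carries ^ or $.

FILESMATCH_FIRST_ATTEMPT = r"wp-config\.php|xmlrpc\.php\.htaccess"  # OP's, missing a pipe
FILESMATCH_FIXED = r"wp-config\.php|xmlrpc\.php|\.htaccess"         # one pipe per alternative
FILESMATCH_DOTFILES = r"^\."                                         # lucy24's first envelope
FILESMATCH_PHP = r"^(wp-config|xmlrpc)\.php"                         # lucy24's second envelope

REWRITE_UNANCHORED = r"xmlrpc"    # keyplyr's rule
REWRITE_ANCHORED = r"^xmlrpc"     # lucy24's opening anchor
REWRITE_BOUNDARY = r"\bxmlrpc"    # the word-boundary variant lucy24 mentions

# Constructed sample names; the .bak, .htpasswd and "sunxmlrpcrp" entries probe the edge cases.
FILES = ["wp-config.php", "xmlrpc.php", ".htaccess", ".htpasswd", "index.php", "wp-config.php.bak"]
PATHS = ["xmlrpc.php", "sunxmlrpcrp.php", "blog/xmlrpc.php", "index.php"]


def denied_by(pattern, names):
    """Return the names an unanchored search with `pattern` matches, in input order."""
    rx = re.compile(pattern)
    return [n for n in names if rx.search(n)]


def report():
    """Map each pattern to what it would deny, over the sample sets above."""
    return {
        "first attempt": denied_by(FILESMATCH_FIRST_ATTEMPT, FILES),
        "fixed": denied_by(FILESMATCH_FIXED, FILES),
        "dotfiles": denied_by(FILESMATCH_DOTFILES, FILES),
        "php": denied_by(FILESMATCH_PHP, FILES),
        "rewrite unanchored": denied_by(REWRITE_UNANCHORED, PATHS),
        "rewrite anchored": denied_by(REWRITE_ANCHORED, PATHS),
        "rewrite boundary": denied_by(REWRITE_BOUNDARY, PATHS),
    }


if __name__ == "__main__":
    for label, hits in report().items():
        print(f"{label:20s} denies {hits}")
```

The output shows the first attempt covering wp-config.php but neither xmlrpc.php nor .htaccess, `^\.` also catching .htpasswd where `\.htaccess` does not, and `^xmlrpc` missing both sunxmlrpcrp.php and blog/xmlrpc.php while `\bxmlrpc` catches the latter but not the former. The unanchored FilesMatch patterns also deny wp-config.php.bak, which is usually what you want; add a trailing `$` only if you deliberately want exact names.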

Webwork

3:31 am on Jan 27, 2016 (gmt 0)

Ack!

Okay, panicked head exploding response has now passed.

So, if I grasp your kindly contributions correctly, what I'm left with is 3 possible "solutions" followed by 2 additional head explosions. LOL.

Thx.

lucy24

6:20 am on Jan 27, 2016 (gmt 0)

3 possible "solutions" followed by 2 additional head explosions

For comparison purposes: When I first met Regular Expressions I was deathly afraid of them. This is natural and proper; you can seriously injure yourself with a carelessly applied RegEx. And that was in the context of text editing, not server configuration. For the first year I didn't dare use a RegEx for anything except finding text, as opposed to actively replacing it. Unsupervised global replaces took still longer.