Combining two types of rewrites - help

         

Moosenskjoeld

4:49 am on Jan 4, 2004 (gmt 0)

10+ Year Member



Allo,

I am having trouble understanding which of the two rewrite sections should come first in the .htaccess file, and how exactly to combine them. Also, I will ask a few questions I haven't managed to answer myself by browsing the forum.

I will post a compacted version of what I currently have (deleting all that is not necessary for illustration):

----------


ErrorDocument 404 /error/404.html
AddDefaultCharset On
AddType 'application/xml; charset=utf-8' xml
<Files .htaccess>deny from all</Files>

Options -Indexes
Options +FollowSymLinks
RewriteEngine on
RewriteBase /
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com [NC]
RewriteRule \.(css|gif|jpg|js|png)$ - [F]

RewriteCond %{HTTP_USER_AGENT} (DTS.?Agent|Email.?Extrac)
RewriteRule .* - [F]


----------

I have the following questions:

1. I am not sure if starting the .htaccess file with ErrorDocument is okay - that is, without any prolog like SomethingImportant on.

2. I read in one thread here that <Files .htaccess>deny from all</Files> should be added, but I do not understand why, and how it works, and if it does, if I did it correctly

3. Why do I need Options +FollowSymLinks? Do I need it exactly in the place I have it now?

4. I saw in the long "perfect .htaccess" thread the following rule: RewriteBase /. Why do I need it for the banned list? What does it do?

5. Lastly, the main question I have. I have two types of rewrites (trimmed quoted above). One is to prevent hotlinking, another to ban. I am afraid, very afraid in fact, that after the first [F], the rest is not read. Is that true? How to combine them?

Note: On my site, I didn't add hotlinking rewrite (the first one), since the ban is more important to me. That's why I came here begging for help...

merci in advance for any help you might offer,

Moose

jdMorgan

6:54 am on Jan 4, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Moose,

Welcome to WebmasterWorld [webmasterworld.com]!

Here's your code with a few minor clean-ups. Details below.


ErrorDocument 404 /error/404.html
AddDefaultCharset On
AddType 'application/xml; charset=utf-8' xml
<FilesMatch \.ht(access|passwd)$>
deny from all
</FilesMatch>

Options -Indexes +FollowSymLinks
RewriteEngine on
RewriteBase /
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com [NC]
RewriteRule \.(css|gif|jpg|js|png)$ - [F]

RewriteCond %{HTTP_USER_AGENT} (DTS.?Agent|Email.?Extrac)
RewriteRule .* - [F]

----------


I have the following questions:

1. I am not sure if starting the .htaccess file with ErrorDocument is okay - that is, without any prolog like SomethingImportant on.


No, nothing is needed - your code is fine.

2. I read in one thread here that <Files .htaccess>deny from all</Files> should be added, but I do not understand why, and how it works, and if it does, if I did it correctly

This prevents anyone (including you) from using HTTP to read your .htaccess file. A malicious hacker might find it interesting to help find ways to break into your server. Note that I changed it to use <FilesMatch>, so that it now protects both .htaccess and .htpasswd files. You will still be able to upload and download your .htaccess and .htpasswd files using FTP, but hopefully, your server is set up properly and you will have to log in to do it.

3. Why do I need Options +FollowSymLinks? Do I need it exactly in the place I have it now?

FollowSymLinks is required by mod_rewrite in an .htaccess context. You have it in the proper place, although I combined the two Options lines to save space.

4. I saw in the long "perfect .htaccess" thread the following rule: RewriteBase /. Why do I need it for the banned list? What does it do?

You may not need it at all. As to what it does, see the rather detailed description of RewriteBase in the mod_rewrite documentation [httpd.apache.org].

5. Lastly, the main question I have. I have two types of rewrites (trimmed quoted above). One is to prevent hotlinking, another to ban. I am afraid, very afraid in fact, that after the first [F], the rest is not read. Is that true? How to combine them?

You're right, the second group will not be processed... Because it doesn't need to be processed when the first rule matches and terminates the current request with a 403-Forbidden response. This 403 response will end the current HTTP request, so there is no need to process any more rewriterules.

If the first ruleset does not match, then the second ruleset will be processed, and it will stop those user-agents from accessing your files.

Note: On my site, I didn't add hotlinking rewrite (the first one), since the ban is more important to me. That's why I came here begging for help...

merci in advance for any help you might offer,


Be my guest, Monsieur Moose!

Don't be afraid of this stuff. Study the documentation and look at examples posted here at WebmasterWorld. Then go experiment and lock up your server a few hundred times. I guarantee that you will be an expert on mod_rewrite and .htaccess files within a year if you do this... As they say, "Experience is what allows you to recognize a mistake when you make it again." :)

Here's a good introduction: Introduction to mod_rewrite [webmasterworld.com]

Jim
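
Added example, not part of the original posts: a small Python model of how the two rulesets in the thread are evaluated in order, showing that the first matching [F] ends the request while the second ruleset still applies to requests the first one lets through. The names RULESETS, evaluate and SAMPLES, and all sample requests, are constructed for illustration; this is a simplified model, not Apache's own code.

```python
import re

# The two rulesets from the thread: (conditions, RewriteRule pattern, label).
# Each condition is (request field, regex, negated, case-insensitive [NC]).
RULESETS = [
    ([("referer", r"^http://(www\.)?mydomain\.com", True, True)],
     r"\.(css|gif|jpg|js|png)$", "hotlink"),
    ([("user_agent", r"(DTS.?Agent|Email.?Extrac)", False, False)],
     r".*", "banned-agent"),
]

def cond_holds(request, field, pattern, negated, nocase):
    """Evaluate one RewriteCond; a missing header is an empty string."""
    flags = re.IGNORECASE if nocase else 0
    matched = re.search(pattern, request.get(field, ""), flags) is not None
    return matched != negated

def evaluate(request):
    """Return (status, label of the ruleset that fired, or None)."""
    # In .htaccess context the rule pattern sees the path without its leading slash.
    path = request["path"].lstrip("/")
    for conds, rule_pattern, label in RULESETS:
        # mod_rewrite tests the RewriteRule pattern first, then its RewriteConds.
        if re.search(rule_pattern, path) is None:
            continue
        if all(cond_holds(request, *c) for c in conds):
            return 403, label  # [F] answers 403 at once; later rules are not run
    return 200, None

# Constructed sample requests (not real traffic).
SAMPLES = {
    "own page loads image": {"path": "/img/logo.png",
        "referer": "http://www.mydomain.com/index.html", "user_agent": "Mozilla/4.0"},
    "other site hotlinks image": {"path": "/img/logo.png",
        "referer": "http://other.example/page.html", "user_agent": "Mozilla/4.0"},
    "banned agent fetches page": {"path": "/index.html",
        "referer": "", "user_agent": "DTS Agent"},
    "banned agent hotlinks image": {"path": "/img/logo.png",
        "referer": "http://other.example/", "user_agent": "EmailExtractor"},
    "image request with no Referer": {"path": "/img/logo.png",
        "referer": "", "user_agent": "Mozilla/4.0"},
    "other site links to page": {"path": "/index.html",
        "referer": "http://other.example/", "user_agent": "Mozilla/4.0"},
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:32} -> {evaluate(req)}")
```

The "image request with no Referer" case is worth noting: because the condition is a negated match, a request that sends no Referer header at all is also refused by the hotlink ruleset as written.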