I think that .php should not be blocked. It's strange that it would be. If the file name is "index.php" then the FilesMatch would see
=> .* (file name starts with anything)
=> . (a literal "." character)
=> php (of the choices phtml|php...suspected, php matches)
=> $ (end of file name)
So it would block any file that is .php. I think it should be
Code:
<FilesMatch ".*\.(phtml|PhP|php5|suspected)$">
Order Allow,Deny
Deny from all
</FilesMatch>
I don't know why any of this is necessary, but I assume Wordpress has some theory on it.
Here's a regex tester you can play with to see the result:
https://regex101.com/r/NRQCnr/1