Are you sure you want to do that? Even CSS and JS files and images and ...?
OK, first check if mod_access is installed in Apache, then add the following to your .htaccess:
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
# <Files> matches on the file name only, so no leading slash
<Files index.php>
Order Allow,Deny
Allow from all
</Files>
The first directive forbids access to any files except from localhost: because of Order Deny,Allow, Allow gets applied later. The second directive only affects index.php.
Caveat: No space after the comma in the Order line.
To allow access to files matching *.css or *.js use this directive:
<FilesMatch ".*\.(css|js)$">
Order Allow,Deny
Allow from all
</FilesMatch>
You cannot use directives for <Location> or <Directory> inside .htaccess files, though.
Your option would be to use <FilesMatch ".*\.php$"> around the first allow,deny group and then explicitly allow access to index.php.
Update for Apache 2.4:
This answer is correct for Apache 2.2. In Apache 2.4 the access control paradigm has changed, and the correct syntax is to use Require all denied.
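The same rules in a form that works under both versions, as an added example that is not part of the original answer. It assumes mod_authz_core marks a 2.4 server, and that AllowOverride permits AuthConfig (2.4) or Limit (2.2) for this directory.

```apache
# Added example: .htaccess that denies everything except index.php and
# *.css / *.js, while still letting localhost reach all files.

# Apache 2.4 branch: mod_authz_core is only present on 2.4 and later
<IfModule mod_authz_core.c>
    # Default for the directory: only localhost is authorized
    Require ip 127.0.0.1

    # <Files> sections are merged after the directory-level rules, and
    # with the default "AuthMerging Off" their Require replaces the one above
    <Files "index.php">
        Require all granted
    </Files>

    <FilesMatch "\.(css|js)$">
        Require all granted
    </FilesMatch>
</IfModule>

# Apache 2.2 branch: the Order/Deny/Allow rules from the answer
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1

    <Files "index.php">
        Order Allow,Deny
        Allow from all
    </Files>

    <FilesMatch "\.(css|js)$">
        Order Allow,Deny
        Allow from all
    </FilesMatch>
</IfModule>
```

If localhost access is not needed, replace `Require ip 127.0.0.1` with `Require all denied` in the 2.4 branch.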