One small mistake in the .htaccess file makes it pointless #560

@AndisGrossteins

Confirmation

  • My issue isn't already found on the issue tracker.
  • I have replicated my issue using the latest version of the plugin and it is still present.

WordPress version

6.8.3

Cloudflare-WordPress version

4.13.0

PHP version

8.3.6

Expected result

Supposedly, the .htaccess file, as introduced by PR #473, blocks access to sensitive files (config.json, output.log, readme.txt, LICENSE.md, etc.). However, there's a small, barely noticeable, mistake which makes ALL declarations in the file void.

Actual result

All the rules in .htaccess file should apply. Otherwise it's pointless.

Steps to reproduce

  1. Try browsing to wp-content/plugins/cloudflare/output.log on a WordPress install hosted on Apache and without other security measures.
  2. Request does not produce HTTP 403.

Additional factoids

The code in question:

# Cloudflare fonts
<FilesMatch "^.+(eot|ttf||otf|woff|woff2)$">
# Apache 2.2
<IfModule !mod_authz_core.c>
Allow from all
</IfModule>
# Apache 2.4
<IfModule mod_authz_core.c>
Require all granted
</IfModule>
</FilesMatch>

For those who don't grok regex well, take a look at what it does in Regex101 debugger: https://regex101.com/r/hCulh2/1

References

PR #473 introduced the file with the mistake.
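
Added example, not part of the original issue or the plugin's code: a small Python check that flags empty alternation branches such as the `||` in the pattern above and shows which file names the pattern matches. The `FIXED` pattern is an assumed correction rather than the project's patch, the font file names are constructed, and Python's `re.search` stands in for Apache's regex matching, which behaves the same way for this pattern.

```python
import re

# BUGGY is copied from the issue; FIXED is an assumed correction, not the project's patch.
BUGGY = r"^.+(eot|ttf||otf|woff|woff2)$"
FIXED = r"^.+\.(eot|ttf|otf|woff|woff2)$"

# File names the issue lists as sensitive, plus constructed font file names.
SENSITIVE = ["config.json", "output.log", "readme.txt", "LICENSE.md"]
FONTS = ["icons.woff2", "brand.ttf"]


def empty_branches(pattern):
    """Offsets of empty alternation branches ('(|', '||', '|)'); simple scanner
    that does not handle ']' as first class member or '(?:' style group prefixes."""
    hits, in_class, prev, i = [], False, "", 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":  # escaped character is a literal, skip both chars
            prev, i = "lit", i + 2
            continue
        if in_class:  # inside [...] a '|' is a literal
            in_class, prev = ch != "]", "lit"
        elif ch == "[":
            in_class, prev = True, "lit"
        elif ch == "|":
            if prev in ("", "(", "|"):
                hits.append(i)
            prev = "|"
        elif ch == ")":
            if prev == "|":
                hits.append(i)
            prev = "lit"
        else:
            prev = "(" if ch == "(" else "lit"
        i += 1
    if prev == "|":  # pattern ends with a dangling '|'
        hits.append(len(pattern))
    return hits


def matched(pattern, names):
    """Names the pattern matches with unanchored search semantics."""
    rx = re.compile(pattern)
    return [n for n in names if rx.search(n)]


if __name__ == "__main__":
    for label, pat in (("buggy", BUGGY), ("fixed", FIXED)):
        print(label, empty_branches(pat), matched(pat, SENSITIVE + FONTS))
```

With the empty branch, `^.+` followed by nothing and `$` matches any non-empty file name, so the "granted" block applies to every file and not only fonts.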
