OK, newbie question here. I have a file called .user.ini created by the Wordpress "Wordfence" plugin. Wordfence is complaining this file (which it created) is accessible.
So the external address of the fuile would be:
https://mysite.com/.user.ini
I've tried blocking it using a RewriteRule (in...