I've been adding rules to my htaccess files for two years now. Jeff Starr's 5G Blacklist, to be put in the htaccess file, protects websites (not only WP sites) from hostile bots and hackers. The plugin Better WordPress Security writes similar rules to the htaccess file. Some of these rules secure WP against SQL injection hacks, by forbidding TRACE or TRACK requests, etc. A rule in the above plugin prevents access to sensitive files such as the wp-config.php.
My question is, are these htaccess rules necessary for a secure WP site? If so, why are they not built in? Obviously, if someone can get access to the wp-config, they can cause no end of trouble. We shouldn't have to alter the default installation to secure such a file. And shouldn't SQL injection hacks be blocked by default also? I'm hoping the security team can clarify this for me.