I have seen many different and unfortunately completely differing articles on this, but I am more and more confused the more of them I look at.
What I want to do is simply make sure nobody can read or write to, or even look at(dir list) any files on my site.
Everyone seems to begin with using the file .htaccess and say that you should "add" some things to it. First of all: my WP never installed an .htaccess file! and my site didn't have one by default, it's a new subdomain. I'll probably be changing it to a /subdir on the domain's root anyway, but that's off the topic already.
What's to stop someone from finding the location of the wp-config file, for example, and reading the database name, and the username and password for access?
I tried using one of the various methods I saw online, where you restrict privileges unless the requester is index.php. This didn't seem to work.
I'd very much appreciate a link to, or sample of, a typical .htaccess file (or set of files for each folder) that will secure all the folders from access using a browser. I still want WordPress to be able to make changes, of course, and I also want to be able to make changes via my website host's utilities. But either of those methods require authentication. -- That's one of the things that also went wrong - when I used my site's "protect" utility to "protect" the /wp-admin folder, for example, then the site started asking me for authentication even to load the main index.php page! I assume this is because that page calls files from the subdirectory wp-admin.
Please consider me a total web development dummy. When it comes to network setup and servers and hardware, I can solve anything in my sleep, but this stuff is a foreign world for me.
Any help is appreciated, thanks