-# Exception: allow access to wfpl_main.php
-#
-# this allows access to any files named "wfpl_main.php" anywhere, so there's a
-# rewrite rule above to use the top-level one, no matter which was requested.
+# code execution exception: allow only /wfpl_main.php
+# <Files> matches regardless of directory/path, so rewrite php in subdirs
+RewriteRule ^wfpl_main\.php$ - [L]
+RewriteRule .*\.php$ - [L,R=404]