bigin · bigin · May 14, 2026 · May 14, 2026
diff --git a/.htaccess b/.htaccess
@@ -5,37 +5,36 @@
 
     Options -Indexes
     Options +SymLinksIfOwnerMatch
-    # Options +SymLinksifOwnerMatch
-
-    # RewriteBase /
 
     # Redirecting HTTP to HTTPS
     # RewriteCond %{SERVER_PORT} 80
     # RewriteRule ^(.*)$ https://your-website.com/$1 [R,L]
-
-    # Allow harmless files
-    RewriteCond %{REQUEST_URI} !\.(?:css|js|map|jpe?g|gif|png|svg|webp)$
-    # Allow file upload handler
-    RewriteCond %{REQUEST_URI} !(^|/)imanager/upload/server/php($|/.*$)$
-
-    # Block some directories and files
-    RewriteCond %{REQUEST_URI} (^|/)(boot|imanager)(.php$) [NC,OR]
-    # Block access to certain native Scriptor files.
-    RewriteCond %{REQUEST_URI} (^|/)(.htaccess|data|imanager|modules|core|lang|_.*)($|/.*$) [NC,OR]
-    # Forbid access to all directories and files that start with a dot
+
+    # ----------------------------------------------------------------
+    # Deny chain — fires only when ALL conditions match.
+    # The first condition lets harmless static assets pass through;
+    # the rest enumerate paths that must never be served directly.
+    # ----------------------------------------------------------------
+
+    RewriteCond %{REQUEST_URI} !\.(?:css|js|map|jpe?g|gif|png|svg|webp|woff2?|ttf|eot)$
+
+    # Block direct execution of the bootstrap stub.
+    RewriteCond %{REQUEST_URI} (^|/)boot\.php$ [NC,OR]
+    # Block direct access to source code, configuration and CLI dirs.
+    RewriteCond %{REQUEST_URI} (^|/)(data|boot|vendor|bin|lang)($|/.*$) [NC,OR]
+    # Forbid every dot-file (.htaccess, .git, .env, .DS_Store, ...).
     RewriteCond %{REQUEST_URI} (^|/)\.[^/]*($|/.*$)
 
     RewriteRule ^ - [F,L]
 
-    # Block access to .zip, .pdf, and .tar files under "/data/uploads/"
-    #RewriteCond %{REQUEST_URI} /data/uploads/.*\.(zip|pdf|tar)$ [NC]
-    #RewriteRule ^ - [F,L]
-
-    RewriteCond %{REQUEST_FILENAME} !-f
-    RewriteCond %{REQUEST_FILENAME} !-d
-    RewriteRule ^editor/(.*)$ editor/index.php?id=$1 [L,QSA]
+    # ----------------------------------------------------------------
+    # Front controller — route everything that isn't a real file or
+    # directory to index.php. Scriptor's index.php handles the
+    # admin-path delegation in PHP, so changing `admin_path` in
+    # data/settings/scriptor-config.php needs no .htaccess update.
+    # ----------------------------------------------------------------
 
     RewriteCond %{REQUEST_FILENAME} !-f
     RewriteCond %{REQUEST_FILENAME} !-d
     RewriteRule ^(.*)$ index.php?id=$1 [L,QSA]
-</IfModule>
+</IfModule>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -65,6 +65,20 @@ dispatch, PSR-16 caching). The legacy 1.x flat-file storage is gone.
   side-step the missing path-repo). The Dockerfile now runs a
   plain `composer install --no-dev`. `docker/composer-rewrite.php`
   is removed.
+- **`.htaccess` refreshed for the 2.0 layout.** The Apache fallback
+  rules now match what actually lives in the tree: directory deny
+  list switched from the gone `imanager`/`modules`/`core` to the
+  current `boot`/`vendor`/`bin` (real source dirs); legacy
+  `imanager/upload/server/php` exception removed; the literal
+  `editor/`-rewrite is gone — every request lands on `index.php`
+  which delegates `/<admin_path>/*` in PHP, so changing
+  `admin_path` no longer requires editing `.htaccess`. The static
+  asset whitelist gained `woff/woff2/ttf/eot` for theme fonts.
+  Caddy and nginx ignore `.htaccess` entirely; this is purely an
+  Apache-fallback hygiene pass.
+- **`scriptor-config.php` admin_path comment** no longer claims
+  the user must update `.htaccess` after changing `admin_path`.
+  The 2.0 PHP-level delegation in `index.php` makes that obsolete.
 
 ### Removed
 

diff --git a/data/settings/scriptor-config.php b/data/settings/scriptor-config.php
@@ -49,9 +49,11 @@
 	/**
 	 * Relative path to the admin folder.
 	 *
-	 * Please note that if you change the folder name, you also need to update the paths
-	 * in the .htaccess file in the root directory accordingly.
-	 * 
+	 * The folder must exist on disk and contain `index.php` (the admin entry).
+	 * Routing to this path is handled in PHP (`index.php` delegates
+	 * `/<admin_path>/*` to `<admin_path>/index.php`), so no web-server
+	 * rewrite rules need to be touched when this value changes.
+	 *
 	 * @var string
 	 */
 	'admin_path' => 'editor/',