In the root directory, put a .htaccess file with:
<FilesMatch "(\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|json|lock|swp|py|xml|phtml|g)|~)$">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ index.php [QSA,L]
And in the subdirectories, put:
Deny from all
And, in the web folder, put:
Options All -Indexes