Firewall Rule to block access to php files

Thanks for the suggestion @sdayman. I just tried removing the . before php, but still the rule doesn’t seem to take – no 1020 access denied message, just a blank page.

Any rule in mind that would protect the theme’s php files? I can have 2 separate rules: one for plugins, already working, and one for the theme.

Would something like this work?

(http.request.uri.path contains "/wp-content/themes" and not http.referer contains "mywebsite.com")

Thanks for your help!