RewriteEngine On
RewriteBase /admin/

# Protect admin directory
AuthType Basic
AuthName "Admin Area"
AuthUserFile /path/to/.htpasswd
Require valid-user

# Rewrite rules
RewriteRule ^([a-zA-Z0-9_-]+)/?$ $1.php [L,QSA]
RewriteRule ^$ index.php [L,QSA]

# Deny access to sensitive files
<FilesMatch "\.(sql|log|bak|inc)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>