<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    # Allow secret admin directory (change path to match yours)
    RewriteCond %{REQUEST_URI} ^/kwo2bekosnsk2928wbsk9d2h/bsjwownwosnos/ [NC]
    RewriteRule . - [L]

    # Allow user dashboard
    RewriteCond %{REQUEST_URI} ^/user/dashboard$ [NC]
    RewriteRule ^user/dashboard$ user/dashboard.php [L]

    # Route /api/* to api/*.php
    RewriteCond %{REQUEST_URI} ^/api/ [NC]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^api/([^/]+)$ api/$1.php [QSA,L]

    # Any other request to a non-existing file returns 404
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . - [R=404,L]
</IfModule>

Options -Indexes

# Protect sensitive files
<FilesMatch "^\.">
    Order allow,deny
    Deny from all
</FilesMatch>