Referrer filtering for common media files. Replace www\.example\.com with your own domain name. This blocks most common fingerprinting attacks ;)
Note: Replace www\.example\.com with your own domain name, escaping each dot as \. (i.e. write www\.example\.com for www.example.com).
# Always allow media under images/stories, regardless of referrer
RewriteRule ^images/stories/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [L]
# Only act when a referrer header is present (direct requests are allowed)
RewriteCond %{HTTP_REFERER} .
# Allow referrers from localhost and from your own site (https? covers both http:// and https://)
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?localhost\/ [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
# Only act on files that really exist on disk
RewriteCond %{REQUEST_FILENAME} -f
# Everything else asking for a media file from a foreign referrer gets 403 Forbidden
RewriteRule \.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [F]
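The following is an added example, not part of the original post: a small Python simulation of the referrer-filter chain above, so you can see which requests it forbids before deploying it. It mirrors the rules with the re module (Apache itself is not involved), uses example.com as the site name, and includes the pattern with the typo http?:// alongside the correct https?:// to show why the typo blocks your own site's https visitors.

```python
import re

# The rule patterns above, transcribed to Python regexes (constructed example).
STORIES_PASS = re.compile(
    r"^images/stories/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$")
MEDIA = re.compile(r"\.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$")  # no [NC]: case-sensitive

# Correct conditions: https? matches both http:// and https:// referrers. [NC] -> re.I
OWN_SITE_OK = [re.compile(r"^https?://(www\.)?localhost/", re.I),
               re.compile(r"^https?://(www\.)?example\.com", re.I)]
# Defective variant: http? makes the 'p' optional instead of the 's', so an
# https:// referrer from your own site is treated as foreign.
OWN_SITE_TYPO = [re.compile(r"^http?://(www\.)?localhost/", re.I),
                 re.compile(r"^http?://(www\.)?example\.com", re.I)]


def forbidden(path, referer, file_exists=True, own_site=OWN_SITE_OK):
    """Return True if the referrer-filter chain would answer 403 for this request.

    path is the request path relative to the site root (no leading slash), as
    mod_rewrite sees it in a per-directory .htaccess."""
    if STORIES_PASS.match(path):
        return False            # first RewriteRule: pass through with [L]
    if not referer:
        return False            # RewriteCond %{HTTP_REFERER} .  (needs a referrer)
    if any(p.match(referer) for p in own_site):
        return False            # referrer is localhost or our own domain
    if not file_exists:
        return False            # RewriteCond %{REQUEST_FILENAME} -f
    return bool(MEDIA.search(path))   # final RewriteRule ... - [F]


if __name__ == "__main__":
    # Constructed sample requests: (path, referer)
    samples = [
        ("images/photo.jpg", "http://hotlinker.invalid/gallery"),
        ("images/photo.jpg", ""),
        ("images/photo.jpg", "https://www.example.com/article"),
        ("images/stories/a/b.png", "http://hotlinker.invalid/"),
        ("index.php", "http://hotlinker.invalid/"),
    ]
    for path, ref in samples:
        print(f"{path:25s} ref={ref or '(none)':40s} "
              f"ok-rule: {forbidden(path, ref)}  typo-rule: "
              f"{forbidden(path, ref, own_site=OWN_SITE_TYPO)}")
```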
Disallow visual fingerprinting of Joomla! sites (module position dump)
Initial idea by Brian Teeman and Ken Crowder,
see: http://www.slideshare.net/brianteeman/hidden-joomla-secrets
Improved by @nikosdion to work more efficiently and handle template and tmpl query parameters
# tmpl=component and tmpl=system are legitimate Joomla! requests; let them through
RewriteCond %{QUERY_STRING} (^|&)tmpl=(component|system) [NC]
RewriteRule .* - [L]
# Any other tp=, template= or tmpl= query parameter is forbidden
RewriteCond %{QUERY_STRING} (^|&)t(p|emplate|mpl)= [NC]
RewriteRule .* - [F]
Disallow access to htaccess.txt, configuration.php, configuration.php-dist and php.ini
RewriteRule ^(htaccess\.txt|configuration\.php(-dist)?|php\.ini)$ - [F]
Back-end protection
This also blocks fingerprinting attacks that browse for XML and INI files in the back-end.
# Allow the administrator entry points
RewriteRule ^administrator/?$ - [L]
RewriteRule ^administrator/index\.(php|html?)$ - [L]
RewriteRule ^administrator/index[23]\.php$ - [L]
# Allow static assets of back-end components, modules, templates, images and plugins
RewriteRule ^administrator/(components|modules|templates|images|plugins)/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|xml|ini|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
# Everything else under administrator/ is forbidden
RewriteRule ^administrator/ - [F]
Block suspicious request methods
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F,L]