You’ll have to excuse the formatting, it seems wordpress doesn’t want to display the page properly since updating to the latest version.
Recently I was asked to block php files from running in a site’s /images directory.  No problem I thought.

First attempt:  mod_rewite

rewrite_cond  .*/images/.*\.php$ [NC]
rewrite_rule .* / [F,L]
That didn’t work however because the site in question had “Options None” set which prevents mod_rewrite from running.  I could have altered the Options directive but I preferred not to.

Second attempt: .htaccess files

To block .php files from running in /images, I put the following configuration snippet into /var/www/htdocs/images/.htaccess.
 <Files ~ "\.php$">
 Deny from all
 </Files>
It worked and was simple.  The problem was there was 30+ sites that I would need to add the file to.  Not fun or easy to maintain.

Final solution: <Directory> meet <Files>

What I did in the end was add the following configuration block to the top level apache configuration file.
<Directory ~ ".*/images">
 <Files ~ "\.php$">
 Deny from all
 </Files>
</Directory>

This catches all directories that end in /images then looks to see if the file being accessed ends in .php. The deny is self explanatory. If /images was an alias this approach would not work because <Direcory> looks for the directory on disk, it does not match URLs. So why not use a <Location> block? <Files> cannot be called inside a <Localtion> block.