I haven't tried much besides this:
Order deny, allow
Deny from all
<Files "index.php">
Allow from all
</Files>
It worked but it also prevented php and link tags from accessing other files.
When you write any script or link in your code, they won't send request to server themselves, it's actually user sending request for that resource. If there is a link to any resource to any part of your server and you want it to be served, you must let browser access that and browser means user.