You should use the "Require" rule instead of "order/allow/deny" directives.
They are deprecated and will be removed in future version of apache server.
E.g.:
1. When you need to deny access to specific files, then:
Instead of this:
<FilesMatch "(xmlrpc\.php|wp-trackback\.php)">
Order Allow,Deny
Deny from all
</FilesMatch>
Use this:
<FilesMatch "(xmlrpc\.php|wp-trackback\.php)">
Require all denied
</FilesMatch>
2. When you need to allow access only from specific IP or range, use this:
Require ip 103.21.244.0 # allow connections from specified IPv4 address
Require ip 103.21.244.0/22 # allow connections from specified IPv4 range
Require ip 2400:cb00::/32 # allow connections from specified IPv6 range
# Allow connections only from CloudFlare (see https://www.cloudflare.com/ips/)
Require ip 103.21.244.0/22
Require ip 103.22.200.0/22
Require ip 103.31.4.0/22
Require ip 104.16.0.0/13
Require ip 104.24.0.0/14
Require ip 108.162.192.0/18
Require ip 131.0.72.0/22
Require ip 141.101.64.0/18
Require ip 162.158.0.0/15
Require ip 172.64.0.0/13
Require ip 173.245.48.0/20
Require ip 188.114.96.0/20
Require ip 190.93.240.0/20
Require ip 197.234.240.0/22
Require ip 198.41.128.0/17
Require ip 2400:cb00::/32
Require ip 2606:4700::/32
Require ip 2803:f800::/32
Require ip 2405:b500::/32
Require ip 2405:8100::/32
Require ip 2a06:98c0::/29
Require ip 2c0f:f248::/32