First, if you are doing this in .htaccess mod_rewrite does not stop processing but instead does an internal redirect. See this answer for details.
You need to escape the period in your second rewrite rule. Period (or dot) will match any character if not escaped.
Fixed rule:
RewriteRule ^/([a-zA-Z0-9\._-]+)$ /index.php?user=$1 [L]
Edit 3:
Based on your comments and own answer, here's an updated solution. The way RewriteCond %{REQUEST_FILENAME}
works in Apache depends on the context you are in. You can also omit the ?
from the matching pattern.
RewriteRule ^/help$ /index.php?page=help [L]
# If you are inside <VirtualHost> context
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-d
RewriteRule ^/([a-zA-Z0-9\._-]+)$ /index.php?user=$1 [L]
# If you are inside <Directory> or .htaccesscontext
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^/([a-zA-Z0-9\._-]+)$ /index.php?user=$1 [L]
Do bear in mind that this solution causes conflicts if there are users with the same name as any of the files or directories you have on your server.