diff --git a/apache-extras.template b/apache-extras.template
index 9903a738d2..513e099bbe 100644
--- a/apache-extras.template
+++ b/apache-extras.template
@@ -15,4 +15,12 @@ RUN set -eux; \
a2enconf remoteip; \
# https://github.com/docker-library/wordpress/issues/383#issuecomment-507886512
# (replace all instances of "%h" with "%a" in LogFormat)
- find /etc/apache2 -type f -name '*.conf' -exec sed -ri 's/([[:space:]]*LogFormat[[:space:]]+"[^"]*)%h([^"]*")/\1%a\2/g' '{}' +
+ find /etc/apache2 -type f -name '*.conf' -exec sed -ri 's/([[:space:]]*LogFormat[[:space:]]+"[^"]*)%h([^"]*")/\1%a\2/g' '{}' +; \
+# apply sensible security defaults: 403 hidden files/dirs + common backup/source filetypes
+ { \
+ echo 'RedirectMatch 403 /\..*$'; \
+ echo ''; \
+ echo 'Require all denied'; \
+ echo ''; \
+ } > /etc/apache2/conf-available/forbidden.conf; \
+ a2enconf forbidden
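Review bot: If the two `echo ''` lines around `Require all denied` really are empty (and not a `<FilesMatch …>`/`</FilesMatch>` pair lost when this diff was rendered), the directive written to forbidden.conf is not scoped to any container, so once `a2enconf forbidden` enables it the denial applies server-wide and every request would answer 403; nothing visible in the hunk implements the "common backup/source filetypes" half of the comment either. Scope it to a files container, e.g. `echo '<FilesMatch "\.(EXTENSIONS_PLACEHOLDER)$">'; \` before the `Require` line and `echo '</FilesMatch>'; \` after it, with the extension list the image actually wants to block (placeholder is constructed). Separately, `RedirectMatch 403 /\..*$` also covers `/.well-known/…`, which ACME HTTP-01 challenges and other discovery files rely on, so that is worth stating in the comment or exempting from the pattern. The same lines recur in the php7.2, php7.3 and php7.4 apache Dockerfile hunks below, and the enclosing `RUN set -eux` instruction begins before this hunk.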
diff --git a/php7.2/apache/Dockerfile b/php7.2/apache/Dockerfile
index 1666292c1d..225836c6fb 100644
--- a/php7.2/apache/Dockerfile
+++ b/php7.2/apache/Dockerfile
@@ -90,7 +90,15 @@ RUN set -eux; \
a2enconf remoteip; \
# https://github.com/docker-library/wordpress/issues/383#issuecomment-507886512
# (replace all instances of "%h" with "%a" in LogFormat)
- find /etc/apache2 -type f -name '*.conf' -exec sed -ri 's/([[:space:]]*LogFormat[[:space:]]+"[^"]*)%h([^"]*")/\1%a\2/g' '{}' +
+ find /etc/apache2 -type f -name '*.conf' -exec sed -ri 's/([[:space:]]*LogFormat[[:space:]]+"[^"]*)%h([^"]*")/\1%a\2/g' '{}' +; \
+# apply sensible security defaults: 403 hidden files/dirs + common backup/source filetypes
+ { \
+ echo 'RedirectMatch 403 /\..*$'; \
+ echo ''; \
+ echo 'Require all denied'; \
+ echo ''; \
+ } > /etc/apache2/conf-available/forbidden.conf; \
+ a2enconf forbidden
ENV WORDPRESS_VERSION 5.5
diff --git a/php7.3/apache/Dockerfile b/php7.3/apache/Dockerfile
index 3681298c31..ccddf5c8ed 100644
--- a/php7.3/apache/Dockerfile
+++ b/php7.3/apache/Dockerfile
@@ -91,7 +91,15 @@ RUN set -eux; \
a2enconf remoteip; \
# https://github.com/docker-library/wordpress/issues/383#issuecomment-507886512
# (replace all instances of "%h" with "%a" in LogFormat)
- find /etc/apache2 -type f -name '*.conf' -exec sed -ri 's/([[:space:]]*LogFormat[[:space:]]+"[^"]*)%h([^"]*")/\1%a\2/g' '{}' +
+ find /etc/apache2 -type f -name '*.conf' -exec sed -ri 's/([[:space:]]*LogFormat[[:space:]]+"[^"]*)%h([^"]*")/\1%a\2/g' '{}' +; \
+# apply some sensible security defaults: 403 hidden files/dirs + common backup/source filetypes
+ { \
+ echo 'RedirectMatch 403 /\..*$'; \
+ echo ''; \
+ echo 'Require all denied'; \
+ echo ''; \
+ } > /etc/apache2/conf-available/forbidden.conf; \
+ a2enconf forbidden
ENV WORDPRESS_VERSION 5.5
diff --git a/php7.4/apache/Dockerfile b/php7.4/apache/Dockerfile
index a53bac71fb..0199e1eddf 100644
--- a/php7.4/apache/Dockerfile
+++ b/php7.4/apache/Dockerfile
@@ -91,7 +91,15 @@ RUN set -eux; \
a2enconf remoteip; \
# https://github.com/docker-library/wordpress/issues/383#issuecomment-507886512
# (replace all instances of "%h" with "%a" in LogFormat)
- find /etc/apache2 -type f -name '*.conf' -exec sed -ri 's/([[:space:]]*LogFormat[[:space:]]+"[^"]*)%h([^"]*")/\1%a\2/g' '{}' +
+ find /etc/apache2 -type f -name '*.conf' -exec sed -ri 's/([[:space:]]*LogFormat[[:space:]]+"[^"]*)%h([^"]*")/\1%a\2/g' '{}' +; \
+# apply sensible security defaults: 403 hidden files/dirs + common backup/source filetypes
+ { \
+ echo 'RedirectMatch 403 /\..*$'; \
+ echo ''; \
+ echo 'Require all denied'; \
+ echo ''; \
+ } > /etc/apache2/conf-available/forbidden.conf; \
+ a2enconf forbidden
ENV WORDPRESS_VERSION 5.5