diff --git a/Dockerfile b/Dockerfile
index 8cf8bafbfab540e53e88e91850792be02cf2613d..9dd0bad9c328b2ae2aa6c5c00455c70eee4fee3e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,6 +9,8 @@ FROM registry.git.autistici.org/ai3/docker/apache2-php-base:master
 COPY --from=build /build/app/ /opt/noblogs/www
 
 COPY docker/htaccess /opt/noblogs/www/.htaccess
+COPY docker/htaccess-noindex /opt/noblogs/www/wp-admin/.htaccess
+COPY docker/htaccess-noindex /opt/noblogs/www/wp-includes/.htaccess
 COPY docker/wp-config.php /opt/noblogs/www/wp-config.php
 COPY docker/wp-cache-config.php /opt/noblogs/www/wp-content/wp-cache-config.php
 COPY docker/conf /tmp/conf
diff --git a/docker/htaccess b/docker/htaccess
index 1c59a6169d48765ecffe36bb19bd8539ab00bb39..92aefd9325b5ce1a2a507cc1700827585375748c 100644
--- a/docker/htaccess
+++ b/docker/htaccess
@@ -27,10 +27,11 @@ RewriteRule ^gallery/[0-9]+/(.*)$  wp-includes/ms-files.php?file=2010/08/$1 [L]
 RewriteRule ^resource/[^/]+/preview/(.*)$ wp-includes/ms-files.php?file=2010/08/$1 [L]
 RewriteRule ^resource/[^/]+/download/(.*)$ wp-includes/ms-files.php?file=2010/08/$1 [L]
 
-# hardening of wp-includes
+# hardening of wp-includes (with the exception of ms-files.php, the WP multisite file server).
 RewriteRule ^wp-admin/includes/ - [F,L]
 RewriteRule !^wp-includes/ - [S=3]
-RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
+RewriteCond %{REQUEST_URI} !^wp-includes/ms-files.php$
+RewriteRule ^wp-includes/.+\.php$ - [F,L]
 RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
 RewriteRule ^wp-includes/theme-compat/ - [F,L]
 
diff --git a/docker/htaccess-noindex b/docker/htaccess-noindex
new file mode 100644
index 0000000000000000000000000000000000000000..5a928f6da25ac6d6ba65480b76d03a71cb906138
--- /dev/null
+++ b/docker/htaccess-noindex
@@ -0,0 +1 @@
+Options -Indexes