diff --git a/Dockerfile b/Dockerfile
index 1866a5648a911edb81d4855095d37fc00ba2489c..9c65de395471dcf7f875ddd8e7a9061313a14de2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,7 +4,7 @@ ADD . /build
 WORKDIR /build
 RUN /build/install.sh
 
-FROM registry.git.autistici.org/ai3/docker/apache2-php-base:master
+FROM registry.git.autistici.org/ai3/docker/apache2-php-base:s6
 
 COPY --from=build /build/app/ /opt/noblogs/www
 
@@ -13,7 +13,6 @@ COPY docker/wp-config.php /opt/noblogs/www/wp-config.php
 COPY docker/wp-cache-config.php /opt/noblogs/www/wp-content/wp-cache-config.php
 COPY docker/conf /tmp/conf
 COPY docker/build.sh /tmp/build.sh
-COPY docker/post-upgrade.sh /post-upgrade.sh
 
 RUN /tmp/build.sh && rm /tmp/build.sh
 
diff --git a/docker/conf/chaperone.d/clean-sessions.service b/docker/conf/chaperone.d/clean-sessions.service
deleted file mode 100644
index ab03897f87fc367faea30ca5ee7dddb71346274f..0000000000000000000000000000000000000000
--- a/docker/conf/chaperone.d/clean-sessions.service
+++ /dev/null
@@ -1,5 +0,0 @@
-clean_sessions.service: {
-    type: cron,
-    interval: "10,40 * * * *",
-    command: "/usr/bin/find /var/lib/php/sessions -mindepth 1 -type f -mtime +1 -delete",
-}
diff --git a/docker/conf/chaperone.d/startup.conf b/docker/conf/chaperone.d/startup.conf
deleted file mode 100644
index 847ae6a9380e047745187321f1ee51522baf52ab..0000000000000000000000000000000000000000
--- a/docker/conf/chaperone.d/startup.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-noblogs_upgrade.service: {
-    type: oneshot,
-    stdout: inherit,
-    command: "/post-upgrade.sh",
-    ignore_failures: true,
-    process_timeout: 7200,
-    exit_kills: false,
-}
diff --git a/docker/post-upgrade.sh b/docker/conf/cont-init.d/99noblogs-post-upgrade
similarity index 99%
rename from docker/post-upgrade.sh
rename to docker/conf/cont-init.d/99noblogs-post-upgrade
index a2d017afea26ce8211b5c47626545c790337bba6..731f7954daef792f5569d333b4b7a394458a17c5 100755
--- a/docker/post-upgrade.sh
+++ b/docker/conf/cont-init.d/99noblogs-post-upgrade
@@ -44,4 +44,4 @@ if [ $cur_schema_version -lt $new_schema_version ]; then
     echo "network upgrade message removed"
 fi
 
-exit 0
\ No newline at end of file
+exit 0
diff --git a/docker/conf/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf b/docker/conf/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
index 3bb2ced0b93a0dd6f21f8b755368f1195b93c944..3eb80335f2744af7d06fb10b10775b2feadfcd5d 100644
--- a/docker/conf/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
+++ b/docker/conf/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
@@ -21,16 +21,7 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/themes.php" \
     phase:2,\
     pass,\
     nolog,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:newcontent"
-
-# The ability to edit CSS triggers XSS rules when editing posts.
-# Disable all CRS rules on the wp-json API endpoint.
-SecRule REQUEST_URI "@beginsWith /wp-json/wp/v2/posts/" \
-    "id:1003,\
-    phase:2,\
-    pass,\
-    nolog,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:content"
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:newcontent"
 
 # Make the eventlist plugin work (SIGH for the lack of regexps).
 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
@@ -38,26 +29,26 @@ SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
     phase:2,\
     pass,\
     nolog,\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[1][title],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[1][cat_filter],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[1][num_events],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[1][location_length],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[2][title],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[2][cat_filter],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[2][num_events],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[2][location_length],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[3][title],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[3][cat_filter],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[3][num_events],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[3][location_length],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[4][title],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[4][cat_filter],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[4][num_events],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[4][location_length],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[5][title],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[5][cat_filter],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[5][num_events],\
-    ctl:ruleRemoveTargetByTag=CRS;ARGS:widget-event_list_widget[5][location_length]"
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[1][title],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[1][cat_filter],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[1][num_events],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[1][location_length],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[2][title],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[2][cat_filter],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[2][num_events],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[2][location_length],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[3][title],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[3][cat_filter],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[3][num_events],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[3][location_length],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[4][title],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[4][cat_filter],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[4][num_events],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[4][location_length],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[5][title],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[5][cat_filter],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[5][num_events],\
+    ctl:ruleRemoveTargetByTag=OWASP_CRS;ARGS:widget-event_list_widget[5][location_length]"
 
 # More eventlist plugin workarounds.
 SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
diff --git a/docker/conf/php/7.3/fpm/conf.d/99-noblogs.ini b/docker/conf/php/7.4/fpm/conf.d/99-noblogs.ini
similarity index 100%
rename from docker/conf/php/7.3/fpm/conf.d/99-noblogs.ini
rename to docker/conf/php/7.4/fpm/conf.d/99-noblogs.ini
diff --git a/docker/conf/php/7.3/fpm/pool.d/www.conf b/docker/conf/php/7.4/fpm/pool.d/www.conf
similarity index 95%
rename from docker/conf/php/7.3/fpm/pool.d/www.conf
rename to docker/conf/php/7.4/fpm/pool.d/www.conf
index 9be0c6090846a616c871f7910b9d02ddc81e9f79..294100233c15834359afea86421d89662d2a5fbd 100644
--- a/docker/conf/php/7.3/fpm/pool.d/www.conf
+++ b/docker/conf/php/7.4/fpm/pool.d/www.conf
@@ -1,6 +1,6 @@
 [www]
 user = ${PHP_FPM_USER}
-listen = /run/php/php7.3-fpm.sock
+listen = /run/php/php7.4-fpm.sock
 
 pm = dynamic
 pm.max_children = 75