diff --git a/Dockerfile b/Dockerfile
index 8cf8bafbfab540e53e88e91850792be02cf2613d..9dd0bad9c328b2ae2aa6c5c00455c70eee4fee3e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,6 +9,8 @@ FROM registry.git.autistici.org/ai3/docker/apache2-php-base:master
 COPY --from=build /build/app/ /opt/noblogs/www
 
 COPY docker/htaccess /opt/noblogs/www/.htaccess
+COPY docker/htaccess-noindex /opt/noblogs/www/wp-admin/.htaccess
+COPY docker/htaccess-noindex /opt/noblogs/www/wp-includes/.htaccess
 COPY docker/wp-config.php /opt/noblogs/www/wp-config.php
 COPY docker/wp-cache-config.php /opt/noblogs/www/wp-content/wp-cache-config.php
 COPY docker/conf /tmp/conf
diff --git a/docker/htaccess b/docker/htaccess
index d891492c65938fc261428cd5b6613982bc9e60d5..846f0f321bb94701dfb54a7f12310f5c8f5a6d92 100644
--- a/docker/htaccess
+++ b/docker/htaccess
@@ -27,6 +27,13 @@ RewriteRule ^gallery/[0-9]+/(.*)$  wp-includes/ms-files.php?file=2010/08/$1 [L]
 RewriteRule ^resource/[^/]+/preview/(.*)$ wp-includes/ms-files.php?file=2010/08/$1 [L]
 RewriteRule ^resource/[^/]+/download/(.*)$ wp-includes/ms-files.php?file=2010/08/$1 [L]
 
+# hardening of wp-includes (with the exception of ms-files.php, the WP multisite file server).
+RewriteRule ^wp-admin/includes/ - [F,L]
+RewriteRule !^wp-includes/ - [S=2]
+RewriteCond $0 !^wp-includes/ms-files\.php$
+RewriteRule ^wp-includes/.+\.php(/|$) - [F,L]
+RewriteRule ^wp-includes/theme-compat/ - [F,L]
+
 # BEGIN WPSuperCache
 <IfModule mod_rewrite.c>
 AddDefaultCharset UTF-8
@@ -66,6 +73,8 @@ RewriteRule ^(.*) "/wp-content/cache/supercache/%{HTTP_HOST}/%{HTTP:X-Forwarded-
 RewriteCond %{REQUEST_FILENAME} -f [OR]
 RewriteCond %{REQUEST_FILENAME} -d
 RewriteRule ^ - [L]
+RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
+RewriteRule ^(.*\.php)$ $1 [L]
 RewriteRule . index.php [L]
 # END WordPress
 
diff --git a/docker/htaccess-noindex b/docker/htaccess-noindex
new file mode 100644
index 0000000000000000000000000000000000000000..5a928f6da25ac6d6ba65480b76d03a71cb906138
--- /dev/null
+++ b/docker/htaccess-noindex
@@ -0,0 +1 @@
+Options -Indexes