diff --git a/apache2/conf-available/wp-secuirty.conf b/apache2/conf-available/wp-secuirty.conf
new file mode 100644
index 0000000..2325988
--- /dev/null
+++ b/apache2/conf-available/wp-secuirty.conf
@@ -0,0 +1,13 @@
+# restrict access to wordpress directories
+<Directory "/srv/www/*/html/wp-content/">
+  <Limit POST PUT DELETE>
+    order deny,allow
+    deny from all
+  </Limit>
+</Directory>
+<Directory "/srv/www/*/html/wp-content/uploads/">
+  <Files "*.php">
+    Order Deny,Allow
+    Deny from All
+  </Files>
+</Directory>
diff --git a/install.sh b/install.sh
index 339d14e..924c78a 100755
--- a/install.sh
+++ b/install.sh
@@ -34,6 +34,12 @@ chmod 644 /usr/local/lib/systemd/system/wp-cron.*
 systemctl enable wp-cron.timer
 systemctl start wp-cron.timer
 
+# enable wp-security, restricts access to wordpress directories
+cp apache2/conf-available/wp-secuirty.conf /etc/apache2/conf-available/wp-secuirty.conf
+chmod 644 /etc/apache2/conf-available/wp-secuirty.conf
+a2enconf wp-secuirty
+systemctl reload apache2
+
 # fail2ban wordpress configs
 if [[ -d /etc/fail2ban/ ]]; then
   chmod 644 fail2ban/filter.d/*
@@ -44,3 +50,4 @@ if [[ -d /etc/fail2ban/ ]]; then
 else
   echo "Fail2ban not installed, skipping fail2ban wordpress configs."
 fi
+