diff --git a/.gitignore b/.gitignore index ea26ec2..4bf7ba1 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ .data +.idea diff --git a/.htaccess b/.htaccess new file mode 100644 index 0000000..fadf0fc --- /dev/null +++ b/.htaccess @@ -0,0 +1,11 @@ +# Block direct web access to sensitive files that must remain on disk. +# Returns 404 to avoid revealing file existence. +Redirect 404 /config.php +Redirect 404 /config-dist.php +Redirect 404 /install.php +Redirect 404 /brokenfile.php +Redirect 404 /register-redis-cache-store.php +Redirect 404 /version.php + +# Block db/install.xml across all plugin paths. +RedirectMatch 404 /install\.xml$ diff --git a/Dockerfile b/Dockerfile index db1e029..19ca68f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -32,10 +32,14 @@ RUN set -eux; \ # lockstep with whatever lands on ubc/moodle:ltic-v4.5.11 without having to # enumerate which files changed. ARG MOODLE_LTIC_REF=ltic-v4.5.11 +COPY delete-dev-files.sh /tmp/delete-dev-files.sh RUN set -eux; \ curl -fL "https://github.com/ubc/moodle/archive/${MOODLE_LTIC_REF}.tar.gz" \ | tar xz --strip=1 -C /var/www/html; \ - chown -R www-data:www-data /var/www/html + bash /tmp/delete-dev-files.sh; \ + rm /tmp/delete-dev-files.sh; \ + chown -R www-data:www-data /var/www/html; \ + chmod 444 /var/www/html/config.php # Addresses "Writable config.php" moodle warning # Fetching and unzipping all plugins COPY plugins/ /plugins/ @@ -121,6 +125,8 @@ RUN set -eux; \ done; \ rm -rf /plugins +COPY --chown=www-data:www-data .htaccess /var/www/html/.htaccess + COPY kalturapatch.sh /tmp/ RUN sh /tmp/kalturapatch.sh && rm /tmp/kalturapatch.sh diff --git a/delete-dev-files.sh b/delete-dev-files.sh new file mode 100644 index 0000000..3834a94 --- /dev/null +++ b/delete-dev-files.sh 
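Review bot: The new `.htaccess` rules only take effect if Apache honours per-directory overrides for the document root, and nothing in this commit checks that. `Redirect` and `RedirectMatch` are mod_alias directives that need `AllowOverride FileInfo` (or `All`); with overrides disabled the file is ignored without any error and every listed path is served as before. The paths are also matched from the URL root, so they would stop matching if Moodle were ever served under a sub-path. Consider placing the same directives in the image's Apache site configuration, or adding a post-build smoke check that requests `/config-dist.php` and one `db/install.xml` path and expects a 404.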
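Review bot: In the first Dockerfile hunk, `chmod 444 /var/www/html/config.php` does not make the file tamper-resistant, because the preceding `chown -R www-data:www-data /var/www/html` leaves it owned by the web server user, and an owner can always restore write permission. It clears the Moodle warning, but a PHP process running as www-data can still chmod and rewrite the file. If the intent is protection rather than silencing the check, follow the recursive chown with `chown root:www-data /var/www/html/config.php` and use mode `440`. The same applies to the `COPY --chown=www-data:www-data .htaccess` line added in the later hunk of this file: dropping `--chown` leaves the access rules root-owned, and Apache can still read them provided the file is world-readable in the build context.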
@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+# Remove paths from the Moodle release after extraction.
+# Paths are relative to /var/www/html. Both files and directories are accepted.
+set -euo pipefail
+
+BASE=/var/www/html
+
+# Exact paths (relative to $BASE) to remove.
+REMOVE=(
+ "check_lang_sort.sh"
+ "admin/environment.xml"
+ "composer.json"
+ "composer.lock"
+ "package.json"
+ "npm-shrinkwrap.json"
+ "Gruntfile.js"
+ "behat.yml.dist"
+ "phpcs.xml.dist"
+ "phpunit.xml.dist"
+ "CONTRIBUTING.md"
+ "COPYING.txt"
+ "INSTALL.txt"
+ "PATCH_UPGRADE_NOTES.md"
+ "TRADEMARK.txt"
+ "UPGRADING.md"
+ "security.txt"
+ ".eslintrc"
+ ".gherkin-lintrc"
+ ".gitattributes"
+ ".github"
+ ".gitignore"
+ ".grunt"
+ ".jshintignore"
+ ".jshintrc"
+ ".nvmrc"
+ ".phpstorm.meta.php"
+ ".shifter.json"
+ ".stylelintrc"
+ ".upgradenotes"
+)
+
+# Case-insensitive exact filenames matched recursively across the entire tree.
+PATTERNS=(
+ "readme"
+ "readme.md"
+ "readme.txt"
+ "readme_moodle.txt"
+ "readme.rst"
+ "readme.html"
+ "upgrade.txt"
+ "upgrading.md"
+ "upgrading-current.md"
+)
+
+for entry in "${REMOVE[@]}"; do
+ target="${BASE}/${entry}"
+ if [[ -e "$target" || -L "$target" ]]; then
+ echo "Removing: $target"
+ rm -rf "$target"
+ else
+ echo "Not found (skipping): $target"
+ fi
+done
+
+for pattern in "${PATTERNS[@]}"; do
+ find "$BASE" -depth -iname "$pattern" -printf "Removing: %p\n" -exec rm -rf {} +
+done
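Review bot: The recursive pass in the final `for pattern` loop has no `-type f`, so `-iname "readme"` combined with `rm -rf` also deletes any directory that carries one of these names, contents included, although the comment above `PATTERNS` describes them as filenames. Restricting the match to regular files, e.g. `find "$BASE" -type f -iname "$pattern" -printf "Removing: %p\n" -exec rm -f -- {} +`, keeps the cleanup from removing code that a bundled library happens to keep in such a directory. Going by the Dockerfile change in this commit, the script also runs before the plugins are unpacked, so the same files shipped inside plugins are presumably left in place. If those should be removed as well, the script needs to run after the plugin step.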