diff --git a/roles/matomo/templates/matomo-nginx.conf.j2 b/roles/matomo/templates/matomo-nginx.conf.j2
index 0a7b91609..8ec494bc0 100644
--- a/roles/matomo/templates/matomo-nginx.conf.j2
+++ b/roles/matomo/templates/matomo-nginx.conf.j2
@@ -10,6 +10,7 @@ location ~ ^/matomo(.*)\.php(.*)$ {
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
     fastcgi_param SCRIPT_NAME     $fastcgi_script_name;
     fastcgi_param PATH_INFO       $2;
+    location ~ ^/matomo/(config|tmp|core|lang) { deny all; return 403; }
 }
 
 location ~ ^/matomo(/)? {