diff --git a/conf/nginx/bedrock-wordpress.conf.erb b/conf/nginx/bedrock-wordpress.conf.erb
index 3e3f4fe7..1384eba5 100644
--- a/conf/nginx/bedrock-wordpress.conf.erb
+++ b/conf/nginx/bedrock-wordpress.conf.erb
@@ -7,8 +7,10 @@ location / {
 
 rewrite /wp-admin$ $scheme://$host$uri/ permanent;
 
-location ~ /\. {
-	deny all;
+# Prevent clients from accessing hidden files (starting with a dot)
+# Access to `/.well-known/` is allowed.
+location ~* /\.(?!well-known\/) {
+	 deny all;
 }
 
 location ~* /(?:uploads|files)/.*\.php$ {