diff --git a/nginx.conf.sample b/nginx.conf.sample
index cc1d52e1d928..9d80b478efec 100644
--- a/nginx.conf.sample
+++ b/nginx.conf.sample
@@ -47,6 +47,11 @@ location /.user.ini {
location ~* ^/setup($|/) {
root $MAGE_ROOT;
location ~ ^/setup/index.php {
+ deny all;
+ # If you want to enable the web based setup functionality, add your
+ # ip address to the allow list below or comment out the deny all above.
+ # allow 127.0.0.1;
+
fastcgi_pass fastcgi_backend;
fastcgi_param PHP_FLAG "session.auto_start=off \n suhosin.session.cryptua=off";
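Review bot: The commented `# allow 127.0.0.1;` placeholder is placed after `deny all;` in the `^/setup/index.php` location, but nginx checks access rules in order and stops at the first match, so uncommenting it as the comment instructs has no effect. An operator who hits that is likely to comment out `deny all;` instead, which reopens the web setup to every client. Put the placeholder first and the deny last, `# allow 127.0.0.1;` followed by `deny all;`, and reword the comment to say "add an allow line above deny all". The Apache 2.2 branch in setup/.htaccess appears to have the same trap: under `order allow,deny` a `deny from all` overrides any added `allow from`, so its comment should say the deny line has to be replaced rather than supplemented. The location block continues past the end of this hunk.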
diff --git a/setup/.htaccess b/setup/.htaccess
index 3e6764bf4bab..582ee8f488d0 100644
--- a/setup/.htaccess
+++ b/setup/.htaccess
@@ -1,3 +1,15 @@
+# If you want to enable the web based setup functionality, add your ip address
+# to the allow list below or comment out the IfVersion Deny deny blocks below.
+
+
+ order allow,deny
+ deny from all
+
+ = 2.4>
+ Require all denied
+
+
+
Options -Indexes