diff --git a/.htaccess b/.htaccess
index 43ab5b04f..0342e0878 100644
--- a/.htaccess
+++ b/.htaccess
@@ -27,26 +27,16 @@ php_value session.gc_probability 1
RewriteEngine On
RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico
-# security rules
-RewriteRule ^/?(\.git|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
-RewriteRule /?(README(.md)?|composer\.json-dist|composer\.json|package\.xml)$ - [F]
+# security rules:
+# - deny access to files not containing a dot or starting with a dot
+# in all locations except installer directory
+RewriteRule ^(?!installer)(\.?[^\.]+)$ - [F]
+# - deny access to some locations
+RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
+# - deny access to some documentation files
+RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml)$ - [F]
-# deny access to all files not containing a "." (dot)
-# to block access to different README, Changelog, INSTALL, etc.
-# files of various skins and plugins.
-
- # Apache 2.4
-
- Require all denied
-
- # Apache 2.2
-
- Order Allow,Deny
- Deny from all
-
-
-
SetOutputFilter DEFLATE
diff --git a/CHANGELOG b/CHANGELOG
index a4088cc58..bd37a7dd9 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,6 +2,7 @@ CHANGELOG Roundcube Webmail
===========================
- Implemented menu actions to copy/move messages, added folder-selector widget (#1484086)
+- Fix security rules in .htaccess preventing access to base URL without the ending slash (#1489477)
- Fix regression where only first new folder was placed in correct place on the list (#1489472)
- Fix issue where children of selected and collapsed thread were skipped on various actions (#1489457)
- Fix issue where groups were not deleted when "Replace entire addressbook" option on contacts import was used (#1489420)