diff --git a/.htaccess b/.htaccess
index 86a4669eaa9ddf1aed0b1104327079be4085412e..a69bdd4e8b24c518c3a55f5729e7ffa860a4cf5a 100644
--- a/.htaccess
+++ b/.htaccess
@@ -3,7 +3,7 @@
 #
 
 # Protect files and directories from prying eyes.
-<FilesMatch "\.(sig|engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$">
+<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$">
   Order allow,deny
 </FilesMatch>
 
diff --git a/core/includes/file.inc b/core/includes/file.inc
index 05bf6c1b38da6d22a83112bdc88d775412019cc9..1fde2f4508d06187c43c0f74c260e4d617c10060 100644
--- a/core/includes/file.inc
+++ b/core/includes/file.inc
@@ -467,6 +467,7 @@ function file_ensure_htaccess() {
     file_save_htaccess('private://', TRUE);
   }
   file_save_htaccess('temporary://', TRUE);
+  file_save_htaccess(config_get_config_directory(), TRUE);
 }
 
 /**
diff --git a/core/includes/install.core.inc b/core/includes/install.core.inc
index b44f1540a7a7b96f09289902cb64a6e5cd683244..5ba4aa52de501772f72d146eb8eaa02a924656ee 100644
--- a/core/includes/install.core.inc
+++ b/core/includes/install.core.inc
@@ -1011,6 +1011,11 @@ function install_settings_form_submit($form, &$form_state) {
   if (!file_prepare_directory($config_path, FILE_CREATE_DIRECTORY)) {
     // How best to handle errors here?
   };
+  
+  // Write out a .htaccess file that will protect the config directory from
+  // prying eyes.
+  file_save_htaccess($config_path, TRUE);
+  
   // Indicate that the settings file has been verified, and check the database
   // for the last completed task, now that we have a valid connection. This
   // last step is important since we want to trigger an error if the new