diff --git a/.htaccess b/.htaccess
index 3642f88..4eebc7f 100644
--- a/.htaccess
+++ b/.htaccess
@@ -125,17 +125,19 @@ DirectoryIndex index.php index.html index.htm
   RewriteCond %{REQUEST_URI} !=/favicon.ico
   RewriteRule ^ index.php [L]
 
-  # If this is a production site you may want to forbid access to PHP files in
+  # On publicly accessible sites you should forbid access to PHP files in
   # subfolders for security reasons. If you need to directly execute PHP files
   # in a module or want to run another PHP application somewhere in your
-  # docroot tree you might want to modify this. Uncomment the following two
-  # lines to only allow PHP files in the webroot and in "/core":
-  # RewriteCond %{REQUEST_URI} !^/core/[^/]*\.php$
-  # RewriteRule "^.+/.*\.php$" - [F]
-  # Example for allowing just one PHP file of statistics module:
-  # RewriteCond %{REQUEST_URI} !^/core/[^/]*\.php$
-  # RewriteCond %{REQUEST_URI} !^/core/modules/statistics/statistics.php$
-  # RewriteRule "^.+/.*\.php$" - [F]
+  # docroot tree you might want to modify this. The following line only allows
+  # PHP files in the webroot and in "/core" like update.php or install.php:
+  RewriteCond %{REQUEST_URI} !^/core/[^/]*\.php$
+  # Allow access to specific PHP files for tests:
+  RewriteCond %{REQUEST_URI} !^/core/modules/system/tests/http.php$
+  RewriteCond %{REQUEST_URI} !^/core/modules/system/tests/https.php$
+  # Copy and adapt this statistics rule if you need to enable access to a 
+  # single php file from a contributed or custom module.
+  RewriteCond %{REQUEST_URI} !^/core/modules/statistics/statistics.php$
+  RewriteRule "^.+/.*\.php$" - [F]
 
   # Rules to correctly serve gzip compressed CSS and JS files.
   # Requires both mod_rewrite and mod_headers to be enabled.
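Review bot: The deny rule on the last added line, `RewriteRule "^.+/.*\.php$" - [F]`, is anchored at `\.php$`, so a request that carries extra path info after the script name would presumably not match it and, where Apache accepts path info, the script could still be executed; ending the pattern with `\.php($|/)` covers that case. The three file-specific exemptions leave the dot before `php` unescaped, so each one matches slightly more than the single file it names; `!^/core/modules/system/tests/http\.php$` is the tighter form. Because the rule is now active by default, the `http.php` and `https.php` exemptions ship to publicly accessible sites too, and the comment above them should say to remove them outside test environments. The conditions are anchored to `^/core/` in REQUEST_URI, so an install in a subdirectory would likely have `update.php` and `install.php` forbidden; the enclosing rewrite block starts outside this hunk, so any base-path handling is not visible here.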
