diff --git a/.htaccess b/.htaccess
index 07cf7e4..199f0dc 100644
--- a/.htaccess
+++ b/.htaccess
@@ -146,8 +146,7 @@ AddEncoding gzip svgz
   RewriteCond %{REQUEST_URI} !/core/modules/statistics/statistics.php$
   # Deny access to any other PHP files that do not match the rules above.
   # Specifically, disallow autoload.php from being served directly.
-  RewriteRule "^(.+/.*|autoload)\.php$" - [F]
-
+  RewriteRule "^(.+/.*|autoload)\.php(/.*)*$" - [F]
   # Rules to correctly serve gzip compressed CSS and JS files.
   # Requires both mod_rewrite and mod_headers to be enabled.
   <IfModule mod_headers.c>
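Review bot: The comment above the changed RewriteRule still describes only direct `.php` requests, while the new pattern also denies requests that append path info after the extension; a line such as `# Also deny these files when path info is appended (e.g. foo.php/1).` would record why the suffix group exists. The group `(/.*)*` is a nested quantifier that matches exactly the same strings as `(/.*)?`, which is easier to read and review. Because the exemption visible at the top of the hunk is anchored with `$` on REQUEST_URI, an exempted script requested with trailing path info would presumably now be forbidden as well; that is the fail-closed outcome, but it is worth confirming it is intended. The hunk also drops the blank line that separated this rule from the gzip comment block.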
diff --git a/core/modules/system/src/Tests/System/HtaccessTest.php b/core/modules/system/src/Tests/System/HtaccessTest.php
index 94bfe20..dd21350 100644
--- a/core/modules/system/src/Tests/System/HtaccessTest.php
+++ b/core/modules/system/src/Tests/System/HtaccessTest.php
@@ -54,6 +54,14 @@ public function testFileAccess() {
     foreach ($this->getProtectedFiles() as $file) {
       $this->assertNoFileAccess($file);
     }
+
+    // Test that php files are not accessible.
+    $this->assertNoFileAccess('core/lib/Drupal.php');
+    $this->assertNoFileAccess('core/vendor/autoload.php');
+
+    // Test that adding "/1" to a .php URL does not make it accessible.
+    $this->drupalGet('core/lib/Drupal.php/1');
+    $this->assertResponse(403);
   }
 
   /**
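Review bot: The path-info case is asserted for a single file and a single suffix, `core/lib/Drupal.php/1`, so a regression that only handles one trailing segment would still pass. Adding `$this->drupalGet('core/lib/Drupal.php/1/2');` followed by `$this->assertResponse(403);` would cover a multi-segment suffix. Both new plain-file checks contain a directory separator, so they exercise only the `.+/.*` alternative of the rewrite pattern; the `autoload` alternative matches a top-level `autoload.php`, which is worth asserting too if that file exists in this tree. testFileAccess begins above the hunk.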
@@ -63,7 +71,7 @@ public function testFileAccess() {
    *   Path to file. Without leading slash.
    */
   protected function assertNoFileAccess($path) {
-    $this->assertTrue(file_exists(\Drupal::root() . '/' . $path));
+    $this->assertTrue(file_exists(\Drupal::root() . '/' . $path), "The file $path exists.");
     $this->drupalGet($path);
     $this->assertResponse(403);
   }
