diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2
index c792f77ef..300a4265c 100644
--- a/roles/wordpress-setup/templates/wordpress-site.conf.j2
+++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2
@@ -170,6 +170,13 @@ server {
 }
 {% endblock %}
 
+ {% block plugin_theme_docs_files -%}
+ # Block .txt and .md files in plugins, mu-plugins, and themes directories to prevent version disclosure
+ location ~* /app/(plugins|mu-plugins|themes)/.+\.(txt|md)$ {
+ deny all;
+ }
+ {% endblock %}
+
 {% block location_primary -%}
 location / {
 try_files $uri $uri/ /index.php?$args;
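Review bot: The comment on the new `plugin_theme_docs_files` location says it prevents version disclosure, but the pattern `\.(txt|md)$` covers only two extensions, so other files in the same directories that can carry version strings (for example a `composer.json` or `package.json` shipped with a plugin) are presumably still served. I would word the comment as a reduction rather than a guarantee, e.g. `# Deny .txt and .md under plugins, mu-plugins and themes to reduce version disclosure; other metadata files are not covered`. Because nginx uses the first matching regex location in file order, it is also worth confirming that no earlier regex location or `^~` prefix location in the rendered config matches these URIs first. The enclosing `server` block starts and ends outside the hunk, so that cannot be checked from here.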