diff --git a/CHANGELOG.md b/CHANGELOG.md
index ccef7b7e..bdfcd6a1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,7 @@ The **patch** part changes incrementally at each release.
 ### Changed
 
 * apache: rotate logs daily instead of weekly
+* apache: deny requests to ^/evolinux_fpm_status-.*
 * certbot: use a fixed 1.9.0 version of the certbot-auto script (renamed "letsencrypt-auto")
 * cerbot: use the legacy script on Debian 8 and 9
 * evoacme: upstream release 21.01
diff --git a/apache/files/evolinux-defaults.conf b/apache/files/evolinux-defaults.conf
index 348717ea..e5eadda8 100644
--- a/apache/files/evolinux-defaults.conf
+++ b/apache/files/evolinux-defaults.conf
@@ -9,16 +9,19 @@ StartServers 50
 MinSpareServers 20
 MaxSpareServers 30
 MaxRequestsPerChild 0
+
 <Directory /home/>
     AllowOverride None
     Require all granted
     # "Require not env XXX" is not supported :(
     Deny from env=GoAway
 </Directory>
+
 <IfModule mod_ssl.c>
-SSLProtocol all -SSLv2 -SSLv3
-SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
+    SSLProtocol all -SSLv2 -SSLv3
+    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
 </IfModule>
+
 <Files ~ "\.(inc|bak)$">
     Require all denied
 </Files>
@@ -31,6 +34,10 @@ SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
 </IfModule>
 
 <IfModule mpm_itk.c>
-LimitUIDRange       0 6000
-LimitGIDRange       0 6000
+    LimitUIDRange       0 6000
+    LimitGIDRange       0 6000
 </IfModule>
+
+<LocationMatch "^/evolinux_fpm_status-.*">
+    Require all denied
+</LocationMatch>