diff --git a/src/ep.json b/src/ep.json
index b917aa1f3..63942ac17 100644
--- a/src/ep.json
+++ b/src/ep.json
@@ -50,12 +50,6 @@
 "expressCreateServer": "ep_etherpad-lite/node/hooks/express/padurlsanitize"
 }
 },
- {
- "name": "webaccess",
- "hooks": {
- "expressConfigure": "ep_etherpad-lite/node/hooks/express/webaccess"
- }
- },
 {
 "name": "apicalls",
 "hooks": {
diff --git a/src/node/hooks/express.js b/src/node/hooks/express.js
index 351ab5bf2..94d914009 100644
--- a/src/node/hooks/express.js
+++ b/src/node/hooks/express.js
@@ -12,6 +12,7 @@ const SessionStore = require('../db/SessionStore');
 const settings = require('../utils/Settings');
 const stats = require('../stats');
 const util = require('util');
+const webaccess = require('./express/webaccess');
 const logger = log4js.getLogger('http');
 let serverName;
@@ -203,6 +204,7 @@ exports.restartServer = async () => {
 app.use(exports.sessionMiddleware);
 app.use(cookieParser(settings.sessionKey, {}));
+ app.use(webaccess.checkAccess);
 await Promise.all([
 hooks.aCallAll('expressConfigure', {app}),
diff --git a/src/node/hooks/express/webaccess.js b/src/node/hooks/express/webaccess.js
index 3d47b0aeb..9ab338498 100644
--- a/src/node/hooks/express/webaccess.js
+++ b/src/node/hooks/express/webaccess.js
@@ -203,7 +203,10 @@ const checkAccess = async (req, res, next) => {
 res.status(403).send('Forbidden');
 };
-exports.expressConfigure = (hookName, args, cb) => {
- args.app.use((req, res, next) => { checkAccess(req, res, next).catch(next); });
- return cb();
+/**
+ * Express middleware to authenticate the user and check authorization. Must be installed after the
+ * express-session middleware.
+ */
+exports.checkAccess = (req, res, next) => {
+ checkAccess(req, res, next).catch((err) => next(err || new Error(err)));
 };
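Review bot: The position of `app.use(webaccess.checkAccess)` in `restartServer` (src/node/hooks/express.js, second hunk) is now security-relevant, but nothing at the call site says so. It has to stay after `exports.sessionMiddleware`, as the new docstring in webaccess.js requires, and before `hooks.aCallAll('expressConfigure', {app})`, so that no plugin-installed middleware or route is registered ahead of the access check. I would add a comment above the line such as `// Must run after the session middleware and before the expressConfigure hook so plugins cannot mount handlers ahead of authentication/authorization.` `restartServer` starts and ends outside the hunk, so anything mounted on `app` above these lines would still be served without the check; that is worth confirming.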
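Review bot: In `exports.checkAccess` (src/node/hooks/express/webaccess.js) the `.catch` handler fails closed only for falsy rejection values, and the fallback `new Error(err)` then carries an empty or meaningless message such as `null` or `0`. A truthy non-Error rejection is still forwarded to `next()` unchanged, and Express gives the string `'route'` a special meaning there rather than treating it as an error, so such a rejection could let the request continue unauthenticated. The body of `checkAccess` lies outside the hunk, so whether it or the hooks it calls can reject with such values cannot be seen here. Normalising every rejection would close the gap: `checkAccess(req, res, next).catch((err) => next(err instanceof Error ? err : new Error('checkAccess rejected: ' + String(err))));`. A short comment saying that a falsy argument to `next()` would skip the access check would also explain why the wrapper exists.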