Webalizer

On any domain, you can enter /webalizer and get to a default webalizer report. I do not want this as PCI scans deem this as a security threat. Is there a way to turn this off, so only domains with webalizer enabled return a report. And webalizer and awstats should be behind HTTP Auth protection right?