diff --git a/plinth/modules/first_boot/middleware.py b/plinth/modules/first_boot/middleware.py
index 914079afb..34e00e0ee 100644
--- a/plinth/modules/first_boot/middleware.py
+++ b/plinth/modules/first_boot/middleware.py
@@ -28,6 +28,7 @@ from django.urls import reverse
 from django.utils.deprecation import MiddlewareMixin
 
 from plinth.modules import first_boot
+from plinth.utils import is_user_admin
 
 LOGGER = logging.getLogger(__name__)
 
@@ -52,6 +53,15 @@ class FirstBootMiddleware(MiddlewareMixin):
         firstboot_completed = first_boot.is_completed()
         user_requests_firstboot = first_boot.is_firstboot_url(request.path)
 
+        # If user requests a step other than the welcome step, verify that they
+        # indeed completed the secret verification by looking at the session.
+        if (user_requests_firstboot and
+                not request.path.startswith(reverse('first_boot:welcome')) and
+                first_boot.firstboot_wizard_secret_exists() and
+                not request.session.get('firstboot_secret_provided', False) and
+                not is_user_admin(request)):
+            return HttpResponseRedirect(reverse('first_boot:welcome'))
+
         # Redirect to first boot if requesting normal page and first
         # boot is not complete.
         if not firstboot_completed and not user_requests_firstboot:
diff --git a/plinth/modules/first_boot/views.py b/plinth/modules/first_boot/views.py
index 4bec3b936..3dc6871a4 100644
--- a/plinth/modules/first_boot/views.py
+++ b/plinth/modules/first_boot/views.py
@@ -34,6 +34,7 @@ class WelcomeView(FormView):
 
     def form_valid(self, form):
         """If form is valid, mark this step as done and move to next step."""
+        self.request.session['firstboot_secret_provided'] = True
         first_boot.mark_step_done('firstboot_welcome')
         return http.HttpResponseRedirect(reverse(first_boot.next_step()))
 
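Review bot: The welcome-step exemption in the new middleware condition uses a prefix match, `request.path.startswith(reverse('first_boot:welcome'))`, so any first-boot path whose string happens to begin with the welcome URL would also skip the secret check; unless the URL layout guarantees no such sibling route, an exact comparison is the safer gate, `request.path == reverse('first_boot:welcome')`. The gate otherwise relies entirely on the `'firstboot_secret_provided'` session key being set only after the secret form validates, which this hunk cannot confirm, and the key is also spelled as a bare literal here and again in views.py, so a typo in either file silently disables the check; consider a shared module-level name in `first_boot` (for example `SECRET_PROVIDED_SESSION_KEY`, a constructed name) referenced from both places. For readability, the five-clause condition would read better as named booleans, e.g. `is_welcome_step = request.path == reverse('first_boot:welcome')` and `secret_verified = request.session.get(...)`, with the `if` combining them. The enclosing method starts before this hunk and continues after it.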
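Review bot: The docstring of `form_valid` no longer describes what the method does now that it also records secret verification in the session, and nothing in this file documents that `FirstBootMiddleware` consumes that key; suggested wording: `"""If form is valid, record in the session that the wizard secret was verified (checked by FirstBootMiddleware for later steps), mark this step as done and move to next step."""`. The flag is set unconditionally on every valid submission, so its meaning depends on the welcome form's validation actually enforcing the secret whenever one exists; that validation is outside this hunk and worth a brief comment above the assignment, such as `# Form validation is the only place the wizard secret is checked.`, if it holds. The session key literal is duplicated in middleware.py; a shared constant would keep the two in step.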