I believe you can put a .htaccess file that rejects all browser requests in /databases and /users . The /cgi-bin scripts are executed in the system environment, not being restricted by the .htaccess files once they are executed.
The .htaccess file will look something like
Order deny, allow
Deny from all