Latest Tech and Tips

How to Disable PHP Execution in Certain WordPress Directories


By default, WordPress makes sure directories writeable so that you just and different licensed customers in your web site can simply add themes, plugins, photos, and movies to your web site.

However this functionality may be abused if it will get in the unsuitable hand reminiscent of hackers who can use it to add backdoor entry recordsdata or malware to your web site.

These malicious recordsdata are sometimes disguised as core WordPress recordsdata. They are principally written in PHP and may run in the background to achieve full entry to each facet of your web site.

Sounds scary, proper?

Don’t fear there may be a simple repair for that. Basically, you’d merely disable PHP execution in sure directories the place you don’t want it. Doing so, any PHP recordsdata is not going to run inside these directories.

In this text, we are going to present you the way to disable PHP execution in WordPress utilizing the .htaccess file.

How to Disable PHP Execution in Certain WordPress Directories

Disabling PHP Execution in Certain WordPress Directories Using .htaccess File

Most WordPress websites have a .htaccess file in the foundation folder. This is a strong configuration file used to password defend admin space, disable listing looking, generate search engine optimisation pleasant URL construction, and extra.

By default, the .htaccess file situated in your WordPress web site’s root folder, however you may also create and use it inside your interior WordPress directories.

To defend your web site from backdoor entry recordsdata, you want to create a .htaccess file and add it to your website’s /wp-includes/ and /wp-content/uploads/ directories.

Simply create a clean file in your pc through the use of a textual content editor like Notepad (TextEdit on Mac). Save the file as .htaccess and paste the next code inside it.

<Files *.php>
deny from all

Create htaccess File with Code to Disable PHP

Now save the file in your pc.

Next, you want to add this file to /wp-includes/ and /wp-content/uploads/ folders in your WordPress internet hosting server.

You can add it through the use of an FTP consumer or by way of File Manager app in your internet hosting account’s cPanel dashboard.

Upload htaccess file to your WordPress site

Once the .htaccess file with the above code is added, it would cease any PHP file to run in these directories.

Using this .htaccess trick helps you harden your WordPress safety, however it’s not a FIX for an already hacked WordPress website.

Backdoors are cleverly disguised and may already be hidden in plain sight.

If you need to verify for attainable backdoors in your web site, then you definitely want to activate Sucuri in your web site.


Sucuri is the very best WordPress safety plugin in the marketplace. It scans your web site for attainable threats, suspicious code, malware, and vulnerabilities.

It additionally successfully blocks most hacking makes an attempt to even attain your web site by including a firewall between your website and suspicious site visitors.

Most importantly, in case your WordPress website will get hacked, then they are going to clear it up for you. To be taught extra, you possibly can verify our Sucuri overview as a result of we now have been utilizing their service for years.

We hope this text helped you to find out how to disable PHP execution in sure WordPress directories to harden your web site safety. If you might be on the lookout for a whole information, try our final WordPress safety information.

If you favored this text, then please subscribe to our YouTube Channel for WordPress video tutorials. You also can discover us on Twitter and Facebook.