How to Disable PHP Execution in some WordPress Directories


In this post, I will explain how you can add an extra layer of security to your WordPress website by disabling PHP execution in some directories. This will stop hackers from injecting malicious code into your WordPress website.

WordPress is one of the most popular CMSs: over 35% of websites on the internet are built on WordPress at the time of writing this post. There are other CMSs such as Squarespace, Joomla and Drupal, but they are used by fewer sites.

Because WordPress is so popular, it is the main target for hackers. According to Sucuri, WordPress accounted for 90 per cent of all hacked CMS sites in 2018. WordPress itself is very secure by default; most security breaches occur due to the use of themes and plugins from unauthorized sources.


Sucuri experts blamed most of the hacks on vulnerabilities in plugins and themes, misconfiguration issues, and a lack of maintenance by webmasters, who often forgot to update their CMS, themes, and plugins.

It does not matter whether your WordPress website uses an Apache, Nginx or LiteSpeed server: some WordPress folders, such as Uploads, Theme and Plugin, are writable by default so that we can easily upload themes and plugins to our WordPress website. This also means that anybody can see them and plan a potential threat.

A directory listing gives a hacker a clear-cut idea of your website's structure, which helps them find a weak section of your website. By default, most web servers like Apache, NGINX and LiteSpeed have directory browsing enabled.


This is a potential threat to your WordPress website. This type of permission allows users to upload images and videos to the site, or to install themes and plugins on it. When we install a theme or plugin, new files are stored in the respective folder.

If you make your theme or plugin folder non-writable, you will not be able to upload any theme or plugin, which is not a good choice. The easiest way is to disable PHP execution. In this post, I will explain how to disable PHP execution in some WordPress directories using the .htaccess file.

Disable PHP Execution in Some WordPress Directories using .htaccess file-:

Step.1-: First, log in to your hosting cPanel with your login credentials and browse to the following path, as shown in the image.


Step.2-: If an .htaccess file is not present in your directory, create a simple one by pasting the code below into a blank Notepad file and naming it .htaccess. You can also get a sample .htaccess file here.

Step.3-: Now, in the above .htaccess file, add the code below after the # END WordPress line.

<FilesMatch "\.(php|php\.)$">
Order Allow,Deny
Deny from all
</FilesMatch>

Step.4-: After all modifications, your .htaccess file looks like the one below.

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
<FilesMatch "\.(php|php\.)$">
Order Allow,Deny
Deny from all
</FilesMatch>

To disable PHP execution for maximum security, add the above file to the following folders:

  • /wp-includes
  • /wp-content/uploads
  • /wp-content

Save the file and upload it to the path public_html ==>> wp-content ==>> uploads. Follow the same steps for /wp-includes and /wp-content/uploads. This .htaccess file will ensure that any PHP file is caught and prevented from executing. If a hacker manages to upload a file like "maliciousPHPFileDisguisedAsJPEGfile.php.jpg", it'll be blocked from execution. For maximum security, you can add the code to the .htaccess files of the plugin and theme folders as well.
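As an added check that is not part of the original post, the Python script below audits whether each of the three folders listed above carries a live (uncommented) PHP deny rule in its .htaccess file. The function names and the sample directory tree are constructed for illustration, and the script also accepts Apache 2.4's `Require all denied` form, which the post does not use.

```python
import re
import tempfile
from pathlib import Path

# Directories the post lists for the deny rule.
TARGET_DIRS = ["wp-includes", "wp-content/uploads", "wp-content"]

# One <FilesMatch "pattern"> ... </FilesMatch> section (directive names are case-insensitive).
BLOCK_RE = re.compile(r'<FilesMatch\s+"?(?P<pattern>[^">]+)"?\s*>(?P<body>.*?)</FilesMatch>',
                      re.IGNORECASE | re.DOTALL)
# The post's "Deny from all", or Apache 2.4's "Require all denied" (assumption: either may appear).
DENY_RE = re.compile(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$",
                     re.IGNORECASE | re.MULTILINE)


def has_php_deny(text: str) -> bool:
    """True if a FilesMatch section naming php denies all access; comment lines are ignored."""
    live = "\n".join(ln for ln in text.splitlines() if not ln.lstrip().startswith("#"))
    return any("php" in m.group("pattern").lower() and DENY_RE.search(m.group("body"))
               for m in BLOCK_RE.finditer(live))


def audit(wp_root: Path) -> dict:
    """Map each target directory to 'protected', 'no rule' or 'no .htaccess'."""
    report = {}
    for rel in TARGET_DIRS:
        ht = wp_root / rel / ".htaccess"
        if not ht.is_file():
            report[rel] = "no .htaccess"
        else:
            report[rel] = "protected" if has_php_deny(ht.read_text(errors="replace")) else "no rule"
    return report


def demo() -> dict:
    """Audit a constructed WordPress tree: one live rule, one commented out, one missing."""
    rule = '<FilesMatch "\\.(php|php\\.)$">\nOrder Allow,Deny\nDeny from all\n</FilesMatch>'
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in TARGET_DIRS:
            (root / rel).mkdir(parents=True, exist_ok=True)
        (root / "wp-content/uploads/.htaccess").write_text(rule + "\n")
        (root / "wp-content/.htaccess").write_text("# " + rule.replace("\n", "\n# ") + "\n")
        return audit(root)


if __name__ == "__main__":
    print(demo())
```

To audit a real site, call `audit(Path("/path/to/public_html"))` with your own document root.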

Conclusion-: Disabling PHP execution is one of the best methods to secure your website from hackers, and I have explained it to the best of my knowledge. If you do not like this method, then you can use the Defender plugin to disable PHP execution in WordPress.

Thanks for reading…“Pardon my grammar, English is not my native tongue.”


About Amar Patel 263 Articles
Hi, I am Amar Patel from India. Founder, Author and Administrator of wpknol.com. I am a simple average man who loves life and loves living life. Professionally, I am a Mechanical Engineer. Apart from my job, I love to write about things around the WordPress CMS.