How to Disable PHP Execution in Certain WordPress Directories


Having cleaned numerous WordPress hacks, we have found that most backdoor access files disguise themselves in the /wp-includes/ folder or in your /wp-content/uploads/ directory. Usually these are .php files with names that look somewhat like WordPress core files, but they are not. One of the measures that you can take to improve your WordPress security is disabling PHP execution in certain WordPress directories. In this article, we will show you how you can use an .htaccess file to disable PHP execution in a specific directory.

Create a blank file in a text editor. Call it .htaccess and paste the following code in there:

<Files *.php>
deny from all
</Files>

Now upload this file to your /wp-content/uploads/ folder. You should also upload it to your /wp-includes/ folder.

Code Explanation: This rule matches any PHP file in the directory and denies web access to it.
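The audit script below is an added example, not code from the original article or from WPBeginner. It checks that each of the two directories named above contains the article's rule and lists PHP-like files that the *.php pattern does not cover; the extension list, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# The article's rule: a <Files *.php> section that contains "deny from all".
RULE = re.compile(r"<Files\s+\*\.php>\s*deny\s+from\s+all\s*</Files>", re.I)
# Assumption: extensions the server might hand to PHP; match your handler config.
PHP_LIKE = re.compile(r"\.(php\d?|phtml|phar)$", re.I)

def audit(wp_root, protected=("wp-content/uploads", "wp-includes")):
    """Return {dir: {"rule_present": bool, "uncovered": [relative paths]}}."""
    report = {}
    for rel in protected:
        top = os.path.join(wp_root, rel)
        htaccess = os.path.join(top, ".htaccess")
        rule_present = False
        if os.path.isfile(htaccess):
            with open(htaccess, encoding="utf-8", errors="replace") as fh:
                rule_present = bool(RULE.search(fh.read()))
        uncovered = []
        for dirpath, _dirs, files in os.walk(top):
            for name in files:
                # The *.php glob only covers names ending in ".php".
                if PHP_LIKE.search(name) and not (rule_present and name.endswith(".php")):
                    path = os.path.relpath(os.path.join(dirpath, name), wp_root)
                    uncovered.append(path.replace(os.sep, "/"))
        report[rel] = {"rule_present": rule_present, "uncovered": sorted(uncovered)}
    return report

def build_sample(root):
    """Constructed sample tree: uploads has the rule, wp-includes does not."""
    files = {
        "wp-content/uploads/.htaccess": "<Files *.php>\ndeny from all\n</Files>\n",
        "wp-content/uploads/2013/05/photo.jpg": "",
        "wp-content/uploads/2013/05/wp-cache.php": "",    # blocked by the rule
        "wp-content/uploads/2013/05/wp-conf.phtml": "",   # not matched by *.php
        "wp-includes/version.php": "",                    # no .htaccess here
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for directory, result in audit(tmp).items():
            print(directory, result)
```

Call audit() with the path to a real WordPress root to run the same check on a live install. It is a static check only: it does not confirm that the server actually honours .htaccess files.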

This article is in response to a Quora question in which a user asked if it was possible to harden your site’s security with the .htaccess file. One of the tips we mentioned was disabling PHP execution in the uploads directory.

Note: This is not a FIX for a hack. This is just a security hardening tip.

If you are conscious about your WordPress security, then we suggest you purchase the Sucuri Monitoring service. Here are 5 reasons why we are using Sucuri on our websites. The cost comes down to roughly $3 per month per website, provided that you get a 5 website package.

Also keep a strong WordPress backup.


Editorial Staff at WPBeginner is a team of WordPress lovers led by Syed Balkhi. Page maintained by Syed Balkhi.

  • Wes

    I also found my wp-includes folder full of php files and I can’t see how using that .htaccess file in there wouldn’t break something. I did use it in the uploads dir.

    • http://www.wpbeginner.com Editorial Staff

      It does break it sometimes (depending on the plugin you are using), but not all the time.

  • Red

    Forgive my bad English…
    I followed all your instructions in this article, but when I go to my dashboard to add a new post, my post section was messed up. … I suspect the .htaccess was the problem.
    When I deleted it, the post was fine.

    • http://www.wpbeginner.com Editorial Staff

      Which directory did you upload the .htaccess file that caused this issue?

  • Chris

    I added the .htaccess file to my wp-includes and didn’t have any problems. Thanks a lot for the tips.

  • Brad

    I tried this in my /wp-includes/ directory, which is full of php files. Of course I could no longer access the site. Did you really mean to include the includes directory for use with the .htaccess file?

    Did you maybe mean /wp-includes/images ?

    • http://www.wpbeginner.com Editorial Staff

      Nope. We meant /wp-includes/ folder. We have this on our wp-includes folder. If for some reason it is breaking your site, then delete the .htaccess file from your wp-includes folder.

      • Brad

        Strange, my wp-includes folder has over 90 php files in it. And it does break the site. I took it back out immediately.

        But I did put it in the /wp-content/uploads/ folder and it works just fine there. Thanks for responding.

        • Alfred

          Putting an htaccess file denying access to php files in a directory full of php files does seem rather odd. I assume it’s because these files are normally only included, not executed directly. If that’s true, wouldn’t it be better to just deny access to the entire directory?