Beginner's Guide for WordPress - Start your WordPress Blog in minutes.
Choosing the Best
WordPress Hosting
How to Easily
Install WordPress
WordPress Plugins
View all Guides

How to Disable PHP Execution in Certain WordPress Directories

Last updated on by
Special WordPress Hosting offer for WPBeginner Readers
How to Disable PHP Execution in Certain WordPress Directories

Having cleaned numerous WordPress hacks, in our experience most backdoor access files disguise themselves in /wp-includes/ folder or in your /wp-content/uploads/ directory. Usually these are .php files with names that some what seems like WordPress core files, but they are not. One of the measures that you can take to improve your WordPress security is disabling PHP execution in certain WordPress directories. In this article, we will show you how you can use .htaccess file to disable PHP execution in a specific directory.

Create a blank file in a text editor. Call it .htaccess and paste the following code in there:

<Files *.php>
deny from all

Now upload this file in your /wp-content/uploads/ folder. You should also upload it in your /wp-includes/ folder.

Code Explanation: This code checks for any PHP file and denies access to it.

This article is in response to one of the Quora questions, a user asked if it was possible to harden your site’s security with .htaccess file. One of the tips we mentioned was disabling PHP execution in the uploads directory.

Note: This is not a FIX for a hack. This is just a security hardening tip.

If you are conscious about your WordPress security, then we suggest you purchase Sucuri Monitoring service. Here are 5 reasons why we are using Sucuri on our websites. The cost comes down to roughly ~$3 per month per website granted that you get a 5 website package.

Also keep a strong WordPress backup.

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi. Page maintained by Syed Balkhi.

WPBeginner's Video Icon
Our HD-Quality tutorial videos for WordPress Beginners will teach you how to use WordPress to create and manage your own website in about an hour. Get started now »


  1. Chuck Cochems says:

    Yeah, denying access to php files in the includes directory breaks the site because including actually obeys .htaccess restrictions.

    But the restriction on the uploads directory is very smart, and this should be there .BY DEFAULT in the uploads directory, and there’s no good reason for it not to be present.

  2. Stan says:

    What’s the method for IIS servers?

  3. KOnnie says:

    ZOMG! can’t you just disable write access to /wp-includes folder?
    Why fight with consequences when you can prevent the cause?

  4. Jeff Wigal says:

    You can also put this in your Apache virtualhost, which will accomplish the same thing:

    Order allow,deny
    Deny from all

  5. anton says:

    how to implement this code if we have combination of lower case and upper case on file extention for example on.php on my website its work but it s not working if the file named with.PHp ,.PHP .PhP or combination of them,the backdoor script still executed

    Thank you

  6. Shams says:

    Hi Syed,
    Thanks for such an informative post and in fact it provides a great solution for saving WordPress from hackers.

  7. Vladimir says:


    I followed all your instructions in this article, but Its not working…


  8. Aurélien Debord says:

    A so useful post with such good and quick tips.


  9. Ramon says:

    I created an .htaccess file in the wp-includes folder. Site looked oke but my WYSIWYG editor in the admin pages wasn’t working. Had to remove the .htaccess file again. (WP 3.9.1)

  10. Wes says:

    I also found my wp-includes folder full of php files and I can’t see how using that .htaccess file in there wouldn’t break something. I did use it in the uploads dir.

    • Editorial Staff says:

      It does break it sometimes (depending on the plugin you are using), but not all the time.

  11. Red says:

    forgive my bad english…
    i followed all your instructions in this article, but when i go my dashboard to add a newpost, my post section was messed up. … i suspect the .htaccess was the problem.
    when i deleted it, the post was fine.

  12. Chris says:

    I added the .htaccess file to my wp-includes and didn’t have any problems. Thanks a lot of the tips.

  13. Brad says:

    I tried this in my /wp-includes/ directory, which is full of php files. Of course I could no longer access the site. Did you really mean to include the includes directory for use with the .htaccess file?

    Did you maybe mean /wp-includes/images ?

    • Editorial Staff says:

      Nope. We meant /wp-includes/ folder. We have this on our wp-includes folder. If for some reason it is breaking your site, then delete the .htaccess file from your wp-includes folder.

      • Brad says:

        Strange, my wp-includes folder has over 90 php files in it. And it does break the site. I took it back out immediately.

        But I did put it in the /wp-content/uploads/ folder and its works just fine there. Thanks for responding

        • Alfred says:

          Putting an htaccess file denying access to php files in a directory full of php files does seem rather odd. I assume it’s because these files are normally only included, not executed directly. If that’s true, wouldn’t it be better to just deny access to the entire directory?

Add a Comment

We're glad you have chosen to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and all links are nofollow. Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.