How to Disable PHP Execution in Certain WordPress Directories

Having cleaned numerous WordPress hacks, in our experience most backdoor access files disguise themselves in the /wp-includes/ folder or in your /wp-content/uploads/ directory. Usually these are .php files with names that look somewhat like WordPress core files, but they are not. One of the measures that you can take to improve your WordPress security is disabling PHP execution in certain WordPress directories. In this article, we will show you how you can use an .htaccess file to disable PHP execution in a specific directory.

Create a blank file in a text editor. Call it .htaccess and paste the following code in there:

# Deny web requests for any .php file in this directory
<Files *.php>
deny from all
</Files>

Now upload this file to your /wp-content/uploads/ folder. You should also upload it to your /wp-includes/ folder.

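Code Explanation: This code matches any file whose name ends in .php and denies web requests for it. The rule applies to requests made through the web server; it does not stop WordPress from loading those files with include or require.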
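
A check for the rule above, as an added example that is not WPBeginner's code: it confirms that a directory's .htaccess holds a closed <Files *.php> deny block and lists any .php files found under that directory. The function names, the sample tree and the file name wp-cache.php are constructed for illustration, and accepting the Apache 2.4 form "Require all denied" is an assumption added here.

```python
import re
import tempfile
from pathlib import Path

# Matches a closed <Files *.php> ... </Files> block, as in the page's snippet.
FILES_BLOCK = re.compile(
    r'<Files\s+"?\*\.php"?\s*>(.*?)</Files\s*>', re.IGNORECASE | re.DOTALL)
# "deny from all" is the page's rule; "Require all denied" is the Apache 2.4
# equivalent (accepting it is an assumption of this example).
DENY = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$",
                  re.IGNORECASE | re.MULTILINE)


def has_php_deny(htaccess_text: str) -> bool:
    """True if the text has a closed <Files *.php> block that denies access."""
    # Drop comment lines so a commented-out rule does not count.
    active = "\n".join(line for line in htaccess_text.splitlines()
                       if not line.lstrip().startswith("#"))
    return any(DENY.search(body) for body in FILES_BLOCK.findall(active))


def audit(directory: Path) -> dict:
    """Report whether the directory is covered and which .php files it holds."""
    htaccess = directory / ".htaccess"
    protected = htaccess.is_file() and has_php_deny(htaccess.read_text())
    php_files = sorted(p.relative_to(directory).as_posix()
                       for p in directory.rglob("*.php") if p.is_file())
    return {"protected": protected, "php_files": php_files}


def demo() -> dict:
    """Build a constructed uploads tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        uploads = Path(tmp) / "wp-content" / "uploads"
        (uploads / "2014" / "06").mkdir(parents=True)
        (uploads / "2014" / "06" / "photo.jpg").write_bytes(b"\xff\xd8")
        # Constructed stand-in for a .php file that does not belong in uploads.
        (uploads / "2014" / "06" / "wp-cache.php").write_text("<?php // sample")
        (uploads / ".htaccess").write_text(
            "<Files *.php>\ndeny from all\n</Files>\n")
        return audit(uploads)


if __name__ == "__main__":
    print(demo())
```

An .htaccess whose <Files> block is never closed is reported as not protected, and any path listed under php_files in an uploads directory deserves a manual look.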

This article is in response to a Quora question in which a user asked whether it was possible to harden your site's security with an .htaccess file. One of the tips we mentioned was disabling PHP execution in the uploads directory.

Note: This is not a FIX for a hack. This is just a security hardening tip.

If you are conscious about your WordPress security, then we suggest you purchase the Sucuri Monitoring service. Here are 5 reasons why we are using Sucuri on our websites. The cost comes down to roughly $3 per month per website, provided that you get a 5 website package.

Also keep a strong WordPress backup.

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi. Page maintained by Syed Balkhi.


  1. Aurélien Debord says:

    A so useful post with such good and quick tips.


  2. Ramon says:

    I created an .htaccess file in the wp-includes folder. Site looked OK but my WYSIWYG editor in the admin pages wasn’t working. Had to remove the .htaccess file again. (WP 3.9.1)

  3. Wes says:

    I also found my wp-includes folder full of php files and I can’t see how using that .htaccess file in there wouldn’t break something. I did use it in the uploads dir.

    • Editorial Staff says:

      It does break it sometimes (depending on the plugin you are using), but not all the time.

  4. Red says:

    Forgive my bad English…
    I followed all your instructions in this article, but when I go to my dashboard to add a new post, my post section was messed up. … I suspect the .htaccess was the problem.
    When I deleted it, the post was fine.

  5. Chris says:

    I added the .htaccess file to my wp-includes and didn’t have any problems. Thanks a lot for the tips.

  6. Brad says:

    I tried this in my /wp-includes/ directory, which is full of php files. Of course I could no longer access the site. Did you really mean to include the includes directory for use with the .htaccess file?

    Did you maybe mean /wp-includes/images ?

    • Editorial Staff says:

      Nope. We meant /wp-includes/ folder. We have this on our wp-includes folder. If for some reason it is breaking your site, then delete the .htaccess file from your wp-includes folder.

      • Brad says:

        Strange, my wp-includes folder has over 90 php files in it. And it does break the site. I took it back out immediately.

        But I did put it in the /wp-content/uploads/ folder and it works just fine there. Thanks for responding.

        • Alfred says:

          Putting an htaccess file denying access to php files in a directory full of php files does seem rather odd. I assume it’s because these files are normally only included, not executed directly. If that’s true, wouldn’t it be better to just deny access to the entire directory?
