Having cleaned numerous WordPress hacks, in our experience most backdoor access files disguise themselves in /wp-includes/ folder or in your /wp-content/uploads/ directory. Usually these are .php files with names that some what seems like WordPress core files, but they are not. One of the measures that you can take to improve your WordPress security is disabling PHP execution in certain WordPress directories. In this article, we will show you how you can use .htaccess file to disable PHP execution in a specific directory.
Create a blank file in a text editor. Call it .htaccess and paste the following code in there:
<Files *.php> deny from all </Files>
Now upload this file in your /wp-content/uploads/ folder. You should also upload it in your /wp-includes/ folder.
Code Explanation: This code checks for any PHP file and denies access to it.
This article is in response to one of the Quora questions, a user asked if it was possible to harden your site’s security with .htaccess file. One of the tips we mentioned was disabling PHP execution in the uploads directory.
Note: This is not a FIX for a hack. This is just a security hardening tip.
If you are conscious about your WordPress security, then we suggest you purchase Sucuri Monitoring service. Here are 5 reasons why we are using Sucuri on our websites. The cost comes down to roughly ~$3 per month per website granted that you get a 5 website package.
Also keep a strong WordPress backup.
Guys i think i have messed up my htaccess file, my website is completely not displaying images
Hey Thato,
You can download your .htaccess file to your computer as a backup and then delete it from your website. Go to WordPress admin area Settings » Permalinks and click on the save changes button. This should regenerate your .htaccess file.
Do not do wp-content.
Do wp-content/uploads.
And this:
order allow,deny
deny from all
May very on servers.
Does it affect the uploads file to upload on webpages?
I found that after uploading this htaccess file to the folder many of images from many posts are not displaying.
Yeah, denying access to php files in the includes directory breaks the site because including actually obeys .htaccess restrictions.
But the restriction on the uploads directory is very smart, and this should be there .BY DEFAULT in the uploads directory, and there’s no good reason for it not to be present.
What’s the method for IIS servers?
Thanks,
ZOMG! can’t you just disable write access to /wp-includes folder?
Why fight with consequences when you can prevent the cause?
Wouldn’t this stop wordpresss being able to update the files in core updates?
You can also put this in your Apache virtualhost, which will accomplish the same thing:
Order allow,deny
Deny from all
how to implement this code if we have combination of lower case and upper case on file extention for example on.php on my website its work but it s not working if the file named with.PHp ,.PHP .PhP or combination of them,the backdoor script still executed
Thank you
You can put this in your .htaccess file
Order Deny,Allow
Deny from All
Hi Syed,
Thanks for such an informative post and in fact it provides a great solution for saving WordPress from hackers.
Hi!
I followed all your instructions in this article, but Its not working…
Thanks
A so useful post with such good and quick tips.
Thanks
I created an .htaccess file in the wp-includes folder. Site looked oke but my WYSIWYG editor in the admin pages wasn’t working. Had to remove the .htaccess file again. (WP 3.9.1)
I also found my wp-includes folder full of php files and I can’t see how using that .htaccess file in there wouldn’t break something. I did use it in the uploads dir.
It does break it sometimes (depending on the plugin you are using), but not all the time.
forgive my bad english…
i followed all your instructions in this article, but when i go my dashboard to add a newpost, my post section was messed up. … i suspect the .htaccess was the problem.
when i deleted it, the post was fine.
Which directory did you upload the .htaccess file that caused this issue?
I added the .htaccess file to my wp-includes and didn’t have any problems. Thanks a lot of the tips.
I tried this in my /wp-includes/ directory, which is full of php files. Of course I could no longer access the site. Did you really mean to include the includes directory for use with the .htaccess file?
Did you maybe mean /wp-includes/images ?
Nope. We meant /wp-includes/ folder. We have this on our wp-includes folder. If for some reason it is breaking your site, then delete the .htaccess file from your wp-includes folder.
Strange, my wp-includes folder has over 90 php files in it. And it does break the site. I took it back out immediately.
But I did put it in the /wp-content/uploads/ folder and its works just fine there. Thanks for responding
Putting an htaccess file denying access to php files in a directory full of php files does seem rather odd. I assume it’s because these files are normally only included, not executed directly. If that’s true, wouldn’t it be better to just deny access to the entire directory?