By default, WordPress makes certain directories writeable so that you and other authorized users on your website can easily upload themes, plugins, images, and videos to your website.
However this capability can be abused if it gets in the wrong hand such as hackers who can use it to upload backdoor access files or malware to your website.
These malicious files are often disguised as core WordPress files. They are mostly written in PHP and can run in the background to gain full access to every aspect of your website.
Sounds scary, right?
Don’t worry there is an easy fix for that. Basically, you’d simply disable PHP execution in certain directories where you don’t need it. Doing so, any PHP files will not run inside those directories.
In this article, we will show you how to disable PHP execution in WordPress using the .htaccess file.
Disabling PHP Execution in Certain WordPress Directories Using .htaccess File
Most WordPress sites have a .htaccess file in the root folder. This is a powerful configuration file used to password protect admin area, disable directory browsing, generate SEO friendly URL structure, and more.
By default, the .htaccess file located in your WordPress website’s root folder, but you can also create and use it inside your inner WordPress directories.
To protect your website from backdoor access files, you need to create a .htaccess file and upload it to your site’s /wp-includes/ and /wp-content/uploads/ directories.
Simply create a blank file on your computer by using a text editor like Notepad (TextEdit on Mac). Save the file as .htaccess and paste the following code inside it.
<Files *.php> deny from all </Files>
Now save the file on your computer.
Next, you need to upload this file to /wp-includes/ and /wp-content/uploads/ folders on your WordPress hosting server.
You can upload it by using an FTP client or via File Manager app in your hosting account’s cPanel dashboard.
Once the .htaccess file with the above code is added, it will stop any PHP file to run in these directories.
Using this .htaccess trick helps you harden your WordPress security, but it is not a FIX for an already hacked WordPress site.
Backdoors are cleverly disguised and can already be hidden in plain sight.
If you want to check for possible backdoors on your website, then you need to activate Sucuri on your website.
Sucuri is the best WordPress security plugin on the market. It scans your website for possible threats, suspicious code, malware, and vulnerabilities.
It also effectively blocks most hacking attempts to even reach your website by adding a firewall between your site and suspicious traffic.
Most importantly, if your WordPress site gets hacked, then they will clean it up for you. To learn more, you can check our Sucuri review because we have been using their service for years.
We hope this article helped you to learn how to disable PHP execution in certain WordPress directories to harden your website security. If you are looking for a complete guide, check out our ultimate WordPress security guide.
If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.
Vitor Gonçlaves says
I’ve found some .php files in the uploads folder created by plugins. Can I assume this won’t cause a problem, or do I have to analyse each plugin individually?
WPBeginner Support says
If you reach out to your plugins they can let you know the specifics for those files.
Admin
nirbo says
Thanks for the information
WPBeginner Support says
You’re welcome
Admin
cliff denney says
thank you very much
WPBeginner Support says
You’re welcome
Admin
Suman Samanta says
Great writing! You have a flair for informational writing. Your content has impressed me beyond words. I have a lot of admiration for your writing. Thank you for all your valuable input on this topic.
WPBeginner Support says
Thank you, glad you enjoy our writing
Admin
Thato says
Guys i think i have messed up my htaccess file, my website is completely not displaying images
WPBeginner Support says
Hey Thato,
You can download your .htaccess file to your computer as a backup and then delete it from your website. Go to WordPress admin area Settings » Permalinks and click on the save changes button. This should regenerate your .htaccess file.
Admin
Shawn Rebelo says
Do not do wp-content.
Do wp-content/uploads.
And this:
order allow,deny
deny from all
May very on servers.
Hardik says
Does it affect the uploads file to upload on webpages?
I found that after uploading this htaccess file to the folder many of images from many posts are not displaying.
Chuck Cochems says
Yeah, denying access to php files in the includes directory breaks the site because including actually obeys .htaccess restrictions.
But the restriction on the uploads directory is very smart, and this should be there .BY DEFAULT in the uploads directory, and there’s no good reason for it not to be present.
Stan says
What’s the method for IIS servers?
Thanks,
KOnnie says
ZOMG! can’t you just disable write access to /wp-includes folder?
Why fight with consequences when you can prevent the cause?
Jonathan Hodgson says
Wouldn’t this stop wordpresss being able to update the files in core updates?
Jeff Wigal says
You can also put this in your Apache virtualhost, which will accomplish the same thing:
Order allow,deny
Deny from all
anton says
how to implement this code if we have combination of lower case and upper case on file extention for example on.php on my website its work but it s not working if the file named with.PHp ,.PHP .PhP or combination of them,the backdoor script still executed
Thank you
Timothée Moulin says
You can put this in your .htaccess file
Order Deny,Allow
Deny from All
Shams says
Hi Syed,
Thanks for such an informative post and in fact it provides a great solution for saving WordPress from hackers.
Vladimir says
Hi!
I followed all your instructions in this article, but Its not working…
Thanks
Aurélien Debord says
A so useful post with such good and quick tips.
Thanks
Ramon says
I created an .htaccess file in the wp-includes folder. Site looked oke but my WYSIWYG editor in the admin pages wasn’t working. Had to remove the .htaccess file again. (WP 3.9.1)
Wes says
I also found my wp-includes folder full of php files and I can’t see how using that .htaccess file in there wouldn’t break something. I did use it in the uploads dir.
Editorial Staff says
It does break it sometimes (depending on the plugin you are using), but not all the time.
Admin
Red says
forgive my bad english…
i followed all your instructions in this article, but when i go my dashboard to add a newpost, my post section was messed up. … i suspect the .htaccess was the problem.
when i deleted it, the post was fine.
Editorial Staff says
Which directory did you upload the .htaccess file that caused this issue?
Admin
Chris says
I added the .htaccess file to my wp-includes and didn’t have any problems. Thanks a lot of the tips.
Brad says
I tried this in my /wp-includes/ directory, which is full of php files. Of course I could no longer access the site. Did you really mean to include the includes directory for use with the .htaccess file?
Did you maybe mean /wp-includes/images ?
Editorial Staff says
Nope. We meant /wp-includes/ folder. We have this on our wp-includes folder. If for some reason it is breaking your site, then delete the .htaccess file from your wp-includes folder.
Admin
Brad says
Strange, my wp-includes folder has over 90 php files in it. And it does break the site. I took it back out immediately.
But I did put it in the /wp-content/uploads/ folder and its works just fine there. Thanks for responding
Alfred says
Putting an htaccess file denying access to php files in a directory full of php files does seem rather odd. I assume it’s because these files are normally only included, not executed directly. If that’s true, wouldn’t it be better to just deny access to the entire directory?