Trusted WordPress tutorials, when you need them most.
Beginner’s Guide to WordPress
WPB Cup
25 Million+
Websites using our plugins
16+
Years of WordPress experience
3000+
WordPress tutorials
by experts

How to Disable PHP Execution in Certain WordPress Directories

Editorial Note: We earn a commission from partner links on WPBeginner. Commissions do not affect our editors' opinions or evaluations. Learn more about Editorial Process.

Are you looking to improve the security of your WordPress site?

Hackers can upload malware to your website in an attempt to break in. Disabling PHP in these directories will stop the malware from running.

In this article, we will show you how to disable PHP execution in WordPress using the .htaccess file.

How to Disable PHP Execution in Certain WordPress Directories

Why Disable PHP Execution in Certain WordPress Directories?

By default, WordPress makes certain directories writeable so that you and other authorized users on your website can easily upload themes, plugins, images, and videos to your website.

However, this capability can be abused if it gets into the wrong hands, such as hackers who can use it to upload backdoor access files or malware to your WordPress website.

These malicious files are often disguised as core WordPress files. They are mostly written in PHP and can run in the background to gain full access to every aspect of your website.

Sounds scary, right?

Don’t worry. There is an easy fix for that. Simply disable PHP execution in certain directories where you don’t need it. By doing so, no PHP files will run inside those directories.

Let’s take a look at how to improve WordPress security by disabling PHP execution using the .htaccess file.

Disabling PHP Execution in Certain WordPress Directories Using .htaccess File

Most WordPress sites have an .htaccess file in the root folder.

This powerful configuration file is used to password-protect the admin area, disable directory browsing, generate an SEO-friendly URL structure, and more.

By default, the .htaccess file is located in your WordPress website’s root folder, but you can also create and use additional .htaccess files inside your inner WordPress directories.

To protect your website from backdoor access files, you need to create a .htaccess file and upload it to your site’s/wp-includes/ and /wp-content/uploads/ directories.

Simply create a blank file on your computer using a text editor such as Notepad on Windows or TextEdit on Mac. Save the file as .htaccess and paste the following code inside it:

<Files *.php>
deny from all
</Files>

Now, save the file on your computer.

Next, you must upload this file to the /wp-includes/ and /wp-content/uploads/ folders on your WordPress hosting server.

You can upload it using an FTP client or the File Manager app in your hosting account’s cPanel dashboard.

Upload htaccess file to your WordPress site

Once the .htaccess file with the above code is added, it will stop any PHP files from running in these directories.

Checking for Backdoors in WordPress Using Sucuri

Using this .htaccess trick helps you harden your WordPress security, but it will not fix a WordPress site that has already been hacked.

Backdoors are cleverly disguised and can already be hidden in plain sight.

If you want to check for possible backdoors on your website, then you need to activate Sucuri on your website.

Sucuri

Sucuri is the best WordPress security plugin on the market. It scans your website for possible threats, suspicious code, malware, and vulnerabilities.

It also effectively blocks most hacking attempts from even reaching your website by adding a firewall between your site and suspicious traffic.

Most importantly, if your WordPress site gets hacked, then it will clean it up for you. To learn more, you can read our Sucuri review because we have been using their service for years.

You can learn more in our guide on finding and fixing backdoors in a hacked WordPress site.

Expert Guides on How to Improve WordPress Security

Now that you know how to improve your WordPress security by disabling PHP execution in certain directories, you may wish to learn some other security techniques.

Here are some of our best guides on improving WordPress security:

We hope this article helped you to learn how to disable PHP execution in certain WordPress directories to harden your website security. You might also want to learn how to create a free business email address or see our expert picks for the must-have WordPress plugins to grow your site.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us. Here's our editorial process.

Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi with over 16 years of experience in WordPress, Web Hosting, eCommerce, SEO, and Marketing. Started in 2009, WPBeginner is now the largest free WordPress resource site in the industry and is often referred to as the Wikipedia for WordPress.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit - a collection of WordPress related products and resources that every professional should have!

Reader Interactions

38 CommentsLeave a Reply

  1. Syed Balkhi says

    Hey WPBeginner readers,
    Did you know you can win exciting prizes by commenting on WPBeginner?
    Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
    You can get more details about the contest from here.
    Start sharing your thoughts below to stand a chance to win!

  2. Jiří Vaněk says

    Thanks for these safety tips. I have created an htaccess file and will upload it to FTP. I have a website on my own server, so the question of security is entirely up to me. Thanks for the next step in making my WordPress a little more secure again.

  3. Unarine Leo Netshifhefhe says

    I also have this alert on my Updraft plugin where backups are not happening can this be due to htaccess?

    “Backup directory could not be created…

    The folder exists, but your webserver does not have permission to write to it. You will need to consult with your web hosting provider to find out how to set permissions for a WordPress plugin to write to the directory. (wp-content/updraft)”

  4. Brian Prom says

    FYI: you have a typo in your code snippet for the .htaccess snippet.

    Using your code snippet as is (without the closing /) breaks image loading.

  5. Vitor Gonçlaves says

    I’ve found some .php files in the uploads folder created by plugins. Can I assume this won’t cause a problem, or do I have to analyse each plugin individually?

    • WPBeginner Support says

      If you reach out to your plugins they can let you know the specifics for those files.

      Admin

  6. Suman Samanta says

    Great writing! You have a flair for informational writing. Your content has impressed me beyond words. I have a lot of admiration for your writing. Thank you for all your valuable input on this topic.

  7. Thato says

    Guys i think i have messed up my htaccess file, my website is completely not displaying images

    • WPBeginner Support says

      Hey Thato,

      You can download your .htaccess file to your computer as a backup and then delete it from your website. Go to WordPress admin area Settings » Permalinks and click on the save changes button. This should regenerate your .htaccess file.

      Admin

  8. Shawn Rebelo says

    Do not do wp-content.
    Do wp-content/uploads.

    And this:

    order allow,deny
    deny from all

    May very on servers.

  9. Hardik says

    Does it affect the uploads file to upload on webpages?
    I found that after uploading this htaccess file to the folder many of images from many posts are not displaying.

  10. Chuck Cochems says

    Yeah, denying access to php files in the includes directory breaks the site because including actually obeys .htaccess restrictions.

    But the restriction on the uploads directory is very smart, and this should be there .BY DEFAULT in the uploads directory, and there’s no good reason for it not to be present.

  11. KOnnie says

    ZOMG! can’t you just disable write access to /wp-includes folder?
    Why fight with consequences when you can prevent the cause?

  12. Jeff Wigal says

    You can also put this in your Apache virtualhost, which will accomplish the same thing:

    Order allow,deny
    Deny from all

  13. anton says

    how to implement this code if we have combination of lower case and upper case on file extention for example on.php on my website its work but it s not working if the file named with.PHp ,.PHP .PhP or combination of them,the backdoor script still executed

    Thank you

  14. Shams says

    Hi Syed,
    Thanks for such an informative post and in fact it provides a great solution for saving WordPress from hackers.

  15. Ramon says

    I created an .htaccess file in the wp-includes folder. Site looked oke but my WYSIWYG editor in the admin pages wasn’t working. Had to remove the .htaccess file again. (WP 3.9.1)

  16. Wes says

    I also found my wp-includes folder full of php files and I can’t see how using that .htaccess file in there wouldn’t break something. I did use it in the uploads dir.

  17. Red says

    forgive my bad english…
    i followed all your instructions in this article, but when i go my dashboard to add a newpost, my post section was messed up. … i suspect the .htaccess was the problem.
    when i deleted it, the post was fine.

  18. Chris says

    I added the .htaccess file to my wp-includes and didn’t have any problems. Thanks a lot of the tips.

  19. Brad says

    I tried this in my /wp-includes/ directory, which is full of php files. Of course I could no longer access the site. Did you really mean to include the includes directory for use with the .htaccess file?

    Did you maybe mean /wp-includes/images ?

    • Editorial Staff says

      Nope. We meant /wp-includes/ folder. We have this on our wp-includes folder. If for some reason it is breaking your site, then delete the .htaccess file from your wp-includes folder.

      Admin

      • Brad says

        Strange, my wp-includes folder has over 90 php files in it. And it does break the site. I took it back out immediately.

        But I did put it in the /wp-content/uploads/ folder and its works just fine there. Thanks for responding

        • Alfred says

          Putting an htaccess file denying access to php files in a directory full of php files does seem rather odd. I assume it’s because these files are normally only included, not executed directly. If that’s true, wouldn’t it be better to just deny access to the entire directory?

Leave A Reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.