
How to Disable PHP Execution in Certain WordPress Directories

Last updated on June 26th, 2019 by Editorial Staff

By default, WordPress makes certain directories writable so that you and other authorized users on your website can easily upload themes, plugins, images, and videos.

However, this capability can be abused if it falls into the wrong hands: hackers can use it to upload backdoor access files or malware to your website.

These malicious files are often disguised as core WordPress files. They are mostly written in PHP and can run in the background to gain full access to every aspect of your website.

Sounds scary, right?

Don’t worry, there is an easy fix for that. You simply disable PHP execution in the directories where you don’t need it, so that any PHP files inside those directories will not run.

In this article, we will show you how to disable PHP execution in WordPress using the .htaccess file.

Disabling PHP Execution in Certain WordPress Directories Using .htaccess File

Most WordPress sites have a .htaccess file in the root folder. This is a powerful configuration file used to password-protect the admin area, disable directory browsing, generate an SEO-friendly URL structure, and more.

By default, the .htaccess file is located in your WordPress website’s root folder, but you can also create and use one inside your inner WordPress directories.

To protect your website from backdoor access files, you need to create a .htaccess file and upload it to your site’s /wp-includes/ and /wp-content/uploads/ directories.

Simply create a blank file on your computer by using a text editor like Notepad (TextEdit on Mac). Save the file as .htaccess and paste the following code inside it.

# Deny web access to any .php file in this directory (and its subdirectories)
<Files *.php>
deny from all
</Files>

Now save the file on your computer.

Next, you need to upload this file to /wp-includes/ and /wp-content/uploads/ folders on your WordPress hosting server.

You can upload it by using an FTP client or via the File Manager app in your hosting account’s cPanel dashboard.

Once the .htaccess file with the above code is added, it will stop any PHP file from running in these directories.

Using this .htaccess trick helps you harden your WordPress security, but it is not a fix for an already hacked WordPress site.

Backdoors are cleverly disguised and can already be hidden in plain sight.
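One way to check both points above, that the protective .htaccess is actually in place and that no stray PHP files are sitting in the uploads directory, is a small audit script. This is an added example, not code from WPBeginner; it builds a constructed sample site tree in a temp directory, matches PHP-like extensions regardless of case (a commenter below notes that a backdoor may be named .PhP), and accepts both the article's `deny from all` rule (Apache 2.2 syntax, which 2.4 honors only when mod_access_compat is loaded) and the Apache 2.4 form `Require all denied`.

```python
import os
import re
import tempfile
from pathlib import Path

# Directories the article protects, relative to the WordPress root.
PROTECTED_DIRS = ("wp-includes", os.path.join("wp-content", "uploads"))

# A <Files>/<FilesMatch> block that denies access, in 2.2 or 2.4 syntax.
DENY_RULE = re.compile(
    r"<Files(Match)?\b[^>]*>.*?(deny\s+from\s+all|require\s+all\s+denied).*?</Files(Match)?>",
    re.IGNORECASE | re.DOTALL)
# .php, .php5, .phtml etc., matched case-insensitively so .PhP is caught too.
PHP_EXT = re.compile(r"\.ph(p[0-9]?|tml)$", re.IGNORECASE)


def htaccess_denies_php(directory):
    """True if directory/.htaccess contains a block denying access to PHP files."""
    path = os.path.join(directory, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        return DENY_RULE.search(fh.read()) is not None


def find_php_files(directory):
    """Relative paths of PHP-like files anywhere under directory."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if PHP_EXT.search(name):
                hits.append(os.path.relpath(os.path.join(root, name), directory))
    return sorted(hits)


def audit(wp_root):
    """Per protected dir: is it protected, and which PHP files does it contain?"""
    return {rel: {"protected": htaccess_denies_php(os.path.join(wp_root, rel)),
                  "php_files": find_php_files(os.path.join(wp_root, rel))}
            for rel in PROTECTED_DIRS}


def build_sample_site():
    """Constructed sample tree: uploads has the article's .htaccess plus a stray .PhP file."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    uploads = Path(root, "wp-content", "uploads")
    (uploads / "2019" / "06").mkdir(parents=True)
    Path(root, "wp-includes").mkdir()
    (uploads / ".htaccess").write_text("<Files *.php>\ndeny from all\n</Files>\n")
    (uploads / "2019" / "06" / "photo.jpg").touch()
    (uploads / "2019" / "06" / "shell.PhP").touch()   # suspicious: PHP inside uploads
    Path(root, "wp-includes", "version.php").touch()  # normal: core file, no .htaccess yet
    return root


if __name__ == "__main__":
    for rel, info in audit(build_sample_site()).items():
        print(rel, "protected" if info["protected"] else "UNPROTECTED", info["php_files"])
```

Run it against a real install by passing the WordPress root to `audit()`; the uploads directory should normally report no PHP files at all.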

If you want to check for possible backdoors on your website, then you need to activate Sucuri on your website.

Sucuri is the best WordPress security plugin on the market. It scans your website for possible threats, suspicious code, malware, and vulnerabilities.

It also effectively blocks most hacking attempts to even reach your website by adding a firewall between your site and suspicious traffic.

Most importantly, if your WordPress site gets hacked, then they will clean it up for you. To learn more, you can check our Sucuri review because we have been using their service for years.

We hope this article helped you to learn how to disable PHP execution in certain WordPress directories to harden your website security. If you are looking for a complete guide, check out our ultimate WordPress security guide.

About the Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi. Trusted by over 1.3 million readers worldwide.

32 Comments

  1. Vitor Gonçlaves says:
    Jul 17, 2020 at 4:38 am

    I’ve found some .php files in the uploads folder created by plugins. Can I assume this won’t cause a problem, or do I have to analyse each plugin individually?

    Reply
    • WPBeginner Support says:
      Jul 17, 2020 at 10:35 am

      If you reach out to your plugins they can let you know the specifics for those files.

      Reply
  2. nirbo says:
    Jun 27, 2019 at 5:49 am

    Thanks for the information

    Reply
    • WPBeginner Support says:
      Jun 27, 2019 at 10:35 am

      You’re welcome :)

      Reply
  3. cliff denney says:
    Jun 7, 2019 at 7:33 pm

    thank you very much

    Reply
    • WPBeginner Support says:
      Jun 10, 2019 at 11:42 am

      You’re welcome :)

      Reply
  4. Suman Samanta says:
    Mar 3, 2019 at 12:21 am

    Great writing! You have a flair for informational writing. Your content has impressed me beyond words. I have a lot of admiration for your writing. Thank you for all your valuable input on this topic.

    Reply
    • WPBeginner Support says:
      Mar 4, 2019 at 1:09 pm

      Thank you, glad you enjoy our writing :)

      Reply
  5. Thato says:
    Mar 3, 2018 at 8:27 am

    Guys, I think I have messed up my .htaccess file; my website is completely not displaying images.

    Reply
    • WPBeginner Support says:
      Mar 4, 2018 at 8:13 pm

      Hey Thato,

      You can download your .htaccess file to your computer as a backup and then delete it from your website. Go to WordPress admin area Settings » Permalinks and click on the save changes button. This should regenerate your .htaccess file.

      Reply
  6. Shawn Rebelo says:
    Nov 2, 2017 at 2:35 pm

    Do not do wp-content.
    Do wp-content/uploads.

    And this:

    order allow,deny
    deny from all

    May vary on servers.

    Reply
  7. Hardik says:
    Nov 18, 2016 at 6:18 am

    Does it affect the uploaded files being shown on web pages?
    I found that after uploading this .htaccess file to the folder, many of the images from many posts are not displaying.

    Reply
  8. Chuck Cochems says:
    May 11, 2016 at 11:53 am

    Yeah, denying access to php files in the includes directory breaks the site because including actually obeys .htaccess restrictions.

    But the restriction on the uploads directory is very smart, and this should be there BY DEFAULT in the uploads directory, and there’s no good reason for it not to be present.

    Reply
  9. Stan says:
    Mar 31, 2016 at 5:38 pm

    What’s the method for IIS servers?
    Thanks,

    Reply
  10. KOnnie says:
    Nov 4, 2015 at 5:43 pm

    ZOMG! Can’t you just disable write access to the /wp-includes folder?
    Why fight with consequences when you can prevent the cause?

    Reply
    • Jonathan Hodgson says:
      Jan 24, 2017 at 6:12 am

      Wouldn’t this stop WordPress being able to update the files in core updates?

      Reply
  11. Jeff Wigal says:
    Oct 13, 2015 at 3:21 pm

    You can also put this in your Apache virtualhost, which will accomplish the same thing:

    Order allow,deny
    Deny from all

    Reply
  12. anton says:
    Jun 8, 2015 at 12:02 am

    How do I implement this code if we have a combination of lower case and upper case in the file extension? For example, with .php on my website it works, but it’s not working if the file is named with .PHp, .PHP, .PhP or a combination of them; the backdoor script is still executed.

    Thank you

    Reply
    • Timothée Moulin says:
      Oct 30, 2017 at 9:09 am

      You can put this in your .htaccess file

      Order Deny,Allow
      Deny from All

      Reply
  13. Shams says:
    Jun 6, 2015 at 1:59 pm

    Hi Syed,
    Thanks for such an informative post and in fact it provides a great solution for saving WordPress from hackers.

    Reply
  14. Vladimir says:
    Jun 5, 2015 at 3:23 am

    Hi!

    I followed all your instructions in this article, but it’s not working…

    Thanks

    Reply
  15. Aurélien Debord says:
    Mar 21, 2015 at 3:46 pm

    A so useful post with such good and quick tips.

    Thanks

    Reply
  16. Ramon says:
    Jul 25, 2014 at 6:19 pm

    I created an .htaccess file in the wp-includes folder. The site looked OK, but my WYSIWYG editor in the admin pages wasn’t working. Had to remove the .htaccess file again. (WP 3.9.1)

    Reply
  17. Wes says:
    Mar 13, 2013 at 12:01 pm

    I also found my wp-includes folder full of php files and I can’t see how using that .htaccess file in there wouldn’t break something. I did use it in the uploads dir.

    Reply
    • Editorial Staff says:
      Mar 13, 2013 at 2:09 pm

      It does break it sometimes (depending on the plugin you are using), but not all the time.

      Reply
  18. Red says:
    Feb 17, 2013 at 4:48 am

    Forgive my bad English…
    I followed all your instructions in this article, but when I go to my dashboard to add a new post, my post section was messed up. … I suspect the .htaccess was the problem.
    When I deleted it, the post was fine.

    Reply
    • Editorial Staff says:
      Feb 21, 2013 at 10:14 am

      Which directory did you upload the .htaccess file to that caused this issue?

      Reply
  19. Chris says:
    Dec 10, 2012 at 10:44 am

    I added the .htaccess file to my wp-includes and didn’t have any problems. Thanks a lot for the tips.

    Reply
  20. Brad says:
    Nov 28, 2012 at 10:43 am

    I tried this in my /wp-includes/ directory, which is full of php files. Of course I could no longer access the site. Did you really mean to include the includes directory for use with the .htaccess file?

    Did you maybe mean /wp-includes/images ?

    Reply
    • Editorial Staff says:
      Nov 28, 2012 at 3:33 pm

      Nope. We meant /wp-includes/ folder. We have this on our wp-includes folder. If for some reason it is breaking your site, then delete the .htaccess file from your wp-includes folder.

      Reply
      • Brad says:
        Nov 28, 2012 at 7:25 pm

        Strange, my wp-includes folder has over 90 php files in it. And it does break the site. I took it back out immediately.

        But I did put it in the /wp-content/uploads/ folder and it works just fine there. Thanks for responding.

        Reply
        • Alfred says:
          Dec 30, 2013 at 9:54 pm

          Putting an htaccess file denying access to php files in a directory full of php files does seem rather odd. I assume it’s because these files are normally only included, not executed directly. If that’s true, wouldn’t it be better to just deny access to the entire directory?
