Are you looking to improve the security of your WordPress site?
Hackers can upload malware to your website in an attempt to break in. Disabling PHP in these directories will stop the malware from running.
In this article, we will show you how to disable PHP execution in WordPress using the .htaccess file.
Why Disable PHP Execution in Certain WordPress Directories?
By default, WordPress makes certain directories writeable so that you and other authorized users on your website can easily upload themes, plugins, images, and videos to your website.
These malicious files are often disguised as core WordPress files. They are mostly written in PHP and can run in the background to gain full access to every aspect of your website.
Sounds scary, right?
Don’t worry; there is an easy fix for that. Simply disable PHP execution in certain directories where you don’t need it. By doing so, no PHP files will run inside those directories.
Let’s take a look at how to improve WordPress security by disabling PHP execution using the .htaccess file.
Disabling PHP Execution in Certain WordPress Directories Using .htaccess File
Most WordPress sites have an .htaccess file in the root folder.
By default, the .htaccess file is located in your WordPress website’s root folder, but you can also create and use additional .htaccess files inside your inner WordPress directories.
To protect your website from backdoor access files, you need to create a .htaccess file and upload it to your site’s/wp-includes/ and /wp-content/uploads/ directories.
Simply create a blank file on your computer using a text editor such as Notepad on Windows or TextEdit on Mac. Save the file as .htaccess and paste the following code inside it.
<Files *.php> deny from all </Files>
Now save the file on your computer.
Next, you must upload this file to the /wp-includes/ and /wp-content/uploads/ folders on your WordPress hosting server.
You can upload it using an FTP client or the File Manager app in your hosting account’s cPanel dashboard.
Once the .htaccess file with the above code is added, it will stop any PHP files from running in these directories.
Checking for Backdoors in WordPress Using Sucuri
Using this .htaccess trick helps you harden your WordPress security, but it will not fix a WordPress site that has already been hacked.
Backdoors are cleverly disguised and can already be hidden in plain sight.
If you want to check for possible backdoors on your website, then you need to activate Sucuri on your website.
It also effectively blocks most hacking attempts from even reaching your website by adding a firewall between your site and suspicious traffic.
Most importantly, if your WordPress site gets hacked, then it will clean it up for you. To learn more, you can read our Sucuri review because we have been using their service for years.
You can learn more in our guide on finding and fixing backdoors in a hacked WordPress site.
We hope this article helped you to learn how to disable PHP execution in certain WordPress directories to harden your website security. You might also want to learn how to create a free business email address or see our expert picks for the must-have WordPress plugins to grow your site.