Through default, WordPress makes positive directories writeable in order that you and different licensed customers to your site can simply add topics, plugins, pictures, and movies in your site.

Alternatively this capacity can also be abused if it will get within the fallacious hand akin to hackers who can use it to add backdoor access files or malware in your site.

Those malicious recordsdata are incessantly disguised as core WordPress recordsdata. They’re most commonly written in PHP and will run within the background to achieve complete get entry to to each side of your site.

Sounds horrifying, proper?

Don’t concern there is a straightforward repair for that. Mainly, you’d merely disable PHP execution in positive directories the place you don’t want it. Doing so, any PHP recordsdata won’t run inside of the ones directories.

On this article, we can display you the way to disable PHP execution in WordPress the usage of the .htaccess document.

How to Disable PHP Execution in Certain WordPress Directories

Disabling PHP Execution in Positive WordPress Directories The use of .htaccess Document

Maximum WordPress websites have a .htaccess file within the root folder. It is a tough configuration document used to password protect admin area, disable listing surfing, generate SEO friendly URL structure, and extra.

Through default, the .htaccess document positioned to your WordPress site’s root folder, however you’ll be able to additionally create and use it inside of your inside WordPress directories.

To give protection to your site from backdoor get entry to recordsdata, you want to create a .htaccess document and add it in your web site’s /wp-includes/ and /wp-content/uploads/ directories.

Merely create a clean document to your pc by means of the usage of a textual content editor like Notepad (TextEdit on Mac). Save the document as .htaccess and paste the next code inside of it.

deny from all

Create htaccess File with Code to Disable PHP

Now save the document to your pc.

Subsequent, you want to add this document to /wp-includes/ and /wp-content/uploads/ folders to your WordPress hosting server.

You’ll add it by means of using an FTP client or by means of Document Supervisor app to your website hosting account’s cPanel dashboard.

Upload htaccess file to your WordPress site

As soon as the .htaccess document with the above code is added, it’ll prevent any PHP document to run in those directories.

The use of this .htaccess trick is helping you harden your WordPress safety, however it isn’t a FIX for an already hacked WordPress web site.

Backdoors are cleverly disguised and will already be hidden in undeniable sight.

If you wish to test for imaginable backdoors to your site, then you want to turn on Sucuri to your site.


Sucuri is the best WordPress security plugin in the marketplace. It scans your site for imaginable threats, suspicious code, malware, and vulnerabilities.

It additionally successfully blocks maximum hacking makes an attempt to even achieve your site by means of including a firewall between your web site and suspicious visitors.

Most significantly, in case your WordPress web site will get hacked, then they’ll blank it up for you. To be told extra, you’ll be able to test our Sucuri review as a result of now we have been the usage of their carrier for years.

We are hoping this newsletter helped you to discover ways to disable PHP execution in positive WordPress directories to harden your site safety. In case you are searching for an entire information, take a look at our ultimate WordPress security guide.

Should you favored this newsletter, then please subscribe to our YouTube Channel for WordPress video tutorials. You’ll additionally to find us on Twitter and Facebook.

The submit How to Disable PHP Execution in Certain WordPress Directories gave the impression first on WPBeginner.

WordPress Maintenance

[ continue ]