JustBrightMe

Be Smart and Don’t Stop Learning

Home » WordPress Guide » How to Disable PHP Execution in WordPress for Maximum Security

How to Disable PHP Execution in WordPress for Maximum Security

by Leave a Comment

Recently one of our users asked how to disable PHP execution in WordPress easily.

Certain WordPress directories such as Uploads or Themes or Plugins are writable by default. But unfortunately, this type of permission makes your site vulnerable to hacker attacks.

Hackers can take advantage of this function and upload backdoor access files or malware scripts to your WordPress website or blog. These malicious files are probably disguised as core WordPress files. They are mostly written in PHP and can run in the background to gain full access to your site or even destroy your website.

But do not worry you can fix it easily.

In this article, I will show you how to disable PHP execution in WordPress using the .htaccess file.

Note: Take a backup of your site before modifying the files. A single mistake can break your site or cause other problems. Backup can revert to a working copy of your site.

Disabling PHP Execution in Certain WordPress Directories Using .htaccess

Since the .htaccess file is found in the root folder of WordPress sites. But you can also create and use it inside your certain WordPress directories to disable PHP execution.

Simply create a .htaccess file and upload it to your site’s /wp-includes/ and /wp-content/uploads/ folders.

You can use Notepad (TextEdit on Mac). Save the file as .htaccess and paste the code below in it:

<Files *.php>
deny from all
</Files>

After creating your file .htaccess file, upload it to /wp-includes/ and /wp-content/uploads/ folders. You can upload it using an FTP client or via the File Manager (cPanel dashboard).

After uploading the .htaccess file with this code, it will disable PHP Execution from these directories.

Final Thought

Here I told you how to disable PHP execution in WordPress site manually. It makes your WordPress security harden, but can not work for an already hacked WordPress site.

If you want to use the plugin to disable it, you can use the security plugin like Sucuri or All In One WP Security & Firewall Plugin.

More resources:

I’ve done it, and now it’s your turn! Find this article helpful? Don’t forget to share!

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *