Why Disable PHP Execution in Certain WordPress Directories?
By default, WordPress makes certain directories writable so that you and other authorized users on your website can easily upload themes, plugins, images, and videos. However, this capability can be abused if it falls into the wrong hands: attackers who gain write access can use it to upload backdoor access files or malware to your WordPress website. These malicious files are often disguised as core WordPress files. They are mostly written in PHP and can run in the background to gain full access to every aspect of your website.
Sounds scary, right? Don’t worry. There is an easy fix for that. Simply disable PHP execution in certain directories where you don’t need it. By doing so, no PHP files will run inside those directories. Let’s take a look at how to improve WordPress security by disabling PHP execution using the .htaccess file.
Disabling PHP Execution in Certain WordPress Directories Using an .htaccess File
Most WordPress sites have an .htaccess file in the root folder. This powerful configuration file is used to password-protect the admin area, disable directory browsing, generate an SEO-friendly URL structure, and more. By default, the .htaccess file is located in your WordPress website’s root folder, but you can also create and use additional .htaccess files inside your inner WordPress directories.
To protect your website from backdoor access files, you need to create a .htaccess file and upload it to your site's /wp-includes and /wp-content/uploads directories. Simply create a new file on your computer using a text editor such as Notepad on Windows or TextEdit on Mac. Save the file as .htaccess and paste the following code snippet inside it:
```apache
<Files *.php>
  # Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied"
  deny from all
</Files>
```
Now, save the file on your computer. Next, you must upload this file to the /wp-includes and /wp-content/uploads folders on your WordPress hosting server. You can upload it using an FTP client or the File Manager app in your hosting account's cPanel dashboard. Once the .htaccess file with the above code is added, it will stop any PHP scripts from running in these directories.