
In The Sky IT

 
 
How to Disable PHP Execution in WordPress

In The Sky IT

Why You Should Disable PHP Execution in Key WordPress Directories

WordPress allows certain folders to be writable so you and other authorized users can upload themes, plugins, images, and videos. That flexibility is useful, but it can also create a security gap. If attackers gain access, they can upload backdoor files or malware into those same directories. These malicious files often mimic legitimate WordPress components. Most are written in PHP and can silently run in the background, giving hackers complete control of your website.

Alarming? Yes. But the solution is simple: disable PHP execution in directories where PHP never needs to run. Once you block PHP in these locations, no PHP file can execute there, even if someone manages to upload one.

Below is a clear guide to improving WordPress security by using an .htaccess rule to block PHP execution.


How to Disable PHP Execution with an .htaccess File

Most WordPress installations include an .htaccess file in the root directory. This file handles important tasks such as:

  • Password-protecting admin areas

  • Disabling directory browsing

  • Enforcing SEO-friendly URLs

  • Managing redirects and performance settings

You can also place additional .htaccess files inside WordPress subfolders to apply extra security rules.

To block PHP from running in vulnerable folders, create a new .htaccess file and upload it to:

  • /wp-includes

  • /wp-content/uploads

Step 1: Create the .htaccess file

  1. Open a text editor (Notepad on Windows or TextEdit on macOS).

  2. Paste the following code:

    <Files *.php>
    deny from all
    </Files>

  3. Save the file with this exact name:
    .htaccess

Step 2: Upload the file to your server

Use an FTP client or your hosting provider’s File Manager to upload the .htaccess file into both target directories:

  • /wp-includes

  • /wp-content/uploads

Once in place, this rule blocks any PHP script inside those folders from running. Even if a hacker uploads a malicious .php file, it simply won’t execute.
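
To confirm the upload worked, the script below (an added example, not part of the original post) audits a local copy of the site: it reports which of the two target directories lack an active rule and lists any .php files already sitting under uploads. The function names, the sample tree, and acceptance of the Apache 2.4 `Require all denied` form alongside the article's rule are assumptions of this example.

```python
import re
import tempfile
from pathlib import Path

# The two directories the article protects, relative to the WordPress root.
TARGETS = ("wp-includes", "wp-content/uploads")
BLOCK_RE = re.compile(r'<Files\s+"?\*\.php"?\s*>(.*?)</Files>', re.I | re.S)
# The article's rule, plus the Apache 2.4 spelling (accepted here as an assumption).
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)


def has_php_block(text):
    """True if an uncommented <Files *.php> block denies all access."""
    live = "\n".join(ln for ln in text.splitlines() if not ln.lstrip().startswith("#"))
    return any(DENY_RE.search(m.group(1)) for m in BLOCK_RE.finditer(live))


def audit(wp_root):
    """Return (target dirs lacking the rule, .php files found under uploads)."""
    root = Path(wp_root)
    missing = []
    for rel in TARGETS:
        ht = root / rel / ".htaccess"
        if not (ht.is_file() and has_php_block(ht.read_text(errors="replace"))):
            missing.append(rel)
    uploads = root / "wp-content/uploads"
    stray = sorted(p.relative_to(root).as_posix() for p in uploads.rglob("*")
                   if p.is_file() and p.suffix.lower() == ".php")
    return missing, stray


def demo():
    """Build a constructed sample tree and audit it."""
    rule = "<Files *.php>\ndeny from all\n</Files>\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in TARGETS:
            (root / rel).mkdir(parents=True)
        (root / "wp-includes/.htaccess").write_text(rule)
        # Constructed failure case: the rule is present but commented out.
        (root / "wp-content/uploads/.htaccess").write_text(
            "".join("# " + line + "\n" for line in rule.splitlines()))
        month = root / "wp-content/uploads/2025/12"
        month.mkdir(parents=True)
        (month / "photo.jpg").write_bytes(b"\xff\xd8\xff")
        (month / "image.php").write_text("<?php // constructed sample ?>")
        return audit(root)


if __name__ == "__main__":
    print(demo())
```

Run `audit()` against a downloaded copy of the WordPress root; an empty first list means both directories carry the rule.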

Why This Security Step Matters

Blocking PHP execution in these directories:

  • Prevents common backdoor attacks
  • Protects your site from hidden malware scripts
  • Reduces security risks from vulnerable upload forms and plugins
  • Adds a strong layer of defense with almost no effort

WordPress does not require PHP execution in these folders for normal operation, so this security enhancement creates protection without breaking your site.

Posted in How-To | Tagged Admin, Plugins, Security, WordPress