Updated on Aug 16, 2019
WordPress is a CMS that makes specific directories writeable by default. This way, you and other users with access are able to easily upload themes, images, plugins, and videos to the site. Setting correct permissions for who can see which files and what actions a user can take significantly improves the security posture of your site.
This guide shows you how to disable PHP execution in WordPress using the .htaccess file.
Having some directories writeable by default makes your site vulnerable to attack. Attackers can abuse this to upload backdoor files or malware to your WordPress site. The malicious files are usually disguised as core WP ones. They are mostly written in PHP and can run as background processes in order to gain full access to everything on your site. This is not something you would like, is it?
There is a fix, and we will share it with you. What you have to do is disable PHP execution in certain directories where it is not needed. Doing that makes sure that no PHP file will run in those particular directories.
Depending on the directory you choose, there could be a negative impact on your website. This is not for beginners: if you disable PHP execution in one of the important directories, your WordPress site could stop working. It is of vital importance that you understand what you are doing before you go on to disable any PHP execution.
Disable PHP execution from the uploads directory. There shouldn't be any PHP executions in the uploads directory, which means that stopping PHP executions in the uploads directory won't impact your WordPress site. It's completely safe to do and will additionally improve WordPress security in general.
Also, it's important to understand that if your site has already been hacked, this is not a fix. This is a prevention measure. If you have been hacked, you will need to locate any files that have been compromised or added and delete them. Remember that one of the most powerful tools a website owner has at their disposal is an up-to-date backup of the website.
Most WordPress websites have the .htaccess file in their root folder. It is a powerful configuration file used to password protect the admin area, disable directory browsing, generate SEO friendly URL structure, etc. In case you are a regular WordPress user, you probably already know the location of the .htaccess file. However, if you need to disable PHP execution for a particular directory, you will need to create a new file. Follow the steps below:
- public_html;
- .htaccess file and press right-click over it to edit. Also, you can use the Edit option on your cPanel navigation menu;
- # End WordPress:

    <Files *.php>
    deny from all
    </Files>

wp-content/uploads directory where every media file is available.
wp-content folder and open Uploads. As you know, there isn't any .htaccess file in this directory, so you need to create a new file. It's an easy job: the .htaccess file is a simple plain-text file, and you can create it by clicking on the File option from your main navigation menu. Go ahead and follow the steps below:
- .htaccess and click on the button Create New File;
- wp-content/uploads directory, not your whole WordPress site. Save the file, and you're all set.

You can also disable PHP execution for wp-includes by following the same method.
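To verify the result, the script below is an added example (not part of the original guide) that lists PHP-like files under wp-content/uploads and checks that the directory's .htaccess carries an uncommented deny rule. The function names, the extension list and the path argument are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: audit wp-content/uploads of a WordPress install.
# Usage: sh audit_uploads.sh /path/to/public_html   (placeholder path)

# List files in uploads with an extension a PHP handler may execute.
# The extension list is an assumption; which extensions reach PHP depends
# on the server's handler configuration.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \
           -o -iname '*.phar' \) 2>/dev/null | sort
}

# Succeed only if uploads/.htaccess has an uncommented deny rule inside a
# <Files>/<FilesMatch> section that names php. Accepts the form used in
# this guide ("deny from all") and the Apache 2.4 form ("Require all denied").
uploads_htaccess_blocks_php() {
    [ -f "$1/wp-content/uploads/.htaccess" ] || return 1
    awk '
        { line = tolower($0) }
        line ~ /^[ \t]*#/                 { next }
        line ~ /<files(match)?[ \t].*php/ { in_sec = 1; next }
        line ~ /<\/files(match)?>/        { in_sec = 0; next }
        in_sec && line ~ /deny[ \t]+from[ \t]+all|require[ \t]+all[ \t]+denied/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1/wp-content/uploads/.htaccess"
}

# Print a short report; return 0 when nothing needs attention, 1 otherwise.
audit_uploads() {
    rc=0
    if uploads_htaccess_blocks_php "$1"; then
        echo "OK   uploads/.htaccess denies PHP requests"
    else
        echo "WARN uploads/.htaccess is missing or has no deny rule"; rc=1
    fi
    hits="$(find_php_in_uploads "$1")"
    if [ -n "$hits" ]; then
        echo "WARN PHP-like files in uploads (compare against a clean backup):"
        echo "$hits" | sed 's/^/     /'
        rc=1
    fi
    return "$rc"
}

if [ "$#" -gt 0 ]; then audit_uploads "$1"; fi
```

A rule pasted on a single line is reported as missing, because Apache expects the section tags and the directive on separate lines.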
Let us remind you that you can always submit a support ticket. Our 24/7 working technical support team is always there to assist you with anything hosting related. Make sure to explain your issue as well as you can to our team, and they will get on it right away.