How prevent WP from executing PHP in unsafe places

Having cleaned numerous WordPress hacks, in our experience most backdoor access files disguise themselves in /wp-includes/ folder or in your /wp-content/uploads/ directory. Usually these are .php files with names that some what seems like WordPress core files, but they are not.

One of the measures that you can take to improve your WordPress security is disabling PHP execution in certain WordPress directories. In this article, we will show you how you can use .htaccess file to disable PHP execution in a specific directory.

Create a blank file in a text editor. Call it .htaccess and paste the following code in there:

deny from all

Now upload this file in your /wp-content/uploads/ folder. You should also upload it in your /wp-includes/ folder.

Code Explanation: This code checks for any PHP file and denies access to it.
This article is in response to one of the Quora questions, a user asked if it was possible to harden your site’s security with .htaccess file. One of the tips we mentioned was disabling PHP execution in the uploads directory.

Note: This is not a FIX for a hack. This is just a security hardening tip.

Looking for a custom solution?

Our technicians can provide you with the best custom made solutions on the market, no matter whether you're a small business or large enterprise.

Get in touch